National CSIRT-CY | National Computer Security Incident Response Team of Cyprus

1. Security requirements for remote work

1.1 Security Policy

The organisation must have a security policy for using devices for remote work.
The policy must be in place and enforced.

1.2 General

All devices should have up-to-date software.
All devices should have up-to-date antivirus.
Only the Admins are allowed to install software on the computers.
The users should not have pirate applications, music or videos on the computers.
Connect only to protected WI-FI networks.
Use only WAP2 Protocol when setting up a home network.
Always use a strong password for your home network.

1.3. Access Control

1.3.1. Account Management

Each user identity (user-ID) shall uniquely identify only one user. Shared or group user-IDs should not be permitted unless explicitly approved by the management of the organisation or by any associated internal Standard Operating Procedures (SOPs).

Local users in systems have to be avoided.

Centralized users directory (AD) has to be maintained.

Privileged (root/administrator/PGP) passwords (keys) have to be printed and provided to the appointed team leader in a sealed envelope for emergencies. At least two team members must sign the envelope.

1.3.2. Access Enforcement

User authentication and authorization mechanisms shall be implemented in the organisation’s systems. It also applies to desktop and notebook computers and workstations.

All system and application accounts shall be automatically revoked after a pre-defined period of inactivity for three months.

User has to be blocked for 15 minutes automatically after 10 (ten) unsuccessful login attempts.

All vendor-supplied default passwords shall be changed before any system put into operation.

After inactivity, the computer should default back to the lock screen after a pre-defined period of inactivity of 5 minutes (or according to internal SOPs).

1.3.3. Least Privilege

The organisation should employ the principle of least privilege, allowing only authorized accesses for which are necessary to accomplish assigned tasks in accordance with the services and functions of the organisation. In respect to this, security functions are insourced the IT infrastructure support team and include establishing system accounts, configuring access authorizations, setting events to be audited, and setting intrusion detection parameters in firewalls.

BIOS Access should be locked for all users.

1.3.4. Remote Access (VPN)

The organisation must implement a cryptographic mechanism to protect the confidentiality and integrity of remote access sessions with VPN (Virtual Private Network) technology.

1.3.5. Access Control for Mobile Devices (smartphones, notebooks)

All mobile devices provided by the organisation for the use within the operational environment are subject for the approval as per change and configuration management procedure.

If a mobile device is used to manage the organisation’s information inside and or outside the premises, it has to be encrypted (including removable media), password protected and has VPN capabilities.

1.3.6. Bring your own device (BYOD)

Personal devices that are outside of the organisation’s boundary and for which the organisation has no direct supervision and authority over the application of required security controls or the assessment of control effectiveness. BYOD includes personally owned devices (e.g., notebook computers, smartphones, tablets).

It is forbidden to use personally owned devices in and outside of the organisation for accessing any of the organisation’s services such as email and related with email usage activities like reading/editing attachments unless the mobile devices/tablets/laptops comply with the encryption and password protection requirements of the organisation and all the requirements of the security policy.

1.3.7. Two Factor Authentication

The organisation must use 2FA (Two Factor Authentication) for an extra layer of security when connecting to the VPN.

1.4. Audit and Accountability

1.4.1. Audit Events and Content

All information systems, network and security equipment deployed should log events on the device, VM or information system, as well as on a central log server.

All information systems, network and security equipment, shall be configured to capture and log all information relevant to security-related events and analysis.

All log data shall be transmitted over a secure channel – natively or via an encrypted tunnel; e.g. SSL, SSH, SNMPv3 etc. between the device and the central log server. Legacy devices may be exempt from this requirement until they are end-of-life if this feature is not supported by the vendor.

Based on international best practice, the following audit events/logs have to be generated by the organisation’s systems and infrastructure components and stored in a separate location (central log server):

Input validation failures, e.g. protocol violations, unacceptable encodings, invalid parameter names and values
Output validation failures, e.g. database recordset mismatch, invalid data encoding
Authentication successes and failures
Authorization (access control) failures
Session management failures, e.g. cookie session identification value modification
Application errors and system events, e.g. syntax and runtime errors, connectivity problems, performance issues, third party service error messages, file system errors, file upload virus detection, configuration changes
Application and related systems start-ups and shut-downs, and logging initialisation (starting, stopping or pausing)
Modifications to configuration

Each log entry needs to include sufficient information for the intended subsequent monitoring and analysis. The application logs must record “when, where, who and what” for each event. The properties for these will be different depending on the architecture, class of application and host system/device, but often include the following:

Parameter	Values
When	· Log date and time (international format) · Event date and time · Interaction identifier
Where	· Application identifier, e.g. name and version · Application address, e.g. cluster/host name or server IP address and port number, workstation identity, local device identifier · Service, e.g. name and protocol · Geolocation (when feasible and possible) · Window/form/page, e.g. entry point URL and HTTP method for a web application, dialogue box name · Code location, e.g. script name, module name
Who (human or machine user)	· Source address, e.g. user’s device/machine identifier, user’s IP address, cell/RF tower ID, mobile telephone number · User identity (if authenticated or otherwise known), e.g. user database table primary key value, user name, license number
What	· Type of event · Severity of event e.g. {0=emergency, 1=alert, …, 7=debug}, {fatal, error, warning, info, debug, trace} · Security relevant event flag (if the logs contain non-security event data too) · Description

1.4.2. Audit / Logs Storage Capacity

The organization must maintain dedicated audit records/logs facility where all the logs from the organisation’s systems, infrastructure components and computers are being sent to preserve logs confidentiality, integrity and availability in case of a disruptive event or incident. No alternative records/logs facility is allowed.
All audit records/logs shall be kept for at least six months. Audit records/logs might be archived. Legal log retention requirement takes precedence over this baseline.

1.4.3. Time Stamps / NTP

Centralized NTP service has to be used to synchronise clocks of all systems and be able to correlate generated logs for troubleshooting, analysis or investigations.
All organisation’s systems’ time must be synchronised. The only exceptions are systems for which there is no NTP agent available on the market.

1.4.4. Protection of Audit Information

Only the Security Administrator should have delete rights.

1.5. Security Assessment and Authorization

1.5.1. Least Functionality

The organisation must configure information systems to provide only essential capabilities and prohibits or restricts the use of unnecessary functions.

Disable USB Ports
Disable unnecessary protocols, and services
Disable other input methods (CD, DVD)

*with this you can avoid having an OS booted from an external source.

1.5.2. Information System Component Inventory

The organisation should develop and document an inventory of infrastructure components and information systems that accurately reflects current design and setup.
When changed, the list has to be updated as soon as changes occur. The actual list of assets has to be maintained by the IT support team.
Every asset has to have an owner. An owner is responsible for preserving confidentiality, integrity and availability of information used andstored in the asset.

1.5.3. Device Physical Security

The bottom case of the computer (laptop) must be secured with a security strip to avoid unauthorised access to the internal components. In the case, it happens to be able to notice it immediately.

1.6. Backups and storage of information

All user data must be stored on a dedicated server (via LAN in the office, or remotely via secure VPN) never on the computer.
Each computer should be backed up to the server.

1.7. Troubleshooting / Problem Management

When a user may suspect that any information or the computer security has been compromised when suddenly without any user action, it is running slowly or when strange messages and warnings appear on the screen then the user must:

Do not panic.
Do not turn off your PC.
Note the contents of the warning message.
Communicate with the organization and the IT Support Admin Team.
Act according to the instructions given by the IT Support Admin Team.
Provide all necessary information needed to assist the investigation and detection of the problem.

All employees must immediately inform the Administrators in the event of a malware o suspicious behaviour and any issues related to information security.