Cybersecurity recommendations related to telecommuting

The global COVID-19 health crisis has required confinement measures and the restriction of travel to essential purposes only. Faced with this exceptional and unprecedented situation, entities such as administrations, businesses, or communities (hereinafter referred to as entities) that were able to do so had to implement telecommuting to preserve the essential activities that this mode of operation can enable.

However, an uncontrolled implementation of telecommuting can increase security risks for the entities that use it. It can even endanger their activity in the face of cybercrime, which has redoubled its efforts in recent years.

Following the information note issued on March 20, 2020, to Chief Information Security Officers (CISOs), this note was developed by the General Directorate of Information Systems Security to describe the security measures to be taken to better control the risks associated with telecommuting.

A. MAIN SECURITY RISKS AND CYBER THREATS RELATED TO TELECOMMUTING

In this unprecedented context characterized by the use of telecommuting, entities are more exposed to IT risks and attacks. These attacks have the following main objectives:

  • Data theft or alteration: Attackers take advantage of reduced security measures outside the entity's premises to access data on workstations. Indeed, at home, workstations are directly exposed to the Internet without adequate protection (lack of flow filtering, presence of other equipment on the same network, use of the workstation for non-professional purposes).
  • Disruption of activity: In these times of health crisis, the activity of entities is more dependent on their information systems. Attackers will seek by all means to disrupt the proper functioning of these systems, notably through denial-of-service attacks. In this regard, online services and remote access platforms are the most targeted by this type of attack.

In order to achieve their goals, the main means and attack vectors used are:

  • Phishing: These are fraudulent messages (email, SMS, chat, etc.) aimed at stealing confidential information (passwords, sensitive entity data, personal or banking information) by impersonating a trusted third party, or at infecting the machine with malicious code (virus, ransomware, spyware, etc.). This technique now takes advantage of both the excitement surrounding information about the COVID-19 pandemic and the use of email as the primary means of communication among collaborators.
  • Bypassing access mechanisms to information systems: Remote access without appropriate security measures increases attackers' opportunities to access information systems. This access can be direct, by exploiting vulnerabilities in systems and applications exposed on the Internet, or indirect, by passing through a compromised user workstation used as a rebound point.

B. TELECOMMUTING SECURITY PROTECTION MEASURES

To address the above risks, it is recommended to implement the following cybersecurity measures and draw the attention of the CISO to ensure their implementation:

  1. Use appropriate means and equipment for telecommuting: It is strongly recommended to use, as much as possible, means provided, secured, and controlled by the entity (equipped with antivirus, firewall, disk encryption, etc.) and to reinforce access security to sensitive information systems.
  2. Limit remote access: External or remote access should be reserved for essential persons and services and strictly filtered at the firewall level. This access should be based on adequate privileges and limited to the needs of users. It is also necessary to partition off the systems for which remote access is not necessary, in order to preserve them.
  3. Secure remote access: Remote connections to internal information systems must systematically be made via a virtual private network (VPN). Implementing two-factor authentication is recommended to prevent identity theft.
  4. Strengthen password policy: Passwords should be sufficiently long, complex, and unique on each device or service used. In this context, it is also necessary to reduce the password change period and implement mechanisms to counter brute force attacks. At the slightest doubt, or even as a preventive measure, passwords should be changed, and two-factor authentication should be activated whenever possible.
  5. Ensure compliance with security update deployment: All equipment and systems, especially those exposed to the Internet (laptops, tablets, smartphones, servers, network or security equipment, etc.), must systematically and immediately benefit from security updates. Indeed, a single device that has not been updated is often the cause of an intrusion into the entities' network.
  6. Ensure data backup: Since they do not necessarily have the automatic backup mechanisms deployed at the entity's central level, telecommuters must be aware of the importance of regularly backing up their data to cope with potential data loss following a cyberattack (e.g., ransomware).
  7. Supervise external access activity and sensitive systems: This supervision should allow the entity to detect any abnormal activity that could be a sign of a cyberattack, such as a suspicious connection by an unknown user, elevation of privileges of a known user, or an unusual volume of information download…
  8. Activate logging at the telecommuting infrastructure level: Logging is often the only way to understand how a cyberattack could have occurred and therefore to remedy it, as well as to assess the extent of the attack. Therefore, logging, especially at the level of laptops, perimeter equipment, and exposed services, should be activated.
  9. Respect security rules on collaborative platforms: Cloud platforms for exchanging professional information (video conferencing, document sharing, messaging, etc.) must be used while ensuring that sensitive data is not shared. In any case, and as far as possible, it is recommended to use VPN connections and strong authentication mechanisms.
  10. Sensitize and support telecommuters: This involves giving telecommuters clear instructions on what they can and cannot do and making them aware of the security risks associated with telecommuting. Attention should be drawn to:
    •  The exclusive use of telecommuting equipment for professional purposes;
    •  The use of a secure protocol (WPA2) and strong passwords to protect the home Wi-Fi network;
    •  The systematic reporting of any incident or suspicious event to the entity's CISO.

For any further assistance or information, please contact the General Directorate of Information Systems Security at the following email address: contact@dgssi.gov.ma
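
Measure 7 names three signals of abnormal activity; the sketch below is an added example (not part of the DGSSI note) showing how they can be checked over remote-access events. The log format, user names, role name and the 500 MB daily threshold are assumptions made for the illustration.

```python
"""Added example: flag the three anomaly signals named in measure 7.

The event format, accounts and threshold are assumptions, not taken from
the note; adapt them to the VPN or gateway actually deployed.
"""
import csv
import io
from collections import defaultdict

# Constructed sample events: timestamp,user,event,value
SAMPLE_LOG = """\
2020-04-02T08:01:12,emp001,login,192.0.2.10
2020-04-02T08:05:40,emp001,download,12000000
2020-04-02T09:14:03,ext999,login,203.0.113.7
2020-04-02T10:22:51,emp002,login,198.51.100.44
2020-04-02T10:30:00,emp002,role_change,admin
2020-04-02T11:02:19,emp001,download,480000000
2020-04-02T11:40:27,emp001,download,95000000
"""

AUTHORIZED_USERS = {"emp001", "emp002"}  # accounts approved for remote access
PRIVILEGED_ROLES = {"admin"}             # hypothetical privileged role name
DAILY_DOWNLOAD_LIMIT = 500_000_000       # bytes per user per day (assumed)


def detect_anomalies(log_text, authorized=AUTHORIZED_USERS):
    """Return a list of (timestamp, user, reason) alerts, in log order."""
    alerts = []
    downloaded = defaultdict(int)  # (user, day) -> bytes downloaded so far
    flagged = set()                # (user, day) already alerted for volume
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:          # skip blank or malformed lines
            continue
        ts, user, event, value = row
        day = ts[:10]
        if event == "login" and user not in authorized:
            alerts.append((ts, user, "connection by unknown user"))
        elif event == "role_change" and value in PRIVILEGED_ROLES:
            alerts.append((ts, user, "privilege elevation"))
        elif event == "download":
            downloaded[user, day] += int(value)
            over = downloaded[user, day] > DAILY_DOWNLOAD_LIMIT
            if over and (user, day) not in flagged:
                flagged.add((user, day))
                alerts.append((ts, user, "unusual download volume"))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG):
        print(*alert, sep="  ")
```

The volume check is cumulative per user and per day, so several moderate downloads that together exceed the threshold are flagged once, at the event that crosses it.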

To report any criminal digital content, including threats to the security of individuals and groups, praise or incitement of terrorism, and violations of the rights and freedoms of children, please use the following platform: www.e-blagh.ma
