Data breaches through insiders—or trusted employees, contractors and vendors who have access to your network—are becoming more and more common.
For example, the recent JP Morgan breach began when hackers compromised one employee’s username and password to a web development server. The major breach at US retailer Target started when hackers stole credentials from an HVAC vendor who connected to Target’s network for invoicing and billing purposes.
Once these hackers established a beachhead into the network, they were able to conduct island-hopping attacks to access more sensitive areas to install malware and steal valuable data.
One of the most attractive beachheads for cyber criminals are the remote access tools used by insiders with privileged access to perform IT tasks, such as maintenance and support. The privileged users include internal system administrators, but also third-party outsourcers and vendors who have been contracted to perform IT functions.
Often these third-parties are the weakest link in a company’s network, as they are focused on delivering specific services at a low cost, but not held to the same security standards as internal employees.
In fact, the Trustwave 2014 Security Pressures Report recommends, “When partnering with third-party IT providers (or any vendors that have access to IT systems), businesses should require these companies have detailed and locked-down security policies, perform ongoing and regular penetration testing, demonstrate appropriate remote access controls, ensure software and hardware is consistently patched and isolate data from other customers.”
Security involves many layers, but one of the foundational layers is limiting and securing remote access pathways for all of your privileged users. It not only makes it harder for cybercriminals to compromise legitimate access pathways, but also for malicious insiders to do harm.
Five steps companies can adopt today to improve remote access security include:
- Consolidate remote access tools so you can centrally manage and monitor all insider and external remote access through one centralised system.
- Once you implement a central remote access solution, there is no longer a need for open listening ports, such as the default RDP port 3389, which is commonly targeted by hackers. By blocking broad access to 3389 (and any ports used by other legacy remote access tools), you can completely shut that door for hackers.
- Multi-factor authentication is a must for remote access, for both employees and external outsourcers and vendors. This not only makes it extremely hard for hackers to compromise credentials, it eliminates the ability for IT teams or vendors to share log-ins to cut corners on license costs, which ultimately compromises the integrity of an audit trail.
- In addition to limiting admin privileges for users and applications, consider restricting when and from where users can remotely access your systems. For example, an IT outsourcer may be able access your systems from his computer on his company network, but not from his iPad at home.
- Regularly monitor your network or set up alerts for unexpected access activity, such as a vendor logging in overnight or on a weekend. By capturing a full audit trail of all remote access activity, you can set up a warning system to
alert you to unauthorised access before the damage is done.
Remote access is a necessary function for IT professionals, and becoming more important as IT functions are increasingly outsourced, employees become more mobile, and networks are more dispersed. Balancing security mandates with privileged users’ needs to quickly access and work on various systems with security is no easy task.
Putting the right policies and tools in place to manage remote access, now, can save your company considerable time, money and potentially its reputation down the line.
Boatner Blankenstein is senior director of solutions engineering at Bomgar