In this excerpt of Chapter 7 from The Black Book on Corporate Security, authors Howard Schmidt and Tony Alagna analyze how "unmanaged" remote access can serve as an attack vector.
There are many different types of remote access solutions for mobile
employees. There is SSL VPN, which is a Web-based VPN device. There
are also different types of Webmail as well as Outlook Web Access. Also,
some bigger companies like Citrix have secure gateways. Classic IPsec
VPNs, as well as different types of portals and intranets and extranets, can
also be used for mobile computing.
What all remote access methods have in common, regardless of the technology used, is that the client is an endpoint machine and is as vulnerable as any other system on the Internet. In some cases, these are managed machines: a corporate-issued asset administered by corporate IT that carries all of the corporate-provisioned security programs.
Corporate resources can now be accessed from anywhere, and most of those places are far from trustworthy. The danger here is extreme, because mobile computing environments plug into random places and unmanaged systems.
Vendors are aware of this security threat, and they're increasingly recommending
the deployment of different types of security and scanning technologies.
The problem is that most security technologies are not readily deployable. Antivirus is a very large application, so it is not practical to have everyone who is logging in remotely download this software and then scan the hard drive for half an hour before they can access e-mail.
Antivirus-type technologies in the "unmanaged space" must be behavioral,
small, fast and transactional. Some are emerging in the marketplace.
However, the vulnerability in this mobile communication model is obvious.
Besides the general threat of malicious code, these machines have no physical access restrictions. Anybody can load whatever they want onto them (the risk of a keystroke logger, regardless of whether it has network connectivity, is huge). A person can walk up five minutes before the machine is used and again five minutes after it was used, and capture everything that was done on that machine between those two points in time.
The threat of malicious code is even greater in this unmanaged machine space. Sometimes the people using IPsec VPNs feel safe because this technology prevents split-tunneling (the ability for two or more applications to communicate simultaneously while the VPN connection is active). Preventing split-tunneling only creates an illusion of safety.
A reverse-connecting Trojan functions the same way in this environment as it does in a corporate environment, by initiating its connection sequence from the inside out. So, if users can see the Internet, then so can the malicious code. Even without Internet access, malicious code can be scripted to steal data or perform actions whenever the machine comes back online. Malicious code is basically winning in every environment regardless of the situational defenses. All situational defenses can do is minimize the types of attacks; they cannot stop attacks.
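Because a reverse-connecting Trojan rides the same outbound path the user's legitimate traffic takes, the defender's opportunity is not at the firewall policy but in the connection records the VPN gateway or endpoint produces: malware that "phones home" tends to reconnect to the same destination at a regular interval, while human-driven traffic does not. The following Python script is an added example, not code from the book or its authors; it parses constructed connection-log lines (the log format, the hosts and the addresses in the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges are all assumptions) and flags flows whose inter-connection timing is suspiciously regular.

```python
"""Flag beacon-like outbound connections in a connection log (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not from the book). Each line is:
#   <ISO timestamp> <source IP> <destination IP> <destination port>
# 10.0.0.5 talks to several hosts; only one destination is contacted
# every 60 seconds like clockwork, which is the pattern we want to surface.
SAMPLE_LOG = """\
2024-01-10T09:00:00 10.0.0.5 203.0.113.7 443
2024-01-10T09:00:03 10.0.0.5 198.51.100.20 443
2024-01-10T09:01:00 10.0.0.5 203.0.113.7 443
2024-01-10T09:01:30 10.0.0.5 198.51.100.44 80
2024-01-10T09:02:00 10.0.0.5 203.0.113.7 443
2024-01-10T09:03:00 10.0.0.5 203.0.113.7 443
2024-01-10T09:04:00 10.0.0.5 203.0.113.7 443
2024-01-10T09:04:12 10.0.0.5 198.51.100.20 443
2024-01-10T09:05:00 10.0.0.5 203.0.113.7 443
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, dport) tuples.

    Malformed lines (wrong field count, bad timestamp, non-numeric port)
    are skipped rather than aborting the whole run, since real logs are
    rarely clean.
    """
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            dport = int(parts[3])
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2], dport))
    return events


def find_beacons(events, min_connections=5, max_cv=0.2):
    """Return flows whose connection timing looks automated.

    Connections are grouped by (src, dst, dport). For each group with at
    least `min_connections` entries, the gaps between successive connections
    are measured; a low coefficient of variation (stddev / mean) means the
    gaps are nearly identical, which is typical of a scheduled call-home
    and atypical of a person browsing or reading mail.
    """
    flows = defaultdict(list)
    for ts, src, dst, dport in events:
        flows[(src, dst, dport)].append(ts)

    suspicious = {}
    for key, times in flows.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all connections in the same second; not a beacon pattern
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            suspicious[key] = {
                "count": len(times),
                "mean_interval_s": avg,
                "cv": round(cv, 3),
            }
    return suspicious


if __name__ == "__main__":
    for (src, dst, dport), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}:{dport}  connections={info['count']} "
              f"interval={info['mean_interval_s']:.0f}s cv={info['cv']}")
```

The thresholds are deliberately simple: five connections and a coefficient of variation of 0.2 or less catch a fixed-interval caller while ignoring the two-connection flows a user produces by reloading a page. In practice a call-home that adds random jitter raises the coefficient of variation, so the threshold is a tuning knob rather than a hard rule, and the output is a lead for an analyst to look at, not a verdict.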
Read Chapter 7, Defending the digital you