An attacker seeking to penetrate an enterprise's defenses typically has many "easy" options to choose from: unpatched Windows machines, website cross-site scripting flaws, or social engineering against employees.
So it's impossible to ignore the irony that enterprise remote access services -- technologies constructed to provide authorized employees and partners with managed, secure remote access to corporate networks and data -- have become one of the most exploited IT resources in use today.
For the information security industry, it's disheartening. Many enterprises, large and small, have made huge investments in remote access services, but recent findings suggest these technologies come with a variety of inherent problems and few easy answers.
The most recent and perhaps most powerful evidence of remote access problems comes in the 2012 Verizon Data Breach Investigations Report, the industry bellwether for data breach trends. Verizon found that in 2011, remote access services were involved in 88% of all hacking breaches in its data set, and of all the reported incidents involving malware last year, compromised remote access paved the way for infections 95% of the time.
In the DBIR, Verizon references remote access services such as Virtual Network Computing (VNC) and Remote Desktop Protocol (RDP), but the remote access security problem is far broader. Consider the following:
- Many enterprises permit (or fail to regulate) the use of third-party file storage services to facilitate remote access to data, but once files end up in cloud-based repositories, the enterprise loses control of them. When an authentication bug left Dropbox user accounts accessible without a valid password for several hours last June, before the company noticed, it's likely that many ad hoc enterprise data repositories were exposed.
- Screen sharing and remote administration software weaknesses are an increasing concern. A 2011 report from Trustwave found remote management software was one of the most commonly used attack vectors. And good luck to anyone using Symantec Corp.'s Norton pcAnywhere software; the ambiguous technical document Symantec released last month does little to assuage fears that the product has been completely compromised in the wake of Big Yellow's 2006 source code breach. Plus, recent research by Rapid7 CSO HD Moore found thousands of Internet-exposed systems listening on pcAnywhere's service port (TCP 5631), where an attacker could reach them directly.
- VPN risks can't be ignored either. Trustwave also found that a VPN or similar remote access method was exploited in more than half of the data breaches it investigated last year. Few, though, were as devastating and public as the Gucci network attack, in which a former employee used a VPN connection to wreak havoc on the network from afar.
Insecure or insecurely used remote access technologies, mechanisms that most security teams assume pose little risk, in reality offer attackers an abundance of ways to infiltrate enterprises.
"The biggest concern is that attackers will exploit that remote access connection as a jumping-off point, a hop along the way, to get deeper into an organization," said Chris Hopen, co-founder of TappIn, a secure file-sharing vendor. Few understand remote access better than Hopen, one of the inventors of the SSL VPN and CTO and co-founder of VPN pioneer Aventail, which was acquired in 2007 by SonicWall.
What's confounding, said Hopen, is that the largest underlying problem with remote access technologies isn't with remote access; it's poor identity validation and weak authentication.
"There have been so many purported solutions to this end-user identity and authentication challenge over the years, with millions and millions of dollars spent," Hopen said. "We've never found a solution people could live with that's cost-effective and adds an enhanced layer of security over traditional passwords. To me, that kicks me in the stomach."
The problem is felt more acutely in small and midsize businesses, especially those that operate point-of-sale (PoS) systems. As Verizon's 2012 DBIR points out, SMBs have proven highly vulnerable because they commonly outsource PoS management to third-party solution providers, many of which fail to properly secure the remote access tools they use to "help" their customers, often leaving them reachable from the Internet with default or easily guessed credentials.
"The message I've been trying to get out there is, if you're a VAR or reseller providing that service, it's to your competitive advantage to have security be in the upper tier of your priorities," said Ed Moyle, co-founder of Amherst, N.H.-based consultancy SecurityCurve and a former PCI DSS QSA.
He said this year's DBIR should serve as an opportunity for solution providers to reach out to their SMB customers to talk about these kinds of security problems and ways to improve them.
Moyle stressed security fundamentals to keep remote access usage in check, such as monitoring the network for remote access traffic that isn't being carried over HTTP, and restricting administrative rights on workstations. "It's not a panacea," Moyle said. "It's something everyone already knows about, but few actually do it."
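The monitoring Moyle describes is simple to start: watch firewall logs for connections to the well-known listener ports of RDP, VNC, pcAnywhere and SSH, flag any that arrive from outside the company's own address space (the exposed pcAnywhere systems HD Moore found would show up this way), and flag any source that hammers one host on those ports, which is what credential guessing against a third-party PoS vendor's remote access account looks like on the wire. The script below is an added example, not code from the article or from any vendor named in it. It assumes a constructed, simplified firewall log line format ("<ts> ACCEPT|DENY <proto> <src>:<port> -> <dst>:<port>"), an assumed internal range in CORP_NETS, and constructed sample log lines; the port table and thresholds are reasonable defaults, not anything the article prescribes.

```python
"""Spot remote access sessions in firewall log lines that deserve a second look.

Added example, not from the original article. The log format below is a
constructed, simplified firewall format, not any vendor's real one, and
CORP_NETS is an assumed list of the enterprise's own address ranges.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Well-known listener ports for the remote access services the article names
# (RDP, VNC, pcAnywhere) plus SSH, a common remote shell path. Assumed defaults.
REMOTE_ACCESS_PORTS = {3389: "RDP", 5631: "pcAnywhere", 5632: "pcAnywhere", 22: "SSH"}
REMOTE_ACCESS_PORTS.update({p: "VNC" for p in range(5900, 5910)})

# Assumed internal ranges; anything outside them is treated as external.
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed log format: "<ts> ACCEPT|DENY <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample lines: an outside host opening six RDP sessions in half a
# minute, one outside pcAnywhere session, ordinary internal RDP/VNC use, an
# HTTPS session that is not remote access at all, and a blocked SSH guessing run.
SAMPLE_LOG = """\
2012-03-01T02:11:03Z ACCEPT TCP 203.0.113.45:51022 -> 10.1.2.30:3389
2012-03-01T02:11:09Z ACCEPT TCP 203.0.113.45:51023 -> 10.1.2.30:3389
2012-03-01T02:11:14Z ACCEPT TCP 203.0.113.45:51024 -> 10.1.2.30:3389
2012-03-01T02:11:20Z ACCEPT TCP 203.0.113.45:51025 -> 10.1.2.30:3389
2012-03-01T02:11:27Z ACCEPT TCP 203.0.113.45:51026 -> 10.1.2.30:3389
2012-03-01T02:11:33Z ACCEPT TCP 203.0.113.45:51027 -> 10.1.2.30:3389
2012-03-01T02:15:40Z ACCEPT TCP 198.51.100.7:40110 -> 10.1.2.31:5631
2012-03-01T02:16:02Z ACCEPT TCP 10.1.5.20:50211 -> 10.1.2.30:3389
2012-03-01T02:16:30Z ACCEPT TCP 203.0.113.9:44321 -> 10.1.2.40:443
2012-03-01T02:17:15Z ACCEPT TCP 10.1.5.21:50300 -> 10.1.2.50:5900
2012-03-01T02:20:00Z DENY TCP 192.0.2.77:33001 -> 10.1.2.32:22
2012-03-01T02:20:05Z DENY TCP 192.0.2.77:33002 -> 10.1.2.32:22
2012-03-01T02:20:11Z DENY TCP 192.0.2.77:33003 -> 10.1.2.32:22
2012-03-01T02:20:16Z DENY TCP 192.0.2.77:33004 -> 10.1.2.32:22
2012-03-01T02:20:22Z DENY TCP 192.0.2.77:33005 -> 10.1.2.32:22
"""


def is_internal(addr):
    """True when addr falls inside one of the assumed corporate ranges."""
    return any(addr in net for net in CORP_NETS)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "action": m["action"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
    }


def analyze(log_text, guess_threshold=5, guess_window_s=120):
    """Return findings: accepted sessions to remote access ports from outside
    CORP_NETS, and rapid repeated attempts (accepted or denied) from one source
    against one host and port, the signature of credential guessing."""
    per_key = defaultdict(lambda: {"accepts": 0, "times": []})
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e or e["dport"] not in REMOTE_ACCESS_PORTS:
            continue  # not remote access traffic (e.g. plain HTTPS), skip it
        key = (str(e["src"]), str(e["dst"]), e["dport"])
        per_key[key]["times"].append(e["ts"])
        if e["action"] == "ACCEPT":
            per_key[key]["accepts"] += 1

    findings = []
    for (src, dst, dport), rec in per_key.items():
        service = REMOTE_ACCESS_PORTS[dport]
        if rec["accepts"] and not is_internal(ipaddress.ip_address(src)):
            findings.append({"type": "external_inbound", "service": service,
                             "src": src, "dst": dst, "dport": dport,
                             "sessions": rec["accepts"]})
        times = sorted(rec["times"])
        # Sliding window: guess_threshold attempts inside guess_window_s seconds
        for i in range(len(times) - guess_threshold + 1):
            span = (times[i + guess_threshold - 1] - times[i]).total_seconds()
            if span <= guess_window_s:
                findings.append({"type": "credential_guessing", "service": service,
                                 "src": src, "dst": dst, "dport": dport,
                                 "attempts": len(times)})
                break
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the script reports the outside RDP source twice (as an external session and as a guessing run), the outside pcAnywhere session once, and the blocked SSH burst as guessing only; the internal RDP and VNC sessions and the HTTPS connection produce nothing. Denied attempts are counted toward the guessing window on purpose: a source that is being blocked on port 22 is still telling you something, and the next attempt may land on a host the firewall does not cover.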
Hopen said organizations should consider emerging security products that offer enhanced forensic analysis and directory and data monitoring capabilities to better detect when remote access technologies are being used in support of an attack. However, even with better supplemental security products, he said enterprises must shift more of the responsibility for proper use of remote access products to their end users.
"You've got to have better solutions to drive up productivity while mitigating and managing risk," Hopen said, "but I think end users who are given access to these services are a big part of the equation in enhancing and maintaining trust."
Eric B. Parizo is Senior Site Editor of TechTarget's Security Media Group. His rants can also be heard each month on SearchSecurity.com's Security Squad podcast.