[BreachExchange] Remote Access: The Hidden Weak Spot for Cyberattacks

Destry Winant destry at riskbasedsecurity.com
Thu Oct 4 19:59:24 EDT 2018


Many of today's massive data breaches are linked to compromised
credentials belonging to remote workers, third parties, and outsourced
IT contractors. While telework and outsourced services have become
commonplace in the commercial and public sectors, organizations still
have work to do when it comes to establishing security practices that
support these new business models.

A recent alert by the Federal Bureau of Investigation (FBI) and
Department of Homeland Security (DHS) illustrates that cyber
adversaries have identified remote access as a weak spot that can be
exploited. The FBI has seen a significant rise in cyber-attacks that
exploit remote access methods such as remote desktop protocol (RDP) to
gain unauthorized access to accounts and subsequently exfiltrate
sensitive data. Given this trend, what can organizations do to limit
their exposure to these types of attacks, while supporting agile
business models?

Remote work and outsourced services have reshaped the business
landscape over the past decade. According to Global Workplace
Analytics, the number of remote workers has grown by 140 percent since
2005, and 70 percent of professionals now work remotely at least one
day a week. At the same time, the percentage of organizations that
have outsourced their IT is the highest in five years, driven primarily
by cost savings, the need to focus on core business operations, and
in-house resource limitations.

To enable remote workers, IT outsourcers, and partners to safely
access corporate resources, organizations have historically relied on
Virtual Private Networks (VPNs). The problem with VPNs, however, is
that once inside, the user has access to the entire network. This
introduces a significant level of risk. In addition, VPNs can be
operationally complex and expensive to maintain. They are also
inconvenient for users, requiring a series of manual, time-consuming
steps to enter credentials and initiate a session. The advent of
cloud, BYOD, and virtualization technologies has further expanded an
attack surface that was already difficult to protect.

While authentication with a username and password is required to
establish a VPN connection, attackers can compromise these connections
and inject malware onto the remote system. By hijacking remote access
sessions, malicious actors can compromise identities, steal login
credentials, and exfiltrate other sensitive information. To minimize
the risk associated with remote access threats, organizations should
implement the following four measures to strengthen their security:
• Establish Access Zones - As with network segmentation, organizations
can establish so-called Access Zones. These are a collection of
attributes and security policies that define the identities, access
rights, and privileges shared by a group of users. For example, an
organization can define an Access Zone for its outsourced IT
contractor that specifies the resources the contractor needs for its
work and blocks access to every other infrastructure resource.

• Grant Access to Specific Resources, Not the Network - Unlike a VPN,
which gives users visibility into the entire network, privileged access
management solutions can be used to limit access to assets on a
per-resource basis. These proxy-based technologies give an
organization's privileged internal IT admins access to as much of the
infrastructure as necessary, while limiting an outsourced team or
remote workers to only the servers and network hardware their role
requires. In combination with Access Zones, this practice
significantly reduces the risk of lateral movement after a compromise.

• Grant Least Privilege - Given how often privileged access is
misused, it is essential to limit access and privilege using a Zero
Trust Security approach. This entails establishing granular,
role-based access controls via Access Zones to limit lateral movement,
as well as just-enough and just-in-time privilege for applications and
infrastructure. For example, if an outsourced IT provider is contracted
to maintain an Oracle database, its access can be limited to that
single resource. For stronger security, controls can be placed on the
range of commands the provider is allowed to run. Should additional
privileges be required, they can be requested via a workflow ticket;
approval of the ticket grants immediate but temporary privilege to run
additional commands on the database, which lapses when the ticket
expires.

• Use Risk-Based Multi-Factor Authentication - To further enhance
security, organizations should combine risk- and role-based access
controls, user context, and multi-factor authentication (MFA). This
approach enables intelligent, automated, real-time decisions about
granting privileged access to users who are remotely accessing
servers, checking out a password, or using a shared account to log
into remote systems.
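The four measures above combine into a single authorization decision: is the user in a zone, is the resource in that zone, is the command allowed (standing or via an approved, time-limited ticket), and does the request's context warrant an MFA step-up. The following policy engine is an added illustration of that combined check, not code from the article or from any product it describes; the zone, user, host and command names, the risk signals, and the ticket TTL are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class AccessZone:
    """A group of identities plus the resources and commands it may use
    without elevation (the Access Zone concept from the article)."""
    name: str
    members: set
    resources: set   # hosts/services reachable from this zone
    commands: set    # commands allowed with standing privilege


@dataclass
class JitGrant:
    """An approved workflow ticket: extra commands on one resource, time-boxed."""
    user: str
    resource: str
    commands: set
    expires: datetime


@dataclass
class Request:
    """One remote-access attempt together with its risk context."""
    user: str
    resource: str
    command: str
    known_device: bool = True       # device previously enrolled by this user
    usual_location: bool = True     # source matches the user's normal locations
    shared_account: bool = False    # logging in via a shared/service account
    password_checkout: bool = False # vault checkout of a privileged password


class PolicyEngine:
    def __init__(self, zones):
        self.zones = zones
        self.grants = []   # approved just-in-time grants

    def approve_ticket(self, user, resource, commands, now, ttl_minutes=60):
        """Ticket approval grants immediate but temporary privilege."""
        grant = JitGrant(user, resource, set(commands),
                         now + timedelta(minutes=ttl_minutes))
        self.grants.append(grant)
        return grant

    def _zone_for(self, user):
        return next((z for z in self.zones if user in z.members), None)

    def _jit_allows(self, req, now):
        # Expired grants are dropped before they are consulted, so a lapsed
        # ticket can never authorize anything.
        self.grants = [g for g in self.grants if g.expires > now]
        return any(g.user == req.user and g.resource == req.resource
                   and req.command in g.commands for g in self.grants)

    def _risk_signals(self, req):
        signals = []
        if not req.known_device:
            signals.append("unknown-device")
        if not req.usual_location:
            signals.append("unusual-location")
        if req.shared_account:
            signals.append("shared-account")
        if req.password_checkout:
            signals.append("password-checkout")
        return signals

    def decide(self, req, now):
        """Return (decision, reason); decision is deny, allow or allow-with-mfa."""
        zone = self._zone_for(req.user)
        if zone is None:
            return ("deny", "user belongs to no access zone")
        if req.resource not in zone.resources:
            return ("deny", f"{req.resource} is outside zone {zone.name}")
        if req.command not in zone.commands and not self._jit_allows(req, now):
            return ("deny", f"{req.command} requires an approved ticket")
        signals = self._risk_signals(req)
        if signals:
            return ("allow-with-mfa", ",".join(signals))
        return ("allow", f"in zone {zone.name}, low risk")


if __name__ == "__main__":
    # Constructed scenario: an outsourced DBA zone scoped to one Oracle host.
    engine = PolicyEngine([AccessZone("oracle-contractor", {"alice"},
                                      {"db01.example.internal"},
                                      {"sqlplus", "rman"})])
    now = datetime(2018, 10, 4, 12, 0)
    print(engine.decide(Request("alice", "db01.example.internal", "sqlplus"), now))
    print(engine.decide(Request("alice", "fileserver", "ls"), now))
    engine.approve_ticket("alice", "db01.example.internal", ["sudo"], now, 30)
    print(engine.decide(Request("alice", "db01.example.internal", "sudo"), now))
    print(engine.decide(Request("alice", "db01.example.internal", "sudo"),
                        now + timedelta(minutes=31)))
```

The ordering matters: zone membership and the per-resource check run first, so a contractor never reaches a host outside their zone no matter what ticket they hold, and the MFA step-up is applied only to requests that have already passed those structural checks.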

By implementing these measures, organizations can limit their exposure
to remote access-based cyber threats while supporting agile business
models such as remote work and outsourced IT. Addressing these
security challenges is central to supporting digital transformation
initiatives while protecting corporate assets.
