It's very common for organisations to allow external service companies to access their systems, typically vendors and support specialists who assist with the maintenance, installation and troubleshooting of IT systems.
Now cybercriminals are targeting vendors with network access privileges as an easy way to infiltrate enterprises; for example, last year's Target hack in the US that compromised 40 million credit card numbers was traced back to network credentials stolen from a vendor. Unfortunately, the Target breach isn't an isolated case. According to the 2013 Trustwave Global Security Report, up to 63 percent of data breaches are linked to a third-party component of system administration.
Yet many organisations still lack awareness of how third-party service companies are remotely accessing their systems, putting themselves at significant risk. With vendors and service providers often using free or basic remote access tools, and sharing the same generic credentials across technicians, hackers are getting easy access to remote systems by simply guessing passwords or using a brute force attack. In fact, the Trustwave report found that, “Organisations that use third-party support typically use remote access applications, like Terminal Services (termserv) or Remote Desktop Protocol (RDP), pcAnywhere, Virtual Network Client (VNC), LogMeIn or Remote Administrator to access their customers' systems. If these utilities are left enabled, attackers can access them as though they are legitimate system administrators,” and the Verizon Wireless 2013 Data Breach Investigation Report found that 76 percent of network intrusions exploited weak or stolen credentials.
And external hackers are not the only issue: if credentials are shared and rarely changed, vendors' ex-employees are then able to remotely access your systems long after they leave the company.
This makes taking back control of third-party remote access imperative: once you know how your systems are being accessed, staying secure will become much easier using a combination of strategies and technologies.
The first step is to consolidate tools. By requiring every third party and internal employee to use one consolidated, company-owned solution for remote access, you will greatly improve your ability to monitor and block dubious activity. As part of this, it is important to shut off remote access from unapproved tools. For example, RDP port 3389 is a favourite target for hackers, and the web-based solutions increasingly used by vendors wanting a cheap way to access your systems can pose a significant risk. The free versions are also commonly used by tech support call scammers, so blocking them provides a security bonus.
Once tools are consolidated, businesses can look at who has access, assigning roles using granular permissions. By selecting a third-party remote access solution that includes permission settings by vendor or team, you can designate who can access which systems, and when, instead of the traditional 'on' or 'off' VPN approach. This ensures that no user has more access than they need: most third parties will only need to work on one system or a small group of systems on your network, and even then they may not need full access.
Adding security layers to systems is also important. Requiring two-factor authentication for anyone who logs into your remote access solution will reduce the chance of stolen vendor credentials, while boosting your regulatory compliance.
However, preventing attacks is just one side of the story: what should a business do after an incident has occurred? Most companies don't know straight away when they have been hacked, and according to the Verizon report, the majority of breaches take months to discover. To identify unapproved activity through third-party channels more quickly, enterprises should capture a secure audit trail of all remote access activity and set up alerts for unusual actions. Firms should ensure the trail is captured in a secure place within the business network, rather than the vendor's. It will then be difficult to cover up if the third party has made a mistake.
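To show what the two preceding points look like in practice, here is an added example (not code from the article or from Bomgar) that encodes per-vendor permissions of the kind described above (approved systems, named technicians, an access window) and runs a remote-access audit trail against them, raising alerts for sessions that fall outside policy. The vendor names, hosts, accounts, log format and IP addresses are all constructed for illustration; the approved tool name "gateway" and the log field names are assumptions, not a real product's format.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time

# Constructed per-vendor policy: approved systems, named technicians and an
# access window (UTC). Every vendor, host and account name here is invented.
POLICY = {
    "hvac-vendor": {
        "hosts": {"bms-01", "bms-02"},
        "technicians": {"alice", "bob"},
        "window": (time(8, 0), time(18, 0)),
    },
    "pos-support": {
        "hosts": {"pos-db-01"},
        "technicians": {"carol"},
        "window": (time(0, 0), time(23, 59, 59)),
    },
}

# The single company-owned remote access tool every session should use
# (assumed name for this example).
APPROVED_TOOL = "gateway"


@dataclass
class Event:
    ts: datetime
    vendor: str
    user: str
    host: str
    src: str
    tool: str


def parse_line(line: str) -> Event:
    """Parse one audit line in the constructed form
    '2014-05-02T09:15:02Z vendor=... user=... host=... src=... tool=...'."""
    stamp, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return Event(
        ts=datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"),
        vendor=fields["vendor"],
        user=fields["user"],
        host=fields["host"],
        src=fields["src"],
        tool=fields["tool"],
    )


def check_event(e: Event) -> list:
    """Return the policy violations for a single session event."""
    reasons = []
    rule = POLICY.get(e.vendor)
    if rule is None:
        return [f"{e.vendor}: vendor has no approved access policy"]
    if e.user not in rule["technicians"]:
        reasons.append(f"{e.user}: account not on {e.vendor}'s current technician roster")
    if e.host not in rule["hosts"]:
        reasons.append(f"{e.host}: system not approved for {e.vendor}")
    start, end = rule["window"]
    if not (start <= e.ts.time() <= end):
        reasons.append(f"{e.ts.isoformat()}: session outside {e.vendor}'s access window")
    if e.tool != APPROVED_TOOL:
        reasons.append(f"{e.tool}: remote access tool is not the approved gateway")
    return reasons


def audit(log_text: str) -> list:
    """Evaluate a whole audit trail and return (line_number, reason) alerts.

    Besides the per-event checks, a technician account seen from more than
    one source address is flagged, a common symptom of credentials being
    shared between technicians."""
    alerts = []
    sources = defaultdict(set)
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        e = parse_line(line)
        for reason in check_event(e):
            alerts.append((n, reason))
        seen = sources[(e.vendor, e.user)]
        seen.add(e.src)
        if len(seen) > 1:
            alerts.append((n, f"{e.user}: credential used from multiple source addresses {sorted(seen)}"))
    return alerts


# Constructed sample audit trail (documentation-range IP addresses).
SAMPLE_LOG = """\
2014-05-02T09:15:02Z vendor=hvac-vendor user=alice host=bms-01 src=198.51.100.7 tool=gateway
2014-05-02T09:40:10Z vendor=hvac-vendor user=alice host=bms-01 src=203.0.113.44 tool=gateway
2014-05-02T22:05:31Z vendor=hvac-vendor user=bob host=bms-02 src=198.51.100.7 tool=gateway
2014-05-03T10:12:44Z vendor=hvac-vendor user=dave host=pos-db-01 src=203.0.113.9 tool=rdp
2014-05-03T11:00:00Z vendor=pos-support user=carol host=pos-db-01 src=192.0.2.15 tool=gateway
"""

if __name__ == "__main__":
    for line_no, reason in audit(SAMPLE_LOG):
        print(f"ALERT line {line_no}: {reason}")
```

Run against the sample trail, the first and last sessions pass cleanly; the second trips the shared-credential heuristic (alice from two addresses), the third is outside the vendor's window, and the fourth raises three alerts at once (an account not on the roster, a system the vendor is not approved for, and an unapproved tool). Because the policy lives with the audit trail on the business side, the vendor cannot quietly widen its own access or erase the record.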
It is time to take back third-party remote access control. By implementing these guidelines alongside a strategy that encourages visibility, businesses can keep on top of security, ensuring that valuable company data is protected.
Contributed by Stuart Facey, VP International at Bomgar