Remote Access: The Hidden Weak Spot for Cyberattacks

Many of today’s massive data breaches are linked to compromised credentials belonging to remote workers, third parties, and outsourced IT contractors. While tele-work and outsourced services have become commonplace in the commercial and public sectors, organizations still have work to do when it comes to establishing security practices to support these new business models.

A recent alert by the Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) illustrates that cyber adversaries have identified remote access as a weak spot that can be exploited. The FBI has seen a significant rise in cyber-attacks that exploit remote access methods such as remote desktop protocol (RDP) to gain unauthorized access to accounts and subsequently exfiltrate sensitive data. Given this trend, what can organizations do to limit their exposure to these types of attacks, while supporting agile business models? 

Remote work and outsourced services have reshaped the business landscape over the past decade. According to Global Workplace Analytics, the number of remote workers has grown by 140 percent since 2005, while 70 percent of professionals now work remotely at least one day a week. At the same time, the percentage of organizations that have outsourced their IT is the highest in five years, primarily driven by cost savings, the need to focus on core business operations, and in-house resource limitations.

To enable remote workers, IT outsourcers, and partners to safely access corporate resources, organizations have historically relied on Virtual Private Networks (VPNs). The problem with VPNs, however, is that once inside, the user has access to the entire network. This introduces a significant level of risk. In addition, VPNs can be operationally complex and expensive to maintain. They are also inconvenient for users, requiring a series of manual, time-consuming steps to enter credentials and initiate a session. The advent of cloud, BYOD, and virtualization technologies has expanded an attack surface that was already difficult to protect.

While authentication with a username and password is required to establish a VPN connection, attackers can compromise these connections and inject malware onto the remote system. By hacking remote access sessions, malicious actors can compromise identities, steal login credentials, and exfiltrate other sensitive information. To minimize the risk associated with remote access threats, organizations should implement the following four measures to strengthen their security posture:

• Establish Access Zones - As in network segmentation, organizations can establish so-called Access Zones. These are a collection of attributes and security policies that define the identities, access rights, and privileges shared by a group of users. For example, an organization can define an Access Zone for their outsourced IT contractor that defines the specific resources they need to access for their work and blocks access to any other infrastructure resources.

• Grant Access to Specific Resources, Not the Network - Unlike a VPN that gives users visibility into the entire network, privileged access management solutions can be used to limit access to assets on a per-resource basis. These proxy-based technologies give an organization’s privileged internal IT admins access to as much of infrastructure as necessary, while limiting access by an outsourced team or remote workers to only the servers and network hardware their role requires. In combination with Access Zones, this security practice significantly reduces the risk of lateral attacks.

• Grant Least Privilege - Considering the high percentage of privileged access misuse, it is essential to limit access and privilege using a Zero Trust Security approach. This entails establishing granular, role-based access controls via Access Zones to limit lateral movement, as well as just-enough and just-in-time privilege to applications and infrastructure. For example, if an outsourced IT provider is contracted to maintain an Oracle database, their access can be limited to this single resource. For advanced security, controls can be placed on the range of commands they are allowed to perform. Should additional privileges be required, these can be requested via a workflow ticket. The approval of the ticket would grant immediate, but temporary, privilege to run additional commands on the database.

• Use Risk-Based Multi-Factor Authentication - To further enhance security, organizations should combine risk- and role-based access controls, user context, and multi-factor authentication (MFA). This approach enables intelligent, automated, and real-time decisions for granting privileged access to users who are remotely accessing servers, on password checkout, or when using a shared account to log into remote systems.
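The Access Zone, per-resource grant, command restriction, and ticket-approved just-in-time privilege described in the measures above, modelled as a small default-deny policy engine. This is an added illustration, not code from the article or from any vendor product; the class and field names, the contractor identity, host name, and timestamps are all constructed for the example.

```python
# Constructed example: a default-deny policy engine modelling the article's
# Access Zones, per-resource grants, command allow-lists, and just-in-time
# elevation via an approved, time-boxed ticket. All names are assumed.
from dataclasses import dataclass, field

@dataclass
class AccessZone:
    name: str
    members: set           # user identities covered by this zone
    resources: set         # the only hosts these members may reach
    allowed_commands: set  # standing (always-on) command allow-list

@dataclass
class Ticket:
    user: str
    resource: str
    extra_commands: set
    approved: bool
    expires_at: int        # Unix time; the privilege lapses after this

@dataclass
class PolicyEngine:
    zones: list
    tickets: list = field(default_factory=list)

    def authorize(self, user, resource, command, now):
        """Return (allowed, reason). Deny unless an Access Zone grants the
        resource AND the command is in the zone's standing allow-list or in
        an approved, unexpired JIT ticket for that user and resource."""
        zone = next((z for z in self.zones
                     if user in z.members and resource in z.resources), None)
        if zone is None:
            return False, "no Access Zone grants this resource"
        if command in zone.allowed_commands:
            return True, f"standing privilege in zone {zone.name}"
        for t in self.tickets:
            if (t.user == user and t.resource == resource and t.approved
                    and command in t.extra_commands and now < t.expires_at):
                return True, "approved just-in-time ticket"
        return False, "command outside allow-list and no valid ticket"

def demo_engine():
    """Outsourced DBA contractor limited to one Oracle host and read-only
    commands; an approved ticket grants ALTER for one hour from t=1000."""
    zone = AccessZone("oracle-dba-contractor", {"contractor-jdoe"},
                      {"oracle-prod-01"}, {"SELECT", "SHOW STATUS"})
    ticket = Ticket("contractor-jdoe", "oracle-prod-01", {"ALTER"},
                    approved=True, expires_at=1000 + 3600)
    return PolicyEngine(zones=[zone], tickets=[ticket])
```

Every request that is not explicitly granted is denied with a reason string, which is what you would log for the detection side of the same control.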

By implementing these measures, organizations can limit their exposure to remote access-based cyber threats while supporting agile business models such as remote work and outsourced IT. Addressing these security challenges is central to supporting digital transformation initiatives while protecting corporate assets.

Torsten George is currently a security evangelist at Centrify. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He has more than 20 years of global information security experience and is a frequent speaker on cyber security and risk management strategies. Torsten regularly provides commentary and publishes articles on data breaches, incident response best practices, and cyber security strategies in media outlets. He has held executive level positions with RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).