Another day, another security breach. Today, it’s a number of breaches that may or may not tie together, but all seem to have one thing in common: poor remote access security.
Most notably, the US Department of Homeland Security has issued an advisory regarding the "Backoff" point-of-sale malware, which has been associated with several PoS data breach investigations. The advisory states:
Recent investigations revealed that malicious actors are using publicly available tools to locate businesses that use remote desktop applications. Remote desktop solutions like Microsoft's Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop 2, Pulseway, and LogMEIn Join.Me offer the convenience and efficiency of connecting to a computer from a remote location. Once these applications are located, the suspects attempted to brute force the login feature of the remote desktop solution. After gaining access to what was often administrator or privileged access accounts, the suspects were then able to deploy the point-of-sale (PoS) malware and subsequently exfiltrate consumer payment data via an encrypted POST request...
Similar attacks have been noted in previous PoS malware campaigns and some studies state that targeting the Remote Desktop Protocol with brute force attacks is on the rise.
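The brute-force pattern the advisory describes leaves a recognizable trace in the Windows Security log: a burst of failed logons (event 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source, sometimes followed by a success (event 4624). As an added example that is not part of the original post or the DHS advisory, the following check runs that logic over a handful of constructed sample events; the five-failures-in-five-minutes threshold is an assumption to tune for your environment.

```python
"""Flag likely brute-force attempts against RDP logins from Windows Security
events. Event 4625 = failed logon, 4624 = successful logon, logon type 10 =
RemoteInteractive (RDP). Sample events below are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, logon_type, source_ip, user).
SAMPLE_EVENTS = [
    ("2014-08-01T02:00:01", 4625, 10, "203.0.113.5", "administrator"),
    ("2014-08-01T02:00:03", 4625, 10, "203.0.113.5", "admin"),
    ("2014-08-01T02:00:04", 4625, 10, "203.0.113.5", "pos"),
    ("2014-08-01T02:00:06", 4625, 10, "203.0.113.5", "Administrator"),
    ("2014-08-01T02:00:09", 4625, 10, "203.0.113.5", "support"),
    ("2014-08-01T02:00:15", 4624, 10, "203.0.113.5", "administrator"),
    ("2014-08-01T09:12:00", 4625, 10, "192.0.2.10", "jsmith"),   # one typo, then success
    ("2014-08-01T09:12:30", 4624, 10, "192.0.2.10", "jsmith"),
    ("2014-08-01T09:13:00", 4625, 3, "192.0.2.11", "svc"),       # network logon, not RDP
]

def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: (total_failures, success_after_burst)} for every
    source with at least `threshold` failed RDP logons inside `window`.
    success_after_burst is True when a successful RDP logon from the same
    source follows the burst, which is the case that needs immediate triage."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, event_id, logon_type, src, _user in events:
        if logon_type != 10:          # assumption: only RDP logons are of interest here
            continue
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            failures[src].append(t)
        elif event_id == 4624:
            successes[src].append(t)
    hits = {}
    for src, times in failures.items():
        times.sort()
        for i in range(len(times)):
            j = i + threshold - 1      # sliding window of `threshold` failures
            if j < len(times) and times[j] - times[i] <= window:
                burst_end = times[j]
                followed = any(s > burst_end for s in successes[src])
                hits[src] = (len(times), followed)
                break
    return hits
```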
Apart from this advisory, the Delaware Restaurant Association notified its 1,900 member restaurants about a possible breach of consumer payment card data, which the association says “appears to be linked to LogMeIn, a remote access and systems management provider that facilitates, among other things, file sharing and data backup.” And Krebs on Security is reporting that the Jimmy John’s sandwich chain is investigating breach claims.
While some of these remote desktop access connections exist for employees to access their work computers from home, others are set up so IT administrators, outsourcers, and vendors can remotely manage and support desktops and other systems. It’s especially critical that these connections are secure as they typically include admin-level permissions that hackers can exploit.
But even if an end-user is simply using a tool like RDP to access a single desktop, his or her credentials can be used to install malware on that system. Once that individual PC is compromised, hackers can use it as a launching point to seek access to more critical systems.
In its advisory, the Department of Homeland Security provides a number of guidelines for improving remote access security, including:
For those using remote access for technical support, you can take security even further with a few additional recommendations:
Security has many layers, and no one solution is going to fully protect you from a data breach. But if you can lock down the initial entry pathway just a bit more, you can significantly up your chances of keeping hackers out and your sensitive data in.

Boatner Blankenstein is Senior Director of Solutions Engineering for Bomgar, a remote IT support provider for enterprises.