Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


01:20 PM
Connect Directly

9 Steps To Enabling Remote Access, Safely

Security goes beyond encryption, authentication, and monitoring employees. We also need to ensure privileged users aren't betraying trust. Here's how.

As remote workers become more commonplace, their connections represent an increasingly vexing risk factor. For respondents to our InformationWeek Analytics 2010 Strategic Security Survey who said their companies are more vulnerable now than in 2009, 66% cited as the reason more ways to attack corporate networks, including wireless. Yet IT must ensure mobile workers have the access they need to be productive.

Here's one angle CIOs often overlook: Providing this level of 24/7 support translates to a lot of people with high access privileges working remotely--not just business users, but IT support staff as well.

Most of us have no choice but to open systems to the outside world. The challenge is to do so in a measured fashion, and in a way that allows you to track and audit access while protecting data. Here's our hit list of the top nine dangers that come with unfettered remote access, along with mitigation tips for each.

1| Danger: Running afoul of regulations Mitigation: Document the corporate data and intellectual property that you must protect

This exercise is basic--and vital. You can't even begin to audit and protect your organization's data until you know where all the important stuff resides. The results of a data discovery process can be leveraged across many different projects, including compliance, risk assessment, and data loss prevention (DLP) initiatives.

2| Danger: You can't easily correlate account activity and usage Mitigation: Rein in your account and password policy

Want an eye opener? Ask for a report on the number of general accounts in your directory services infrastructure. We're talking about those accounts called "Support" or "Payroll"--you know, the ones all 5,000 company employees seem to know the passwords to. If you're using general-purpose accounts for any authentication activities without carefully controlling access rights, you're playing Russian roulette. To the degree you can, eliminate them.

And while you're cracking down on anonymous accounts, give some thought to your password policy. Implementing strong passwords is arguably the easiest mitigation task on our list to execute. Sure, it might also be the one that generates the most hate mail to IT, but there's no getting around the fact that you can't let users select "password."

3| Danger: Your chief of marketing leaves his iPad at a trade-show booth Mitigation: Two-factor authentication

Generally, it's not that the authentication mechanisms most of us use now are bad--it's just that they're often not enough. For example, when it comes to Active Directory authentication, Kerberos will leverage either RC4 or AES (depending on the operating system) to protect and encrypt the authentication process itself. However, if an employee's credentials are compromised, no level of encryption in the authentication process will save you. That's why two-factor authentication is critical for securing high-value assets.

4 | Danger: An inability to audit remote user and remote support staff activity Mitigation: Log management and session recording

Let's assume that your CEO is on sabbatical. How would you explain multiple connections to your corporate VPN gateway using your CEO's logon credentials, sourced from diverse IP addresses that, according to Internet registry ARIN, originate from various geographical locations? As staff access the network remotely, touching your company's valuable data, and as support personnel connect remotely to various systems for management purposes, you need a way to check for anomalous activity, and a way to audit usage. A scalable log management appliance is one way to solve this problem; we discuss others in our full report, free for a limited time at informationweek.com/analytics/ra.

5 | Danger: Malware blows up your top sales exec's laptop right before a high-stakes presentation Mitigation: SaaS Web security

For anyone who supports road warriors, malware is a major headache--infections always seem to torpedo laptops right before important client meetings. Corporate users protected by on-premises Web security appliances generally enjoy robust protection from malware. However, extending that protection efficiently to remote users has never really been an option, because it simply doesn't make sense to proxy Web traffic for an employee working at a client site in San Diego through the main data center in Boston.However, SaaS Web security vendors often have enough locations that one will be close to remote workers; by proxying outbound Web traffic through a third-party's Web security cloud, you get better performance along with top-tier malware and antivirus protection.

6 | Danger: Your CEO leaves his laptop on a plane, along with your company's 10-year strategic plan Mitigation: Whole-disk encryption

Yes, we know, endpoint whole-disk encryption can be a major hassle to deploy and manage. Unfortunately, it's increasingly a requirement of state and federal data privacy laws, some of which you may be subject to.

Aside from the compliance benefits, deploying whole-disk encryption is simply good business because many of the most egregious data leaks have occurred because of laptop theft and stolen or lost removable media. It's time to bite the bullet.

7 | Danger: Your CTO decides she's entitled to take her source code to her new job Mitigation: Network and endpoint DLP

DLP is a valuable tool for preventing the purposeful and accidental leakage of vital data, especially when it comes to securing and auditing remote access. On the endpoint, you can implement policies that disallow the printing or screen capturing of certain documents or the copying and pasting of specific fields. As sensitive data traverses the network, gateway DLP appliances can peruse each and every packet, looking for data that violates policy, and take action accordingly.

8 | Danger: Out of the blue, someone from Indonesia is accessing your CRM system Mitigation: Behavioral analysis

Without the right tools, it's very difficult to detect when a critical system has been compromised. By the time most organizations figure out what's going on, the damage has already been done. While there are other methods to detect unauthorized access to critical systems, network behavioral anomaly detection (NBAD) tools can be a first line of defense in identifying anomalous events in real time. By baselining the chatter on the wire between client and server, NBAD systems make quick work of alerting administrators when a new connection is being made from an unrecognized IP block. Granted, NBAD systems aren't all that popular, but they can save you grief.

9 | Danger: Someone on your support staff is using his administrative rights to steal sensitive data from a remote location Mitigation: Remote access policy

In the hands of a loyal and ethical support staffer, remote access is a valuable tool. In the hands of a data thief, it can be deadly. Fortunately, CIOs can take a couple of steps to mitigate the threat. Our main advice: Turn off remote desktop access via domain policy. If an administrator or a help desk employee needs remote access to an employee's system, then that employee should approve the remote access request via your Web-based collaboration tool of choice.

Find our full report on secure remote access, free for a limited time, at informationweek.com/analytics/ra

Randy George is an Information-Week contributor. You can write to us at [email protected]

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
11/30/2015 | 5:40:26 AM
R-HUB remote support
Above mentioned steps helps businesses and organizations to enhance their remote access security and policies. Tools like R-HUB remote support servers provides secured remote access to computers and mobile devices as it works from behind the companys firewall and not outside of it.
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-03-17
The Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the full name value in versions up to, and including, 21.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that w...
PUBLISHED: 2023-03-17
The WP Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pec_coupon[code]’ parameter in versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenti...
PUBLISHED: 2023-03-17
A vulnerability was found in SourceCodester Student Study Center Desk Management System 1.0. It has been rated as critical. This issue affects the function view_student of the file admin/?page=students/view_student. The manipulation of the argument id with the input 3' AND (SELECT 2100 FROM (SELECT(...
PUBLISHED: 2023-03-17
A vulnerability classified as critical has been found in SourceCodester Student Study Center Desk Management System 1.0. Affected is an unknown function of the file Master.php?f=delete_img of the component POST Parameter Handler. The manipulation of the argument path with the input C%3A%2Ffoo.txt le...
PUBLISHED: 2023-03-17
A vulnerability classified as critical was found in SourceCodester Student Study Center Desk Management System 1.0. Affected by this vulnerability is an unknown functionality of the file admin/?page=reports&date_from=2023-02-17&date_to=2023-03-17 of the component Report Handler. The manipula...