Over the last 24 hours, the marketplace has been astir with the news of Symantec officially recommending that their customers disable pcAnywhere for all but the most mission-critical applications. For many this is the first time they have considered that the remote control technology they are using could be a backdoor for hackers. What they likely don’t realize is that long before the Symantec breach, legacy remote control applications like pcAnywhere were ALREADY the #1 way hackers compromised networks. According to the 2011 Global Security Report from Trustwave SpiderLabs:
“In 63% of our investigations in which a method of entry could be determined, the attacker simply leveraged an available remote access application.”
That finding is echoed by the 2011 Data Breach Investigations Report by the Verizon Business RISK Team. Their report states:
“Remote access and desktop services are once again at the #1 spot in the list of attack pathways. A whopping 71% of all attacks in the hacking category were conducted through this vector.”
The Verizon report even specifically calls out pcAnywhere by name (along with Microsoft’s RDP) as the primary products implicated in these breaches. The calls to replace legacy remote control technology with the next generation didn’t just start in 2010 or 2011 either. In 2009, Gartner released a report titled “PC Remote Control Security: Risks & Recommendations.” The report very clearly states that legacy remote control products can have serious security issues. On top of all the security issues, the report additionally says:
“Legacy remote control tools are incapable of supporting increasingly complex environments, and companies must find new ways to provide support services to users.”
Remote access has become an indispensable tool to a majority of companies, with the ability to increase productivity and savings in incredible ways. The question is not whether to support users and systems remotely, but how to do it correctly and securely. So what is the right way to do remote support? It really comes down to four things:
-Architecture – The product needs to be centrally administered and managed with the data in the control and oversight of the company using the technology.
-Authentication – It should integrate with Active Directory, LDAP, RADIUS, Kerberos, and other authentication mechanisms including multi-factor authentication. This eliminates the problem of everyone in IT “knowing the password” and inevitably sharing it and storing it where they should not. It also eliminates the possibility that a former employee would still have access.
-Access Controls – Very granular access should be possible around what exactly you can and can’t do with the product. Granular permissions can ensure that individuals don’t have more access than they need and are only allowed to do certain things on certain systems.
-Audit – Full session logs and even full video recordings of each session should be captured, stored, and available. The company should be able to produce reports at any moment on (1) who connected to whom, (2) what systems and IP addresses they used, and (3) what they did (including full audit trail and video recording of session).
With these considerations in mind and armed with the products that support them, IT will be able to do their job without their tools inadvertently opening up the #1 attack pathway into the enterprise.