2013 Trustwave Global Security Report: Remote Access Still the #1 Pathway for Hackers

There is no 'if' you will be attacked, only 'when'

Chris Christiansen, Program Vice President Security Products and Services, IDC.

It’s obvious that cyber-crime is no longer just fodder for futuristic, suspenseful movie plots, such as War Games or Sneakers. The future is here. And though we may not be Bruce Willis saving the US financial system from cyber-terrorists, we are all obligatory players in what is quickly becoming an online battlefront. 

Today, Trustwave released their 2013 Global Security Report, analyzing more than 450 incident response investigations, along with data from two million vulnerability scans, 400 web-based data breaches, and more than 20 billion e-mails. The threat to each and every business is undeniably real, with cyber security threats “increasing as quickly as businesses can implement measures against them.” Although Retail and Food and Beverage organizations were the primary target, Trustwave found that “nearly every industry, country and type of data was involved in a breach of some kind.” Welcome to the War of the Cyber World.

It’s no surprise that in this ongoing battle, remote access was again the number-one method of infiltration for data breaches in 2012, accounting for 47% of the analyzed attacks. Gaining unauthorized control of a remote access solution allows almost limitless possibilities to any hacker. And with many businesses outsourcing some or all of their IT operations, the risks are even greater. The Trustwave report found that in 63% of the incidents investigated, a major component of IT support was outsourced to a third-party vendor.

Figure: Attack Pathways, Trustwave 2013 Global Security Report

Organizations that use third-party support typically use remote access applications like Terminal Services (termserv) or Remote Desktop Protocol (RDP), pcAnywhere, Virtual Network Client (VNC), LogMeIn or Remote Administrator to access their customers’ systems. If these utilities are left enabled, attackers can access them as though they are legitimate system administrators.

2013 Trustwave Global Security Report

It’s imperative that organizations using third-party support are aware of the security vulnerabilities that can come with it. To support their large client bases, IT outsourcers often choose remote administration and support solutions that remain “always on,” leaving access to client systems vulnerable. And these organizations often use generic logins and passwords that are shared among multiple users and re-used across different clients.

Whether you’re using an IT outsourcer or internal team to provide support, password security is an obvious, yet substantial issue. Case in point, last year, the South Carolina Department of Revenue experienced a huge data breach when an attacker logged into their remote access service using stolen employee credentials, resulting in the compromise of 3.8 million social security numbers and information belonging to 699,900 businesses, along with 3.3 million bank accounts and 5,000 credit card numbers.

That’s why one of six recommendations by Trustwave for increased security in 2013 is identifying users. They advise that, “Every user-initiated action should be tagged to a specific person.” This means avoiding remote support solutions where reps share generic logins and passwords for the sake of reducing licensing costs. Instead, use solutions that offer concurrent licensing, which has the cost benefits of license sharing, while requiring each individual to have their own, unique username and password.

Finally, the Trustwave report noted that businesses are slow to “self-detect” data breaches, with the average time from initial breach to detection being 210 days. Because a hijacked remote access account is technically a legitimate doorway into your network, if you can’t monitor who is doing what, you won’t detect an intruder. That’s why it’s imperative to use a remote access tool that captures all of the actions taken by each user and periodically review the audit trail for abnormal activities.
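As an added illustration of the audit-trail review described above (this code is not from the Trustwave report or from Bomgar), the following sketch flags generic account names, off-hours sessions, and one account in use from two source addresses at the same time. The CSV log layout, the list of generic names, and the business-hours window are assumptions, and the sample sessions are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail (not real data); the column layout is an assumption.
SAMPLE_LOG = """user,src_ip,start,end
support,203.0.113.10,2013-02-01T09:00,2013-02-01T10:30
support,198.51.100.7,2013-02-01T09:45,2013-02-01T11:00
jsmith,203.0.113.10,2013-02-01T09:10,2013-02-01T09:40
jsmith,203.0.113.10,2013-02-01T13:00,2013-02-01T13:20
admin,192.0.2.55,2013-02-02T02:15,2013-02-02T04:50
"""

GENERIC_NAMES = {"admin", "administrator", "support", "helpdesk", "vendor"}  # assumed list
BUSINESS_HOURS = range(7, 19)  # assumed policy: sessions should start 07:00-18:59


def parse(log_text):
    """Return (user, src_ip, start, end) tuples from the CSV audit trail."""
    return [(r["user"], r["src_ip"],
             datetime.fromisoformat(r["start"]), datetime.fromisoformat(r["end"]))
            for r in csv.DictReader(io.StringIO(log_text))]


def review(log_text):
    """Map each suspicious account to a sorted list of reasons it was flagged."""
    findings = defaultdict(set)
    by_user = defaultdict(list)
    for user, ip, start, end in parse(log_text):
        by_user[user].append((start, end, ip))
        if user.lower() in GENERIC_NAMES:
            findings[user].add("generic-account")  # action cannot be tied to a person
        if start.hour not in BUSINESS_HOURS:
            findings[user].add("off-hours")
    for user, sessions in by_user.items():
        sessions.sort()  # ordered by start time, so overlap means next start < this end
        for i, (_, end1, ip1) in enumerate(sessions):
            for start2, _, ip2 in sessions[i + 1:]:
                if start2 < end1 and ip1 != ip2:
                    findings[user].add("concurrent-from-different-ips")
    return {user: sorted(reasons) for user, reasons in findings.items()}


if __name__ == "__main__":
    for account, reasons in review(SAMPLE_LOG).items():
        print(account, "->", ", ".join(reasons))
```

Overlapping sessions from different addresses on one login point to either a shared credential or a stolen one; both cases warrant follow-up because the audit trail cannot say which person acted.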

Cyber war is still in its infancy, and we are only beginning to see the breadth of its reach. We here at Bomgar recognize that and are building the most secure remote access and support product possible. Whether you are using a third-party support vendor for some or all of your IT operations or have your own internal team, it’s important to analyze whether the remote access and support solutions being used are conducive to security or compromising your security.

Nathan McNeill, at Bomgar
