Old Remote Access Tools + Weak Credentials = Hackers
by Liz Shulof
Earlier this week, eWEEK published an article noting that weak passwords are a top IT security risk for 2013 and recommending that companies “hunt down systems with default passwords.”
“In the past year, about 90 percent of successful breaches analyzed by Verizon started with a weak or default password, or a stolen and reused credential, which is a trend that will continue, said Wade Baker, managing principal for the company's RISK team. The company analyzed data gathered from incidents it investigated in 2012 to identify the causes of data breaches.
‘Taking all the attacks that happened to larger corporations and government, about 90 percent had weak or stolen credentials,’ Baker said. ‘We see no reason that that trend will change in 2013.’”
Often these weak or default passwords belong to a remote access solution, giving hackers a wide open door into an organization’s entire network. In their most recent Data Breach Investigations Report, the Verizon team found:
“Remote access services (e.g., VNC, RDP) continue their rise in prevalence, accounting for 88% of all breaches leveraging hacking techniques—more than any other vector. Remote services accessible from the entire Internet, combined with default, weak, or stolen credentials continue to plague smaller retail and hospitality organizations. Often these victims share the same support and/or software vendor. Scripted attacks seeking victims with known remote access ports (TCP 3389, RDP or VNC), followed with issuance of known default vendor credentials, allow for targets of opportunity to be discovered and compromised in an automated and efficient manner.”
The threat of a data breach via remote access crosses all industries and company sizes. A couple of months ago, the Verizon team broke down their data into a number of industry snapshots, and nearly every single one mentions hackers exploiting weak passwords for an internet-facing remote access service. For example:
Healthcare: “In the majority of cases (roughly three out of four), the attacker gained initial access by exploiting default or guessable credentials, usually via Internet-facing remote access services.”
Accommodation and Food Services: “In the vast majority of these cases, the breach can be traced back to financially-motivated, organized criminal groups exploiting weak, guessable, or default credentials via third-party remote access to their POS systems,” and “The vector for these attacks is almost always a remote access connection provided to a third-party vendor for managing the POS system.”
Retail: “Retailers [are] prime targets for financially-motivated criminal groups exploiting weak, guessable, or default credentials via third-party remote access services to POS systems.”
Once hackers gain access through these tools, it doesn’t take long for them to cause damage. Just look at the recent breach at the South Carolina Department of Revenue, in which an attacker logged into the agency's remote access service using employee credentials stolen via a phishing attack. Through a Citrix portal, the attacker used the employee's access rights to log into more sensitive systems, ultimately reaching 44 systems that contained social security numbers for 3.8 million residents and information belonging to 699,900 businesses, along with 3.3 million bank accounts and 5,000 credit card numbers.
So what can IT organizations do to protect themselves?
First, stop using shared or generic credentials for Internet-facing remote access services. For example, many IT organizations try to save money by sharing remote support licenses and using logins, such as Tech001, Tech002, etc. Instead, use a solution that offers concurrent licensing (like Bomgar) so you can reap the cost benefits of license sharing, while requiring each individual to have their own, unique username and password.
Second, implement two-factor authentication for remote access. By requiring users to have a smart card or token in addition to their password, your data will remain safe even if an employee’s credentials are stolen via a phishing attack.
Third, maintain an audit trail of all remote access activity and check it regularly. Use a remote access tool that captures all of the actions taken by each user and periodically review the audit trail for abnormal activities.
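The third recommendation only pays off if someone actually reads the audit trail, so here is an added example (not code from the original post, from Bomgar, or from Verizon) of what a periodic review might check for: generic shared technician accounts like Tech001, one account used from many source addresses, a run of failed logins followed by a success from the same source (password guessing), and logins outside business hours. The one-login-per-line log format, the sample entries, the business-hours window and the thresholds are all constructed assumptions; a real tool's export would need its own parser.

```python
"""Review a remote-access audit trail for the red flags described in the post.
Example code, not a vendor's product; the log format and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail (not real data). One login event per line:
# timestamp, result, user name, source IP of the remote session.
SAMPLE_LOG = """\
2013-01-14T09:02:11 LOGIN_OK user=jsmith src=203.0.113.10
2013-01-14T09:05:40 LOGIN_OK user=Tech001 src=198.51.100.7
2013-01-14T11:17:03 LOGIN_OK user=Tech001 src=203.0.113.55
2013-01-14T13:44:19 LOGIN_OK user=Tech001 src=192.0.2.88
2013-01-14T23:12:01 LOGIN_FAIL user=vendor_pos src=198.51.100.200
2013-01-14T23:12:04 LOGIN_FAIL user=vendor_pos src=198.51.100.200
2013-01-14T23:12:07 LOGIN_FAIL user=vendor_pos src=198.51.100.200
2013-01-14T23:12:09 LOGIN_OK user=vendor_pos src=198.51.100.200
2013-01-15T08:30:00 LOGIN_OK user=jsmith src=203.0.113.10
"""

LINE_RE = re.compile(r"^(\S+) (LOGIN_OK|LOGIN_FAIL) user=(\S+) src=(\S+)$")
# Shared/generic account naming patterns (Tech001, admin, support2, ...).
GENERIC_RE = re.compile(r"^(tech|admin|support|user)\d*$", re.IGNORECASE)

BUSINESS_HOURS = range(7, 20)   # 07:00-19:59, an assumption for the sample site
MAX_SOURCES_PER_USER = 2        # more distinct source IPs than this is unusual
FAILS_BEFORE_SUCCESS = 3        # this many failures then a success = guessing


def parse(log_text):
    """Turn the text log into a list of event dicts, skipping non-login lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, result, user, src = m.groups()
        events.append({"ts": datetime.fromisoformat(ts),
                       "ok": result == "LOGIN_OK", "user": user, "src": src})
    return events


def review(log_text):
    """Return (finding_kind, user, detail) tuples for the review meeting."""
    events = parse(log_text)
    findings = []
    sources = defaultdict(set)       # user -> distinct source IPs seen
    fail_streak = defaultdict(int)   # (user, src) -> consecutive failures
    flagged_generic = set()
    for e in events:
        key = (e["user"], e["src"])
        if not e["ok"]:
            fail_streak[key] += 1
            continue
        if GENERIC_RE.match(e["user"]) and e["user"] not in flagged_generic:
            flagged_generic.add(e["user"])
            findings.append(("generic_account", e["user"], e["src"]))
        if e["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off_hours", e["user"], e["src"]))
        if fail_streak[key] >= FAILS_BEFORE_SUCCESS:
            findings.append(("guess_then_success", e["user"], e["src"]))
        fail_streak[key] = 0         # a success resets the streak for that source
        sources[e["user"]].add(e["src"])
    for user, srcs in sources.items():
        if len(srcs) > MAX_SOURCES_PER_USER:
            findings.append(("many_sources", user, ",".join(sorted(srcs))))
    return findings


if __name__ == "__main__":
    for kind, user, detail in review(SAMPLE_LOG):
        print(f"{kind:20} {user:12} {detail}")
```

On the sample log this flags Tech001 both as a generic account and as one used from three different addresses, which is exactly the shared-license pattern the first recommendation warns against, and it flags the vendor_pos account for a guess-then-success run at 23:12, matching the third-party POS access vector quoted above. The thresholds are deliberately simple; the point is that the review is scripted and repeatable rather than an occasional manual skim.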