The theft of source code for Symantec's pcAnywhere has put remote access programs in the spotlight. But the security implications posed by remote management products are not new. In fact, data released over the last year shows that remote access services account for 88 percent of hacking attacks. So what precautions can organizations take to make sure they aren’t an easy target?
For almost 30 years, remote access software has allowed IT professionals to connect to desktops and servers to manage networks and provide support. Companies taking advantage of remote access technology have saved tremendous amounts of time, money and resources by eliminating the need for IT staff to travel, reducing system down time and improving the efficiency of the IT organization.
Without remote access software, IT department budgets would grow exponentially, system reliability would suffer and end users would be dissatisfied. Historically, attackers went after large corporate entities, but they have increasingly learned that this is becoming more difficult. Now they’re opting for smaller remote locations because they can accomplish the same thing with only a little more effort. Therefore, it’s imperative that businesses, large and small, take the time to evaluate their remote access software. Companies are routinely exposing systems inside their networks to outside attackers, and more often than not the only security is a poorly chosen password.
Remote access software offers many benefits, but unless used properly it can leave IT systems vulnerable to different exploits—for example, access through firewall ports opened for remote access, theft of passwords from an established remote access session or brute force attacks on password-protected hosts.
Companies are beginning to realize that juggling several different remote access tools does not necessarily make life easier or more secure, as each product needs its own firewall configuration. This is leading many organizations to reconsider their remote access product portfolio.
The Symantec security breach has only reinforced this apprehension regarding the security of remote access applications. But does that mean that all remote access software is inherently a big security risk and IT departments should avoid using it? No. The benefits greatly outweigh the potential risks, and IT departments can take measures to minimize these risks, such as changing the default ports and using role-based access profiles. That is why organizations should put security first.
Establishing a connection between the support device and the user being supported involves network traffic and thus the risk that an intruder can detect that packet information and eavesdrop on a remote access session. Obviously, the risk is greater when using an Internet connection compared with a LAN connection, and this risk is heightened further when access is granted through third-party servers. In this scenario, an outside company stores log-in information, traffic and logging data, giving that company the control to access and manipulate confidential information and putting the customer at further risk of outside attacks to the provider’s systems.
How to Avoid Attacks
Accessing the host through the Internet does have its advantages—one doesn’t have to reconfigure firewalls, routers or proxies, making it easier to provide support for employees outside the network, as well as for home users and mobile employees. So, to ensure that security is not compromised by flexibility, IT teams should look for a solution that enables Internet-based remote access through their own servers. This way they are in control of the security and their data.
IT must choose a remote access provider that offers end-to-end security, so that all data remains completely safe. Although encryption is often the first port-of-call when talking about security, it is actually just the first step in setting up a professional secure remote access solution. IT must also manage how users of remote access connect to each other and what users are allowed to do once connected. By writing a remote access policy, IT defines the type of security expected of the remote access tool as well as to those who have access rights.
For communication between different types of systems, ensuring proper encryption key exchange and use of well-known, highly scrutinized encryption protocols and standards are paramount. Any weaknesses in the implementation or technology used could lead to an attacker discovering the encryption keys and breaking them to intercept and potentially modify sensitive data.
Managing User Access Effectively
Once connected, a guest can perform various tasks on the remote computer: reboot, edit registry, delete files, copy files, print, chat with the user, run applications and more. Exactly what the guest can do varies widely among remote access products. But more important is the degree to which the IT team can specify various access roles.
Different remote access users need different access profiles. Data center managers would probably want to look at being able to limit functions like locking the keyboard and mouse, executing commands (delete, copy files), running programs, managing services, entering command prompt and editing the registry.
A final caveat on managing user access rights: a number of high-end remote access products will allow IT to manage user access rights, but look for a solution with central management. A centrally managed user access rights solution will enable the team to change the settings for thousands of computers without having to configure each host individually. This also provides more flexibility in administering user rights, as authorizations can be changed “on the fly” as a further level of protection.
Document What Happened
Documentation is the final frontier of a solid, secure remote access system. With extensive logging and video recording of sessions, IT will know exactly what happened and when. Did the help desk employee delete that important sales file while assisting the sales clerk with his Internet connection? Who remotely accessed the confidential medical records on Saturday night? These are questions the organization needs to be able to answer.
Data leaks not only potentially expose customers’ personal information and confidential company data, but they also open a whole other can of worms for the company, including significant financial penalties. This is often an overlooked feature, but it is vital to ensuring compliance with security regulations. Session recording is another critical component, as support personnel can trace the actions of each guest on each host machine.
Three Fundamental Rules to Follow When Choosing Remote Access Software
Whether you are looking to consolidate your remote control solutions or are new to the world of remote access, the number of products on the market can overwhelm you. It is easy to get confused, but in a nutshell, to find a solution that is rock-solid and future-proof, look for one that does the following:
- Provides comprehensive security that can be adjusted to meet the needs of IT professionals and their users, no matter how demanding the security environment;
- Supports a mixed environment within the current IT framework; and
- Has a versatile, open architecture and centralized deployment, ensuring that the solution can grow at the same pace as the business
Remote access software provides faster resolution of computer-related problems, brings efficiencies to system maintenance and generally leads to higher levels of operational stability and reliability. Yet because of the changing face of IT, including the increased need for high levels of security, the heterogeneous state of most enterprise IT architectures and growth in the number of end users, business requirements for remote access software are changing.
Therefore, with careful research and attention to features that represent the best in remote access technology, IT departments can select an application that stretches the limits of remote access and not only increases productivity and customer satisfaction, but enhances the flexibility of the IT organization and improves the company’s risk profile.
About the Author
Kurt Bager is CEO of Netop.
Netop helps companies save money by efficiently gaining access to remote technology assets, consolidating support resources and shortening issue resolution times. A pioneer in remote access technologies, Netop is used by half of Fortune 100 companies and sold in more than 80 countries. The company is headquartered in Denmark with subsidiaries in the United States, Great Britain, China, Romania and Switzerland. Learn more at www.Netop.com.
Photo courtesy of Ian Munroe