Remote access security strategy best practices

Remote Access Security Strategy: Best Practices

www.netop.com/remotesupport


As the utilization of remote control software has evolved from primarily that of a tech support tool

to a broadly used method of accessing diverse devices across complex environments, numerous

security vulnerabilities have been created. These vulnerabilities are the primary routes of infiltration

by data thieves and other malicious actors. In order to minimize risk while enjoying the benefits

of remote control and remote access, organizations of all sizes and in every industry need to

implement a security strategy for remote access. This paper presents four best practices central to a

solid remote access security strategy: putting security first, consolidating tools, prioritizing flexibility

and embracing defense-in-depth.

S E C U R I T Y PA P E R



Data breaches and cyber-attacks have become routine occurrences for organizations of all

sizes across every industry segment. According to research by the Ponemon Institute, the

average total cost of a data breach rose to $3.79 million in 2015.

The Ponemon data shows an increase of over 23% in the past two years for the cost of a data

breach. Regardless of company size, location, or industry classification, the cost of a data

breach is enormous – and growing.

In response to the prevalence of remote access and remote control software being used as

part of malicious data breaches, the United States Federal Bureau of Investigation (FBI) and

the Retail Cyber Intelligence Sharing Center (RCISC) have issued alerts and recommendations

related to remote access and remote control security.

Recommendations and requirements for remote access security vary by industry and region.

Standards like the Payment Card Industry Data Security Standard (PCI DSS) are global,

while the Health Insurance Portability and Accountability Act (HIPAA) in the United States

or Commission Directive 94/46/EC (EU Data Protection Directive) in Europe are specific to

particular geographies. Regardless of industry or region, key security strategies and best

practices that are common to most if not all organizations can be identified.

Whether you are implementing a remote access and remote control strategy for the first

time or revising an existing strategy to reflect new realities, you should consider these best

practices to achieve rock-solid security.

Overview: Remote Access SecurityRemote control software makes it possible for IT professionals to connect to laptops, desktops, servers and other devices in order to

manage networks and provide support. With remote control software, organizations save tremendous time, money and resources by

eliminating the need for their IT staff to travel, reducing system down-time and improving IT efficiency.

Businesses continue to use this technology to streamline processes, cut costs, operate globally and support their increasingly mobile

workforce. Remote control software has transitioned from a “technical support tool” to an integral component of any IT infrastructure.

The bottom line: without remote access and remote control software, IT budgets would skyrocket, system reliability would suffer and

end-users would be dissatisfied.

With a clear business case and the power to make life easier, it is no wonder remote control software is a standard tool for IT

organizations. And, given the importance of remote control software to the modern organization, it is also no wonder that criminals

have chosen remote access and remote control software as their primary vehicle for breaching company networks. In fact, more than

half of all cyber-attacks use remote access as the attack vector.

56% of cyber-attacks use remote

access as the attack vector

56%

Put security first

Consolidate your tools

Prioritize flexibility

Embrace defense-in-depth

1

2

3

4



Industries compromised by data breaches in 2014

ABOUT NETOP

Netop develops and sells

market-leading software

solutions that enable swift,

secure and seamless transfer

of video, screens, sounds and

data between two or more

computers. Used by half of the

Fortune 100, Netop’s secure

remote access and live chat

solutions help businesses

provide better customer

service, reduce support

costs and meet security and

compliance standards.

Put Security FirstOrganizations that align their IT security strategy with their overall strategic business

objectives can substantially reduce their risk and achieve short and long term return on

investment. Your approach to remote access and remote control security should be a small

part of a more comprehensive IT security strategy – and that strategy needs to be tightly

integrated into your everyday business practices. Security should not be an afterthought, or

a reaction to external threats. Security should be a proactive process, a mind-set, a set of

practices ingrained into your corporate identity. While this sounds like a daunting task, the

risks avoided and the possible gains in efficiency make the task well worth your while.

The most immediate benefit of improving remote access and remote control security is

minimization of risk. While it is impossible to calculate the true value of a prevented data

breach, the financial impacts of lost data are easily identified. Research by Ponemon

estimates “The average cost paid for each lost or stolen record containing sensitive and

confidential information increased from $145 in 2014 to $154 in this year’s study.”

In addition to financial risk, organizations must contend with reputational risk as well. The

Verizon 2015 PCI Compliance report indicates that 69% of consumers are less inclined to do

business with a breached organization. Fortunately, a comprehensive IT security strategy

can significantly mitigate the risk of a data breach saving organizations thousands or even

millions of dollars in lost revenue.

Comprehensive IT security goes beyond risk mitigation to provide significant short term

return on investment. By following best practices suggested for IT security, organizations

can improve process management and create efficiencies within their organization. By

aligning security strategies with business objectives, organizations reduce administrative and

operational burdens. For those organizations in regulated industries, compliance monitoring

and reporting is also greatly improved.

Despite being a relatively small piece of an organization’s overall IT infrastructure, remote

access and remote control have an outsized impact on liability and risk. As a result,

organizations significantly reduce their risk by focusing mitigation efforts on the well-known

threat vectors associated with remote control tools. Investments made in remote access and

remote control security provide substantial bang-for-the-buck.

43%

13%

12%

7%

Retail

Food & Beverage

Hospitality

Finance & Insurance



Consolidate Your ToolsTo support an increasingly heterogeneous mix of operating systems, software applications, mobile and embedded devices, it is

common for organizations to use three, four, or five different remote control products. Unfortunately, juggling several different tools

introduces substantial security risks and decreases operational efficiency.

With multiple remote control products deployed, organizations increase the complexity of their IT infrastructure. Increased

complexity results in a variety of threat vectors for organizations regardless of their size or industry. Those threats include:

Perimeter Security Is Compromised The firewall is typically an organization’s first line of defense. With the proliferation of interconnected devices in

modern networks, defending a single network perimeter has become nearly impossible. As a result, organizations

must create security zones that utilize multiple firewalls, DMZs, VLANs and other segmentation strategies. Remote

access and remote control tools require specific configurations to pass through these zones. With multiple remote

access tools, you have multiple configurations that must be managed and potentially multiple exceptions – or

holes – in your firewall.

The Number of Attack Surfaces Is Increased Using multiple remote access and remote control tools means multiple threat vectors are present. Maintaining

perimeter security is easier when you minimize your attack surfaces. Remote access and remote control tools that

listen on known ports can easily be scanned by criminals and targeted for exploit. Consolidating tools allows you

to focus your security and reduce your attack surface.

Security Controls and Processes Are Fragmented For regulated organizations, compliance with standards often means a documented set of security controls.

For instance, PCI DSS requirements 7, 8, 9 and 12 relate to access control measures and documentation of

those security policies. With multiple remote access and remote control tools, security controls become easily

fragmented. While establishing initial controls may be achievable, the sustainability of maintaining those controls

over the course of time becomes increasingly difficult. For large enterprises, change management practices are

negatively impacted by each additional tool that is deployed.

Comprehensive Monitoring and Logging Is Difficult While there is no silver bullet to solve all your security needs, comprehensive logging and audit capabilities will

dramatically improve your security posture. Deploying multiple remote control tools, especially when those tools

lack central controls, makes comprehensive logging virtually impossible. Again, for regulated industries, logging

and audit capabilities are often requirements to achieve compliance.

Security Sustainability Is Reduced Maintaining security controls during times of change can be difficult. Changes in technology, personnel and

business practices have wide ranging impacts on an organization. Data breaches are often the result of criminal

activity, but they also result from human error and glitches in technology. By consolidating and centralizing remote

access tools, an organization can reduce the potential for technical errors and ensure better controls are in place

to mitigate human errors. For large organizations, the automation of security controls and change management

practices is greatly enhanced by the reduction in scope that consolidation provides.



DON’T FORGET ABOUT IT

When considering the

consolidation of your remote

access and remote control

tools, think beyond the

traditional scope of the IT

Help desk. Segmenting your

network to comply with

security requirements does not

mean you must use separate

tools. The efficiencies you

gain through consolidation

increase as the number of

tools decreases. Be sure to

consider your physical and

virtual infrastructure and seek a

single solution that can support

traditional computing devices,

mobile devices, embedded

devices and the new crop of

Internet of Things (IoT) devices.

Prioritize flexibilityStrategic business objectives related to reducing cost and maximizing efficiency naturally conflict with security standards designed to

minimize risk and restrict access. Aligning these disparate objectives involves careful planning and requires flexible tools.

The efficiencies created by consolidating remote access and remote control tools are completely lost if you must choose a lowest-

common-denominator security solution for the entirety of your organization. But putting security first does not mean using the highest

security possible in every situation. Rather, organizations must make risk assessments to determine when security is needed and

what level of security is justified.

Security does not come in a one-size-fits-all package. Your remote access and remote control tool must allow for the varied security

needs of different devices, unique users and discrete network segments. Prioritize flexibility when selecting a remote control tool by

looking for configuration options in these areas:

Connectivity A comprehensive remote access and remote control tool should provide for LAN

based and Internet based connectivity. With Internet based connection services,

having the ability to host the connection service yourself increases your control

and may improve your security posture.

Encryption Not all encryption standards and methods are equal. Look for solutions that

provide verified methods like AES and TLS. Because encryption can tax system

resources and decrease efficiency, choose a solution that provides multiple

encryption options, allowing you to deploy the appropriate level in the appropriate

circumstance.

Authentication Having multiple choices for authentication dramatically increases the number of

use-cases for your remote access and remote control tools. Look for solutions that

integrate with AD, and support multi-factor options.

User Roles and Permissions Once a user has been provided with secure access to a device or application,

options for controlling their rights and permissions is critical. The more granular the

controls are, the more secure your organization can become.

Logging Every organization has unique needs when it comes to logging and audit trails.

While there is risk in collecting too much data, not collecting enough can be

disastrous. Having the ability to choose which events to log, where those logs are

stored and how those logs can be retrieved allows you to customize a solution

specifically for your needs.



MAC/IP Address Checks The target Device will only accept invitations from a remote user whose address

appears in a predefined MAC/IP list. This sets a base level security. However, because

IP addresses can be forged, this criteria should never be used as a stand-alone

security alternative.

Closed User Groups Assign serial numbers to all users and target devices where only matching numbers

may connect. A user module with any other serial number would be rejected. This is a

step toward best-in-class security.

Authentication Any remote control application should be able to integrate with the authentication

scheme currently deployed across your network – whether this is a Windows Domain,

LDAP server, or RSA SecurID server. Integrating with the existing authentication

scheme provides a secure method for a service representative to identify itself to the

target Device. For organizations with regulatory burdens (like PCI DSS) ensure multi-

factor authentication options are available.

User-controlled Access With this feature, a pop-up window appears on the target device asking the end-user

whether they want to accept an incoming request from the remote user; a remote

control session cannot be established until they accept. A typical set-up feature in

service desk environments, this is an effective security measure.

AVOID KNOWN THREAT VECTORS

When considering tools to

deploy as part of your defense

in depth strategy, make sure

you identify known threat

vectors. Popular remote control

tools like Microsoft’s RDP and

the open source VNC may

be a great option for part of

your enterprise, but are likely

insufficient for the high security

requirements of certain

devices or users. Other popular

products like pcAnywhere,

LogMeIn Pro and TeamViewer

have had well publicized

security breaches over the past

several years. While no vendor

can promise 100% security,

your remote access and remote

control tool – and the Vendor

who supplies it – should help

you reduce your attack surface,

not increase it.

Embrace Defense-in-DepthPasswords can be stolen. Encryption can be broken. Systems can, and will, be compromised. There is no such thing as perfect

security. Fortunately, your security doesn’t need to be perfect to prevent criminals and hackers from breaching your network. By

layering your defenses, imperfections in one area can be covered by another. The more layers you add, the more protection you

receive. Defense in depth is a well-known approach to network and IT security that provides consistent benefits.

Embracing defense-in-depth for your remote access and remote control strategy means selecting a tool that provides options

above and beyond good encryption and strong passwords. Look for a solution that provides



SummaryAs the utilization of remote control software has evolved from primarily that of a tech support tool to a broadly used method of

accessing diverse devices across complex environments, numerous network security vulnerabilities have been created. These

vulnerabilities are the primary routes of infiltration by data thieves and other malicious actors. In order to minimize risk while enjoying

the benefits of remote control and remote access tools, organizations of all sizes and in every industry need to implement a security

strategy for remote access. Organizations should consider these four best practices as central aspects of a solid remote access

security strategy: putting security first, consolidating tools, prioritizing flexibility and embracing defense-in-depth.

About Netop Netop develops and sells market-leading software solutions that enable swift, secure and seamless transfer of video, screens,

sounds and data between two or more computers. Used by half of the Fortune 100, Netop’s secure remote access and live chat

solutions help businesses provide better customer service, reduce support costs and meet security and compliance standards.

Netop is also the world leader in classroom management software, helping teachers in more than 75 countries use technology more

effectively in their classrooms.

Headquartered in Denmark, Netop has offices in the United States, China, Romania and Switzerland. The company sells its solutions

directly and through official Netop partners to public and private clients in more than 80 countries.

Read more at: www.netop.com

Reference List

2015 Cost of Data Breach Study: Global Analysis. (2015, May 27). Ponemon Institute, LLC:

http://www-03.ibm.com/security/data-breach

2015 Trustwave Global Security Report. (2015, June 9). Trustwave:

https://www2.trustwave.com/rs/815-RFM-693/images/2015_TrustwaveGlobalSecurityReport.pdf

Alert and Recommendations: Securing Merchant Card Payment Systems from the Risks of Remote Access. (2015, July 7). Financial Services

Sharing and Analysis Center:

https://www.fsisac.com/article/alert-securing-merchant-card-payment-systems-risks-remote-access

Internet of Things Poses Opportunities for Cyber Crime. (2015, September 10). Federal Bureau of Investigation:

https://www.ic3.gov/media/2015/150910.aspx

M-Trends 2015: A View From The Front Lines. (2015, February 24). Mandiant, a FireEye Company:

https://www2.fireeye.com/WEB-2015RPTM-Trends.html

Payment Card Industry Data Security Standard version 3.1. (2015, April)

Verizon 2015 PCI Compliance Report: Insight for helping businesses manage risk through payment security.

(2015, March 24). Verizon: http://www.verizonenterprise.com/pcireport/2015/

Technology

Remote access security strategy best practices