Click here to load reader
Upload
oana-bota-achim
View
34
Download
3
Embed Size (px)
Citation preview
Remote Access Security Strategy: Best Practices
www.netop.com/remotesupport
Remote Access Security Strategy: Best Practices
As the utilization of remote control software has evolved from primarily that of a tech support tool
to a broadly used method of accessing diverse devices across complex environments, numerous
security vulnerabilities have been created. These vulnerabilities are the primary routes of infiltration
by data thieves and other malicious actors. In order to minimize risk while enjoying the benefits
of remote control and remote access, organizations of all sizes and in every industry need to
implement a security strategy for remote access. This paper presents four best practices central to a
solid remote access security strategy: putting security first, consolidating tools, prioritizing flexibility
and embracing defense-in-depth.
S E C U R I T Y PA P E R
Remote Access Security Strategy: Best Practices
www.netop.com/remotesupport
Data breaches and cyber-attacks have become routine occurrences for organizations of all
sizes across every industry segment. According to research by the Ponemon Institute, the
average total cost of a data breach rose to $3.79 million in 2015.
The Ponemon data shows an increase of over 23% in the past two years for the cost of a data
breach. Regardless of company size, location, or industry classification, the cost of a data
breach is enormous – and growing.
In response to the prevalence of remote access and remote control software being used as
part of malicious data breaches, the United States Federal Bureau of Investigation (FBI) and
the Retail Cyber Intelligence Sharing Center (RCISC) have issued alerts and recommendations
related to remote access and remote control security.
Recommendations and requirements for remote access security vary by industry and region.
Standards like the Payment Card Industry Data Security Standard (PCI DSS) are global,
while the Health Insurance Portability and Accountability Act (HIPAA) in the United States
or Commission Directive 94/46/EC (EU Data Protection Directive) in Europe are specific to
particular geographies. Regardless of industry or region, key security strategies and best
practices that are common to most if not all organizations can be identified.
Whether you are implementing a remote access and remote control strategy for the first
time or revising an existing strategy to reflect new realities, you should consider these best
practices to achieve rock-solid security.
Overview: Remote Access SecurityRemote control software makes it possible for IT professionals to connect to laptops, desktops, servers and other devices in order to
manage networks and provide support. With remote control software, organizations save tremendous time, money and resources by
eliminating the need for their IT staff to travel, reducing system down-time and improving IT efficiency.
Businesses continue to use this technology to streamline processes, cut costs, operate globally and support their increasingly mobile
workforce. Remote control software has transitioned from a “technical support tool” to an integral component of any IT infrastructure.
The bottom line: without remote access and remote control software, IT budgets would skyrocket, system reliability would suffer and
end-users would be dissatisfied.
With a clear business case and the power to make life easier, it is no wonder remote control software is a standard tool for IT
organizations. And, given the importance of remote control software to the modern organization, it is also no wonder that criminals
have chosen remote access and remote control software as their primary vehicle for breaching company networks. In fact, more than
half of all cyber-attacks use remote access as the attack vector.
56% of cyber-attacks use remote
access as the attack vector
56%
Put security first
Consolidate your tools
Prioritize flexibility
Embrace defense-in-depth
1
2
3
4
Remote Access Security Strategy: Best Practices
www.netop.com/remotesupport
Industries compromised by data breaches in 2014
ABOUT NETOP
Netop develops and sells
market-leading software
solutions that enable swift,
secure and seamless transfer
of video, screens, sounds and
data between two or more
computers. Used by half of the
Fortune 100, Netop’s secure
remote access and live chat
solutions help businesses
provide better customer
service, reduce support
costs and meet security and
compliance standards.
Put Security FirstOrganizations that align their IT security strategy with their overall strategic business
objectives can substantially reduce their risk and achieve short and long term return on
investment. Your approach to remote access and remote control security should be a small
part of a more comprehensive IT security strategy – and that strategy needs to be tightly
integrated into your everyday business practices. Security should not be an afterthought, or
a reaction to external threats. Security should be a proactive process, a mind-set, a set of
practices ingrained into your corporate identity. While this sounds like a daunting task, the
risks avoided and the possible gains in efficiency make the task well worth your while.
The most immediate benefit of improving remote access and remote control security is
minimization of risk. While it is impossible to calculate the true value of a prevented data
breach, the financial impacts of lost data are easily identified. Research by Ponemon
estimates “The average cost paid for each lost or stolen record containing sensitive and
confidential information increased from $145 in 2014 to $154 in this year’s study.”
In addition to financial risk, organizations must contend with reputational risk as well. The
Verizon 2015 PCI Compliance report indicates that 69% of consumers are less inclined to do
business with a breached organization. Fortunately, a comprehensive IT security strategy
can significantly mitigate the risk of a data breach saving organizations thousands or even
millions of dollars in lost revenue.
Comprehensive IT security goes beyond risk mitigation to provide significant short term
return on investment. By following best practices suggested for IT security, organizations
can improve process management and create efficiencies within their organization. By
aligning security strategies with business objectives, organizations reduce administrative and
operational burdens. For those organizations in regulated industries, compliance monitoring
and reporting is also greatly improved.
Despite being a relatively small piece of an organization’s overall IT infrastructure, remote
access and remote control have an outsized impact on liability and risk. As a result,
organizations significantly reduce their risk by focusing mitigation efforts on the well-known
threat vectors associated with remote control tools. Investments made in remote access and
remote control security provide substantial bang-for-the-buck.
43%
13%
12%
7%
Retail
Food & Beverage
Hospitality
Finance & Insurance
Remote Access Security Strategy: Best Practices
www.netop.com/remotesupport
Consolidate Your ToolsTo support an increasingly heterogeneous mix of operating systems, software applications, mobile and embedded devices, it is
common for organizations to use three, four, or five different remote control products. Unfortunately, juggling several different tools
introduces substantial security risks and decreases operational efficiency.
With multiple remote control products deployed, organizations increase the complexity of their IT infrastructure. Increased
complexity results in a variety of threat vectors for organizations regardless of their size or industry. Those threats include:
Perimeter Security Is Compromised The firewall is typically an organization’s first line of defense. With the proliferation of interconnected devices in
modern networks, defending a single network perimeter has become nearly impossible. As a result, organizations
must create security zones that utilize multiple firewalls, DMZs, VLANs and other segmentation strategies. Remote
access and remote control tools require specific configurations to pass through these zones. With multiple remote
access tools, you have multiple configurations that must be managed and potentially multiple exceptions – or
holes – in your firewall.
The Number of Attack Surfaces Is Increased Using multiple remote access and remote control tools means multiple threat vectors are present. Maintaining
perimeter security is easier when you minimize your attack surfaces. Remote access and remote control tools that
listen on known ports can easily be scanned by criminals and targeted for exploit. Consolidating tools allows you
to focus your security and reduce your attack surface.
Security Controls and Processes Are Fragmented For regulated organizations, compliance with standards often means a documented set of security controls.
For instance, PCI DSS requirements 7, 8, 9 and 12 relate to access control measures and documentation of
those security policies. With multiple remote access and remote control tools, security controls become easily
fragmented. While establishing initial controls may be achievable, the sustainability of maintaining those controls
over the course of time becomes increasingly difficult. For large enterprises, change management practices are
negatively impacted by each additional tool that is deployed.
Comprehensive Monitoring and Logging Is Difficult While there is no silver bullet to solve all your security needs, comprehensive logging and audit capabilities will
dramatically improve your security posture. Deploying multiple remote control tools, especially when those tools
lack central controls, makes comprehensive logging virtually impossible. Again, for regulated industries, logging
and audit capabilities are often requirements to achieve compliance.
Security Sustainability Is Reduced Maintaining security controls during times of change can be difficult. Changes in technology, personnel and
business practices have wide ranging impacts on an organization. Data breaches are often the result of criminal
activity, but they also result from human error and glitches in technology. By consolidating and centralizing remote
access tools, an organization can reduce the potential for technical errors and ensure better controls are in place
to mitigate human errors. For large organizations, the automation of security controls and change management
practices is greatly enhanced by the reduction in scope that consolidation provides.
Remote Access Security Strategy: Best Practices
www.netop.com/remotesupport
DON’T FORGET ABOUT IT
When considering the
consolidation of your remote
access and remote control
tools, think beyond the
traditional scope of the IT
Help desk. Segmenting your
network to comply with
security requirements does not
mean you must use separate
tools. The efficiencies you
gain through consolidation
increase as the number of
tools decreases. Be sure to
consider your physical and
virtual infrastructure and seek a
single solution that can support
traditional computing devices,
mobile devices, embedded
devices and the new crop of
Internet of Things (IoT) devices.
Prioritize flexibilityStrategic business objectives related to reducing cost and maximizing efficiency naturally conflict with security standards designed to
minimize risk and restrict access. Aligning these disparate objectives involves careful planning and requires flexible tools.
The efficiencies created by consolidating remote access and remote control tools are completely lost if you must choose a lowest-
common-denominator security solution for the entirety of your organization. But putting security first does not mean using the highest
security possible in every situation. Rather, organizations must make risk assessments to determine when security is needed and
what level of security is justified.
Security does not come in a one-size-fits-all package. Your remote access and remote control tool must allow for the varied security
needs of different devices, unique users and discrete network segments. Prioritize flexibility when selecting a remote control tool by
looking for configuration options in these areas:
Connectivity A comprehensive remote access and remote control tool should provide for LAN
based and Internet based connectivity. With Internet based connection services,
having the ability to host the connection service yourself increases your control
and may improve your security posture.
Encryption Not all encryption standards and methods are equal. Look for solutions that
provide verified methods like AES and TLS. Because encryption can tax system
resources and decrease efficiency, choose a solution that provides multiple
encryption options, allowing you to deploy the appropriate level in the appropriate
circumstance.
Authentication Having multiple choices for authentication dramatically increases the number of
use-cases for your remote access and remote control tools. Look for solutions that
integrate with AD, and support multi-factor options.
User Roles and Permissions Once a user has been provided with secure access to a device or application,
options for controlling their rights and permissions is critical. The more granular the
controls are, the more secure your organization can become.
Logging Every organization has unique needs when it comes to logging and audit trails.
While there is risk in collecting too much data, not collecting enough can be
disastrous. Having the ability to choose which events to log, where those logs are
stored and how those logs can be retrieved allows you to customize a solution
specifically for your needs.
Remote Access Security Strategy: Best Practices
www.netop.com/remotesupport
MAC/IP Address Checks The target Device will only accept invitations from a remote user whose address
appears in a predefined MAC/IP list. This sets a base level security. However, because
IP addresses can be forged, this criteria should never be used as a stand-alone
security alternative.
Closed User Groups Assign serial numbers to all users and target devices where only matching numbers
may connect. A user module with any other serial number would be rejected. This is a
step toward best-in-class security.
Authentication Any remote control application should be able to integrate with the authentication
scheme currently deployed across your network – whether this is a Windows Domain,
LDAP server, or RSA SecurID server. Integrating with the existing authentication
scheme provides a secure method for a service representative to identify itself to the
target Device. For organizations with regulatory burdens (like PCI DSS) ensure multi-
factor authentication options are available.
User-controlled Access With this feature, a pop-up window appears on the target device asking the end-user
whether they want to accept an incoming request from the remote user; a remote
control session cannot be established until they accept. A typical set-up feature in
service desk environments, this is an effective security measure.
AVOID KNOWN THREAT VECTORS
When considering tools to
deploy as part of your defense
in depth strategy, make sure
you identify known threat
vectors. Popular remote control
tools like Microsoft’s RDP and
the open source VNC may
be a great option for part of
your enterprise, but are likely
insufficient for the high security
requirements of certain
devices or users. Other popular
products like pcAnywhere,
LogMeIn Pro and TeamViewer
have had well publicized
security breaches over the past
several years. While no vendor
can promise 100% security,
your remote access and remote
control tool – and the Vendor
who supplies it – should help
you reduce your attack surface,
not increase it.
Embrace Defense-in-DepthPasswords can be stolen. Encryption can be broken. Systems can, and will, be compromised. There is no such thing as perfect
security. Fortunately, your security doesn’t need to be perfect to prevent criminals and hackers from breaching your network. By
layering your defenses, imperfections in one area can be covered by another. The more layers you add, the more protection you
receive. Defense in depth is a well-known approach to network and IT security that provides consistent benefits.
Embracing defense-in-depth for your remote access and remote control strategy means selecting a tool that provides options
above and beyond good encryption and strong passwords. Look for a solution that provides
Remote Access Security Strategy: Best Practices
www.netop.com/remotesupport
SummaryAs the utilization of remote control software has evolved from primarily that of a tech support tool to a broadly used method of
accessing diverse devices across complex environments, numerous network security vulnerabilities have been created. These
vulnerabilities are the primary routes of infiltration by data thieves and other malicious actors. In order to minimize risk while enjoying
the benefits of remote control and remote access tools, organizations of all sizes and in every industry need to implement a security
strategy for remote access. Organizations should consider these four best practices as central aspects of a solid remote access
security strategy: putting security first, consolidating tools, prioritizing flexibility and embracing defense-in-depth.
About Netop Netop develops and sells market-leading software solutions that enable swift, secure and seamless transfer of video, screens,
sounds and data between two or more computers. Used by half of the Fortune 100, Netop’s secure remote access and live chat
solutions help businesses provide better customer service, reduce support costs and meet security and compliance standards.
Netop is also the world leader in classroom management software, helping teachers in more than 75 countries use technology more
effectively in their classrooms.
Headquartered in Denmark, Netop has offices in the United States, China, Romania and Switzerland. The company sells its solutions
directly and through official Netop partners to public and private clients in more than 80 countries.
Read more at: www.netop.com
Reference List
2015 Cost of Data Breach Study: Global Analysis. (2015, May 27). Ponemon Institute, LLC:
http://www-03.ibm.com/security/data-breach
2015 Trustwave Global Security Report. (2015, June 9). Trustwave:
https://www2.trustwave.com/rs/815-RFM-693/images/2015_TrustwaveGlobalSecurityReport.pdf
Alert and Recommendations: Securing Merchant Card Payment Systems from the Risks of Remote Access. (2015, July 7). Financial Services
Sharing and Analysis Center:
https://www.fsisac.com/article/alert-securing-merchant-card-payment-systems-risks-remote-access
Internet of Things Poses Opportunities for Cyber Crime. (2015, September 10). Federal Bureau of Investigation:
https://www.ic3.gov/media/2015/150910.aspx
M-Trends 2015: A View From The Front Lines. (2015, February 24). Mandiant, a FireEye Company:
https://www2.fireeye.com/WEB-2015RPTM-Trends.html
Payment Card Industry Data Security Standard version 3.1. (2015, April)
Verizon 2015 PCI Compliance Report: Insight for helping businesses manage risk through payment security.
(2015, March 24). Verizon: http://www.verizonenterprise.com/pcireport/2015/