Remote Access - The Security Challenges
Remote access for users and remote system administration are examples of the Internet delivering on its promise to make geographic constraints a thing of the past and to radically streamline business processes. At the same time, remote access poses significant security challenges for many organisations. Safecoms’ experience in talking with many IT professionals suggests that remote access is an area rife with misconception and mythology. In this article, we explore the issues and attempt to put the record straight.
Remote Administration Access
By definition, the remote administration rights used by system administrators and other privileged users will, if they fall into the wrong hands, generally give an attacker full read / write access to most or all of the critical systems on your trusted network. The potential consequences of such an incident are obviously catastrophic.
Traditionally, whether the remote admin access was achieved via VPN or thin client, organisations relied on user name and password to secure that access. Is reliance on user name and password a sufficient level of protection for remote admin access today?
Most security professionals would answer that question with an emphatic “no”. However, there are still a lot of organisations that have not implemented two-factor authentication for remote admin access. Their approach appears to be based on a belief that it is very difficult for a hacker to get their hands on an administrator’s user name and password, or to “brute force” a password. In Safecoms’ view, this is one of the “myths and misconceptions” referred to in the introduction to this article.
Tools such as fingergoogle make it very easy to harvest a list of an organisation's users' email addresses. Armed with this information, the attacker will then use a tool such as googlesweep to rapidly track down those users who have posted to technical news groups on the Internet, and from this will generally be able to work out which users are administrators. Given that in most organisations user names follow the same convention as the local part of the email address, it is therefore not hard to come up with a list of administrator user names. Using a brute force tool such as Hydra against the remote access service, an attacker will often then be able to find a password in a reasonable time. It should also be noted that many attackers have developed their own brute force tools: one white hat hacker that we know claims to be able to crack around 80% of passwords inside two hours. Of course, if an organisation has system settings that lock an account out after a certain number of failed attempts, the process will take longer. It does not stop, however: with a list of many administrator user names the attacker can try a handful of likely passwords against every account rather than many passwords against one, staying under the lockout threshold on each. It is ultimately only a matter of time, and if the prize is big enough the attacker will invest that time.
As well as the relative ease with which user name and password protections may be defeated through Google research and brute force tools, system administrators are by no means immune from having their passwords discovered through social engineering or carelessness. Whilst one would hope that someone with system administration privileges would be more aware and on their guard than most, there are some well documented instances where admin passwords have been socially engineered or simply stumbled upon. One such instance involved a UK branch of an international bank. A critical system crashed late at night. The onsite engineer did not have the specific privileges necessary to fix the problem, so he telephoned a senior system administrator who was at home asleep. The system administrator dictated his user name and administrator password to the engineer over the phone (not recommended practice, but in the real world these things do happen) and, given its complexity, the engineer wrote it down on a scrap of paper as it was dictated. Once the fix was made, the engineer forgot all about the little scrap of paper - which was noticed the following evening by a cleaner who was actually an impoverished computer student earning some beer money by cleaning in the evenings....
Safecoms’ recommendation is that given the severity of the potential consequences if remote administrative access does fall into the wrong hands, and the relative ease of brute forcing a password and the constant possibility of social engineering or human carelessness, remote administration access should always be secured through two factor authentication. This is a relatively straightforward and low cost step to implement (see further below) and any organisation that fails to do so is taking a significant and unnecessary risk.
Remote User Access
There are two main security issues to be considered when looking at remote user access:
- what authentication protections should be in place to prevent access by unauthorised persons?
- how should remote access be structured and controlled to ensure an appropriate level of protection against malware and “authenticated hackers” (i.e. unauthorised people who have somehow managed to gain authenticated access)
Authentication Protection
Should two-factor authentication be implemented for all remote user access, as well as for remote admin access? Obviously, there is no universally correct answer to this question - each organisation needs to make its own risk assessment and draw its own conclusions. However, the important thing is that the risk assessment is conducted with full knowledge of the likelihood that an unauthorised individual can obtain the log on credentials of a legitimate user, with accurate knowledge of the costs associated with implementing two factor authentication, and with a clear understanding of the potential consequences of unauthorised access.
The first point to note is that if it is acknowledged that there is a genuine risk of authentication credentials for administrators falling into the wrong hands (as a result of brute forcing or social engineering), then most organisations would regard it as a racing certainty that the authentication credentials of some “general” users are likely to be compromised. A large proportion of most user populations still use very weak / easy to guess passwords, and numerous well publicised surveys have demonstrated how straightforward it is to socially engineer log on credentials out of people.
Regarding cost of implementation, Safecoms’ experience suggests that many people have a false impression of the costs associated with two-factor authentication. For example, we were recently discussing this issue with one client and their impression was that implementing two factor authentication for 20 or so users with full access rights would be around $50,000. In fact, the total cost was around $8,000. Of course, implementing two factor authentication for the entire user population of a large organisation does become a relatively costly exercise. However, it may be nowhere near as expensive as you might think, particularly when compared with the costs, legal liabilities and losses that could flow from an unauthorised person gaining full remote access rights to the network.
Another objection often raised to the implementation of two-factor authentication for remote users is the issue of “complexity” from the users’ perspective. Safecoms’ view is that this is something of a “furphy”. Let’s be realistic: anyone who is capable of using a computer is capable of going through the log on process associated with two factor authentication. They might find it a minor inconvenience, but if the reasons behind it are spelt out in clear terms from a risk management perspective, any such objections should be fairly easy to overcome.
Regarding the potential consequences of unauthorised access, to some extent this is dependent on the level of remote access granted to users. Where remote access essentially provides the user with their full set of user access rights as if they were sitting in their office, an attacker who manages to authenticate as an authorised user will have full read / write access to everything on the network consistent with that user’s permissions. Granted, they will not have the level of access associated with someone with administrator privileges, but in the overwhelming majority of organisations most users have very liberal access rights and the unauthorised user therefore has very significant scope for accessing confidential information, damaging the integrity of important data and (depending on how tightly individual access rights are managed) obtaining system level information that could be used to mount denial of service attacks.
Where remote access is limited to the email system, a lot of organisations take a relatively relaxed view about the associated risk on the basis that they are not overly concerned whether an unauthorised person is able to see the contents of emails. However, a lot of confidential information is sent via email. How concerned would the CFO be if a hacker was able to log in and view all of the email in the inbox and sent items of a senior member of the accounts department? Those of a more relaxed disposition might also like to bear in mind two other points: firstly, unauthorised viewing of emails could result in legal liability for breach of Privacy legislation, and secondly, it’s not just a question of unauthorised parties reading email traffic - there’s also the issue of them writing emails and sending them out in the name of a user.
Safecoms’ opinion is that most organisations should take a long hard look at implementing two-factor authentication for all remote users, even where remote access is limited to email. If costs are prohibitive (but do check this out - many people are pleasantly surprised when they find out the real costs) one “compromise” solution is to use controls such as Access Control Lists or Active Directory group membership to set granular remote access rights for different groups of users, and to limit two-factor authentication to those groups with broad access rights.
However, if following a proper risk assessment the decision is taken that two-factor authentication does not need to be implemented for remote users then Safecoms recommends a three pronged risk mitigation strategy:
- apply the “principle of least privilege” rigorously to the granting of any remote access rights
- ensure that all users with remote access rights receive awareness training about the need to keep passwords secret, and commonly used social engineering techniques
- ensure that security settings are applied that require passwords to be “strong”, that they are changed at regular intervals (maximum of 45 days), and that three invalid authentication attempts result in lock out
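The third prong is the one that is easiest to get subtly wrong, so the following is an added, self-contained model of those three settings (strong passwords, a 45-day maximum age, lock out after three invalid attempts) that can be run to check the behaviour of each control. It is example code written for this page, not Safecoms' code or any product's implementation. Where the article is silent, assumptions are marked: "strong" is taken to mean at least 12 characters from three of four character classes, the lock out is assumed to clear after 30 minutes, and passwords are stored as salted PBKDF2 hashes.

```python
# Added example (not Safecoms' code): a minimal model of the three password
# controls recommended above, so that each one can be exercised in isolation.
# Assumptions not stated in the article are marked as such.
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

MAX_PASSWORD_AGE = 45 * 86400   # seconds: the article's 45-day maximum
LOCKOUT_THRESHOLD = 3           # invalid attempts before lock out
LOCKOUT_DURATION = 30 * 60      # seconds; assumption, the article gives no unlock period
MIN_LENGTH = 12                 # assumption: the article only says "strong"

_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def is_strong(password: str) -> bool:
    """Assumed definition: MIN_LENGTH+ characters drawn from three of four classes."""
    if len(password) < MIN_LENGTH:
        return False
    return sum(1 for pattern in _CLASSES if re.search(pattern, password)) >= 3


def _derive(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen credential store cannot be brute forced cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    pw_set_at: float           # epoch seconds when the password was last changed
    failed_attempts: int = 0
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class Authenticator:
    def __init__(self) -> None:
        self._accounts: dict[str, Account] = {}

    def set_password(self, username: str, password: str, now: float) -> None:
        if not is_strong(password):
            raise ValueError("password does not meet the strength policy")
        salt = os.urandom(16)
        self._accounts[username] = Account(salt, _derive(password, salt), now)

    def login(self, username: str, password: str, now: float) -> str:
        """Return 'ok', 'expired' or 'invalid'.

        Every failure, including an unknown user name or a locked account, is
        reported as 'invalid' so the response does not help an attacker confirm
        which user names exist or which accounts they have already locked.
        """
        acct = self._accounts.get(username)
        if acct is None:
            return "invalid"
        if now < acct.locked_until:
            return "invalid"          # still locked: even the correct password is refused
        if not hmac.compare_digest(_derive(password, acct.salt), acct.pw_hash):
            acct.failed_attempts += 1
            if acct.failed_attempts >= LOCKOUT_THRESHOLD:
                acct.locked_until = now + LOCKOUT_DURATION
                acct.failed_attempts = 0
            return "invalid"
        acct.failed_attempts = 0      # a successful login resets the counter
        if now - acct.pw_set_at > MAX_PASSWORD_AGE:
            return "expired"          # correct password, but it must be changed now
        return "ok"

    def is_locked(self, username: str, now: float) -> bool:
        """Administrative view only; never surfaced at the log on prompt."""
        acct = self._accounts.get(username)
        return acct is not None and now < acct.locked_until


if __name__ == "__main__":
    auth = Authenticator()
    auth.set_password("alice", "Winter-2007-Sydney", now=1000.0)   # constructed sample account
    for guess in ("guess1", "guess2", "guess3"):
        print(guess, "->", auth.login("alice", guess, now=1001.0))
    print("locked after three failures:", auth.is_locked("alice", now=1002.0))
    print("correct password while locked ->", auth.login("alice", "Winter-2007-Sydney", now=1002.0))
```

Two design points are worth noting. The log on prompt never says "locked", because a distinct response would let the attacker in the previous section both confirm user names and measure the lockout threshold; lock state is only visible through `is_locked`, which belongs on the administrative side. And a correct password on an expired account is reported as `expired` rather than `ok`, so the 45-day rule is enforced at log on rather than left to a reminder the user can ignore.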
Structuring and Controlling Remote User Access
In a lot of organisations, remote user access is achieved by setting up a VPN connection that simply allows all protocols from the remote computer to the internal network. Authorised users are given their VPN user name and password and can then install the VPN client on any computer they happen to find convenient. This effectively allows the user to inadvertently bypass a number of critical security controls that the organisation has in place.
As an example, consider the typical case of a user who installs their VPN client on the “family” home PC. A lot of “family” PCs are virus ridden and have numerous missing security patches. Once the tunnel is up, this PC is connected directly into the organisation’s trusted network, bypassing all the usual perimeter controls, and the risk of malware being introduced into the trusted network through this route is very high. Similarly, that unpatched family PC is itself open to compromise by an attacker (particularly when it sits on an always-on cable connection), who can then use it as a soft entry point into the trusted network.
There is a simple and straightforward solution to this issue that has been implemented by several of Safecoms’ clients who supply their users with laptops: install the VPN client on the laptop, but do not give the user the password that protects the VPN client configuration, and do not give them administrator rights on the laptop. Without either, the user cannot copy the client and its configuration onto an uncontrolled machine, so only managed devices are able to connect directly into the trusted network.
Another issue with the VPN model is that a hacker who manages to obtain the VPN username and password for a remote user (which, as we noted earlier, must be taken as being probable) is able to run his complete arsenal of hacking tools directly into the trusted network via the VPN. Of course, if two-factor authentication has been implemented for remote access then this issue is very unlikely to arise: however, a large number of organisations are still using VPN remote access without two-factor authentication.
An increasingly large number of organisations now believe that they can protect themselves against this kind of risk by implementing VPNs with built in IPS functionality. Safecoms’ opinion is that this line of thinking creates a false sense of security, for the following reasons:
- the inspection in these devices only covers a limited number of protocols. Attacks carried over any other protocol pass through unexamined
- our practical experience from testing the effectiveness of IPS for a number of our clients is that it typically allows a large number of “stealth” attacks to slip through under the radar
- widespread misconfiguration of IPS devices means that even “noisy” attacks are frequently not picked up
In view of these risks with the VPN model, Safecoms recommends that organisations should look at implementing remote access through thin client technology (or using a VPN that only reaches a terminal server) rather than a conventional VPN. Because the thin client model does not give the remote computer a direct connection into the network - only screen, keyboard and mouse traffic crosses the boundary - this approach greatly reduces the risk of malware entering the trusted network and ensures that “authenticated hackers” cannot run their tools around the network from their own machine. The caveat is that terminal server features which move data across that boundary, such as client drive mapping and clipboard redirection, should be disabled, or the separation the model provides is weakened.
Pulling It All Together
A lot of ground has been covered in this article. In summary, our recommendations are:
- for remote administration access, two-factor authentication is essential. The risks associated with not having this in place are just not worth taking
- for remote user access, a risk analysis should be carried out to determine whether two-factor authentication should be implemented. It is essential that business managers are involved in that analysis, and that they understand the likelihood of an attacker being able to gain remote access as an authenticated user, the legal and financial consequences associated with such an incident, and the costs of implementing two-factor authentication for some / all users
- in most situations, remote access is best implemented via a thin client model rather than a VPN
- beware the claims about IPS. It is limited in its effectiveness
Nick Gifford
Managing Director
Safecoms has a lot of practical experience of designing and implementing effective remote access strategies for different profile organisations. If you would like to find out more about this topic or talk to a Safecoms expert in this field about your organisation’s issues and challenges, please call the Safecoms team on 02 8234 4000 or email us at info@safecoms.com.au