Every chain is only as strong as its weakest link: attackers only need to find a single vulnerability. At the same time, the “defenders” must have an overview of an often heterogeneous overall system and secure it equally well. Cyber criminals have been exploiting this starting advantage since the turn of the year 2021: instead of finding individual vulnerabilities at individual companies, widespread monitoring and remote access tools are misused for infiltrations over as large an area as possible.

The Solarwinds incident, in which an update unknowingly distributed hacked code, affected an estimated 20,000 organizations. [1] The underlying strategy has since been adapted for ransomware distribution. As a “means of transport” and possible gateway directly in July, a vulnerability in the “Kaseya” software was exploited to infect thousands of systems. [2]

Intentional backdoors into the corporate network?

Be it the Covid-19 pandemic, the increasing trend towards home offices or the often indispensable external access to special systems: While firewalls & Co. are in use to prevent external access, remote access tools are supposed to “simply” enable it again.

These channels must be well monitored and documented. In the worst case, they leverage the entire IT security. A prominent example was the incident at a waterworks in Florida in February 2021, which took place via insecurely executed TeamViewer access.  [3]

5 tips for secure remote access

The following examples offer some initial pointers for improving cyber security for remote maintenance:

• Inventory & documentation of all external accesses
  Small maintenance tools can become uncontrolled permanent solutions that escape the security radar. All such solutions must therefore be documented and made controllable. Inform employees that these accesses involve risks and require high responsibility.
• Secure protocols, up-to-date encryption and regular updates
  Insecure access points can transmit internal data and account information unencrypted and thus make highly confidential information accessible to third parties. Only up-to-date, secure software solutions may be used for remote maintenance. Regular updates are an essential requirement.
• Specific user accounts & 2-factor authentication
  A common major vulnerability is the use of shared passwords and known remote management access. Shared general access is nearly impossible to control. The use of 2FA for every user is a must, especially when integrating external employees who are not under the company’s direct control.
• Principle of least privilege & need to know
  Each remote maintenance account should allow access only to the critical systems required to perform the activity. Deviations can thus be detected more quickly, and possible propagations can be prevented more efficiently. Essential systems should only be accessible via additional jump servers.
• Monitoring & Logging
  Complete monitoring of external access helps to detect irregularities more quickly and efficiently. Failed attempts at individual access should be actively monitored and lead to a blocking of the accounts.
  Securing remote management tools requires the highest priority.

Complete monitoring of external access helps to detect irregularities faster and to detect them more efficiently. Failure of individual accesses should be actively monitored and lead to a blocking of the accounts.

You want a holistic security concept and technical protection measures against ransomware attacks? We are happy to advise you sales@ikarus.at or phone +43 1 58995-500! 

Worth reading:

Behavioural analytics, anomaly detection and visibility: additional protection against ransomware

Sources: