Using remote access securely

A data-breach investigations report issued by Verizon earlier this year found that 71 percent of all hacking attacks on businesses take place through remote access or desktop services.

"Remote access and desktop services, in combination with the exploitation of default and/or stolen credentials, is a huge problem in the retail and hospitality industries," the Verizon report states. "Opportunistic attacks are carried out across many victims who often share the same support and/or software vendor."

According to the researchers, once an intruder discovers a particular vendor's authentication method and schema (whether on TCP port 3389 for RDP, or TCP port 5631 and UDP port 5632 for pcAnywhere), he can exploit it across a multitude of that vendor's partners and customers.

"Oftentimes, in lieu of conducting a full port scan for these remote service applications, attackers will customize their scripts to exclusively look for these ports and search a broad swath of the Internet," the report states. "This speeds up their capability of searching for and finding services unprotected by router/firewall ACLs and allows them to quickly check for default credentials as well. This of course relies on remote access authentication schema being uniform across all of that particular vendor's customers -- but hey, who are we kidding? They always are."
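The behaviour the report describes, one source sweeping the RDP and pcAnywhere ports across many addresses, is also easy to spot from the defender's side. The following Python routine is an added example (not code from the Verizon report or from this article): it reads a handful of constructed firewall log lines in an assumed "src dst proto dport action" format, flags any source that touches those ports on three or more hosts, and lists which of the probed hosts actually accepted the connection, since those are the services sitting outside the router/firewall ACLs.

```python
"""Flag a single source probing remote-access ports on many hosts.

Added example for this article; log format and sample lines are constructed.
"""
from collections import defaultdict

# The ports named in the report: RDP over TCP, pcAnywhere over TCP and UDP.
REMOTE_ACCESS_PORTS = {("tcp", 3389), ("tcp", 5631), ("udp", 5632)}

# Constructed sample firewall log (documentation address ranges, not real hosts).
# Assumed record layout: "<src> <dst> <proto> <dport> <ACCEPT|DROP>"
SAMPLE_LOG = """\
203.0.113.7 198.51.100.10 tcp 3389 DROP
203.0.113.7 198.51.100.11 tcp 3389 DROP
203.0.113.7 198.51.100.12 tcp 3389 ACCEPT
203.0.113.7 198.51.100.13 tcp 5631 DROP
203.0.113.7 198.51.100.14 udp 5632 DROP
192.0.2.5 198.51.100.10 tcp 443 ACCEPT
192.0.2.5 198.51.100.10 tcp 3389 ACCEPT
"""


def parse_line(line):
    """Split one log record into its five fields; port becomes an int."""
    src, dst, proto, dport, action = line.split()
    return src, dst, proto.lower(), int(dport), action.upper()


def find_port_sweeps(log_text, threshold=3):
    """Return {src: {"hosts_probed": n, "exposed": [(dst, proto, port), ...]}}
    for every source that hit remote-access ports on >= threshold distinct hosts.
    'exposed' lists the targets where the firewall let the connection through."""
    probed = defaultdict(set)    # src -> distinct destination hosts
    accepted = defaultdict(set)  # src -> (dst, proto, port) tuples that were ACCEPTed
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport, action = parse_line(line)
        if (proto, dport) not in REMOTE_ACCESS_PORTS:
            continue  # ordinary traffic, not relevant to this detection
        probed[src].add(dst)
        if action == "ACCEPT":
            accepted[src].add((dst, proto, dport))
    alerts = {}
    for src, hosts in probed.items():
        if len(hosts) >= threshold:
            alerts[src] = {"hosts_probed": len(hosts),
                           "exposed": sorted(accepted[src])}
    return alerts


if __name__ == "__main__":
    for src, info in find_port_sweeps(SAMPLE_LOG).items():
        print(f"{src}: probed {info['hosts_probed']} hosts, "
              f"reachable services: {info['exposed'] or 'none'}")
```

The threshold is deliberately low because a legitimate administrator rarely opens RDP to several different hosts in quick succession from one outside address; on a real log you would also key on a time window. The single-host hit from 192.0.2.5 is left alone, which keeps normal support traffic out of the alert.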

Jim Walsh, CISO for point-of-sale products vendor MICROS Systems, knows all too well how attractive a chain restaurant or hotel is to a hacker. MICROS, the largest POS company for the hospitality industry, is used in almost all major restaurant and hotel chains around the world.


"If someone can get into one of our customer's systems, they've pretty much figured out how to get into the other 5,000 of them. That makes them an even greater target."

Prompted seven years ago by what Walsh described as a sudden upswing in high-profile breach events, MICROS went looking for secure ways to support customers remotely, and also launched an initiative to educate clients on how best to protect themselves. Here he shares with CSO how he mitigates the risk of hackers breaking into his customers' networks.

CSO: Briefly explain the scenario of MICROS customer support several years ago.

Jim Walsh: Not too many years ago POS applications like ours were storing full-track cardholder data that was not encrypted. In fact, historically the cardholder industry required us to store that information, until just a few years ago. It was not uncommon for that information to be stored and to be there, with a number of years' worth of data, so there was a lot of low-hanging fruit for attackers. With remote applications sitting there, always on and in listening mode, and in a lot of cases well-known, generic user names and passwords being used, it was pretty easy to get into these systems.

The last half dozen years there has been an explosion in data theft and compromises. Most notably for us, that's card-holder data thefts, because our products are all payment processing applications. A lot of our customers were being compromised.

One of the things we saw that was a common denominator in these compromises was poorly managed remote access tools. A lot of our customers had remote desktop or a tool like pcAnywhere always on and always in listening mode. It gave the attackers a pretty easy method of ingress into their payment processing network.

So what did you do?

We saw a lot of our customers being hit and remote access was part of the reason why. So we decided to look at new tools to facilitate remote access. Although pcAnywhere has served us well, and is still an approved tool if it's deployed, configured and maintained in a manner that is in keeping with our remote access policy and manual, we were looking for new remote access tools that would allow us to access securely.

The reason we chose the tool we are using now, a tool from Bomgar, was mainly for security reasons. First and foremost, it is not an "always on" application. It's only on when you need it to be on. It does not provide, by any means, an easy method for an attacker to gain access to a customer's network.

How does your current remote support system work?

If you are a customer and call us for support, in order for us to connect to your system, we would connect to a Bomgar session. We would give you the link, and you would join our session and type in a one-time session password.

After you join, you have to answer a few questions and only then can our people connect to your system.

Also, we have over 5,000 of our own people routinely connecting to these customers' systems, and this system also means none of our own people can connect to a client's system without the client's knowledge and consent. As a security officer, it makes me feel a lot better knowing our people can't get into a customer's system unless the customer knows about it and lets them in.

What does this system require of your clients?

It doesn't require loading anything on the customer's system; they just need internet access. There were similar tools that work the same way and are web-based, but those tools didn't give us control over things like the access log, which is important, especially with PCI DSS.

The tool we use gave us an appliance and software that is resident on our networks, so we have control over the tool, the application and the logs. We also interfaced it to our CRM (customer relationship management) system that we use worldwide. We've rigged the tool so you can't start a remote access session without first going into the CRM system and creating a case. We did that because we wanted to make sure that for every remote connection to a customer system, there is a support case that goes along with it. Our people shouldn't be connecting to a customer system without a support case, so you can't start a session without going into the CRM first.

Once you do that, there is the collaborative information exchange between the two systems, which allows us to better manage the access logs and review the data. For example, we auto-populate the Bomgar session details with the CRM details, the case number, who the agent is and that sort of detail.
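The workflow Walsh lays out in the last few answers has four gates: an open support case before a session can exist, a one-time session password the customer types in, the customer's explicit consent, and an audit record tied to the case and agent. The Python model below is an added example written for this article; it is not Bomgar's or MICROS's code and assumes a CRM represented as a plain dictionary, an out-of-band channel for handing the one-time password to the customer, and a pluggable clock so expiry can be tested. It shows the ordering the interview describes: the agent cannot connect until the customer has joined with a valid, unexpired, unused password and answered the consent question, and every step is logged with the case number and agent.

```python
"""Case-, password- and consent-gated remote support session (illustrative model).

Added example for this article; not a vendor API. The CRM is a dict, the
one-time password is assumed to reach the customer out of band.
"""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    case_id: str
    agent: str
    customer_id: str
    otp: str           # one-time session password shown to the customer
    created: float
    ttl: int = 600     # seconds the OTP stays valid (assumed value)
    otp_used: bool = False
    joined: bool = False
    consented: bool = False
    connected: bool = False


class SupportGateway:
    def __init__(self, crm_cases, now=time.time):
        # crm_cases: case_id -> {"customer": ..., "status": "open" | "closed"}
        self.crm_cases = crm_cases
        self.now = now
        self.sessions = {}
        self.audit = []    # every event carries case number and agent, as in the CRM tie-in

    def _log(self, event, s, **extra):
        self.audit.append({"ts": self.now(), "event": event, "case": s.case_id,
                           "agent": s.agent, "customer": s.customer_id, **extra})

    def open_session(self, agent, case_id):
        """Gate 1: no open CRM case, no session."""
        case = self.crm_cases.get(case_id)
        if case is None or case.get("status") != "open":
            raise PermissionError(f"no open support case {case_id!r}; session refused")
        s = Session(case_id=case_id, agent=agent, customer_id=case["customer"],
                    otp=secrets.token_urlsafe(9), created=self.now())
        self.sessions[case_id] = s
        self._log("session_created", s)
        return s   # s.otp is delivered to the customer out of band (assumed)

    def customer_join(self, case_id, otp):
        """Gate 2: customer joins with a valid, unexpired, never-reused password."""
        s = self.sessions[case_id]
        expired = self.now() - s.created > s.ttl
        ok = (not s.otp_used and not expired
              and secrets.compare_digest(otp.encode(), s.otp.encode()))
        if not ok:
            self._log("join_rejected", s, expired=expired, reused=s.otp_used)
            return False
        s.otp_used = True      # a second join with the same password is refused
        s.joined = True
        self._log("customer_joined", s)
        return True

    def customer_consent(self, case_id, answers):
        """Gate 3: the customer answers the pre-connection questions."""
        s = self.sessions[case_id]
        if s.joined and answers.get("allow_remote_control") is True:
            s.consented = True
            self._log("consent_granted", s)
            return True
        self._log("consent_denied", s)
        return False

    def agent_connect(self, case_id, agent):
        """Gate 4: only the case's own agent, and only after join and consent."""
        s = self.sessions[case_id]
        if agent != s.agent or not (s.joined and s.consented):
            self._log("connect_refused", s, requested_by=agent)
            return False
        s.connected = True
        self._log("agent_connected", s)
        return True


if __name__ == "__main__":
    gw = SupportGateway({"C-1001": {"customer": "hotel-42", "status": "open"}})
    s = gw.open_session("agent.smith", "C-1001")
    print("connect before consent:", gw.agent_connect("C-1001", "agent.smith"))
    print("customer joins:", gw.customer_join("C-1001", s.otp))
    print("consent:", gw.customer_consent("C-1001", {"allow_remote_control": True}))
    print("connect after consent:", gw.agent_connect("C-1001", "agent.smith"))
    for e in gw.audit:
        print(e["event"], e["case"], e["agent"])
```

The point the model makes is that the "always on and listening" property disappears: nothing accepts a connection until a human on the customer side has acted, and the refusal paths are logged just as carefully as the successful ones, which is what makes the access log useful for PCI DSS review.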

Do you suggest your clients follow any particular security standards or use any particular products to best mitigate risk?

We don't manage our customers' networks. They take our POS system and they deploy it in their IT environment, and they are in control of it. Historically, they would load a tool and have it sit there and run all the time. We didn't have any control over that.

But in the last five years, we have actively worked to educate the customers that doing that is not the right thing to do anymore. You're setting yourself up to be compromised.

We put out lots of security documents. One was a recommended security policy in terms of remote access; what are the approved methods of remote access. Essentially we don't take the stance that it's our role to enforce things like PCI DSS, but we do take an education stance and try and guide our customers properly. If they don't follow our guidance, it's not uncommon to get them to sign some kind of disclosure document to attest to the fact that we did tell them to do certain things to protect themselves and they chose not to.

Has it helped?

It has. Some jump quickly and do what we recommend, others will just not do it until they are breached. But the majority have come a long way and are much better off than they were five years ago. But there are still some customers out there who just stick their heads in the sand.
