My "À bientôt" from the last post took a longer detour than expected, as I had set myself the goal of finishing ITIL as a last-minute 2012 milestone, two months after CISSP. In addition, most of my previously so-called private network, as well as UC, has now been migrated fully to the Cloud, which also consumed a good chunk of time before I could get back on the keyboard. Having fulfilled my own tasks, it's now time to start a new blogging journey.
Let's start off with a simple question: how often do you use remote control software, for business as well as personal purposes? I'll give you a sense of how much traffic from this software I normally pick up in any given month: 70% of permitted internet traffic. While such software comes in handy when you are out of the office and need to access some important documents which are otherwise inaccessible, where do you stand in terms of the network security you have to maintain? Is it too permissive?
There is plenty of remote access software available in the market: TeamViewer, LogMeIn, RemotePC, just to name a few. There are also collaboration applications like GoToMeeting and WebEx, used occasionally during a tech-support session with vendors or for setting up partner meetings. These are, as I said, very useful tools, especially since they are free to use in most circumstances and the users require no or very little technical knowledge to use them. When it comes to portability, TeamViewer and WebEx have native apps for smartphones and tablets, should the users decide to access from elsewhere.
So what makes their traffic so significant? Simply because they act like beacons (oh, I like that term a lot). Their agents installed on computers need to sync with the vendor's servers periodically to update all sorts of information: current IP, software updates installed (for LogMeIn), etc. So even if there is no actual usage of them, there will be a huge amount of inbound and outbound connections to their servers (did I mention they use port 80 or 443 regardless of any additional proprietary port requirement?), which will essentially consume the resources of the web proxy or accelerator in your network.
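The beaconing pattern described above is something a defender can pick out of proxy logs: a client that contacts the same host at near-constant intervals, regardless of whether anyone is using the tool. The following is an added example (not code from the original post or from any of the vendors named) that scores each client/host pair by the regularity of its connection intervals. The log layout and the host names (sync.remote-vendor.example, news.example.org) are constructed for the example; the 5-hit / 10% coefficient-of-variation thresholds are assumptions you would tune to your own proxy.

```python
"""Flag periodic "beacon" connections in web-proxy logs.

Added example (not part of the original post). Log lines are constructed in a
simplified Squid-like layout:
    <unix_timestamp> <client_ip> <method> <host>:<port> <status>
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log. 10.0.1.25 syncs with an assumed remote-access host
# every 300 s exactly, 10.0.1.40 does the same with a little jitter, and
# 10.0.1.25 also browses a news site at irregular times. Lines are deliberately
# out of order to show that the scorer sorts timestamps itself.
SAMPLE_LOG = """\
1354000000 10.0.1.25 CONNECT sync.remote-vendor.example:443 200
1354000017 10.0.1.25 GET news.example.org:80 200
1354000300 10.0.1.25 CONNECT sync.remote-vendor.example:443 200
1354000000 10.0.1.40 CONNECT sync.remote-vendor.example:443 200
1354000301 10.0.1.40 CONNECT sync.remote-vendor.example:443 200
1354000900 10.0.1.25 CONNECT sync.remote-vendor.example:443 200
1354000900 10.0.1.25 GET news.example.org:80 200
1354000905 10.0.1.25 GET news.example.org:80 200
1354000598 10.0.1.40 CONNECT sync.remote-vendor.example:443 200
1354000600 10.0.1.25 CONNECT sync.remote-vendor.example:443 200
1354000902 10.0.1.40 CONNECT sync.remote-vendor.example:443 200
1354001200 10.0.1.25 CONNECT sync.remote-vendor.example:443 200
1354001199 10.0.1.40 CONNECT sync.remote-vendor.example:443 200
1354001500 10.0.1.25 CONNECT sync.remote-vendor.example:443 200
1354002100 10.0.1.25 GET news.example.org:80 200
"""


def parse(log_text):
    """Group connection timestamps by (client_ip, destination_host)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, dest, _status = line.split()
        host = dest.rsplit(":", 1)[0]          # drop the ":port" suffix
        events[(client, host)].append(int(ts))
    return events


def beacon_score(timestamps):
    """Return (hit_count, mean_interval, coefficient_of_variation).

    A low coefficient of variation (std-dev / mean of the gaps) means the
    connections are evenly spaced, which is the signature of an agent
    phoning home on a timer rather than a human clicking around.
    """
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:                          # need at least three hits to judge regularity
        return len(ts), None, None
    m = mean(gaps)
    cv = pstdev(gaps) / m if m else float("inf")
    return len(ts), m, cv


def find_beacons(log_text, min_hits=5, max_cv=0.10):
    """List client/host pairs whose connection rhythm looks like a beacon."""
    results = []
    for (client, host), ts in parse(log_text).items():
        hits, period, cv = beacon_score(ts)
        if hits >= min_hits and cv is not None and cv <= max_cv:
            results.append({"client": client, "host": host, "hits": hits,
                            "period_s": round(period), "cv": round(cv, 3)})
    return sorted(results, key=lambda r: (r["client"], r["host"]))


if __name__ == "__main__":
    for r in find_beacons(SAMPLE_LOG):
        print(f"{r['client']} -> {r['host']}: {r['hits']} hits, "
              f"~{r['period_s']} s apart (cv={r['cv']})")
```

Run against the constructed sample, both sync clients are reported with a period of roughly 300 seconds, while the irregular browsing to news.example.org is not. On a real proxy the same scorer is useful for inventory as much as for detection: it tells you which machines have a remote-access agent installed whether or not anyone admits to it.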
For starters, that puts us in a security crosshair for revealing two IPs at any time, one local and one external, which defeats the purpose of the NAT firewall in place. Let's think about the scenarios that could happen, even if they are only remotely possible.
1. Man-in-the-middle attack
Now that we know these remote agents are "talking" to their master servers, how resistant are they against MITM? Having read these documents from the respective vendors, I feel a bit more reassured.
TeamViewer Security Information (last update: 31st May 2012)
LogMeIn Security White Paper (last update: 24th March 2012)
Although they have taken all the necessary steps to authenticate and secure the communication channels between the host and the user through their multi-layer architecture, what could happen if that were to be broken? What is at risk? Before mentioning the risks, let me introduce another technology that comes into play when we deal with certificates and SSL. There is a security solution meant for DLP purposes, namely SSL decryption. If used maliciously, such technology can pose a serious threat to most of the security measures put in place to defend beacon tunnels. Should the channels be compromised, we would lose both internal and external IPs at least and, in the worst case, the user's credentials.
2. Password breach
Users are the weakest link in the security chain, as always. Imagine the case of a user whose computer is already infected with trojans or keyloggers, whether through spear-phishing or a negligent download. All of the user's credentials will effectively be sent to cybercriminals in an indiscriminate manner, be it just the remote software account or the account he is using on the remote computer. What this breach can affect is not only his own remote computer but the whole network in which it resides, if it is part of the corporate network. The attacker can access it with the same privileges as the user, which could later be elevated to higher access rights.
Every network is unique, based on its users and the business requirements. That makes it harder for you to say no to everything you know is dangerous to your network. In order to protect against these remote access tools, you might already know or have what it takes. Here's how. They are sorted by the level of complexity involved, easiest first.
- Allow all or block all. (I know this does not count.)
- Segregate your network. If your network has a range of public IPs, dedicate a specific IP to each business unit or requirement. For example, set different IPs for finance, marketing, operations, or for executives, managers, directors, guests. From there, you can allow or disallow the use of remote software for a specific group.
- Educate the users. Conduct a security awareness discussion targeted at the use of this software and the security implications it may introduce to the business. Let the users know the consequences and associated penalties if this is part of the company security policy that they agreed to upon joining.
- Implement application white-listing. Although this approach has much wider benefits, especially if your network does not have external users connecting to it, it can eliminate not just these tools but restrict the usage of any software in your environment.
- Keep all software updated. This applies to all software in the organization and can extend to the user's personal computer when they will be using it to access the remote computer. Software covers the OS, applications, anti-virus, internet security and the remote access software itself. When using software that supports logging, make sure the feature is enabled by default.
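The segregation step above is, in practice, a source-based policy: once each business unit sits in its own address range, the firewall or proxy can decide per group whether a connection to a remote-access service is permitted. The following is an added example (not the post's own configuration, and not tied to any particular firewall product) that expresses such a policy as data and evaluates connection records against it, so the rule set can be reviewed and audited before it is translated into real firewall rules. The group ranges, the allowed-group list and the remote-access host names (sync.remote-vendor.example, relay.remote-vendor.example) are all constructed; it applies the post's per-group idea to internal source ranges rather than the public IPs the post mentions.

```python
"""Per-group egress policy for remote-access tools, evaluated against
(source_ip, destination_host) records.

Added example, not part of the original post. All ranges, group names and
host names below are constructed for illustration.
"""
import ipaddress

# Constructed: each business unit gets its own source range.
GROUPS = {
    "finance":    ipaddress.ip_network("10.10.0.0/24"),
    "operations": ipaddress.ip_network("10.20.0.0/24"),
    "guests":     ipaddress.ip_network("192.168.50.0/24"),
}

# Constructed: destinations that belong to remote-access tools.
REMOTE_TOOL_HOSTS = {"sync.remote-vendor.example", "relay.remote-vendor.example"}

# Only these groups may reach remote-access services; every other group, and
# any source outside a known range, is denied by default.
ALLOWED_GROUPS = {"operations"}


def group_for(ip):
    """Return the business-unit name whose range contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in GROUPS.items():
        if addr in net:
            return name
    return None


def decide(src_ip, dest_host):
    """Return (verdict, reason) for one connection; verdict is 'allow' or 'deny'."""
    if dest_host not in REMOTE_TOOL_HOSTS:
        return "allow", "not a remote-access destination"
    grp = group_for(src_ip)
    if grp is None:
        return "deny", "source is not in any known segment"
    if grp in ALLOWED_GROUPS:
        return "allow", f"group '{grp}' is permitted to use remote-access tools"
    return "deny", f"group '{grp}' is not permitted to use remote-access tools"


def audit(records):
    """Apply the policy to a list of (src_ip, dest_host) pairs.

    Returns a list of (src_ip, dest_host, verdict, reason) tuples in input
    order, which is the review artefact you would hand to whoever approves
    the rule change.
    """
    return [(src, host) + decide(src, host) for src, host in records]


# Constructed connection records, e.g. lifted from a proxy log.
SAMPLE_RECORDS = [
    ("10.20.0.15",    "sync.remote-vendor.example"),   # operations: allowed
    ("10.10.0.7",     "relay.remote-vendor.example"),  # finance: denied
    ("192.168.50.22", "sync.remote-vendor.example"),   # guest: denied
    ("172.16.9.3",    "sync.remote-vendor.example"),   # unknown segment: denied
    ("10.10.0.7",     "news.example.org"),             # ordinary browsing: allowed
]


if __name__ == "__main__":
    for src, host, verdict, reason in audit(SAMPLE_RECORDS):
        print(f"{verdict.upper():5} {src:15} -> {host:30} ({reason})")
```

The default-deny for unknown sources is the important design choice: a machine that is not in any defined segment should not get remote access by accident just because nobody wrote a rule for it. Combined with the logging point above, the same `audit` output doubles as a list of who tried to use these tools from where.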
I believe the above steps are known to all of you folks out there, but do take a moment to reconsider what we should really allow on our networks.
In case anyone is wondering what my milestones for 2013 will be, I will be doing either CISM or CISMP, depending on my interest at that point in time, and also PMP. If I can juggle my time well, I will get back to the programming ground with Python.