Another Remote Access-Enabled Breach

The same tools that help our workforce remain productive when outside their brick-and-mortar place of business are being exploited by cyber-criminals to break into business’s computer networks (I wrote about one facet of this issue late last week). Today we learned that this led to the theft of customer credit and debit data at 51 UPS franchises in the United States. Recently we read about it being used to hack into retailers like Target and Neiman Marcus.

In a recent report the Homeland Security Department warned that hackers are scanning Internet-accessible systems for remote access software. They appear to be omnivores, targeting platforms made by Apple, Google, LogMeIn, Microsoft, Pulseway, and Splashtop that help remote workers to access business computer networks over an Internet connection.

When the hostile actors identify targeted remote access software, they install malware and then have means to effectively ‘guess’ login credentials — or in some situations, the endpoint hosts unauthenticated remote access, requiring no password at all. Once the hostile actors acquire a foothold, they have a difficult-to-detect entry point into business networks.

Under any circumstances this is a problem, but for endpoints used by members of the workforce having elevated rights — consider database analysts, finance administrators or executives, investment pipeline or their back office settlement personnel, top-tier executives, and more (for most financial services enterprises the list goes on and on) — the potential for material harm is real and present.

In that context experts recommend:

Remote Desktop Access

  • Configure the account lockout settings to lock a user account after a period of time or a specified number of failed login attempts. This helps to resist unlimited unauthorized attempts to login whether from an unauthorized user or via automated attack types like brute force.
  • Limit the number of users and workstation who can log in using Remote Desktop. Perform risk assessments to help determine access.
  • Use firewalls (both software and hardware where available) to restrict access to remote desktop product/service listening ports (TCP 3389 et.al.).
  • Change the default ‘remote desktop’ listening port(s).
  • Define complex password parameters. Configuring an expiration time and password length and complexity can decrease the amount of time in which a successful attack can occur.
  • Require strong two-factor authentication (2FA) for remote desktop access.
  • Install and professionally-manage a ‘remote desktop’ gateway to restrict access.
  • Add an extra layer of authentication and encryption by tunneling your remote desktop through enterprise-managed IPSec, SSH or SSL.
  • Require strong two-factor authentication when accessing sensitive networks. Even if a virtual private network is used, it is important that strong two-factor authentication is implemented to help mitigate the risks associated with keylogger or credential dumping attacks.
  • Severely limit administrative privileges for remote users and applications.
  • Periodically review systems (local and domain controllers, and the rest of your directories) for unknown and dormant users.

Network Security

  • Review firewall configurations and ensure that only allowed ports, services and Internet protocol (IP) addresses are communicating with your network. This is especially critical for outbound (e.g., egress) firewall rules in which compromised entities allow ports to communicate to any IP address on the Internet. Hostile actors leverage this configuration to exfiltrate data to their IP addresses.
  • Segregate sensitive network segments from other networks.
  • Apply access control lists (ACLs) and other traffic verification technology on router configurations to help enforce defense in depth used to limit unauthorized traffic to sensitive network segments.
  • Create strict firewall rules and ACLs segmenting public-facing systems and back-end database (or other) systems that house sensitive non-public data.
  • Implement data leakage prevention/detection tools to detect and help prevent data exfiltration.
  • Implement tools to detect anomalous network traffic and anomalous behavior by legitimate users (compromised credentials).
  • Actively monitor, respond to, and follow through on security alerts.

REFERENCES:

“Checking In From Home Leaves Entry for Hackers.” By Nicole Perlroth, 07-31-2014. http://www.nytimes.com/2014/07/31/technology/checking-in-from-home-leaves-entry-for-hackers.html?_r=0

“Alert (TA14-212A) — Backoff Point-of-Sale Malware.” 07-31-2014 & Last revised on 08-18-2014 https://www.us-cert.gov/ncas/alerts/TA14-212A

“United Parcel Service Confirms Security Breach.” By Nicole Perlroth, 08-20-2014. http://mobile.nytimes.com/blogs/bits/2014/08/20/ups-investigating-possible-security-breach/

“Another BYOD Security Challenge – User-Managed Remote Access Software.” https://completosec.wordpress.com/2014/08/16/another-byod-security-challenge-user-managed-remote-access-software/

“Another BYOD Security Challenge — User-Managed Remote Access Software.” https://completosec.wordpress.com/2014/08/16/another-byod-security-challenge-user-managed-remote-access-software/

“Keylogger Revealed in the Apple iOS Ecosystem.” https://completosec.wordpress.com/2014/02/25/keylogger-revealed-in-the-apple-ecosystem/

“BYOD = Bring Your Own Demise?” https://completosec.wordpress.com/2013/06/22/byod-bring-your-own-demise/

“Another Reason to Resist BYOD Using Consumer Mobile Devices.” https://completosec.wordpress.com/2013/07/04/another-reason-to-resist-byod-using-consumer-mobile-devices/

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: