In a recent Defcon presentation, three researchers demonstrated that scanning the Internet, the entire Internet, is now a practical exercise. That idea alone should force us all to re-frame how we measure the effectiveness of our infrastructure’s defensive posture, but that is not the topic of this post. As part of their work, the team showed the scale of unauthenticated remote access set up on business and personal endpoints reachable from the Internet. As families acquire more and more Internet-connected endpoints, it appears that someone in each household wants to access or manage some of them remotely. This might be as simple as reaching the “office Mac” from a tablet on the couch, or as reckless as unauthenticated remote access to that home office endpoint while traveling. The use case matters less than the behavior itself. If people are setting up unauthenticated remote access (or using default or easily guessed passwords) on the endpoints they also want to bring to work, we all have a problem.
However ill-conceived, BYOD experiments, and even formal BYOD programs, seem to be a fever without a cure. When a financial services workforce uses non-company endpoints, we inherit all the risks of their all-too-often unprofessional and uninformed management practices. Now we have evidence that one facet of that behavior is the installation and use of unauthenticated remote access software. There are a number of popular approaches. The Defcon presentation appears to have focused on VNC (virtual network computing), but other packages are widely used for convenient remote access; Wikipedia lists dozens.
We need to train our workforce to limit their exposure (and the organization’s, via BYOD) to the risks associated with remote access software. At the very highest level, they need to understand that for any endpoint used for financial services work:
- Don’t run software (whatever it is) that is not really needed.
- If you really need it, learn how to manage it and configure it to deliver only the features you need. In an end-user-managed BYOD environment, running software you don’t understand is not risk-reasonable while performing financial services business (our regulators require, and our customers and partners expect, that we conduct business using risk management practices stronger than simple ‘hope’).
- If you need remote access, exercise the principle of least privilege:
  - Install and configure the software so that it is not turned on by default (if it is not running, it cannot support unintended remote access).
  - Turn on your remote access software only when you need it, and turn it off again as soon as is practical afterward.
  - Configure the remote access software with a risk-reasonably short session timeout.
  - Permit only uniquely authenticated users, each with a strong, unique, time-limited password.
  - Restrict remote access to your endpoint as much as possible.
  - Turn off all the remote access you can get away with.
- Use multiple layers of protection to implement defense in depth:
  - Run an endpoint firewall configured to reject all inbound connection attempts except those you explicitly authorize.
  - Don’t grant apps permissions that you don’t understand.
  - Don’t grant apps permissions that would enable access to business data or business communications.
  - Run one or more anti-malware packages.
  - Use security-centric web proxies.
  - Configure your browser(s) with their most paranoid settings.
  - Turn on your search engine’s safe-browsing or hostile-site warning service.
  - If your operating system supports it, do your work without administrative rights (don’t make yourself equivalent to root or the local administrator).
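The “uniquely authenticated users” requirement above can be checked directly against a VNC service rather than taken on trust. The following Python example is added here and is not code from the original post or from the Defcon team’s tooling. It parses the RFB (VNC) handshake a server sends and reports whether the server offers the ‘None’ security type, which is exactly the unauthenticated configuration the mass scan found. The parsing functions run offline against constructed handshake bytes; probe() performs a live handshake against a host you own and stops before any authentication. The security type IDs come from the RFB protocol specification; the default port 5900 and the timeout are assumptions.

```python
import socket
import struct

# Security type IDs from the RFB protocol specification.
RFB_SECURITY_NONE = 1       # no authentication at all
RFB_SECURITY_VNC_AUTH = 2   # DES challenge/response over an 8-character password
SECURITY_NAMES = {
    0: "Invalid/refused", 1: "None (unauthenticated)", 2: "VNC Authentication",
    5: "RA2", 6: "RA2ne", 16: "Tight", 18: "TLS", 19: "VeNCrypt",
}


def parse_server_version(data):
    """Parse the 12-byte 'RFB xxx.yyy\\n' banner; return (major, minor) or None."""
    if len(data) < 12 or not data.startswith(b"RFB ") or data[11:12] != b"\n":
        return None
    try:
        return int(data[4:7].decode()), int(data[8:11].decode())
    except ValueError:
        return None


def parse_security_types(version, data):
    """Parse the server's security-type message sent after version negotiation.

    RFB 3.3: a single big-endian u32 security type (0 = connection failed).
    RFB 3.7/3.8: u8 count followed by `count` u8 security types (count 0 = failed).
    Returns the list of offered security type IDs ([] when the server refused).
    """
    if version == (3, 3):
        if len(data) < 4:
            raise ValueError("short RFB 3.3 security message")
        sec = struct.unpack(">I", data[:4])[0]
        return [] if sec == 0 else [sec]
    if not data:
        raise ValueError("short security-type list")
    count = data[0]
    if count == 0:
        return []  # a reason string follows; nothing to authenticate with
    types = list(data[1:1 + count])
    if len(types) != count:
        raise ValueError("truncated security-type list")
    return types


def assess(types):
    """Turn the offered types into a finding a BYOD reviewer can act on."""
    if RFB_SECURITY_NONE in types:
        return "UNAUTHENTICATED"          # anyone who can reach the port gets the desktop
    if not types:
        return "REFUSED"                  # server declined (e.g. client not whitelisted)
    if all(t == RFB_SECURITY_VNC_AUTH for t in types):
        return "PASSWORD_ONLY"            # classic VNC auth: 8-char password, no account
    return "OTHER"                        # TLS/VeNCrypt/Tight etc.; inspect further


def probe(host, port=5900, timeout=3.0):
    """Live handshake against host:port (only against endpoints you own)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(12)
        version = parse_server_version(banner)
        if version is None:
            return "NOT_RFB", []
        # Reply with the highest version we speak that the server also speaks.
        negotiated = (3, 8) if version >= (3, 8) else version
        s.sendall(b"RFB %03d.%03d\n" % negotiated)
        types = parse_security_types(negotiated, s.recv(256))
        return assess(types), [SECURITY_NAMES.get(t, str(t)) for t in types]


if __name__ == "__main__":
    # Constructed handshake bytes standing in for a real server response.
    version = parse_server_version(b"RFB 003.008\n")
    offered = parse_security_types(version, b"\x02\x01\x02")
    print(version, offered, assess(offered))
```

Note that “PASSWORD_ONLY” is still a weak result for a business endpoint: the classic VNC scheme has no user identity, truncates the password to eight characters and, in many servers, no lockout. A result other than “REFUSED” or a tunneled scheme is a reason to turn the service off.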
In addition to end user education, and before permitting even the most limited BYOD experiment, financial services enterprises should configure their infrastructure to resist the use of virtually all known remote access software on those non-company devices. Port blocking and protocol recognition will not be perfect, but they will stop the unauthorized use of the most casual installations. Because that blocking is imperfect, we also need our SIEM infrastructure configured to alert on remote access attempts, and staff to deal with those alerts. Using the same signature and/or correlation logic configured in the SIEM, those with widespread IPS infrastructure can block BYOD remote access attempts (at least in some scenarios).
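The SIEM signature and correlation logic described above, as an added Python example that is not part of the original post and not tied to any particular SIEM product. It parses constructed key=value firewall log lines (the format, the BYOD segment 10.20.30.0/24 and the addresses, drawn from the documentation ranges, are all assumptions), flags connections to the default ports of VNC, RDP and TeamViewer inside that segment, grades them by whether the source was external and whether the firewall already dropped the attempt, and then correlates distinct external sources per target, which is the pattern mass scanning leaves behind.

```python
import ipaddress
import re
from collections import defaultdict

# Default listening ports for common remote access packages. Assumption: defaults
# only; a user can move a service to another port, so this is a first-pass
# signature, not proof of absence. Protocol recognition would catch the rest.
REMOTE_ACCESS_PORTS = {3389: "RDP", 5938: "TeamViewer"}
REMOTE_ACCESS_PORTS.update({p: "VNC" for p in range(5900, 5910)})

# RFC 1918 space counts as "internal"; everything else is treated as Internet.
# (Deliberately not ipaddress.is_private, which also classes the documentation
# ranges used in the sample below as private.)
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed key=value firewall log format.
LOG_RE = re.compile(
    r"ts=(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+"
    r"dport=(?P<dport>\d+)\s+action=(?P<action>\w+)"
)

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOGS = """\
ts=2014-08-18T09:01:02Z src=203.0.113.7 dst=10.20.30.41 dport=5900 action=allow
ts=2014-08-18T09:01:05Z src=10.20.30.12 dst=10.20.30.41 dport=5900 action=allow
ts=2014-08-18T09:02:10Z src=198.51.100.9 dst=10.20.30.41 dport=3389 action=deny
ts=2014-08-18T09:03:00Z src=203.0.113.7 dst=10.20.30.55 dport=443 action=allow
ts=2014-08-18T09:04:00Z src=192.0.2.44 dst=10.20.30.41 dport=5938 action=allow
"""


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Return an event dict for a well-formed line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    return ev


def classify(ev, byod_net):
    """Alert when a remote access port is targeted inside the BYOD segment.

    Severity: external source that got through = high; internal source = medium;
    external source the firewall already dropped = low (still ticketed, because
    the port block will not catch the same service on a non-default port).
    """
    service = REMOTE_ACCESS_PORTS.get(ev["dport"])
    if service is None or ipaddress.ip_address(ev["dst"]) not in byod_net:
        return None
    external = not is_internal(ipaddress.ip_address(ev["src"]))
    if not external:
        severity = "medium"
    elif ev["action"] == "allow":
        severity = "high"
    else:
        severity = "low"
    return {**ev, "service": service, "external": external, "severity": severity}


def detect(log_text, byod_cidr):
    """Signature stage: one alert per matching log line."""
    byod_net = ipaddress.ip_network(byod_cidr)
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        alert = classify(ev, byod_net) if ev else None
        if alert:
            alerts.append(alert)
    return alerts


def summarize(alerts):
    """Correlation stage: distinct external sources per targeted endpoint.
    Several unrelated Internet sources hitting one endpoint's remote access
    port is what an Internet-wide scan looks like from the victim side."""
    sources = defaultdict(set)
    for a in alerts:
        if a["external"]:
            sources[a["dst"]].add(a["src"])
    return {dst: len(srcs) for dst, srcs in sources.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS, "10.20.30.0/24")
    for a in found:
        print(f'{a["ts"]} {a["severity"]:6} {a["service"]:10} '
              f'{a["src"]} -> {a["dst"]}:{a["dport"]} ({a["action"]})')
    print("distinct external sources per target:", summarize(found))
```

The same two stages map onto an IPS: the signature stage is what a port- or protocol-based block rule implements, and the correlation stage is what justifies the staffing the post calls for, since a single denied probe is noise but three different Internet sources reaching one BYOD endpoint’s VNC port is a finding.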
All of the security measures required to deal with BYOD fever add expense that needs to be introduced into the BYOD economic equation. All of the new risks also need to be added to the overall enterprise risk management pool. The impacts will differ between organizations. For some, it seems reasonable to assume that the new costs and risks will far exceed any real benefit that BYOD could deliver in a financial services enterprise environment.
REFERENCES:
“Thousands of computers open to eavesdropping and hijacking.” Lisa Vaas, Naked Security (Sophos), August 15, 2014, http://nakedsecurity.sophos.com/2014/08/15/thousands-of-computers-open-to-eavesdropping-and-hijacking/
“Mass Scanning the Internet: Tips, Tricks, Results.” Robert Graham, Paul McMillan and Dan Tentler, DEF CON 22, https://www.defcon.org/html/defcon-22/dc-22-speakers.html#Graham
“Comparison of remote desktop software.” Wikipedia, http://en.wikipedia.org/wiki/Comparison_of_remote_desktop_software
“Principle of least privilege.” Wikipedia, http://en.wikipedia.org/wiki/Principle_of_least_privilege
“Defense in depth (computing).” Wikipedia, http://en.wikipedia.org/wiki/Defense_in_depth_%28computing%29