Secure remote access: how to protect your infrastructure from intruders and employee security errors
If you set up remote access to the infrastructure, it is important not only to give every employee a connection to the services they need, but also to take care of security. Attackers have been quick to exploit the widespread shift to remote work caused by the pandemic: instead of attacking the firewall and the corporate network perimeter, they now target the large number of weaknesses that have appeared on home workstations. Here I will share how to protect yourself and set up secure remote access.
TeamViewer and other software for remote access
An easy way to set up remote access is to connect through software such as TeamViewer. However, the capacity of such solutions is limited and, most importantly, they are not secure:
- There is a separate entry point for each employee: the connection cannot be verified centrally, and its quality cannot be guaranteed;
- Third-party software may contain vulnerabilities;
- Low password requirements. An intruder can scan the pool of TeamViewer IDs and guess a weak password.
TeamViewer is attacked regularly. There was a case when its ID pool was compromised: users' computers were locked and information was stolen. Once we even came across a situation when an employee connected through TeamViewer and started sending payments in an online banking system. The intruder had been waiting for an opportunity, and when the payment was sent, the payee details were intercepted and replaced. Fortunately, the bank blocked the payment and the company avoided any damage.
Vendors of remote access software are reluctant to engage with users about security issues, and it is impossible to identify who actually connects to the desktop through such systems.
TeamViewer and similar remote access software should be used only for technical assistance and under supervision: switch it on for the duration of the session, switch it off immediately afterwards, and do not leave it running at any other time.
Client-server connection
With a client-server connection, employees connect to their workplace directly rather than through a third party's servers. Most often this is done with Microsoft Windows terminal servers (Remote Desktop Services). The security of such a connection depends on how access control is configured. The main options are:
- Open access to server and terminals
- Access by IP
- Access via VPN
Open access to server and terminal
The fastest way to set up a client-server connection is to open the terminal server and workstations to the whole Internet. Any computer can then connect to the server and work with it as if it were in the office.
Open access to the server is not secure. The IPv4 address space holds only about 4 billion addresses, and far fewer hosts are actually reachable, so the whole Internet is small enough to enumerate: scanning all of it for a single port takes minutes with tools such as masscan or ZMap, and a sweep of every port takes weeks at most. An attacker who scans from dozens or hundreds of hosts instead of one cuts that time further. An exposed RDP server is found quickly, and the password guessing starts right away.
In addition, if the infrastructure is reachable through the well-known RDP port tcp/3389, attackers can exploit flaws in the service itself, not just weak passwords. In recent years several vulnerabilities allowing remote code execution without authentication have been found in Windows Remote Desktop Services, CVE-2019-0708 (BlueKeep) being the best known, so an unpatched server that is open to the Internet can be taken over even with a strong password.
Uncontrolled access to the infrastructure is used to make money:
- The intruder installs software that monitors user activity and steals financial information. This is not difficult: companies often neglect password policies, and an accountant may set a password like "12345" or a favorite dog's birthday.
- Then the attackers encrypt important data and demand a ransom for decryption.
- Or they install software that mines cryptocurrency and loads the server. This is the least harmful outcome for the business.
Only a limited number of people should have access to the corporate environment.
Controlled access to server and terminal
There are several options to set up secure access to the company's servers.
Access by a list of employees' IP addresses. To set this up, you can buy a static IP address for each employee or allow the address range of the employee's home ISP. An attack on your server can then come only from a particular employee's subnet, which is far better and more convenient than opening the door to the whole Internet. Bear in mind that allowing an entire ISP range admits every other customer of that ISP as well, so an allowlist reduces exposure but does not replace strong authentication.
Access by a dynamic list (port knocking). Access is granted in response to a specific sequence of actions by the employee. A script on the client performs the sequence, for example: send three pings to the server, then a ping with a different packet size, then connect to a specific closed port, and only then is the remote desktop port opened for that source address for a limited time. Port knocking hides the service from scanners, but the knock sequence is a shared secret sent in the clear and can be replayed by anyone who observes it, so it is an extra obscurity layer on top of authentication, not a replacement for it.
VPN access. A virtual private network set up by technical specialists. There are many VPN technologies; the choice depends on what matters more to the company: performance, price or versatility.
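The following is an added example for the two options above (access by IP address and port knocking), not code from the article's author or any product. It models the decision a firewall makes for each inbound connection to the remote desktop port: accept if the source is on a static allowlist, or if it has recently completed the knock sequence; everything else is dropped. The knock sequence, the allowlisted subnets, the timeouts and the sample traffic are all assumptions chosen for the illustration.

```python
"""Firewall-style decision logic for a terminal server port (RDP, tcp/3389):
a static IP allowlist plus a port-knocking sequence that opens the port for
a source for a short time. Added example for this article, not code from
any product; the knock sequence, the allowlisted subnets and the sample
traffic are assumptions."""
import ipaddress
from dataclasses import dataclass, field

RDP_PORT = 3389
KNOCK_SEQUENCE = (7000, 8000, 9000)   # assumed: SYNs to these closed ports, in order
KNOCK_WINDOW = 10.0                   # seconds allowed to finish the whole sequence
GRANT_TTL = 30.0                      # seconds the source may open RDP after a good knock

# Assumed allowlist: an employee's home ISP range and one purchased static address.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]


def allowed_by_ip(src: str) -> bool:
    """Static allowlist check (the 'access by IP' option)."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWLIST)


@dataclass
class KnockTracker:
    """Per-source progress through KNOCK_SEQUENCE plus temporary grants."""
    progress: dict = field(default_factory=dict)   # src -> (next_index, first_knock_ts)
    grants: dict = field(default_factory=dict)     # src -> grant expiry timestamp

    def observe(self, src: str, dst_port: int, ts: float) -> bool:
        """Feed one SYN to a closed port. Returns True when src completes the sequence."""
        idx, started = self.progress.get(src, (0, ts))
        if ts - started > KNOCK_WINDOW:
            idx, started = 0, ts                      # too slow: start over
        if dst_port == KNOCK_SEQUENCE[idx]:
            idx += 1
        else:
            # A wrong port resets the sequence, so a linear port scan never
            # completes it; the wrong port may itself be a fresh first knock.
            idx, started = (1, ts) if dst_port == KNOCK_SEQUENCE[0] else (0, ts)
        if idx == len(KNOCK_SEQUENCE):
            self.grants[src] = ts + GRANT_TTL
            self.progress.pop(src, None)
            return True
        self.progress[src] = (idx, started)
        return False

    def decide(self, src: str, dst_port: int, ts: float) -> str:
        """Verdict for one inbound SYN: 'accept' or 'drop'."""
        if dst_port != RDP_PORT:
            self.observe(src, dst_port, ts)   # knock ports are never accepted themselves
            return "drop"
        if allowed_by_ip(src) or self.grants.get(src, 0.0) > ts:
            return "accept"
        return "drop"


def replay(packets) -> list:
    """Run (src, dst_port, ts) tuples through a fresh tracker and return verdicts."""
    tracker = KnockTracker()
    return [tracker.decide(src, port, ts) for src, port, ts in packets]


SAMPLE_TRAFFIC = [   # constructed, not captured
    ("203.0.113.45", 3389, 0.0),   # employee inside the allowlisted ISP range
    ("192.0.2.10", 3389, 1.0),     # unknown source, no knock yet
    ("192.0.2.10", 7000, 2.0),
    ("192.0.2.10", 8000, 3.0),
    ("192.0.2.10", 9000, 4.0),     # sequence complete: grant for 30 s
    ("192.0.2.10", 3389, 5.0),     # accepted
    ("192.0.2.10", 3389, 40.0),    # grant expired
    ("192.0.2.99", 7000, 50.0),
    ("192.0.2.99", 9000, 51.0),    # wrong order: progress reset
    ("192.0.2.99", 8000, 52.0),
    ("192.0.2.99", 3389, 53.0),    # still dropped
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_TRAFFIC, replay(SAMPLE_TRAFFIC)):
        print(pkt, verdict)
```

In a real deployment this logic lives in the packet filter rather than in a script: the `recent` match of iptables, or a daemon such as knockd, implements the same state machine and inserts a temporary accept rule for the knocking source. Note the two design points the example enforces: a grant expires on its own, and any out-of-sequence packet resets progress, which is what stops a sequential port scan from knocking by accident.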
Zero Trust
The idea of Zero Trust is that users face no direct obstacles when accessing the system, yet the system is as secure as possible: no request is trusted because of where it comes from, and every connection is authenticated and authorized on its own merits, whether it originates inside the office network or from home.
For a small corporate client, Zero Trust may mean two-factor authentication, protection against password guessing (lockouts and rate limiting), mandatory client certificates, and regular vulnerability scans.
The Zero Trust approach is very robust, but a quality setup costs a lot of money, so for small companies it is often unaffordable.
Rent of cloud capacities
To set up secure remote work, prepare in advance. An organization of 20-30 employees without a centralized security system will find it hard to switch to remote work; when administrators buy and configure equipment in a hurry, mistakes are inevitable. A way out is renting cloud capacity. It is not cheap, but it provides secured resources quickly.
Protection from insider threats
Work time control
There is no need to control working hours in the office specifically, because corporate culture does it: employees start the working day at 9:00, leave for lunch and return from it.
Remote work is different. Employees who have a lot of work may not get up from their computer all day, but there aren't that many such people. Everyone else can attend to their own affairs while no one is watching. Everyone at home has children, cats, refrigerators, many interesting things that distract from work. I even know of cases when people were drunk all day.
The question is how to monitor people: you cannot give every employee a camera and watch them constantly.
Time-tracking programs such as CrocoTime or Stakhanovets record what the employee did all day. Nobody actually has to review these reports; they work as "security theater": when a person knows their actions are being tracked, they stick to working hours and try to work productively. It is a useful tool.
Data theft by employees
I know of cases when, after switching to remote work, a company's sales fell several-fold. At the same time, the number of leads had not changed: clients contacted the managers as before, but no deals were closed. What was the matter?
When employees work in the office, they keep an unspoken eye on each other: no one will take pictures of the screen, send sensitive information by email or retell it over the phone.
The value of information that can be stolen by taking a picture of the screen can be great. This is especially true for companies that have expensive leads: in real estate or car business. Even the client's phone number is very valuable in these companies.
A manager who sees the number can process the request at his/her own company and receive nothing but salary, or sell the information to competitors for a bonus. The company loses the client and suffers financial and reputational damage.
The only protection against theft of leads is to hide the leads' contact details from the person who works with them: the CRM system must not show the phone number to the employee. Such a feature exists, for example, in 1C-Rarus: Call Center. Phone numbers are not displayed in the system; the phone station dials the number itself, and the operator sees only depersonalized information: "Incoming call from customer Roman". Nothing in the CRM can then be stolen at a profit. This does not protect against senior employees, who usually have access to everything, or against the technical staff who maintain the system, but the risk of losing a client decreases.
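The design just described, as an added example that is not code from 1C-Rarus or any other product: the real phone numbers live in one component that only the phone station (PBX) and administrators may query, the operator's console exposes lead ids and names plus a "call" action that returns a call handle rather than a number, and every resolution of a raw number is recorded. The roles, the sample leads, their numbers and the PBX stub are assumptions made for the illustration.

```python
"""Keeping lead contact data away from the people who work with it.
Added illustration of the design the article describes (the CRM hides the
number, the phone system dials it); not code from 1C-Rarus or any other
product. The roles, the sample leads and the PBX stub are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Lead:
    lead_id: str
    name: str
    phone: str   # stored only inside the vault, never returned to an operator


@dataclass(frozen=True)
class Principal:
    user: str
    role: str    # assumed roles: "operator", "pbx" or "admin"


class LeadVault:
    """Holds the real numbers. Only the PBX and admins may resolve them, and
    each resolution is logged: the article notes that privileged staff can
    still read everything, so at least make that access visible."""

    def __init__(self, leads):
        self._by_id = {lead.lead_id: lead for lead in leads}
        self._by_phone = {lead.phone: lead for lead in leads}
        self.audit = []   # (user, lead_id) for every raw-number access

    def names(self) -> dict:
        """The only lead data an operator ever receives."""
        return {lead_id: lead.name for lead_id, lead in self._by_id.items()}

    def name_for_caller(self, phone: str):
        """Inbound call: map the calling number to a name; the number itself stays here."""
        lead = self._by_phone.get(phone)
        return lead.name if lead else None

    def resolve(self, principal: Principal, lead_id: str) -> str:
        if principal.role not in ("pbx", "admin"):
            raise PermissionError(f"{principal.user} may not read phone numbers")
        self.audit.append((principal.user, lead_id))
        return self._by_id[lead_id].phone


class Pbx:
    """The phone station: the one component that turns a lead id into a dialled number."""

    def __init__(self, vault: LeadVault):
        self._vault = vault
        self._identity = Principal("pbx", "pbx")
        self.calls = []   # (call_id, number) stays inside the PBX

    def dial(self, lead_id: str) -> str:
        number = self._vault.resolve(self._identity, lead_id)
        call_id = f"call-{len(self.calls) + 1}"
        self.calls.append((call_id, number))
        return call_id   # handle for the operator, not the number

    def incoming(self, phone: str) -> str:
        name = self._vault.name_for_caller(phone)
        return f"Incoming call from customer {name}" if name else "Incoming call from unknown number"


class OperatorConsole:
    """What the sales manager sees: ids, names and a call button."""

    def __init__(self, vault: LeadVault, pbx: Pbx, user: Principal):
        self._vault, self._pbx, self._user = vault, pbx, user

    def lead_card(self, lead_id: str) -> dict:
        card = {"lead_id": lead_id, "name": self._vault.names()[lead_id]}
        if self._user.role == "admin":           # privileged view, audited by the vault
            card["phone"] = self._vault.resolve(self._user, lead_id)
        return card

    def call(self, lead_id: str) -> str:
        return self._pbx.dial(lead_id)


# Constructed sample data, not real customers or numbers.
LEADS = [Lead("L-1", "Roman", "+7 999 000 00 01"), Lead("L-2", "Anna", "+7 999 000 00 02")]

if __name__ == "__main__":
    vault, pbx = LeadVault(LEADS), None
    pbx = Pbx(vault)
    console = OperatorConsole(vault, pbx, Principal("sergey", "operator"))
    print(console.lead_card("L-1"), console.call("L-1"), pbx.incoming("+7 999 000 00 02"))
```

The point of the structure is that the operator's code path has no method that returns a phone number: a screenshot of the console, an exported card or a forwarded email carries only a name and an internal id, which is worthless to a competitor. The audit list in the vault is the compensating control for the admins and engineers the article says this design cannot stop.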
Security of the employee's workplace
People often work from home on their own computers, and it is impossible to control what software is installed on them. Home devices frequently have no antivirus, run pirated copies of Windows XP or are already infected with trojans. When the same computer is used to reach the corporate workspace, financial information may leak.
To solve the problem of insecure home workstations, you can use thin clients: a small box running a lightweight operating system with a built-in VPN client. Such a device is sent to each employee; the employee connects it to the Internet and immediately gets access to the terminal server or VDI (virtual desktop infrastructure). It is a convenient and economical option: the untrusted home computer is removed from the path entirely.
How to set up secure remote access
- Classic remote access is configured on the firewall, most often with a VPN. The choice depends on your budget and on your performance and functionality requirements.
- Make remote access as automated and as understandable for any employee as possible. Ideally, running a single file is all the employee needs to do to establish the connection. If employees have to follow long step-by-step instructions, the transition to remote work becomes harder and the load on technical support grows.
- Provide an alternative way into the system as a fallback in case of problems with the ISP, the OS or Wi-Fi. Technical support should have a plan for such cases.
- Make a list of employees and their permissions: to which information system each department should have access. It is convenient to set permissions with the help of VLAN. I have already talked about this in the article "How to set up network segmentation using VLAN".
- Restrict employees' access to infrastructure. Everyone should have access only to the services they work with.
For remote equipment management and virtualization we recommend using a solution by ISPsystem.
What ISPsystem platforms can do
- Remotely manage servers, network equipment and power supply;
- Support multi-vendor infrastructure in a single window;
- Automate routine operations;
- Provide full monitoring of the system;
- Manage infrastructure access permissions;
- Virtualize computing power.