“Remote access is probably the key problem to all problems we have within security,” says Doug Howard, chief operating officer at BT Counterpane, a managed security firm in Chantilly, Va. “10 years ago, most of the IT security concerns we have today didn’t exist because you didn’t have people logging into remote systems. Today, in order for anyone to do business, you have to let other people inside our systems whether it be partners, remote workers or suppliers.”
Securing networks that are accessed remotely is as much a business issue as it is a technology one, security experts say. Preventing security breaches is not just about putting layers of technology on the network — but ensuring that the technology is properly managed.
A Management Issue
While remote access is a manageable threat, it’s one that tends to be a low priority for IT, says Jon Oltsik, a senior analyst at Enterprise Strategy Group in Milford, Mass.
“Part of the problem is in the number of remote access methods and the sloppiness of the way things are managed,” says Oltsik. “Companies tend to have multiple ways they allow remote workers to get onto their systems.”
Those workers may have user accounts and laptops they just don’t manage properly. IT needs to get a better handle on what is on an employee’s laptop. “Managing it is as important as providing the access,” says Oltsik. “IT doesn’t look at remote access as an end-to-end solution but as a point requirement, and doesn’t integrate it into security as a whole.”
Both Oltsik and Howard recommend deploying an IDS (intrusion detection system) and/or an IPS (intrusion prevention system), which both examine incoming network traffic and block it or alert a network administrator if the system sees something suspicious.
Companies make an incorrect assumption that once someone is given a remote access account they have the appropriate credentials. But Oltsik says no one accessing the network should be trusted until the proper steps have been taken to ensure they do not pose a security threat. Strong auditing and reporting is also lacking and that’s a function of having too many different accounts in too many places, making it difficult to get an adequate big picture, the experts say. A classic example is when a female employee gets married and changes her name — her old account is then deleted in one place on the network but not another. If someone knows about that vulnerability, they can exploit it.
Besides redundant accounts, another challenge is that users may be accessing internal applications or Web applications that reside on different servers with different system administrators, says Oltsik. That creates another challenge when trying to audit everything from a single place.
A Balancing Act
Howard cautions that as IT looks for ways to decrease remote access security risks by adding more technology to the mix, the complexity for the end user increases. For example, he says some companies will use two-factor authentication (a security technique that combines something you have with something you know), which means when someone remotely logs in with a user name and password, they will also have a physical token that generates a number that must be input as a second step. That adds more complexity for the end user, but also adds more security to the process. Yet, tokens have shown to be very successful and most corporations use two-factor authentication for accessing the network remotely.
Another potential hassle for the remote worker — but one both Howard and Oltsik say is critical — is to check the remote computer’s antivirus settings before letting anyone onto the network. If those systems are outdated, a laptop could be infected and a virus could spread to the network.
“It’s a somewhat tedious process because if users are trying to connect remotely,” says Howard, “they’re trying to do it fast and if they get a message saying, ‘Go update your antivirus software,’ it’s frustrating for them.”
The demand for remote connections will only increase, and the potential for unintended malicious access will continue to be a serious concern for enterprise security teams. “We’ve done a good job of allowing people to access networks remotely, but not at securing that access,” says Oltsik. “Remote access has grown organically and now it’s time we take a step back and figure out what to do strategically and consolidate as we need to.”