I don’t think anyone would dispute that the way we do business has changed pretty radically over the last few years, especially when it comes to remote working. Companies of all sizes have become accustomed to the idea of their employees not all working at the same office locations, and indeed often not working from physical offices at all.
There are good reasons to embrace this transformation: a study last year by the International Workplace Group found that flexible working can improve productivity by as much as 85%. But, from a security standpoint, it raises challenges that you must be ready to address.
Many of those challenges are to do with support. Even if your employees are all based on-site, remote support is nowadays the norm for 90% of the SMB businesses I come into contact with. It’s popular because it’s highly efficient in terms of both costs and human resources – but when I talk to infosecurity professionals about remote support, one telling phrase crops up time and time again: “necessary evil”.
The precise nature of that “evil” depends on whether we’re talking about internal or external access. By that I mean that there are certain threats to consider, and security stances to adopt, when it’s your own IT staff running remote-support software; the considerations are different if you’re outsourcing that support role to third-party agents, who have their own security systems and practices, and may well be personally unknown to anyone within your business.
Internal support risks
It hardly needs saying that remote-access software can never be perfectly secure, but there are things you can do to minimise the risks – and things you can’t do. “If you’re going to deploy it, there are two scenarios you should seek especially to avoid,” says Andy Swift, head of offensive security at Six Degrees.
The first is maintaining multiple support applications within your environment. Hopefully you can see the danger with that right away: it’s all about size mattering – attack surface size, that is. Every remote-access application you maintain gives a potential threat actor another unique attack vector to probe. In other words, each extra application you run increases the number of ways an intruder might get in. “Select one support software application and use it ubiquitously across your entire infrastructure,” Swift advises.
The second situation that Swift warns against is one he’s often encountered during penetration tests, namely “software builds that have differing configuration standards across an infrastructure”. Like running a wide range of support software, Swift explains that a diverse ecosystem of platforms and configurations “offers would-be attackers a window of opportunity to infect not only the host but the entire network”. Again, his mitigation advice is pretty simple: “Maintain consistent software security configurations throughout your entire infrastructure.”
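Both of Swift's warnings (several remote-support products in use, and security settings that differ from host to host) are the kind of thing an inventory audit can surface before a pen tester does. The following script is an added example, not code from the article or from Six Degrees: the inventory format, host names, product names and setting keys are all invented for illustration, and it checks a constructed fleet inventory against a single security baseline.

```python
"""Audit a fleet inventory for two remote-support hygiene problems:
more than one remote-support product in use, and hosts whose remote-support
security settings drift from (or omit) a single baseline.

Added example; the inventory, product names and setting keys are constructed.
"""
from dataclasses import dataclass

# Baseline every remote-support installation is expected to match (constructed).
BASELINE = {
    "mfa_required": True,
    "user_must_accept_session": True,
    "session_logging": True,
    "exposed_to_internet": False,
}

# Constructed inventory: host -> list of (product, settings) for each
# remote-support product installed on that host.
CONFORMANT = {
    "mfa_required": True,
    "user_must_accept_session": True,
    "session_logging": True,
    "exposed_to_internet": False,
}
INVENTORY = {
    "ws-finance-01": [("SupportToolA", dict(CONFORMANT))],
    # Sessions can be started without the user accepting them.
    "ws-finance-02": [("SupportToolA", {**CONFORMANT, "user_must_accept_session": False})],
    # A second product, internet-exposed, with no MFA and no logging, and one
    # baseline key never configured at all.
    "srv-app-01": [
        ("SupportToolA", dict(CONFORMANT)),
        ("SupportToolB", {"mfa_required": False,
                          "session_logging": False,
                          "exposed_to_internet": True}),
    ],
}


@dataclass(frozen=True)
class Finding:
    host: str    # "*" for fleet-wide findings
    kind: str    # multiple-products, multiple-products-on-host, drift, missing-setting
    detail: str


def products_in_use(inventory):
    """Distinct remote-support products across the whole fleet, sorted."""
    return sorted({product for entries in inventory.values() for product, _ in entries})


def audit_inventory(inventory, baseline):
    """Return a list of Findings; an empty list means the fleet matches the baseline."""
    findings = []

    products = products_in_use(inventory)
    if len(products) > 1:
        findings.append(Finding("*", "multiple-products", ", ".join(products)))

    for host, entries in sorted(inventory.items()):
        if len(entries) > 1:
            names = ", ".join(product for product, _ in entries)
            findings.append(Finding(host, "multiple-products-on-host", names))
        for product, settings in entries:
            for key, expected in baseline.items():
                actual = settings.get(key)
                if actual is None:
                    findings.append(Finding(host, "missing-setting", f"{product}: {key} not set"))
                elif actual != expected:
                    findings.append(Finding(
                        host, "drift", f"{product}: {key}={actual!r}, baseline {expected!r}"))
    return findings


if __name__ == "__main__":
    for f in audit_inventory(INVENTORY, BASELINE):
        print(f"{f.host:14} {f.kind:26} {f.detail}")
```

In practice the inventory would be fed from whatever asset-management or endpoint-management data you already collect; the point is that a single baseline plus a mechanical comparison turns "consistent configuration across the infrastructure" into something you can verify on a schedule rather than assume.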
Oliver Pinson-Roxburgh, cofounder of business security specialist Bulletproof, also has first-hand experience of a number of issues with remote support.
“Businesses expose themselves unnecessarily by not limiting access to the remote-support software,” he warns. He’s seen setups where anyone on the network can get access to the support software, if they know it’s there – “which they will if they’ve had any support issues on their PCs,” he points out.
That possibility becomes particularly concerning when admins use weak or shared passwords, which they do more often than you’d hope. “As soon as someone knows the password, they will be able to connect to anyone’s PC with nothing more than a bit of Googling,” Pinson-Roxburgh explains. He’s even seen deployments that don’t require a user to actively accept a remote-access request – “so you might not know that someone is watching or accessing your files,” he says.
And then there’s the danger posed by systems that aren’t regularly patched, if at all. Matt Aldridge, principal solutions architect at Webroot, reveals that “time and time again, we see entire networks compromised because servers are exposed directly to the internet running remote desktop or remote-access solutions, and they are not properly protected or patched”.
“Multifactor authentication is absolutely essential,” he advises, “as is regular patching and monitoring.” Joseph Carson, chief security scientist at Thycotic, agrees that traditional security controls aren’t enough when talking about this kind of technology. Any organisation that adopts a remote-support stance has to match it with an appropriate security stance. “They must adapt with strong solutions such as identity and access management, privileged access management, encryption and multifactor authentication,” Carson says. He recommends that businesses adopt the principle of least privilege – a philosophy that gives all employees, programs and devices the bare minimum of rights and access permissions they need to carry out their work.
On a related note, let’s not forget the risks of misconfiguration. You only have to flick through the tech news headlines to see story after story about data breaches that are made possible by simple configuration errors. The same risks apply to remote-support software: Paul Bischoff, a privacy advocate at Comparitech, warns that misconfigurations “can open back doors for intruders to hijack computers, and give attackers a huge range of vectors to deliver malware, steal data and gather intelligence about company computer systems and infrastructure”. After all, we’re talking about a type of software whose entire raison d’être is to give you easy access to other computers on the network.
I’m sure I don’t need to spell out, either, that if a compromised system has root access, then in terms of consequences it’s pretty much game over. That’s why Thomas Richards, principal consultant at Synopsys, recommends that the support software – and all systems it runs on and connects to – should “undergo a penetration test and threat model to identify any additional risks”.
The principle of least privilege applies here too. “Only authorised IT support personnel should have access to the software,” Richards continues, “and all logins and actions within the software should be logged for auditing purposes.” Ideally, users should only be able to accept remote connection requests when they have an IT support ticket open, or when they’re on the phone with a support agent who is able to verify the action and name of the employee.
Same old story
The move to remote access and support may feel like a very modern idea, and certainly it’s something that forward-thinking businesses are readily adopting right now. However, remote-access software has been around for decades.
“It’s a real old-school threat vector,” Duncan Godfrey, senior director of security and compliance with Auth0, says. “Pen testers’ eyes light up when they find an open Remote Desktop Protocol [RDP] port, because they know their job just got easier.” If my memory serves me, RDP was introduced with Windows Server 2003, so the hacking community has had around 17 years to learn all about this particular part of the network attack surface.
“For security professionals it’s a headache,” Godfrey adds. “The software is typically very prone to vulnerabilities, and it’s very easy to set up remote access – for legitimate reasons or otherwise.” Indeed, during the few weeks while I was researching and writing this article, a major new proof-of-concept exploit was released that impacted the remote desktop gateway of Windows Server 2012, 2012 R2, 2016 and 2019. In January, fixes for no fewer than five RDP vulnerabilities were distributed via Windows Update, while February brought four more RDP fixes, two of them rated as critical.
It’s not all doom and gloom
Many of the experts I spoke to focused on the risks of remote support, but Chris Parker, the founder of WhatIsMyIPAddress.com, is keen to shed a more positive light on the subject. After all, while the dangers can’t be discounted, it’s important to keep sight of the bigger picture.
In this case, as Parker points out, “remote support allows system and software issues, which account for most problems, to be swiftly and efficiently resolved”. And when it comes to such things as systems being vulnerable to uninvited access, lack of adequate connection encryption and insider risk in all its forms, he warns against excessive hysteria. “Choosing a weak remote-access tool with no meaningful end-to-end encryption doesn’t make remote access risky in general,” he observes. “Just as using ‘password123’ to secure your server doesn’t mean that password-protection itself is risky.”
He also points out that, these days, any professional remote-access package “will automate the connection process to the extent that system users don’t need to do much, and won’t be able to control who has access.” And as for the insider threat, he argues that remote-support tools are a red herring: “If someone has general access to a system then they’re already capable of causing untold damage,” he explains. “Adding remote access into the mix doesn’t significantly change that.”
Andy Hague, CEO of Cyberfort Group, similarly warns against pointing the finger specifically at remote-access systems. “IT professionals should be well aware of the security risks associated with running remote-support software internally,” he says. “What too many seem to overlook is the human factor. People pose a much higher risk than any software, including remote support. Regardless of how much money is ploughed into the latest security solutions, if organisations fail to instil a top-down culture of IT security basics across the business, cyber-risks will remain.”
Hague’s advice, therefore, is that “business leaders need to focus on promoting trust, and implementing policies and processes to help mitigate the threats. They also need to devise a simple incident response model, so all employees can react to the unforeseen”.
I mentioned earlier that internal and outsourced support raise different security issues. You might well have assumed that outsourced support would be the more challenging option: after all, this involves dealing with support agents who are likely unknown to anyone within the company, and whose own security practices may be opaque at best.
In fact, the third-party approach isn’t as risky as it may seem. Ideally, an established provider with a strong track record should already have all the necessary security systems and processes in place, and that puts you in a stronger position than if your own staff are having to implement it all from scratch.
The important thing is to make sure your provider does indeed live up to the expected standards. As Matt Aldridge tells me: “It is essential that a lot of questions are asked of any provider before signing up with them.” His recommendations start with the requirement that “all remote access is fully audited and reported, and there should also be requirements on training levels and background checks on supplier personnel”.
It’s not just about checking up on the specific services you’re buying in, either. “Most IT support companies hold the keys to the kingdom for multiple organisations,” Andy Swift points out, “and this makes them prime, high-worth targets for cybercriminals.” Your provider should, therefore, also be able to quantify what it’s doing to keep its systems safe from attackers. Duncan Godfrey suggests that any remote-support candidate should be quizzed over key compliance regimes, and asked whether the provider has an infosec officer (or dedicated security team) who can explain the processes that are in place. Other things to look for are basic security requirements such as ISO 27001:2013 and Cyber Essentials Plus certification. “It should be a big red flag if they don’t offer these up freely,” Swift says.
Amid all these big-picture issues, don’t forget that trust is also needed at the desktop level, Aldridge adds. “It’s crucial that support personnel with privileged access can strongly authenticate their interactions, so users can be sure they really are who they claim to be.”
Clarifying the contract
While the risks of outsourced remote support can be minimised, there’s no denying that it does bring particular challenges. The fact that you and your employees will probably never actually meet the support personnel you’re dealing with makes it hugely important that properly audited background checks are carried out, and this is something that should be unambiguously written into your agreement. Don’t be afraid to walk away if such assurances are dismissed as unnecessary, or offered only as a chargeable extra.
The contract should also stipulate multifactor authentication, and appropriate access control. “Checks should be in place so that only the support personnel assigned to your company have access to your internal network,” Thomas Richards recommends, “and both the remote company and software they use should undergo a penetration test and threat model to identify any additional risks.”
Even if the provider’s security credentials seem impeccable, and the contract provides all the reassurances you seek, there’s another issue that might influence your final decision. As Alyn Hockey, vice president of product management at data security provider Clearswift, explains, it’s hugely important to pick a partner who’s familiar with your systems, and with the general processes and priorities of your business. “The chosen support company must be aligned with your values and systems, and be able to dovetail with those quickly and easily,” he says. Look for examples of work carried out with companies of similar sizes and in comparable industries as a good place to start your alignment assessment.
Finally, there’s the question of how you can keep an eye on what your support partner is actually doing. Pinson-Roxburgh of Bulletproof says his company has sometimes been engaged by customers to monitor a third-party support provider, to provide assurances that “their third parties were not just logging in and making unapproved changes”.
Worryingly, he mentions that he has identified occasions where businesses had “outsourced IT functions without their customers’ knowledge” and even spotted someone logging in from a different country, without the scrutiny of a security professional questioning the access.
Policy breaches can be closer to home too. “I have seen cases where, in order to get around stringent remote-access controls and requirements,” Pinson-Roxburgh continues, “IT professionals have put wireless access points into data centres and server rooms so they wouldn’t have to get physical access to provide support.” It goes without saying that this creates a massive security hole, with no oversight from the security team. Clearly, detailed monitoring is a vital part of any outsourced remote-support solution.
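Richards' controls earlier in the piece (only assigned personnel, every login and action logged, sessions accepted only against an open ticket) and the monitoring Pinson-Roxburgh describes here (unapproved changes, logins from an unexpected country, people outside the assigned team) amount to a policy that can be checked against the support tool's session log. The script below is an added example, not code from the article or from any vendor's product: the log format is a constructed JSON-lines record per session, and the roster of assigned agents, allowed countries, open tickets and change-class actions are all invented for illustration.

```python
"""Audit remote-support session records against an access policy.

Each session record is one JSON object per line (a constructed format) with:
  session_id, customer, agent, source_country, mfa, user_accepted,
  ticket, actions (list of action names), change_ref (optional)

Added example; all rosters, tickets and log lines are constructed.
"""
import json

# Policy data that would normally come from the contract / ticketing system.
ASSIGNED_AGENTS = {"acme": {"j.smith", "a.jones"}}      # personnel assigned to this customer
ALLOWED_COUNTRIES = {"acme": {"GB"}}                    # where the provider's staff work from
OPEN_TICKETS = {"acme": {"INC-1001", "INC-1002"}}       # tickets a session may be accepted against
CHANGE_ACTIONS = {"config_change", "install_software", "create_account"}  # need a change reference

# Constructed session log: one clean session and three that breach policy.
LOG_LINES = [
    '{"session_id":"s-001","customer":"acme","agent":"j.smith","source_country":"GB",'
    '"mfa":true,"user_accepted":true,"ticket":"INC-1001","actions":["view_logs"]}',
    '{"session_id":"s-002","customer":"acme","agent":"j.smith","source_country":"DE",'
    '"mfa":true,"user_accepted":true,"ticket":"INC-1002","actions":["config_change"]}',
    '{"session_id":"s-003","customer":"acme","agent":"x.subcontractor","source_country":"GB",'
    '"mfa":false,"user_accepted":true,"ticket":"INC-9999","actions":["view_logs"]}',
    '{"session_id":"s-004","customer":"acme","agent":"a.jones","source_country":"GB",'
    '"mfa":true,"user_accepted":false,"ticket":"INC-1001","actions":["install_software"],'
    '"change_ref":"CHG-42"}',
]


def parse_session(line):
    """Parse one JSON session record; unknown fields are kept, missing ones default."""
    record = json.loads(line)
    record.setdefault("actions", [])
    return record


def check_session(session):
    """Return the list of policy problems for one session (empty means compliant)."""
    customer = session["customer"]
    problems = []
    if session["agent"] not in ASSIGNED_AGENTS.get(customer, set()):
        problems.append("agent-not-assigned")
    if session["source_country"] not in ALLOWED_COUNTRIES.get(customer, set()):
        problems.append("unexpected-country")
    if not session.get("mfa"):
        problems.append("no-mfa")
    if not session.get("user_accepted"):
        problems.append("no-user-acceptance")
    if session.get("ticket") not in OPEN_TICKETS.get(customer, set()):
        problems.append("no-open-ticket")
    # Change-class actions are "unapproved changes" unless tied to a change reference.
    changes = [a for a in session["actions"] if a in CHANGE_ACTIONS]
    if changes and not session.get("change_ref"):
        problems.append("unapproved-change:" + ",".join(changes))
    return problems


def audit_log(lines):
    """Map session_id -> problems, for sessions that breach policy only."""
    results = {}
    for line in lines:
        session = parse_session(line)
        problems = check_session(session)
        if problems:
            results[session["session_id"]] = problems
    return results


if __name__ == "__main__":
    for session_id, problems in audit_log(LOG_LINES).items():
        print(session_id, "->", "; ".join(problems))
```

Run over the whole session history on a schedule, this gives the "detailed monitoring" the article calls for without relying on the provider's own word: every breach above maps to a specific clause you can put in the contract, and the rosters and ticket lists are the same data your own team needs anyway.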
By now you might be going off the very idea of remote support – but Chris Parker of WhatIsMyIPAddress again urges us to keep all of this in perspective. “Most SMBs already rely heavily on cloud storage systems and remote workers,” he says. “And if they’re happy to work that way, then adding remote support to the mix – as long as it’s handled correctly, of course – doesn’t present any significant additional threat.”
“Outsourcing remote support should act as an extension to your existing team,” agrees Andy Hague. “So in theory the risks should remain the same.” Just bear in mind that the outsourced agent will have the same access to your users and data as an insider.
Remember too that your work isn’t done once the contract is signed. “You still need to conduct regular vendor reviews and checks,” Duncan Godfrey cautions. “While it is easy to fall into bad habits and push these back when under pressure, this will keep you ahead of any possible negative change.”
At the end of the day, it’s about managing risk. “It is important to remember that no outsourced supplier can ever be 100% secure,” Matt Aldridge concludes – as, of course, nothing can be. “Both people and technical solutions can introduce risks as well as mitigate them.” To that extent, outsourced remote support is no different to in-house: it all comes down to what is an acceptable risk, and how much control you as a business have over monitoring and minimising that risk footprint.
Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.
Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.