SESSION 507
Thursday, March 26, 11:15 AM - 12:15 PM
Track: Desktop Support

Desktop Support and Data Breaches: The Unknown Dangers
Bryan Hood, Senior Solutions Engineer, Bomgar
bhood@bomgar.com

Session Description

According to the 2014 HDI Desktop Support Practices & Salary Report, remote control tops the list of must-have technologies required to successfully provide desktop support to end users. Unfortunately, many service desks are using legacy remote access tools that put companies at higher risk of data breaches. So, if remote control tools top the must-have list, what can service desks do to support their users without putting their organizations at risk? In this session, Bryan Hood will educate desktop support professionals on how hackers are targeting legacy systems and what they need to do to secure their environments. (Fundamental)

Speaker Background

As a senior solutions engineer at Bomgar, Bryan Hood works closely with both prospects and customers to evaluate their needs for remote support and the security concerns that come along with it. With more than eighteen years of experience, Bryan helps drive efficiency, productivity, and security, having previously worked as a senior system engineer and messaging architect for several large corporations, including the US Department of Defense. Bryan is a regular speaker and presenter at conferences, events, and trade shows.
Desktop Support and Data Breaches: The Unknown Dangers
Bryan Hood, Senior Solutions Engineer, Bomgar Corporation

And we thought 2013 was The Year of the Data Breach
(chart comparing 2012, 2013 and 2014)
Anatomy of a Data Breach

- Research: a malicious insider, criminal, or foreign government determines the target and point of entry
- Incursion: known vulnerabilities; phishing and spear-phishing; malware; brute force of remote support tools
- Discovery: map the network; find targets; discover credentials; parallel movement
- Capture: install malware; install collection points
- Exfiltration: captured data sent home

Anatomy of a Data Breach: an example
- Research: the criminal group responsible is still not identified, but the malware used was created by a 17-year-old Russian.
- Incursion: an HVAC vendor's credentials were stolen via spear phishing and used to exploit a vulnerable web server.
- Discovery: likely spent more than 6 months inside the network. Obtained administrative credentials. Used RDP to connect to POS devices.
- Capture: installed BlackPOS or some variant on point-of-sale terminals to capture credit card data at the time of swipe. Created a central network share on a server and collected the data there.
- Exfiltration: consolidated and encrypted the data to send externally.

The Critical Components: What went wrong!

- People
- Privileged Access: vendor access, service account credentials, privileged accounts
- Patching and Vulnerability Scanning
- Secured Remote Control/Access Tools
- Activity Auditing and Review
The Critical Components: Service Desk Concerns

- People
- Privileged Access: vendor access, service account credentials, privileged accounts
- Patching and Vulnerability Scanning
- Secured Remote Control/Access Tools
- Activity Auditing and Review

The Problem: People

"The human element is key. All it takes is a single employee, innocently but unknowingly acting against the company's best interests, to defeat its security perimeter. We must keep in mind that social engineering (the manipulation of human weaknesses such as trust or curiosity) is an ever-present bane to any sufficiently secure infrastructure. Protection via perimeter defense no longer works; data access control and data access intelligence is key."* -Trend Micro, Anatomy of a Data Breach

In other words: your corporate network is only as secure as your "dumbest" end-user (a little harsh, OK, your most naïve end-user).

*http://www.trendmicro.com/vinfo/us/threatencyclopedia/web-attack/110/anatomy-of-a-data-breach
People: an example

Solution: Ongoing Education is Key

"Prioritize security awareness education. Businesses should regularly provide security awareness training to all employees, including contractors and temporary workers. Executives and business leaders are also prime targets, so training should be required for anyone who has access to private information. End-users often are considered the weakest link when it comes to security. Training them on security best practices can reduce the risk of data loss and lessen the burden on already-stressed IT security teams." -Trustwave 2014 Security Pressures Report
The Problem: Privileged Access

- VPN connections for vendors restrict which end system they connect to, but do little to control what they do once connected
- Administrative accounts can be easily abused by a malicious insider

Privileged Access: an example
Solution: Control and Audit Privileged Access

- When possible, actively escort vendors into the applications and systems they support.
- For all other vendors, disable accounts by default, and record everything done on the system or application.
- Limit as much as possible the number of users with administrative privileges, and record everything.

The Problem: Remote Support Tools

"Recent investigations revealed that malicious actors are using publicly available tools to locate businesses that use remote desktop applications. Remote desktop solutions like Microsoft's Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop 2, Pulseway, and LogMeIn/Join.Me offer the convenience and efficiency of connecting to a computer from a remote location. Once these applications are located, the suspects attempted to brute force the login feature of the remote desktop solution."
https://www.us-cert.gov/sites/default/files/publications/BackoffPointOfSaleMalware_0.pdf
Why are Remote Support Tools a Target?

- Easy to find connections on the Internet
- Some, like RDP, use an open listening port (TCP 3389)
- Weak or shared passwords are common; often no 2FA
- Often have limited user management capabilities
- Some have limited logging and no centralized audit trail

Remote Support: an example
Solutions: Homeland Security US-CERT Recommendations (The Eye Chart)

- Configure the account lockout settings to lock a user account after a period of time or a specified number of failed login attempts. This prevents unlimited unauthorized attempts to login, whether from an unauthorized user or via automated attack types like brute force.
- Limit the number of users and workstations who can log in using Remote Desktop.
- Use firewalls (both software and hardware where available) to restrict access to remote desktop listening ports (default is TCP 3389).
- Change the default Remote Desktop listening port.
- Define complex password parameters. Configuring an expiration time and password length and complexity can decrease the amount of time in which a successful attack can occur.
- Require two-factor authentication (2FA) for remote desktop access.
- Install a Remote Desktop Gateway to restrict access.
- Add an extra layer of authentication and encryption by tunneling your Remote Desktop through IPSec, SSH or SSL.
- Require 2FA when accessing payment processing networks. Even if a virtual private network is used, it is important that 2FA is implemented to help mitigate keylogger or credential dumping attacks.
- Limit administrative privileges for users and applications.
- Periodically review systems (local and domain controllers) for unknown and dormant users.

https://www.us-cert.gov/ncas/alerts/ta14-212a

Quick Wins

1. Consolidate and centralize remote access tools
2. Block access from all unapproved technologies
3. Implement two-factor authentication
4. Set permissions for least privilege
5. Track and audit activity
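As an added example (not from the session or from Bomgar), the following Python script turns the account-lockout and audit-trail points above into a detection rule: it reads constructed Windows Security log lines, flags any source with too many failed Remote Desktop logons (logon type 10) inside a sliding window, and then reports any RDP logon that later succeeded from a flagged source. The one-line "timestamp event_id logon_type account source_ip" record format is an assumption made for the example; real 4625/4624 events would be read from the event log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): one record per line in the
# simplified form "timestamp event_id logon_type account source_ip".
SAMPLE_EVENTS = """\
2015-03-26T11:15:01 4625 10 administrator 203.0.113.7
2015-03-26T11:15:03 4625 10 administrator 203.0.113.7
2015-03-26T11:15:05 4625 10 admin 203.0.113.7
2015-03-26T11:15:06 4625 10 administrator 203.0.113.7
2015-03-26T11:15:08 4625 10 pos_svc 203.0.113.7
2015-03-26T11:15:10 4625 10 administrator 203.0.113.7
2015-03-26T11:16:40 4624 10 pos_svc 203.0.113.7
2015-03-26T11:30:00 4625 10 jsmith 10.0.0.25
2015-03-26T13:00:00 4625 10 jsmith 10.0.0.25
"""

FAILED_LOGON = "4625"     # Windows Security event: an account failed to log on
SUCCESS_LOGON = "4624"    # Windows Security event: an account was successfully logged on
RDP_LOGON_TYPE = "10"     # RemoteInteractive, i.e. a Remote Desktop session

def parse_events(text):
    """Split the simplified records into (timestamp, event_id, logon_type, account, src)."""
    events = []
    for line in text.splitlines():
        ts, event_id, logon_type, account, src = line.split()
        events.append((datetime.fromisoformat(ts), event_id, logon_type, account.lower(), src))
    return events

def find_rdp_brute_force(events, threshold=5, window_minutes=10):
    """Return {source_ip: total_failures} for sources that reach `threshold` failed
    RDP logons within any `window_minutes` span (the same logic as a lockout policy)."""
    failures = defaultdict(list)
    for ts, event_id, logon_type, _, src in events:
        if event_id == FAILED_LOGON and logon_type == RDP_LOGON_TYPE:
            failures[src].append(ts)
    flagged, window = {}, timedelta(minutes=window_minutes)
    for src, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = len(times)
                break
    return flagged

def successes_after_brute_force(events, flagged):
    """RDP logons that succeeded from an already-flagged source: the highest-priority
    finding, because it suggests a guessed password rather than a blocked attempt."""
    return [(ts.isoformat(), account, src) for ts, event_id, logon_type, account, src in events
            if event_id == SUCCESS_LOGON and logon_type == RDP_LOGON_TYPE and src in flagged]
```

Two failures ninety minutes apart from 10.0.0.25 stay below the default threshold, so a user mistyping a password is not reported while the burst from 203.0.113.7, and the successful pos_svc logon that follows it, is.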
Questions?

Thank you for attending this session. Don't forget to complete an evaluation form!