SECURING YOUR REMOTE DESKTOP CONNECTION

Similar documents
V ISA SECURITY ALERT 13 November 2015

Top Five Data Security Trends Impacting Franchise Operators. Payment System Risk September 29, 2009

Franchise Data Compromise Trends and Cardholder. December, 2010

A Decision Maker s Guide to Securing an IT Infrastructure

Josiah Wilkinson Internal Security Assessor. Nationwide

See page 16. Thomas A. Vallas

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor January 23, 2014

Global Partner Management Notice

SecurityMetrics Vision whitepaper

Breach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security

A brief on Two-Factor Authentication

Did you know your security solution can help with PCI compliance too?

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite.

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

Data Security for the Hospitality

Alert (TA14-212A) Backoff Point-of-Sale Malware

SecurityMetrics Introduction to PCI Compliance

How To Protect Your Data From Being Stolen

MITIGATING LARGE MERCHANT DATA BREACHES

CONTENTS. PCI DSS Compliance Guide

Customer PCI 3.0 Changes = New Opportunity For You. Giles Witherspoon-Boyd SecurityMetrics

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

Implementation Guide

PCI DSS 3.0 : THE CHANGES AND HOW THEY WILL EFFECT YOUR BUSINESS

PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics

PCI Compliance Top 10 Questions and Answers

Third Party Risk Management Basics. Webinar. 26 February 2015

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance

New PCI Standards Enhance Security of Cardholder Data

Introduction. PCI DSS Overview

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

8 Steps for Network Security Protection

Security Management. Keeping the IT Security Administrator Busy

Simplêfy Client Support and Information Services. PCI Compliance Guidebook

8 Steps For Network Security Protection

How to complete the Secure Internet Site Declaration (SISD) form

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 3

For more information on SQL injection, please refer to the Visa Data Security Alert, SQL Injection Attacks, available at

Payment Card Industry Data Security Standard

PCI Compliance. Top 10 Questions & Answers

Payment Card Industry - Achieving PCI Compliance Steps Steps

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

PCI-DSS: A Step-by-Step Payment Card Security Approach. Amy Mushahwar & Mason Weisz

RemotelyAnywhere. Security Considerations

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008

Qualified Integrators and Resellers (QIR) Implementation Statement

Corporate and Payment Card Industry (PCI) compliance

74% 96 Action Items. Compliance

Payment Card Industry (PCI) Compliance. Management Guidelines

Data Security Basics for Small Merchants

The Self-Hack Audit Stephen James Payoff

Achieving Compliance with the PCI Data Security Standard

A Rackspace White Paper Spring 2010

VoipSwitch Security Audit

8/17/2010. Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year

How To Protect Your Credit Card Information From Being Stolen

DMZ Gateways: Secret Weapons for Data Security

GFI White Paper PCI-DSS compliance and GFI Software products

Achieving PCI-Compliance through Cyberoam

SecurityMetrics. PCI Starter Kit

Guide to Remote Access Management

Lucas POS V4 for Windows

Locking down a Hitachi ID Suite server

Research Information Security Guideline

Using GhostPorts Two-Factor Authentication

Administrative Improvements. Administrative Improvements. Scoping Guidance. Clarifications for Segmentation

Bottom line you must be compliant. It s the law. If you aren t compliant, you are leaving yourself open to fines, lawsuits and potentially closure.

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

PCI PA - DSS. Point ipos Implementation Guide. Version VeriFone Vx820 using the Point ipos Payment Core

Visa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS)

Becoming PCI Compliant

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

FAQ S: TRUSTWAVE TRUSTKEEPER PCI MANAGER

AIS Webinar. Payment Application Security. Hap Huynh Business Leader Visa Inc. 1 April 2009

2012 Data Breach Investigations Report

CyberSource Payment Security. with PCI DSS Tokenization Guidelines

Best Practices (Top Security Tips)

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement... 2

Frequently Asked Questions

Catapult PCI Compliance

Using PowerBroker Identity Services to Comply with the PCI DSS Security Standard

Two Approaches to PCI-DSS Compliance

Transcription:

White Paper SECURING YOUR REMOTE DESKTOP CONNECTION HOW TO PROPERLY SECURE REMOTE ACCESS 2015 SecurityMetrics

SECURING YOUR REMOTE DESKTOP CONNECTION 1 SECURING YOUR REMOTE DESKTOP CONNECTION HOW TO PROPERLY SET-UP REMOTE ACCESS INTRODUCTION Remote computer access is now part of everyday work, allowing employees to access work files from home, airplane terminals, customer service centers, abroad, or anywhere there s an Internet connection. Some remote access applications include: Windows Remote Desktop Apple Remote Desktop pcanywhere (Symantec) Laplink Gold GoToMyPC LogMeIn TeamViewer Join Me UltraVNC TightVCN RDP While remote computer access is a convenient and important technology, it s unfortunately also one of the most hacked business resources in recent years. In 2014, SecurityMetrics PCI forensic investigators again confirmed that remote access was the top avenue attackers utilized to gain access into merchant systems. 80% of investigated merchants were attacked through insecure remote access applications. Of those compromised through remote access, 94% had cardholder data exfiltrated from their system by an attacker.

SECURING YOUR REMOTE DESKTOP CONNECTION 2 TOP REMOTE ACCESS VULNERABILITIES It s not the remote access application itself that s inherently insecure; it s the manner in which remote access is configured. If not properly secured, remote access puts merchants at risk. It allows attackers to bypass the firewall and most other system security measures to gain access to all systems within that network segment, which often includes the payment environment. This is just one of the many examples of how an attacker could infiltrate a vulnerable remote access application: SCANNING... Passwords: 123456 abcdefg pass123 ENTER REMOTE ACCESS PASSWORD: ****** PASSWORD SUCCESSFUL WELCOME! 1. Scan the Internet for open remote access ports 2. Use an online password list to brute force remote access credentials 3. Test remote access credentials 4. If credentials are successful, gain complete access to the system 5. Download malware onto the system 6. Capture sensitive data (e.g., credit cards, patient information, etc.)

SECURING YOUR REMOTE DESKTOP CONNECTION 3 Attackers will routinely scan large ranges of IP addresses looking for open ports that typically relate to the use of remote access tools (i.e., if attackers see that an IP address has ports 5800 and 5900 open, they assume that Virtual Network Computing (VNC) is installed. If they see that ports 5631 and 5632 are open, they assume the system is configured for pcanywhere). The attacker then tries a number of typical usernames that are commonly found on most systems, such as admin or administrator, and then runs password-cracking tools in order to obtain the system administrator s or other user s password. Once attackers have obtained remote access credentials, they have system access and the ability to attack an environment, perhaps by uploading malware or copying sensitive data. IF A REMOTE ACCESS APPLICATION CONFIGURATION ONLY REQUIRES THE USER TO ENTER A USERNAME AND PASSWORD, THE APPLICATION HAS BEEN CONFIGURED INSECURELY.

SECURING YOUR REMOTE DESKTOP CONNECTION 4 IMPROVING REMOTE ACCESS INSTALLATION Remote access, and other applications, are often installed and used without changing the application s default password. Using default passwords to access these applications increases the likelihood of compromise. Often, merchants are unaware that default settings continue to be used after installation. Data security weaknesses introduced to a merchant s system by third-party providers/vendors, such as IT Support and point of sale (POS) vendors is a growing concern. Merchants trust that the third-party provider will configure their systems securely. But if the third-party provider fails to change default passwords and implement two-factor remote access authentication and there is a data breach, the merchant is at fault. Implementing these changes will later be discussed. In one SecurityMetrics forensic investigation, it was discovered that a third party IT vendor purposely left POS system default passwords in place to facilitate easier future system maintenance. Default passwords might make it easier for IT vendors to support a system without having to learn a new password each time; but convenience is never a valid reason to forego security, nor will it defray liability. Most default passwords and settings are well known throughout hacker communities and are easily found via a simple Internet search. When defaults aren t changed, it provides attackers an easy gateway into a system. Disabling vendor defaults on every system with exposure to a cardholder data environment protects against unauthorized users. In October 2015, Visa announced new requirements for device installation and integration. Acquirers must require all newly boarded Level 4 merchants to use only PCI certified QIR professionals by March 31, 2016, and acquirers must ensure that all existing Level 4 merchants use certified QIR professionals by January 31, 2017.

SECURING YOUR REMOTE DESKTOP CONNECTION 5 STRENGTHENING PASSWORDS AND USERNAMES If a username and password aren t sufficiently complex, it will be that much easier for an attacker to gain access to an environment. They may try to brute-force attack a system by entering multiple passwords (usually via an automated mechanism that allows them to enter thousands of password options within a matter of seconds) until one works. Secure passwords should have a minimum of eight characters, and must contain numeric and alphabetic, and special characters. In practice, the more character formats used, the more difficult a password will be to guess. This also applies to attackers trying to use an algorithm to obtain a password: the longer, more complex the password, the longer it will take to discover. Consider using a passphrase as your password. Passphrases are good because they are complex and easy to remember. For example, pick a phrase like I like almonds in the morning and add in some numbers and special characters. Your passphrase might look like ilaitm183$ Instead of common usernames such as admin, administrator, company name, or a combination of the two, merchants should utilize fictitious names or a combination of characters, symbols, and numbers that don t fit the standard username. IN 2014, NONCOMPLIANCE WITH PCI DSS REQUIREMENT 8 (ASSIGN A UNIQUE ID TO EACH PERSON WITH COMPUTER ACCESS) CONTRIBUTED TO A MERCHANT S COMPROMISE OR LOSS OF DATA IN 67% OF INVESTIGATED CASES.

SECURING YOUR REMOTE DESKTOP CONNECTION 6 ENABLING TWO-FACTOR AUTHENTICATION Two-factor authentication is the most effective solution to secure remote access applications and is a requirement under PCI DSS. Unfortunately, merchants often fail to implement two-factor authentication. Configuring two-factor authentication requires two of the following three factors: Something only the user knows (e.g., a username and password) Something only the user has (e.g., a cell phone, bar code, or an RSA SecureID token) Something the user is (e.g., a fingerprint, ocular scan, voice print, or other biometric) A few examples of effective two-factor authentication remote access authentication include: 1. The remote user enters their username and password, and then must enter an authentication code that is sent to them on their cell phone. 2. Access to the remote access application is blocked to the outside. The remote user must call in to the location and speak with an authorized manager who recognizes them by voice. The onsite manager then opens a remote session. The remote user must then enter their username and password. SYSTEM SECURITY SHOULD NOT BE BASED SOLELY UPON THE COMPLEXITY OF A SINGLE PASSWORD. NO PASSWORD SHOULD BE CONSIDERED UNCRACKABLE. PASSWORDS SHOULD ROUTINELY BE CHANGED AT LEAST EVERY 90 DAYS.

SECURING YOUR REMOTE DESKTOP CONNECTION 7 SECURING YOUR REMOTE ACCESS It s critical to look at how to effectively govern company use of remote access technologies. When implemented and managed properly, remote access can be secure. Here are a number of additional best practices recommended to protect your organization against hackers: Limit those who can access the system remotely. Only provide remote access to those whose job requires it. Don t share remote access credentials, and ensure everyone has a unique username and password. Keep firewalls updated. This helps ensure inbound rules provide adequate protection. Maintain PCI compliance. If you aren t already, implement and maintain PCI standards for continuing data security protection. Get everyone on the same page. Periodically review data security practices to ensure employees protect sensitive patient data. Store and monitor logs. Monitoring log activity can help identify suspicious activity alerts, such as if someone tried logging in at 3 a.m. over 300 times. Run vulnerability scans. These scans allow organizations to find and fix both internal and external vulnerabilities in a timely manner. Don t allow guest accounts. Guest accounts allow anonymous computer and system access. Disabling these accounts protects against unauthorized users. Limit login attempts. Set your remote access to lock out a user after six failed login attempts, with administrators able to unlock accounts. Merchants should also keep third-party vendors access to a minimum and monitor it regularly. This can be accomplished by a second authentication factor that requires the third-party to telephone the site and speak with an authorized manager who knows the vendor. The on-site manager may then authorize a temporary remote session for the vendor. When the vendor s work is complete, the on-site manager will then terminate the remote access.

SECURING YOUR REMOTE DESKTOP CONNECTION 8 CONCLUSION Insecure remote access continues as the top vulnerability, but can be prevented through a few additional security measures. Because of the prevalence of high-quality password-cracking tools, creative usernames and complex passwords are essential, but not enough. Strong two-factor authentication must also be implemented to ensure a safer remote access atmosphere. Change default or insecure usernames and passwords for necessary services enabled on firewalls in order to make it more difficult for an attacker to gain access to your systems. If a third party IT company is accessing the cardholder environment, it s still the responsibility of the merchant to ensure compliance. Check with third party companies to verify that any remote access applications have been securely configured. ABOUT SECURITYMETRICS SecurityMetrics has helped over 800,000 organizations comply with PCI DSS, HIPAA, and other mandates. Our solutions combine innovative technology that streamlines compliance validation with the personal support you need to fully understand compliance requirements. CONSULTING@SECURITYMETRICS.COM 801.705.5656

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information