Curt Frierson, EVP, Technology and Education
Objective: The Emerging Technology Series is designed to assist financial institutions in evaluating the risks associated with new technologies. Organizations are often drawn by the features and functionality that cutting-edge technology can provide; however, it is important to understand the risks associated with any technology before implementing it into a production environment. Any addition to your technology infrastructure carries with it risk which must be planned for and managed. Understanding the risks involved will help align your institution’s technology decisions with business objectives. Although this guide will help highlight some of the more common risks financial institutions may face in implementing this technology, it is not intended to be a comprehensive guide to assessing risk within your network. A formal Risk Assessment should always be performed prior to implementation which addresses threats to your specific environment.
Introduction: Remote access- The two words that should strike fear in the heart of anyone charged with ensuring the security of an information system. Remote access extends the corporate network outside of its secure perimeter, allowing users to connect any device to the organization’s internal resources. From the typical end-user’s perspective, however, remote access signifies technology in its most magnificent form. To them, remote access is a shining example of how technology is finally living up to its promises of making our lives easier. They see it as a way to get work done, without actually having to be at work; a way to keep a toe in the proverbial water, while relaxing by the pool. What a brilliant concept!
The problem with this notion is that the lure of remote access leads many Executives and Network Administrators to blindly adopt it without fully understanding the risks or implementing controls to address them. Many financial institutions are allowing their employees and vendors full remote access into their systems. In some situations, there actually is a genuine need for this type of access. Typically, however, it is implemented as a matter of convenience. This article will shed light on some of the more serious risks associated with remote access and provide some ways to implement it without living in a constant state of terror.
What It Does: Remote access does basically what its name suggests- provides access to a network from a remote location. Remote access can come in many varieties, from limited access to a single resource, such as email, to full access to all network resources available to internal users. For the purposes of this article, we will discuss full remote access. Full remote access is often implemented to allow a third-party to support (work on) an organization’s network remotely. Full remote access is also implemented to allow employees to use the applications, data, and other network resources that are available to them while physically in the office. From inputting a loan application to checking last night’s backup, employees can do basically anything that they can do from their office computer. Clearly, this capability provides a high level of convenience, but it can also be used as a competitive advantage. For example, the CEO of Acme Corp may be more willing to open that $250,000 line of credit with your institution if you can open the account while sitting in his office.
How it Works: As previously stated, remote access can come in many varieties. The most common methods used in financial institutions are Virtual Private Networks (VPNs) and remote access applications, such as GoToMyPC, PCAnywhere, Citrix, and VNC.
VPNs operate by authenticating the user and assigning the remote computer an address to communicate on the internal corporate network. The remote user initiates the VPN session from his/her machine, which travels across the Internet, through the firewall of the corporate network, to an awaiting VPN server. The VPN server resides inside the corporate network and listens for incoming requests for access. It forces the user to provide a valid username and password before assigning the remote computer an IP address. Once the IP address is established on the remote computer, it can communicate as if it were directly connected to the Local Area Network (LAN). All communication from the remote computer to the office network is encrypted so it can travel securely over the Internet. The functional differentiator with VPN is that the remote computer has direct access to all of the resources on the network it is connecting with. This means that applications installed on the remote computer can communicate directly with servers at the office.
Remote access applications operate similarly to VPNs in that the server component listens for incoming requests from the Internet. Once connected, however, the user is controlling a computer or server that is physically on the corporate network. The remote computer is communicating directly only with the device listening for the connection (i.e., the computer in their office). Any communication to other network devices must be performed by the office computer. This means that the user cannot connect the applications running on their remote computer to the office network. They must use applications installed on the computer they are connecting to in order to access network resources.
Summary: The major security issue with remote access is not necessarily whether remote devices are connecting directly with the corporate network, the strength of encryption, or the authentication method used – although these are important. The biggest risk is that remote access is allowing a device outside the organization’s control to access the corporate network. Typically, financial institutions that allow employees to access the network remotely do not provide their users with company-owned equipment. This situation significantly restricts the ability for the organization to ensure that these remote computers are secured. Most institutions do not even restrict remote access to authorized employees’ computers, much less ensure that certain basic security controls are enforced. This means that anyone with an Internet connection can attempt to authenticate through the remote access connection.
The following chart presents some of the key threats associated with remote access technology in a financial services environment. In addition, some controls are identified to help manage or mitigate the identified threats. Following the chart, additional security controls are presented which can help secure the overall remote access environment. Each of the controls specified in this article should be examined to determine whether they are appropriate for your environment.
|Managing Remote Access Threats|
|Eavesdropping||Eavesdropping (also known as sniffing) presents one of the most obvious risks associated with remote access because users are accessing a private network over a public one (the Internet). The risk is that any information traveling across this connection is at risk of being intercepted. This is typically a low risk because many remote access methods use encryption to protect the information in transit.||
|Data Leakage||When remote access connections are made, they open a tunnel through the firewall. This tunnel is usually encrypted to protect the confidentiality of the data. However, this also renders most of content filtering controls useless because they cannot analyze the data while encrypted. This could allow sensitive information that is not meant to leave the protective boundaries of your corporate network to be moved to an employee’s or vendor’s computer without your knowledge.||
|Viruses and Trojan/Malware||Since remote access allows outside devices to connect to an organization’s private network, the remote computer accessing the network becomes an entry point for malware. Systems under the control of the organization may be well-managed, while employees’ home computers could be ill-equipped to prevent malware. By allowing one of these devices to connect to a corporate LAN, the organization is at risk of malware bypassing perimeter controls and infecting its internal systems.||
|Unauthorized Access||If access is not restricted to specific employees’ systems, the network may be at an elevated risk for unauthorized access. Attackers may guess weak or default passwords. They may also capture passwords through a key logger or through intercepting plain-text communication. While this threat poses an extremely high risk, most remote access methods provide the basis for ensuring secure authentication. Another major risk is that the remote client may not have up-to-date security patches. This leaves the computer at a much higher risk of being exploited and becoming controlled by an external attacker. If this occurs, the external attacker can use the remote access connection to infiltrate the corporate network.||
Additional Security Controls: The following security controls are not unique to one specific threat, but will help establish a secure overall remote access environment.
- Disable Split Tunneling: Split tunneling occurs when a remote device is connected to a VPN and accessing the Internet locally at the same time. This creates a direct path from a likely unsecured Internet connection straight to the corporate network, bypassing perimeter controls along the way. Disabling split tunneling forces all Internet communication to occur over the VPN, thus through the corporate Internet connection instead of the local Internet connection. This allows the controls of the corporate network to secure the Internet access of the remotely connected device.
- Personal Firewall for Remote Devices: A properly configured firewall is the bedrock of any secure network. A firewall should block traffic on any port that is not necessary for authorized use, including inbound and outbound ports. Since these devices will be accessing the corporate network, they should at least have a personal (software) firewall installed on them. This will keep the vast majority of intruders from gaining access to the remote system.
- Administrative Controls: Implement policies and procedures for remote access use that include tools, methods, and procedures to limit security risks by effectively combating threats. Controls should also include periodic testing, end-user training, a methodology for a Risk Assessment, and a formal strategy for addressing security incident response.