Like many organizations today, many community banks use remote login technology, a service or software that allows individuals to log into their computers from remote locations. With such remote access solutions, bank employees have the ability to access a computer or a network from a different branch, while traveling, or when telecommuting from home. Remote control tools also allow external IT service providers and vendors to provide support and service to their applications quickly without the hassles of a site visit. While remote access software is most definitely convenient, it also introduces security issues that need to be top of mind for banks.
This has become even more apparent in light of a recent security event with TeamViewer, the maker of a cloud-based remote control solution. TeamViewer experienced a significant data breach where malicious actors were able to take control of users’ computers through their TeamViewer accounts, and, in some cases, steal personal details such as bank and PayPal account information.
The cause of this breach remains unclear. TeamViewer claims it was compromised through a cluster of recently exposed megabreaches involving more than 642 million passwords belonging to users of LinkedIn, MySpace, and other services. These third-party breaches were linked to TeamViewer accounts through the “carelessness” of TeamViewer users who, the company claims, reused the same IDs and passwords across multiple sites and services; once these recycled credentials were exposed elsewhere, the bad guys simply had to try the stolen username and password combinations until they found ones that were still valid. TeamViewer also claims that many of its users never took the time to set up and activate its dual factor authentication feature. Dual factor authentication strengthens the login by requiring a token in addition to the username and password.
FFIEC Guidance Around Remote Access Solutions
While remote access solutions are becoming more popular, the FFIEC has clear guidance around remote access to systems. Primarily, the guidance states that financial institutions should disallow remote access by policy and practice unless there is a compelling business justification for its use. A “compelling business justification” is a tough standard, but most banks do use some form of remote control. For instance, many banks work with vendors that require remote access in order to deliver their services and provide support. If your institution deems remote access a necessity, here are a few best practices a bank can implement to ensure its systems are secure and compliant with FFIEC guidance:
Best Practices for Banks Using Remote Access Solutions
- Maintain a detailed log of who is accessing the system, when the system is being accessed, and from where.
- Audit applications on workstations to check for anything that does not look normal.
- Do not use a free remote access platform.
- Remote access sessions should be initiated by the bank directly, not by a third party.
- Ensure there are triggers to deny access and control of the solution.
- Passwords for remote access accounts should change every sixty days, or more frequently. For more information on password safety, review our blog, Creating Strong Passwords to Protect Your Community Bank.
- Review remote control logs regularly and look for login activity originating from unknown accounts or occurring during off-hours. These reviews can be done monthly or quarterly, depending upon the amount of use.
- Have vendors use applications that remove themselves upon completion of the session.
- Ensure remote users fully disconnect when their task is complete.
- In firewalls, only whitelist the specific IP addresses from which support is going to come.
- Utilize dual factor authentication whenever possible.
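As an added illustration of the log review, off-hours and firewall whitelist items above (example code written for this article, not any vendor's tooling), the script below flags remote-access session logins from unknown accounts, outside business hours, or from source IPs not on the whitelist. The log format, field names, policy values and sample entries are all constructed assumptions.

```python
# Added example: review of remote-access session logs against the best
# practices above. The log format, account names, IP ranges and business
# hours are constructed assumptions, not any real vendor's format.
from datetime import datetime
import ipaddress

# Constructed sample log lines: timestamp, account, source IP, event
SAMPLE_LOG = """\
2016-06-06T09:15:00 vendor_support 203.0.113.10 session_start
2016-06-06T23:40:00 vendor_support 203.0.113.10 session_start
2016-06-07T10:05:00 jdoe 198.51.100.7 session_start
2016-06-07T14:20:00 vendor_support 192.0.2.55 session_start
2016-06-07T14:45:00 vendor_support 192.0.2.55 session_end
"""

# Assumed policy values: approved remote accounts, firewall-whitelisted
# support ranges, and business hours on a 24-hour clock (07:00 to 18:59)
APPROVED_ACCOUNTS = {"vendor_support", "branch_admin"}
WHITELISTED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]
BUSINESS_HOURS = range(7, 19)

def parse_line(line):
    """Split one constructed log line into its four fields."""
    ts, account, src, event = line.split()
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "src": ipaddress.ip_address(src), "event": event}

def review_log(text):
    """Return (line, reason) findings for each session_start that
    violates one of the policy checks; a line may yield several."""
    findings = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        if entry["event"] != "session_start":
            continue  # only logins are reviewed here
        if entry["account"] not in APPROVED_ACCOUNTS:
            findings.append((raw, "unknown account"))
        if entry["ts"].hour not in BUSINESS_HOURS:
            findings.append((raw, "off-hours login"))
        if not any(entry["src"] in net for net in WHITELISTED_SOURCES):
            findings.append((raw, "source IP not on firewall whitelist"))
    return findings

if __name__ == "__main__":
    for line, reason in review_log(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

The same checks apply unchanged to a monthly or quarterly export of a real solution's session log once `parse_line` is adapted to its format.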
What Banks Should Look for in a Remote Access Solution
While there are many remote access solutions on the market today, banks should look for solutions that have proven security measures in place. First and foremost, the solution should provide strong session encryption. In order to provide a paper trail, the solution should offer detailed logging of session details. The remote control solution you choose should also offer additional authentication requirements, including the option to implement dual factor authentication, granular permissions that require the bank to give specific approval for each individual support representative, and the requirement that all users have a registered account in order to access the network.
While none of our clients using TeamViewer have been hacked, the fallout has served as a reminder that banks must remain vigilant when it comes to the security of all remote access solutions they use. Enforcing security policies and access controls for employees, external IT service providers, and vendors is challenging, but when individuals have privileged access to your bank’s networks and systems, you need to ensure those accounts are managed in a secure, auditable and compliant way.