The “knit your own” remote-access risk
We’ve discussed above how remote-support systems raise different issues depending on whether they’re in the hands of your own IT staff or an authorised third party. But as Paul Ducklin, principal research scientist at Sophos, points out, there’s a third potential scenario – and this could easily be the one that’s responsible for a major breach. We’re talking about users taking matters into their own hands and installing their own unauthorised remote-access solutions.
“Remote-access and remote-support tools are a double-edged sword,” Ducklin explained. “They are enormously convenient, even if you’re supporting someone in the same office as you because you don’t need to trek to their desk every time there’s a problem to fix. But they have been a security nightmare for decades, since long before internet access was commonplace. In the last century, for example, IT departments used to battle with users who would bring their own modems into the office, hook them up to their work phone lines and then dial in from home whenever they wanted.”
This might have been handy for the workers, but for the companies themselves it was a disaster waiting to happen: opportunist criminals started using “wardiallers” that worked their way through all of an office’s phone extensions to find any illicit modems. Many businesses found themselves on the receiving end of remoteaccess connections they definitely didn’t want.
“Those risks are just the same today,” Ducklin warned. “Remote-access portals are hard enough to secure even if you know they are there and you set them up yourself. When users try to ‘knit their own’, things get even worse.”
Paul Ducklin’s three tips for businesses worried about the “knit your own” threat:
Use penetration tests to find rogue access portals on your own network. You might as well be looking, because the crooks certainly are! And it doesn’t have to cost a lot: there are many free tools that small businesses can use.
Get users on your side. If your staff really do need remote access, don’t drive them into setting it up themselves. Ensure they get it in a properly managed and supported way.
Set up decent login protection for remote access. Use two-factor authentication (2FA) if you can – for example, in the form of a one-time login code that’s needed as well as a password. And if you’re a user, don’t dig your heels in if your IT team starts enforcing 2FA – this minor inconvenience could end up saving your job!