Thursday, February 16, 2012

Remote administration software weaknesses plague businesses

Poorly configured remote administration software used by IT teams to manage endpoints or servers remotely is frequently the primary target of attackers, according to a new study that analyzed hundreds of data breach investigations. The software is often poorly deployed, outdated or contains cached administrative credentials that would give cybercriminals the keys to the kingdom.

“Historically, attackers go after large corporate entities and get through the perimeter into the datacenter to get the crown jewels of the organization, but attackers began to learn that shooting the large elephant is becoming tougher,” said Nicholas Percoco, senior vice president of Trustwave SpiderLabs. “Now they are going after smaller remote locations because they can accomplish an analogous thing with a bit more effort.”

The problem plagues large firms with a centralized IT staff and smaller businesses that outsource IT management to a third-party firm. Trustwave, which analyzed 300 breach investigations and 2,000 penetration tests in 2011, found remote management software was among the commonly used attack vectors. The report echoed the 2011 Verizon Data Breach Investigations Report, which recommended companies mitigate weaknesses in remote access services and monitor privileged activity.

Trustwave found corporate IT support administrators using the same or similar passwords at all the remote locations. The company found little use of two-factor authentication, and domain credentials that were sometimes located in a cache folder, giving attackers easy access to a machine.

Administrators incorrectly deploying freely available open source remote management software also created some weaknesses. Pen testers found outdated VNC software deployed on point-of-sale systems and servers containing sensitive data. The software contained a VNC authentication bypass vulnerability, a flaw that was patched years ago, Percoco said.

“I've seen instances where attackers have infiltrated a single environment, honed their craft in one location and then developed custom malware to simply compromise other systems,” Percoco said.

The problems plaguing remote management software were recently brought to the forefront when Symantec announced that a 2006 breach of its systems exposed the source code of its Norton pcAnywhere software. Symantec urged enterprises to disable the software and then, after issuing updates for vulnerabilities, the company issued a technical document urging users to establish tighter security controls around its use. It's unclear whether some enterprises are heeding the warning or whether they even realize the software is running on their endpoints. A recent study conducted by vulnerability management and penetration testing vendor Rapid7 found thousands of IP addresses with the port commonly used by pcAnywhere open. Many of those were production systems, including some in listening mode on point-of-sale systems.

“Based on the host names and the IP addresses, it was clear many pcAnywhere installations are configured at organizations or sites without much in the way of technical expertise,” said HD Moore, chief architect of Metasploit and CSO of Rapid7.

Moore said remote management tools pose no serious problems if they are configured properly. Common pitfalls include exposing Terminal Services on a system with weak accounts, he said, or setting up VNC in a way that requires a weak password and no mandatory encryption. Sometimes administrators introduce tools and fail to keep them updated with the most recent security patches.

“The most suitable choice at the moment is a mix of Terminal Services (Remote Desktop) combined with a powerful local security policy that limits access to administrators and requires those administrators to have complex passwords,” Moore said.
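As a way to check whether remote administration software is listening on your own endpoints, the following added example (not part of the original article) parses Windows `netstat -an` output and flags listeners for the three tools named above that are bound to a non-loopback address. The port numbers are the tools' well-known defaults rather than values from the article, and the sample output is constructed.

```python
import re

# Default TCP ports of the tools named in the article (assumed defaults, not from the article).
REMOTE_ADMIN_PORTS = {
    3389: "Terminal Services (Remote Desktop)",
    5631: "pcAnywhere",
    5900: "VNC",
}

# One listening TCP line of Windows `netstat -an` output; handles IPv4 and [IPv6] addresses.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\b", re.IGNORECASE)
LOOPBACK_PREFIXES = ("127.", "[::1]")

# Constructed sample output; addresses are private or documentation ranges.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5631           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5900         0.0.0.0:0              LISTENING
  TCP    192.168.10.21:49712    203.0.113.5:443        ESTABLISHED
  TCP    [::]:3389              [::]:0                 LISTENING
"""


def audit_listeners(netstat_text):
    """Return sorted (port, service, address, exposed) tuples for remote-admin listeners."""
    findings = set()
    for line in netstat_text.splitlines():
        match = LISTEN_RE.match(line)
        if not match:
            continue  # headers, UDP lines and non-listening connections
        addr, port = match.group(1), int(match.group(2))
        if port in REMOTE_ADMIN_PORTS:
            # A listener bound only to loopback is not reachable from the network.
            exposed = not addr.startswith(LOOPBACK_PREFIXES)
            findings.add((port, REMOTE_ADMIN_PORTS[port], addr, exposed))
    return sorted(findings)


def exposed_ports(netstat_text):
    """Return the sorted remote-admin ports that listen on a non-loopback address."""
    return sorted({p for p, _, _, exposed in audit_listeners(netstat_text) if exposed})


if __name__ == "__main__":
    for port, service, addr, exposed in audit_listeners(SAMPLE_NETSTAT):
        print(f"{service:36} {addr}:{port:<6} {'EXPOSED' if exposed else 'loopback only'}")
```

A listener on a non-default port will not be matched, so treat an empty result as a starting point for a software inventory rather than proof that no such tool is installed.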

Companies consistently fail at maintaining simple and intermediate controls, and that is a common theme in data breach computer forensics investigation reports, said Scott Crawford, managing research director of security and risk at Enterprise Management Associates, an IT industry analyst firm based in Boulder, Colo.

“Managing access privileges is definitely one of the common missteps, but software defects and poorly deployed remote access capabilities are being targeted again and again,” Crawford said.

Crawford said companies are failing to ask third-party IT service providers how their remote capabilities are deployed, whether they have been tested and secured, and whether they are installed directly on the endpoint. Other organizations have systems with legacy remote management software, often installed by an IT administrator in the past and no longer in use.

Organizations deploying their own remote management software can choose from many enterprise-grade products. Ridgeland, Miss.-based Bomgar Corp. sells remote support software commonly used at large organizations or major IT service providers. Other vendors include Herndon, Va.-based Xceedium and Santa Clara, Calif.-based Citrix Systems Inc., which sells a variety of remote access and management software to consumers and enterprises, including GoToAssist and GoToMeeting.

Like many competing enterprise-grade remote support products, Bomgar has recording capabilities to provide businesses with an audit trail when the software is in use. Remote management software in enterprises must be closely controlled, maintained and audited, said company CEO Joel Bomgar.

“It's not completely hacker-proof and no solution is, but there aren't any ports listening on the Internet,” Bomgar said.

Bomgar said more than half his company's customers are doing IT support on behalf of somebody else. The software is designed to let those remote IT teams establish a secure ad hoc VPN and work within a secure tunnel with the server or workstation, he said.

