The added efficiency and convenience of allowing employees remote access to your corporate network to be able to work from home or on the road is something many of us have come to rely on in our busy lives. Working with contractors who may literally be anywhere in the world has opened doors for increased productivity and collaboration. But, with the benefits of remote and mobile technologies, we must be realistic about the risks and challenges.
The Backoff Point of Sale Malware Hacks Remote Logins to Gain Access
The US Computer Emergency Readiness Team (US-CERT) released an alert last week warning businesses of Backoff, a new and growing point of sale malware being used by cyber criminals to access retail and payment systems and customer information. The Backoff malware uses brute force guessing to uncover the passwords of users on remote access systems like Remote Desktop, Splashtop, Pulseway, LogMeIn, and Join.Me.
Currently, Backoff does not seem to be detectable by antivirus systems. The advisory from US-CERT lists indicators that can help determine whether your systems may have been affected by Backoff. The document also provides detailed strategies for Remote Desktop Access, Network Security, and Cash Register and PoS Security to protect the network from this malware. The recommendations below, provided by US-CERT to address Backoff concerns, are also best practices you should consider regardless of any particular malware or threat.
Remote Desktop Access Security Recommendations
- Lock the system after a period of time or a specified number of failed login attempts. This can prevent a successful brute force or password guessing attack of the kind officials have seen used to launch the Backoff malware.
- Limit the number of users who can log in remotely. Target’s new Chief Information Security Officer, in a recent interview reported by the New York Times, referred to the “attack surface” – the more users accessing the system remotely, the greater the opportunity for attack. “You don’t need military-grade defense capabilities to figure out that you have too many connections,” said Mr. Maiorino.
- Change the default Remote Desktop listening port and use firewalls to restrict access. It is not difficult for hackers to find the listening port you have designated for remote access. But, since the majority of systems will continue to use the default port 3389, attackers will target the easy-to-find, low-hanging fruit before they will take extra time to track down your unique settings.
- Increase the frequency of forced password renewal for users and also increase the required length and complexity of passwords. Reducing the required password change interval from every 60 days to every 30 days, for example, would cut the exposure time in half should a system become affected by malware like Backoff. If access is gained by password guessing, access is cut off once the password is changed. While a shorter breach window is still a breach, limiting the possibility of exposure is recommended.
- Always use reliable encryption software and require extra authentication wherever possible to prevent keylogger or credential dumping attacks. If a piece of malware is installed that can record keystrokes or capture login information, two-factor authentication still leaves attackers missing a piece of the login puzzle. Every extra layer that can be required between the user and the system provides one more hurdle for a cyber criminal to overcome.
- Install a Remote Desktop Gateway to restrict access. Remote Desktop Gateway uses the Remote Desktop Protocol (RDP) along with the HTTPS protocol to help create a more secure, encrypted connection, enabling you to control access to specific internal network resources. Remote Desktop Gateway provides a point-to-point RDP connection, rather than allowing remote users access to all internal network resources.
- Limit administrative privileges for users and mobile applications to only what is essential. Does remote access need to be full access? If an employee is on-site most of the time, it may be that they only need to be able to perform very basic, limited tasks if the need arises, after hours, or when they are off site.
Additional Network Security Recommendations
- Configure firewalls to communicate only with your network and not with any unrecognized, unauthorized IP address on the internet that could be a hacker siphoning off your data.
- Separate payment processing networks from other networks so access gained to one does not open the door to others.
- Limit unauthorized access using strict access control lists segmenting public-facing systems from data stored on back-end systems.
- Implement system monitoring tools and processes to identify data leakage or unusual activity by authorized users (which may indicate compromised credentials).
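The lockout threshold from the Remote Desktop list and the monitoring recommendation above can be combined into a simple detector. The following is an added example, not code from the US-CERT alert or this post: it scans a constructed sample of Windows Security events (event 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive/RDP) and flags any source address that exceeds five failures within five minutes, plus any successful logon from that source afterwards, which is the pattern a guessed password would leave behind. The sample events, the threshold and the window are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a simplified "timestamp,event_id,logon_type,user,source_ip"
# form (not real log data). 4625 = failed logon, 4624 = successful logon,
# logon type 10 = RemoteInteractive (Remote Desktop).
SAMPLE_EVENTS = """\
2014-08-05T02:10:01,4625,10,POS01\\admin,198.51.100.7
2014-08-05T02:10:03,4625,10,POS01\\admin,198.51.100.7
2014-08-05T02:10:04,4625,10,POS01\\administrator,198.51.100.7
2014-08-05T02:10:06,4625,10,POS01\\admin,198.51.100.7
2014-08-05T02:10:09,4625,10,POS01\\admin,198.51.100.7
2014-08-05T02:10:12,4625,10,POS01\\admin,198.51.100.7
2014-08-05T02:10:40,4624,10,POS01\\admin,198.51.100.7
2014-08-05T08:15:00,4625,10,CORP\\jsmith,203.0.113.22
2014-08-05T08:15:30,4624,10,CORP\\jsmith,203.0.113.22
"""

FAIL_THRESHOLD = 5            # assumed lockout threshold: failures that trigger an alert
WINDOW = timedelta(minutes=5)  # assumed sliding window for counting failures


def parse_events(text):
    """Parse the simplified event lines into (time, event_id, logon_type, user, ip) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, ltype, user, ip = line.split(",")
        events.append((datetime.fromisoformat(ts), int(eid), int(ltype), user, ip))
    return events


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts for sources with >= threshold RDP failures inside the window,
    and a second alert if a flagged source later logs on successfully."""
    recent = defaultdict(deque)  # source_ip -> timestamps of failures still inside the window
    flagged = set()
    alerts = []
    for ts, eid, ltype, user, ip in sorted(events):
        if ltype != 10:          # only Remote Desktop logons are of interest here
            continue
        if eid == 4625:
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures that aged out of the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, len(q)))
        elif eid == 4624 and ip in flagged:   # guessed password now in use
            alerts.append(("success_after_bruteforce", ip, user))
    return alerts
```

The single failed attempt from 203.0.113.22 followed by a success is ordinary user behaviour and produces no alert; the burst from 198.51.100.7 produces both.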
These recommendations contain good advice for any network administrator and any organization that needs to allow employees remote access. The Backoff malware specifically targets point of sale systems to breach secure payment and customer information. For information about cash register and point of sale security, refer to the alert.
The flexibility and remote access to data and systems we enjoy using tools like Remote Desktop and LogMeIn have become essential to the way we work. This is true in many industries and different types of roles and functions. But to minimize the risk that comes from the addition of so many extra access points into corporate networks, strong BYOD and remote work policies are critical.
The steps suggested by US-CERT are a great start. If your organization needs help assessing the threats you face, identifying risky access points, and creating procedures and safeguards to protect business-critical data, contact us today to discuss your concerns and challenges.