In this post, we get insights from Gary Glover, CISSP, QSA, PA-QSA, CISA, Vice President of Assessments, of SecurityMetrics. Here he discusses his presentation “Cybercriminals Love Your Remote Access: A Hacking Remote Access Demonstration” from the Europe Community Meeting in Barcelona.
Insecure remote access is a common point for criminals to attack; however, many times merchants aren’t even aware they are using remote access programs. Can you provide insight into what a remote access program is and give examples of some common applications?
Gary Glover: Remote access is the ability to access company networks and computer systems from outside of the edge firewall, like from home or when traveling. Remote access can be used by IT staff to administer geographically distributed systems from a central location or employees can get access to needed files on company systems when out of the office. Most often we see it being used in remote admin functions of data center systems or merchant stores.
How can organizations implement remote access applications in a secure manner?
Gary Glover: Remote access is used all the time and can be configured in a very secure manner. The main principle is to use multi-factor authentication on any exposed remote access service or application. This would require someone from the outside of a protected network to provide not just a secure password, but also a second security factor (not just another password from memory) that could only be physically obtained by the individual requesting access. This could be a one-time authentication token from a fob on your key ring or the Google Authenticator application running on the cell phone in your hand. The best multi-factor authentication systems will ask for both the password from your head and the second factor data at the same time and not after processing your username and password first.
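As an added illustration of the single-step principle described above (not code from the interview or from SecurityMetrics), the Python sketch below verifies the password and the one-time code together and returns a single yes/no, beside the two-step flow it replaces. The account, password, TOTP seed and salt are constructed sample values.

```python
"""Added example: single-step multi-factor login versus the two-step flow
that confirms a password before asking for the second factor.
All users, secrets and codes here are constructed sample data."""
import hashlib
import hmac
import struct

# Constructed demo account: salted scrypt password hash plus the TOTP seed
# shared with the user's authenticator app.
_SALT = b"demo-salt-not-for-production"


def hash_password(password: str) -> bytes:
    return hashlib.scrypt(password.encode(), salt=_SALT, n=2**14, r=8, p=1)


USERS = {
    "admin": {"pw_hash": hash_password("correct horse"),
              "totp_seed": b"12345678901234567890"},
}


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, i.e. what a phone authenticator app shows."""
    mac = hmac.new(seed, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**digits:0{digits}d}"


def two_step_login(user: str, password: str) -> str:
    """The weaker flow: the password is judged on its own, so the reply tells a
    guesser the password was right before any second factor is involved."""
    rec = USERS.get(user)
    if rec and hmac.compare_digest(rec["pw_hash"], hash_password(password)):
        return "need_second_factor"   # leaks a correct password guess
    return "bad_password"


def single_step_login(user: str, password: str, code: str, now: int) -> bool:
    """Both factors are submitted and checked together; only one bit comes back."""
    # Unknown users get a dummy record so the work done does not differ.
    rec = USERS.get(user) or {"pw_hash": b"\0" * 64, "totp_seed": b"\0" * 20}
    pw_ok = hmac.compare_digest(rec["pw_hash"], hash_password(password))
    # Accept one time step of clock drift either side, as TOTP servers do.
    code_ok = any(hmac.compare_digest(totp(rec["totp_seed"], now + d), code)
                  for d in (-30, 0, 30))
    return pw_ok and code_ok  # both already evaluated; no early exit on password
```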
Can you discuss the attack fundamentals you discuss in your presentation?
Gary Glover: We will be attacking a fully updated Windows 10 system that has exposed the MS Remote Desktop service (RDP) directly to the Internet (amazingly we still find this out there on a large number of systems). The RDP service exposed is protected by username and password, not multi-factor authentication. We will scan for the presence of a machine with the RDP port open and then we will attack the system and brute force the username and password for an administrator account. At this point we will own the system and can do anything we want including installing malware, which we will do and scrape system RAM for sensitive data. The malware we will use was obtained from a forensic investigation we conducted in the past.
What are common ways criminals install malware onto POS systems?
Gary Glover: Commonly the attacker gets remote access to a system either in a sensitive area or in a non-sensitive area and then “pivots” into more sensitive systems and network zones once a foothold is gained inside a corporate network. The next most common method is tricking less savvy users into clicking on a web link from an email where malware is installed on the system via code running on the malicious site; this is commonly called phishing. Malware can propagate inside a network and move around to other exposed systems. Physical access can also be used to install malware via USB.
What should organizations do to better protect their payment card data from this type of attack?
Gary Glover: Carefully check any remote access methods you are using and make sure they implement secure principles from the PCI DSS. Then put in a program to periodically make sure the remote access system is working as planned. Additionally, train employees on protecting company systems from email phishing or other social engineering attacks.
What are you most looking forward to at this year’s Europe Community Meeting?
Gary Glover: I really look forward to catching up with old friends and customers and rubbing shoulders with other QSAs. The community meeting has always been a great place to be introspective and look at our processes and those of other QSAs so that we can make sure we are all delivering consistent services to the Payment Card Industry.