The first quarter of every new year brings out a flurry of reports summarizing the previous year's activity and as a member of the security community I download and actually read many of them – if for no other reason than to see what other vendors are saying – be they competitors or otherwise. One report that recently caught my eye was the Top 10 Vulnerabilities Leading to Compromise from Trustwave.
According to the report, the source of compromise is remote access applications. Commonly used by IT and support organizations as a means to simplify remote management, these applications expose IP address information to cybercriminals. The IP address information is then used as a means to gather other bits of data which, combined, can be used as an attack vector. I took a look at nearly 600 (586 to be exact) traffic assessments performed over the last two years and found some very interesting statistics on remote access application use.
One of the most interesting things I saw here is that none of the top 10 use port 80 or port 443. In fact, only 5 of the 28 remote access applications use port 80 or port 443. The remaining 25 all use an uncommon port or will port hop.
The ramifications here are significant because we find smart end-users taking advantage of remote access applications to log in to their home machines, which in turn can provide one of the tidbits a cybercriminal may need to begin their attack.
Now the next question is, what tools should an organization use to rein in the use of these applications? A traditional firewall won’t really work. You can lock the port down, but when IT uses the tool, so too can an end-user. URL filtering won’t see it, nor in most cases will an IPS.
One way to attack the problem is a combination of user education, policy and technology.
Thanks for reading.