The first quarter of every new year brings out a flurry of reports summarizing the previous years activity and as a member of the security community I download and actually read many of them – if for no other reason than to see what other vendors are saying – be they competitors or other wise. One report that recently caught my eye was the Top 10 Vulnerabilities Leading to Compromise from Trustwave.
According to the report, the source for compromise are remote access applications. Commonly used by IT and support organizations as a means to simplify remote management, these applications expose IP address information to cybercriminals. The IP address information is then used as a means to gather other bits of data which combined, can be used as an attack vector. I took a look at nearly 600 (586 to be exact) traffic assessments performed over the last two years and found some very interesting statistics on remote access application use.
- At least one remote access application was in use in 96% of the participating organizations.
- A total of 28 variants were found, four of which are browser-based, and the rest are client server.
- On average, 5 variants were found in each of the participating organizations. The ten most commonly found applications are shown in the table below.
One of the most interesting things I saw here is that none of the top 10 use port 80 or port 443. In fact, only 5 of the 28 remote access applications use port 80 or port 443. The remaining 25 all use an uncommon port or will port hop.
The ramifications here are significant because we find smart end-users taking advantage of remote access applications to login to their home machines, which in turn can provide one of the tidbits a cybercriminal may need to begin their attack.
Now the next question is, what tools should an organization use to reign in the use of these applications. A traditional firewall won’t work really. You can lock the port down, but when IT uses the tool, so too can an end-user. URL filtering won’t see it, nor in most cases will an IPS.
One way to attack the problem is a combination of user education, policy and technology.
- User education: find out which employees are using them and why. Explain the ramifications of uncontrolled/unmonitored use.
- Policy: establish a policy that dictates which remote access applications are allowed and across which ports. Explain what the ramifications (reprimand, fired, no bonus, other) are if the policy is not adhered to. The remote access applications that are allowed should be monitored and inspected for threat activity.
- Technology: use technology, preferably ours, to enforce the policy.
Thanks for reading.