Cybersecurity and Remote Access

The conversation regarding IT security is shifting. Until recently, most of the major hacking incidents were conducted by financially-motivated hackers out to steal proprietary data. They often targeted large retail companies that store thousands of credit card records, such as the highly-publicized T.J. Maxx data breach in 2007. But today hacktivism and cyber terrorism are growing as real threats to both public and private organizations. Because hacktivists are motivated by creating disruption versus financial gain, public utilities have been pushed further into the spotlight as potential targets.

Listening ports can be identified through a relatively simple scan.

According to the recently published Verizon 2012 Data Breach Investigations Report: “The most significant change we saw in 2011 was the rise of ‘hacktivism’ against larger organizations worldwide. The frequency and regularity of cases tied to activist groups that came through our doors in 2011 exceeded the number worked in all previous years combined... “Although activist groups accounted for a relatively small proportion of the 2011 caseload, they stole over 100 million records. That’s almost twice the amount pinched by all those financially-motivated professionals we discussed earlier. So, although ideological attacks were less frequent, they sure took a heavy toll.”

Earlier this year, the director of the National Security Agency, Gen. Keith Alexander, cautioned in White House briefings that hacktivist collectives such as Anonymous could pose a threat to power grids. While hackers accessing and shutting down a power grid is the biggest threat, any disruption to a public utility could obviously wreak havoc, including the loss of life or widespread economic damage. Unfortunately, while many utility companies have invested heavily in the security of their infrastructure, they don’t always invest in updating outdated or legacy technology, leaving some older doors wide open for cyber-attacks on their network.

Open Gate

A technology that is especially vulnerable is the remote access or remote support tools that utilities use to provide tech support to remote workers and stations. The same Verizon report states that remote access services are the number-one hacking vector, accounting for 88 percent of all breaches involving hacking techniques. This is up from 71 percent the previous year, demonstrating that hacking via remote access is on a steep rise. The report specifically calls out legacy systems, such as VNC (virtual network computing) and RDP (remote desktop protocol), as remote access services that hackers often use to gain entry into a network.

Many utility providers have been using these tools for years to support technicians in the field or to fix unattended systems located in remote stations. These first-generation remote access tools allow IT support technicians and administrators to establish a direct connection with the end system, allowing them to remotely see the user’s screen and control the mouse and keyboard as if they were standing in front of it. Most of these legacy systems leverage an inbound or peer-to-peer connection, which means a port on the end-user’s system is listening for a rep to connect. This open port can become the back door that a hacker uses to infiltrate a network, as listening ports can be identified through a relatively simple scan.

Eliminating the ability to provide remote support isn’t a viable option for utility companies. It’s essential that the IT support team has the ability to remotely connect to and instantly fix systems in the field when issues occur. Such systems include laptops and mobile devices used by field employees involved in outage restoration -- a first-order priority for utilities.

The challenge is to provide remote tech support in a way that doesn’t expose the network to a potential cyber-attack.

A first tier support rep shouldn’t have all the permissions that an advanced tech or manager has.

Today’s remote support technology is much more secure than that of early generations, with many options in the market. Some key factors to consider:

·         Assess the solution’s architecture. While software-as-a-Service (SaaS) offerings eliminate the open port issue of the peer-to-peer tools, they instead route data and system access through a third-party server hosted by an external vendor. Depending on the vendor’s level of security, this might add another point of vulnerability to the network.

A third alternative is an appliance or on-premise remote support solution that sits behind the organization’s own firewall, and uses client connections that terminate at the appliance. This approach keeps data and system access in-house, but also eliminates the need for open listening ports on Internet-connected systems, closing those back doors to hackers.

·         Avoid using tools that give support technicians all-or-nothing access. With many older peer-to-peer tools, once you login, you’re in. The access levels are simple and binary, so reps either have full access to the end system or none at all. A secure solution will allow administrators to set granular access permissions at the individual and team level. A first tier support rep shouldn’t have all the permissions that an advanced tech or manager has.

·         Beware poor shared-license practices. Most support technicians only need to use their remote support solutions sporadically throughout the day, so license sharing makes economic sense. With a named-seat licensing model, support organizations tend to use generic shared login credentials (Tech 001, Tech 002, etc.) that are easy to guess by external hackers and are rarely changed after technicians leave the company. Consider a solution that offers concurrent licensing, but also requires all technicians to have their own login and password, so administrators can track who is doing what. Integrating the remote support solution with the company’s enterprise identity management system -- e.g., active directory -- allows access permissions to be centrally managed and controlled.

·         Capture and audit all activity occurring during remote support sessions, and review reports to analyze activities and trends. Monitoring and reporting can help administrators identify abnormal remote access activity that might be conducted by a hacker, and immediately take action.

Securing a utility network against hackers is an ongoing, ever-evolving battle. No organization can ever be 100 percent safe, but it’s wise to close and lock the door on the most common attack pathway.  Assessing remote access services allows utilities to identify vulnerabilities and update technologies and practices where needed.

ABOUT THE AUTHOR: Scott Braynard is v.p. of public sector for remote support software provider Bomgar.