Protecting your remote users

A few days ago, a customer called me, alarmed, saying that one of his computers had been taken over by someone, and the mouse was moving on its own.  Something like this is bad for any customer, but given that this particular customer is a CU, it was “really” bad.

After asking a few questions and trying to calm the customer (we protect his perimeter, so of course, we’re the first to call in such cases), I found out that the computer in question was not at the bank at all.  The computer was actually a few thousand miles away, in a private home ~ that particular employee is “very” remote and works from home.   This excluded the possibility that the issue might be our fault (phew) but I wanted to remain on the phone with the customer to find out more and maybe offer some help.

So I started asking about the setting of this employee and found out that she works from home from her own personal computer.  She is connected to the internet via a small home router, and the computer is connected to the router via wireless.  The person on the other end of the phone line had no idea what type of wireless and what type of access protection the user was using.   All he knew was that after getting on the internet, the user would log on to the F.I. via an SSL VPN.  He also knew that he had the ability to get onto her computer without her authorization using gotomypc.

A few considerations immediately come to mind here.

First of all, a user that connects to a bank should be vetted in every aspect of his/her connection.

The F.I. should have been fully aware of the type of wireless and the type of wireless security this user had set up.  Actually, better yet, the F.I. should have mandated minimum acceptable standards such as WPA2 Enterprise with AES256.  Possibly, it should also have gotten that computer off the wireless altogether and turned the wireless off, period.  Working from home is already convenient enough; users don’t need to be working from their pool if they’re incapable of checking their own security.

Second, allowing the use of the home computer may not be the best of ideas.  The bank has no way of knowing if that computer was compromised in any way because it has no idea who else uses it and how.  This is inexcusable.  No matter that the AV was running and was fully updated; evidently, that wasn’t enough, as it never is.  If you’re using a computer for bank work, that computer should be kept as pristine as possible and shouldn’t be shared.  I don’t know for a fact that it was shared; but I don’t know the contrary either.

Third – I personally do not like systems like gotomypc which allow someone to get onto my workstation without my authorization.  If I were in need of help, I’d rather establish a gotomeeting/join.me type session and explicitly authorize access when and how I want.

Why?

Not for lack of trust in the remote support user, but rather because systems that don’t require my explicit authorization are very exploitable.   The password used to access the remote session could’ve been stolen; the computer from which these remote sessions are initiated could’ve been compromised; the sheer fact that someone can access my system stealthily is dangerous because that means there’s an agent running on my computer allowing remote connection.  And I’ve personally never liked that because it’s basically an open door, inviting an exploit.
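The three points above (mandated wireless standards, a non-shared and clean workstation, and no unattended remote-access agent) can be turned into a posture check the F.I. runs before a remote user is allowed onto the SSL VPN. The following is an added example, not code from the original post: it parses a constructed, abbreviated dump in the format of `netsh wlan show interfaces` on Windows, looks at a constructed list of service display names, and reports anything that fails the minimum standards. The service-name patterns for the remote-access agent and the antivirus are assumptions and should be replaced with the names in your own software inventory.

```python
"""Posture check for a remote worker's Windows workstation (added example).

Inputs are constructed samples: a `netsh wlan show interfaces` dump and a list
of service display names. Output is a list of findings; an empty list passes.
"""
import re

# Constructed sample in the layout `netsh wlan show interfaces` prints.
SAMPLE_NETSH = """
There is 1 interface on the system:

    Name                   : Wi-Fi
    Description            : Example Wireless Adapter (hypothetical)
    State                  : connected
    SSID                   : HomeNet
    Radio type             : 802.11ac
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
"""

# Constructed service list; names are illustrative only.
SAMPLE_SERVICES = ["Windows Defender Antivirus Service", "Spooler", "GoToMyPC Host"]

# Minimum standards the F.I. mandates (assumption: enterprise auth with an AES cipher).
REQUIRED_AUTH = {"WPA2-Enterprise", "WPA3-Enterprise"}
REQUIRED_CIPHER = {"CCMP", "GCMP"}
# Assumed substrings identifying unattended remote-access agents; adjust to your inventory.
UNATTENDED_AGENT_PATTERNS = ["gotomypc", "g2svc"]
# Assumed substrings identifying an antivirus service.
AV_PATTERNS = ["antivirus", "defender"]


def parse_netsh_interfaces(text):
    """Return the 'Key : Value' fields of a netsh interface dump as a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def evaluate_posture(netsh_text, services, wireless_allowed=True):
    """Apply the minimum standards and return a list of human-readable findings."""
    findings = []
    wlan = parse_netsh_interfaces(netsh_text)

    if wlan.get("State", "").lower() == "connected":
        if not wireless_allowed:
            findings.append("wireless in use but policy requires a wired connection")
        auth = wlan.get("Authentication", "")
        if auth not in REQUIRED_AUTH:
            findings.append(f"wireless authentication is {auth or 'unknown'}; "
                            "require WPA2/WPA3-Enterprise")
        cipher = wlan.get("Cipher", "")
        if cipher not in REQUIRED_CIPHER:
            findings.append(f"wireless cipher is {cipher or 'unknown'}; require AES (CCMP/GCMP)")

    for svc in services:
        if any(p in svc.lower() for p in UNATTENDED_AGENT_PATTERNS):
            findings.append(f"unattended remote-access agent present: {svc}")

    if not any(p in svc.lower() for svc in services for p in AV_PATTERNS):
        findings.append("no antivirus service found")

    return findings


if __name__ == "__main__":
    for finding in evaluate_posture(SAMPLE_NETSH, SAMPLE_SERVICES):
        print("FAIL:", finding)
```

Run against the constructed sample it reports the WPA2-Personal network and the remote-access host service; with `wireless_allowed=False` it also flags the fact that the machine is on wireless at all, which matches the stricter option of taking the computer off the wireless entirely.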

Finally, the LAN protection offered by a home router is not bank worthy.  For a bank to be “cheap” and not purchase serious protection for that home user is another inexcusable mistake.  Spending less than $100/month to have serious, strong protection for that network, possibly monitored as the bank network is, is certainly justifiable in light of the threat and the possible catastrophic consequences.  I’m quite certain that if the value of that remote user were not worth $100 of protection, she wouldn’t be working for that F.I. anymore.  So, why risk it?  Why not spend the money?

I stress this last point because I see this being done not only for home users, but also, at times, for branches.

Why is it that many think only the main internet site is exploitable and completely fail to consider that if you armor your front door but leave a giant frail glass window in the back, your house is still very vulnerable?  Or do you think thieves will not walk around to find the vulnerable points and will just leave because you have a strong door?   Apply the same idea to a network: protecting the main point of entry and leaving the remote sites basically unattended is inviting someone in through the back door.  When you protect a network, you MUST protect ALL its points of entry, not just the front one.

If you’ve managed and monitored security and a strong IPS at the main site, you should have that also at the remote sites, period!  And if you have remote home users, consider that they need the same protection; ensure you have some say over how they set up their network.  See if you can actually split their home network into actual home and work, and set it up in such a way that there’s no interconnection.  Spend $100/month to ensure they get the same protection you get at your main location.  Do NOT leave small holes unattended; hackers WILL find them and WILL exploit them.
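Splitting the home network into a home segment and a work segment with no interconnection is a concrete firewall policy, and it is worth writing it down so it can be checked rather than assumed. The block below is an added example and not part of the original post: it models a small home gateway with a work VLAN that may reach nothing but the employer's VPN concentrator, a home VLAN that gets ordinary Internet access but can never reach the work VLAN, and a default drop for everything else. It checks sample flows against that policy and renders the equivalent nftables forward chain. All addresses, interface names and the VPN port are constructed or assumed (TEST-NET ranges and private space).

```python
"""Home/work segmentation policy for a remote worker's gateway (added example).

Addresses, interface names and the VPN port are constructed assumptions.
"""
import ipaddress

WORK_NET = ipaddress.ip_network("10.10.1.0/24")        # constructed: work VLAN
HOME_NET = ipaddress.ip_network("192.168.1.0/24")      # constructed: home VLAN
VPN_CONCENTRATOR = ipaddress.ip_address("203.0.113.10")  # constructed (TEST-NET-3)
VPN_PORT = 443                                         # assumption: SSL VPN over TCP/443
IF_WORK, IF_HOME, IF_WAN = "vlan_work", "vlan_home", "wan"  # assumed interface names


def classify(ip):
    """Map an address to the segment it belongs to."""
    addr = ipaddress.ip_address(ip)
    if addr in WORK_NET:
        return "work"
    if addr in HOME_NET:
        return "home"
    return "internet"


def flow_allowed(src, dst, proto, dport):
    """Decide whether a new (not yet established) forwarded flow is permitted.

    Work segment: only the SSL VPN to the concentrator, nothing else.
    Home segment: Internet only; never into the work segment.
    Internet: no unsolicited inbound to either segment.
    """
    s, d = classify(src), classify(dst)
    if s == "work":
        return (d == "internet"
                and ipaddress.ip_address(dst) == VPN_CONCENTRATOR
                and proto == "tcp" and dport == VPN_PORT)
    if s == "home":
        return d == "internet"
    return False


def render_nftables():
    """Render the same policy as an nftables forward chain (default drop)."""
    return f"""table inet homegw {{
  chain forward {{
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "{IF_WORK}" oifname "{IF_WAN}" ip daddr {VPN_CONCENTRATOR} tcp dport {VPN_PORT} accept
    iifname "{IF_HOME}" ip daddr {WORK_NET} drop
    iifname "{IF_HOME}" oifname "{IF_WAN}" accept
  }}
}}
"""


if __name__ == "__main__":
    print(render_nftables())
    print(flow_allowed("10.10.1.20", str(VPN_CONCENTRATOR), "tcp", VPN_PORT))
```

The work segment as written can reach the concentrator only by address; if the VPN client resolves a hostname, the gateway's own resolver would need a matching rule for that segment. The explicit `drop` for home-to-work traffic is redundant with the default policy but makes the intended "no interconnection" visible when someone reads the ruleset later.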

Have a good month and stay safe.

Pierluigi Stella


With a sterling track record of successfully accomplished projects, an extensive technical know-how, and nine years as head of both the technical as well as customer service divisions of Network ... Web: www.networkboxusa.com