Finding The Hidden InfoSec Story

What’s that Plumber Doing in the Bedroom?


Photo Credit: MoToMo via Compfight cc

The increasing sophistication of technology makes it hard for IT professionals to keep up and be experts in all things technology. From monolithic central IT systems through to newer distributed computing models, it is harder, and often more expensive, to manage and support everything internally. As a result, more outsourcing and use of third-party service providers is taking place. An Ovum research study in late 2013 found that 88 per cent of companies surveyed in Western Europe allowed at least one third party to access their network remotely. For one of the businesses surveyed, more than 100 outside companies had access to its IT network.

From a security perspective, this access has to be managed and controlled. However, many organisations don't have full policies and procedures in place to enforce that control. There are many reasons for this, from a lack of visibility of who is actually accessing the network to third parties using their own remote access tools. Last year's attack on US retailer Target, which allegedly started when an HVAC vendor's remote access connection was compromised, has more people thinking about this topic, but it is a tricky one for many to visualise.

To better explain, let’s use a plumber scenario to create a security visual. If you are anything like me, you can fix a leaky tap but the intricacies of plumbing are beyond you. In this case, bringing in a plumber with specific knowledge is a given. However, consider this: you invite the plumber into your house and then leave him alone to get on with the job.

If that plumber needs to return to your house regularly while you’re off at work or running errands, you may just give him a key to the door. But how do you know what he’s doing once inside? The final result may be the fix that is required, but it may also leave time for an unscrupulous person to wander through the house and see what else is going on.

This is exactly the situation that can exist for remote support when vendors are allowed full remote access to your network. They may be there to update the HVAC system, but they may also be free to reach other parts of the network. The real trouble starts if that technician uses weak login credentials for the remote access connection. In our scenario, it would be like the plumber leaving the key in the front door so that anyone who walks by can go on in. It would take a criminal a long time to walk door to door looking for a key left in a lock, but it only takes minutes for attackers to scan the Internet for exposed remote access ports and brute-force a generic password.
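To make that last point concrete, here is an added example, not from the original article, of what the defender can look for: a small Python routine run over a few constructed log lines from a hypothetical remote-access gateway. It flags a source that fails repeatedly against one account within a short window, and escalates when a success follows that burst, which is the pattern a brute-forced generic password leaves behind. The log format, account names, addresses and thresholds are all invented for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a made-up "remote-access gateway" format
# (not from any real product): timestamp, result, account, source IP.
SAMPLE_LOG = """\
2014-03-10T02:14:01Z FAIL user=hvac-support src=198.51.100.23
2014-03-10T02:14:03Z FAIL user=hvac-support src=198.51.100.23
2014-03-10T02:14:04Z FAIL user=hvac-support src=198.51.100.23
2014-03-10T02:14:06Z FAIL user=hvac-support src=198.51.100.23
2014-03-10T02:14:08Z FAIL user=hvac-support src=198.51.100.23
2014-03-10T02:14:09Z FAIL user=hvac-support src=198.51.100.23
2014-03-10T02:14:11Z OK   user=hvac-support src=198.51.100.23
2014-03-10T09:00:15Z FAIL user=jsmith src=203.0.113.7
2014-03-10T09:03:40Z OK   user=jsmith src=203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse(log_text):
    """Yield (timestamp, result, user, src) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["result"], m["user"], m["src"]


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return a list of alerts as (kind, src, user, failure_count).

    State is kept per (src, user). A BRUTE_FORCE alert fires once when the
    number of failures inside the sliding window reaches the threshold; a
    SUCCESS_AFTER_BRUTE_FORCE alert fires if that same pair then logs in,
    which is the case worth waking someone up for.
    """
    failures = defaultdict(deque)  # (src, user) -> timestamps of recent failures
    bursting = set()               # pairs already over the threshold
    alerts = []
    for ts, result, user, src in parse(log_text):
        key = (src, user)
        recent = failures[key]
        if result == "FAIL":
            recent.append(ts)
            while recent and ts - recent[0] > window:   # drop failures outside window
                recent.popleft()
            if len(recent) >= threshold and key not in bursting:
                bursting.add(key)
                alerts.append(("BRUTE_FORCE", src, user, len(recent)))
        else:
            if key in bursting:
                alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", src, user, len(recent)))
            recent.clear()          # a success ends the current burst
            bursting.discard(key)
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The single failed login from jsmith followed by a success produces nothing, which is the normal typo case; the hvac-support account produces a BRUTE_FORCE alert on the fifth failure in seven seconds and then a SUCCESS_AFTER_BRUTE_FORCE alert, the signature of a generic password being guessed from the Internet.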

This situation can also be reversed. Our plumber wants to be sure he can prove he carried out his allotted work to the best of his ability. However, he also benefits from being able to show that he completed only that work. If his job is to fix pipes under the kitchen sink and the upstairs bathroom suddenly springs a leak, how can he prove that his actions had no impact there?

For IT support professionals, fixing a customer’s IT problem can have the same requirement. Is there an audit trail for that fix, and how did it get completed? Is there a record of what IT support touched and when? I have seen a support rep at one outsourcing company use a video of his support call to prove that his changes were not responsible for a system failure, which enabled both sides to get to the root of the problem faster.

Trust is an important requirement for working relationships. However, it’s important to have records and proof on what took place. This protects both parties, but also flags where processes can be further improved as well.

For enterprises, it is important to remember that they ultimately bear the responsibility for any actions that third parties or outsourcing companies carry out on their behalf. It is therefore equally important to ensure that the enterprise's security policies are actually followed. The enterprise also has to be in control of any remote access into its network, and be able to limit that access and cut it off once it is no longer needed. It should also be possible to limit access to only what the job requires, rather than the whole network.

In our plumbing analogy, this would be like only allowing access to the kitchen rather than the whole house, since the job is limited to that room. Even better, instead of giving the plumber a key to the front door, make him use a unique PIN code that only works during certain hours of the day, combined with a retina scan (two-factor authentication!). Finally, the plumber can wear the equivalent of a GoPro camera to record everything he does, but the video file should be sent to you automatically so he can't tamper with it. This is useful for both parties: the plumber has proof of the quality and accuracy of his work, while the customer can watch what he does and possibly replicate it in future.

In the IT world, capturing an audit trail and video recording of all remote support sessions can improve security for both parties and be used to skill up the internal team where needed.
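The controls described in the last few paragraphs (scope limited to the systems the job needs, access that works only in certain hours and expires, a second factor, and a record that is sent off to the customer so it cannot be altered) can be expressed as a small policy check plus a hash-chained audit trail. The following Python is an added example written for this page, not code from the author or any product; the grant, the network ranges, the port numbers and the session requests are all hypothetical.

```python
import hashlib
import json
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Hypothetical access grant for one vendor: the "kitchen only, office hours,
# PIN plus second factor, expiry date" version of the plumber's front-door key.
GRANT = {
    "vendor": "hvac-vendor",
    "allowed_nets": ["10.20.30.0/24"],    # the HVAC segment only, not the whole network
    "allowed_ports": [443, 4840],         # web console and OPC UA, nothing else
    "hours": (time(8, 0), time(18, 0)),   # local business hours
    "expires": datetime(2014, 6, 30, 23, 59),
    "require_mfa": True,
}


def evaluate(grant, req):
    """Decide whether one session request is allowed under a grant.

    req is a dict with vendor, dst_ip, dst_port, when (datetime), mfa_verified.
    Returns (allowed, reason); the reason is what goes into the audit trail.
    """
    if req["vendor"] != grant["vendor"]:
        return False, "grant does not belong to this vendor"
    if req["when"] > grant["expires"]:
        return False, "grant expired"
    start, end = grant["hours"]
    if not (start <= req["when"].time() <= end):
        return False, "outside permitted hours"
    if grant["require_mfa"] and not req["mfa_verified"]:
        return False, "second factor not verified"
    dst = ip_address(req["dst_ip"])
    if not any(dst in ip_network(n) for n in grant["allowed_nets"]):
        return False, "destination outside vendor's scope"
    if req["dst_port"] not in grant["allowed_ports"]:
        return False, "port not in vendor's scope"
    return True, "ok"


class AuditTrail:
    """Append-only, hash-chained record of access decisions.

    Each entry commits to the previous entry's hash, so editing or deleting an
    earlier record breaks every later hash. The chain is meant to be shipped to
    a host the vendor cannot reach; this class only builds and verifies it.
    """
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev, event):
        body = json.dumps(event, sort_keys=True, default=str)  # default=str for datetimes
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        digest = self._digest(prev, event)
        self.entries.append({"prev": prev, "event": event, "hash": digest})
        return digest

    def verify(self):
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["event"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def run_requests(grant, requests, trail):
    """Evaluate each request, record the decision in the trail, return the decisions."""
    decisions = []
    for req in requests:
        allowed, reason = evaluate(grant, req)
        trail.append({**req, "allowed": allowed, "reason": reason})
        decisions.append((allowed, reason))
    return decisions


# Constructed session requests (not real traffic): one legitimate, four that
# each break a different rule of the grant.
REQUESTS = [
    {"vendor": "hvac-vendor", "dst_ip": "10.20.30.5", "dst_port": 443,
     "when": datetime(2014, 3, 10, 10, 30), "mfa_verified": True},
    {"vendor": "hvac-vendor", "dst_ip": "10.20.40.12", "dst_port": 443,  # other segment
     "when": datetime(2014, 3, 10, 10, 31), "mfa_verified": True},
    {"vendor": "hvac-vendor", "dst_ip": "10.20.30.5", "dst_port": 443,
     "when": datetime(2014, 3, 10, 2, 14), "mfa_verified": True},        # 2 a.m.
    {"vendor": "hvac-vendor", "dst_ip": "10.20.30.5", "dst_port": 443,
     "when": datetime(2014, 3, 10, 10, 32), "mfa_verified": False},      # no second factor
    {"vendor": "hvac-vendor", "dst_ip": "10.20.30.5", "dst_port": 443,
     "when": datetime(2014, 7, 1, 10, 0), "mfa_verified": True},         # after expiry
]

if __name__ == "__main__":
    trail = AuditTrail()
    for allowed, reason in run_requests(GRANT, REQUESTS, trail):
        print("ALLOW" if allowed else "DENY ", reason)
    print("trail intact:", trail.verify())
    trail.entries[1]["event"]["allowed"] = True   # vendor tries to rewrite history
    print("trail intact after tampering:", trail.verify())
```

Every decision, denied or allowed, is written to the trail with its reason, and each entry commits to the hash of the one before it, so a vendor who can edit the copy on their side cannot change what was recorded without verification failing. Shipping the chain to a host the vendor cannot reach is the "video sent to you automatically" part of the analogy; the chain itself is what lets both sides agree afterwards on exactly what was touched and when.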

As companies continue to develop their use of outsourcing providers across their IT, it is important to remember that all those involved want to do the best job possible. By considering security and remote access, enterprises and their partners can ensure that this is maintained.

Author: Stuart Facey
