Many organizations depend on a variety of external vendors to support their IT infrastructure, network and systems. In many cases, they overlook remote third-party access as a privileged access point that requires narrow security controls.

“Most organizations granting remote privileged application or operating system-level access to third-party users leave gaps that introduce significant security risks“
Gartner research How to Secure Remote Privileged Access for Third-Party Technicians

Facts

• Malicious remote access represents “a significant hazard with networked POS devices,” accounting for 62% of incidents within POS environments. (Source: 2017 Trustwave Global Security Report).
• 95% of breaches featuring the use of stolen credentials leveraged vendor remote access to hack into their customer’s POS environments. (Source: Verizon 2017 Data Breach Investigation Report)
• 27% of breaches were discovered by third parties. (Source: Verizon 2017 Data Breach Investigation Report)

Key challenges

• Allowing remote privileged access to third-parties (vendors, service providers, consultants, etc.) to increase productivity and enabling IT to perform at its best.
• Logging and recording remote privileged sessions to ensure security of external remote access.
• Preventing IT administration issues such as improper sharing of privileged accounts, orphaned accounts and improper full-superuser.

How much do you know about privileged access?

According to Gartner’s research “Twelve Best Practices for Privileged Access Management”, privileged accounts are typically classified in three basic categories:

• Administrative accounts: User accounts with elevated privileges who have access to all standard users and privileged operations.
• System accounts: Accounts built into systems or applications. For example, root on Unix/Linux systems or Administrator on Windows systems.
• Operational accounts: User accounts with elevated privileges to manage software installation and remotely support other systems. Operation accounts encompass two kinds: shared accounts and service or app accounts.

So, why is it important to secure privileged access?
The threat landscape reinforces that the primary focus for IT security professionals should be remote access management. Mismanagement of remote privileged access might violate data security compliance standards (PCI-DSS, ISO 27001, ISO 27008) while putting your organization at risk of a cyber attack.

Of course, you can mitigate the risks associated with remote privileged access.

Key Recommendations

1. Make an inventory of your vendors and audit their privileged accounts

Do vendors have 24/7 access into your network? If yes, this is an external “always-available entry point“ into your network for hackers.

Understanding who your external users are and their entry points into your network are prerequisites to securing your remote vendors’ privileged access:

• IT service providers provide outsourced IT services and complete admin tasks (create accounts, reset passwords, etc.).
• External business and IT consultants work on IT projects.
• Services vendors provide business services like financial management, web dev, CRMs, etc.
• Supply chain vendors manufacture inventory/stock items and provide services and infrastructure to support the delivery of goods.

2. Implement strong remote access control measures for vendor technicians

Implementing strong remote privileged access controls should be a two-step approach:

First, enforce strong authentication for remote privileged access and support
Most vendor technicians and network administrators who require elevated privileges will update, audit, and support systems from remote locations. To prevent stolen identity and access privileges, you should consider implementing strong authentication methods.

To secure your vendors privileged identity, adopt these methods for strong authentication:

• Multi-factor authentication. This requires two or more forms of authentication for higher-risk access. Multi-factor authentication uses one piece of information the user knows (log-in credentials), as well as something the user possesses (pass-code received by phone or email). Two examples of multi-factor authentication you could use:
  • Windows Azure Multi-Factor Authentication. A level of authentication in addition to a user’s account credentials that satisfies compliance standards.
  • Smart card authentication. Using this method, all information is processed on the card itself rather than being transmitted to another device. The attacker must both possess the card and know the PIN number to compromise the data.
• Authentication against RADIUS. RADIUS is a client/server protocol often used to centrally validate remote users and authorize their access to network resources. RADIUS integrates well with VPN, RAS, Active Directory and Token based authentication solutions.
• Digital certificates. Issued by a trustworthy authority, digital certificates are used for authenticating and securing communications, especially on unsecured networks. They work by assigning a public key to a user who has the corresponding private key.

The second step to implementing strong remote privileged access controls is using intricate rights controls for vendors’ technicians. How? By configuring granular rights and permissions for complete access control over privileged users and privileged user groups.

Second, use intricate rights controls for vendor technicians
Once a user has been set up with secure access credentials to a device or application, controlling their access privileges is critical. The more granular the authorization settings, the better security you are allowed.

Enforcing PCI requirements 7 and 8 outside the PCI zone is still a good idea. Elevated privileges should be granted following the principle of least privilege: minimum access privileges should be granted based on a business-need-to-know basis for the limited period needed to complete a specific task. By following this principle, you’ll be effectively restricting vendors remote privileged access to data within their area of responsibility and limits the damage that can result from accident, error, or unauthorized use.

3. Thwart lateral movement by remote privileged accounts

Contrary to what you may think, the most critical phase of a cyber-attack is not the exploit phase, but the lateral movement phase when the attacker seeks out for valuable assets, gains extra privileges, and moves around your network. It is worth mentioning that during this phase an attacker is most vulnerable to detection, thus you need to take the proper security measures to thwart attacks.

If we look at figures provided by Verizon 2017 DBIR, the number of breaches caused by external actors varies between 32%-96% depending on the industry. Vendors’ technicians remotely accessing your network might put you at risk as well.

How to prevent lateral movement? We have previously covered the implementation of strong remote access control measures for vendor technicians. In addition:

• Don’t use default admin passwords.
• Require and enforce strong and unique passwords throughout the entirety of your network, including third-parties and vendors in the supply chain.
• Filter remote access to your network by only allowing connections from white-listed IP addresses.
• Regularly patch all terminals and servers.
• Ensure all remote connections are encrypted.
• Tokenize sensitive information.
• Segment your network using firewalls.
• Regularly update anti-virus.
• Set up controls to monitor data transfer.

4. Monitor remote privileged sessions

Keep a close eye on the privileged accounts of your vendors’ technicians, record their remote sessions and periodically monitor their activity.

“Monitoring of vendor access provides assurance that vendors are accessing only the systems necessary and only during approved time frames”.

Source: Payment Card Industry (PCI) Data Security Standard v 3.2

Every digital interaction in your IT environment leaves a forensic residue. Extensive audit trails including remote sessions recording provide sufficient information to help you spot suspicious remote access and take the proper security measures to secure your network.

Logging and recording remote privileged sessions is highly important to ensure security of external remote access. Of course, reviewing individual logs would be very time consuming. There is an easier way to identify unauthorized activity:

“Log files are a great source of information only if you review them. You have to use the information collected and analyse it on a regular basis; for a high-risk application, this could mean automated reviews on an hourly basis.”

Source: ComputerWeekly.com - Michael Cobb, CISSP-ISSAP, co-author of the book “IIS Security”

5. Regularly review, update and enforce security policies for vendors

With access control measures in place and enforced, organizations should revise their official security policy and vendor contracts and be flexible in making the necessary adjustments to bridge security gaps.

Design security policies, procedures, practices and organizational structures to request, manage, and audit access for third-party accounts — including, but not exclusive to, those with remote privileged access.

Ask vendors to comply with your security policies
Security officers should require vendors to comply with the organization’s security policies and standards, and update collaboration contracts / agreements to stipulate that security compliance is mandatory.

For accountability purposes and better remote access administration for privileged accounts, your vendors should delegate a contact person with which your security officers will communicate, with regards to administration of privileged accounts.

External privileged access to an organization’s IT environment should be allowed only:

• After formal requesting and granting of permission.
• Through a set of access controls.

Non-compliance with the organization’s security policies should expose vendors to disciplinary actions up to and including termination of collaboration contract and/or legal actions, as stated by applicable laws and regulations.

Audit your vendors security
Security compliance requested by contractual language does not mean your responsibilities end there. How will you know that vendors have passed the compliance test? Do they really adhere to the organization’s security policies? Security officers should audit vendors regularly to make sure they satisfy policy.

Conclusion

Security Officers and IT managers need to carefully handle external privileged access in an increasingly complex IT environment. It’s hard, but not impossible, by using the proper blend of access controls, security policy enforcement, auditing and monitoring and, as a last option, disciplinary actions.

About Impero Connect

Impero Connect empowers security professionals to provide vendors’ technicians granular access to their systems while controlling and monitoring remote access. Impero makes no compromises when it comes to securing remote access for third-parties.

Would you like to find out more about how Impero supports you in securing the remote privileged access for vendors? Explore our website or contact us and we will gladly answer any questions you might have.

You can also start a free trial right here:

References

2017 Trustwave Global Security Report – Trustwave
2017 Data Breach Investigation Report – Verizon
Gartner Research ”How to Secure Remote Privileged Access for Third-Party Technicians”
Gartner Research ”Twelve Best Practices for Privileged Access Management”
Payment Card Industry (PCI) Data Security Standard v 3.2
SANS Institute InfoSec Reading Room, “Controlling Vendor Access for Small Businesses”
Impero Connect-Security Overview
Impero White Paper “Stronger Retail Network Security in 2017”
Computer Weekly article, “Best practices for audit, log review for IT security investigations”