When IT support is a security risk

By NetOp


Lost sales and productivity are the result of employees being stuck with IT problems that prevent them from doing their jobs. That is why IT support teams armed with remote control software have saved companies tremendous amounts of time, money, and resources by eliminating the need for IT staff to travel, reducing system downtime and improving the efficiency of the IT organization.

What about security?
There are many benefits to gain from remote control software but by its very nature remote control can jeopardize your IT security.

As remote control software works over your local network, or the internet, there is always the risk of passwords being sniffed from an established remote control session, brute force attacks on password-protected remote control software, etc. In fact, a recent survey showed that 42% of data breaches involved the use of some remote control software (Verizon Business RISK Team 2008 Data Breach Investigations Report).

Does that mean that all remote control software is inherently a security risk and you should avoid using it? No, just like you do not disconnect from the internet because of the risk of virus attacks. The benefits of remote control simply outweigh the potential risk and there are measures you can take to minimize the risk, such as changing the default ports, using role-based access profiles, etc. However, just like you invest in anti-virus software, it is also imperative to carefully consider the security aspects of your remote control solution.

Learn from the paranoid
In the finance industry they do not take security lightly. They are a prime target for cybercrimes of all kinds and data breaches will most likely include confidential data, e.g. credit card information.

At the same time, downtime of IT systems can literally cost thousands per second, so being able to provide swift and safe IT support is crucial. That is why the finance industry is looking for secure remote control solutions to overcome their challenges:

  • Support geographically dispersed branches and ATMs
  • Protect all network traffic against hacking
  • Comply with IT security policy
  • All actions must be logged and kept for documentation
  • Support users without installing anything on the user's computer
  • Not opening ports in firewall or routers
  • Update and service ATMs without visiting them physically

At Netop we have provided Remote Control Solutions to the financial industry for more than 20 years and we would like to share with you what we have learned. Our lessons can be summed up in 3 rules:

  • Put security first
  • Ensure cross-platform compatibility
  • It's got to be flexible and scalable

Before we take a closer look at each of these rules, let us pause and get some remote control terminology straight. There are two sides to every remote control session: the side providing the support, and the side receiving the support. Remote control vendors use a variety of terms to describe these two sides. For consistency's sake in this article, we will use "Guest" to describe the provider and "Host" to describe the receiver.

Rule # 1 - Put security first.

Establishing a connection between the Guest and the Host involves network traffic and thus the potential risk that an intruder can sniff information and eavesdrop on your remote control session. That is why financial institutions are looking for market leading 256-bit AES encryption and dynamic key exchange using the Diffie-Hellman method with key lengths up to 2048 bits.

However, for security-conscious financial institutions, encryption is only the first layer in a four-layered security model that addresses who can do what, where and when. And when the remote control session is finished, the solution should be able to document what actually took place in the session.

Who has access?
How does the IT supporter identify himself to the user's computer? Remote control products differ in the criteria you can enforce: some use only passwords, while others need user acceptance, which is not good for servers. The best solutions will offer you multiple access criteria, including integration with directory services, smart cards or token-based authentication.

What can a user do?
Once connected a Guest can perform various tasks on the remote computer, reboot, edit registry, delete files, copy files, print, chat with the user, etc. Exactly what the Guest can do varies widely among remote control products, however, more important is the degree to which you can specify various access roles.

The importance of this is highlighted in the aforementioned Verizon report. According to the study, an account intended for use by external consultants to remotely administer systems was compromised by an external entity and used to illegitimately access enterprise information assets.

Financial institutions are looking for remote control solutions that allow for different user rights for IT administrators, customer help desk, internal help desk, ATM support and most importantly external consultants.

Document what happened
Documentation is the final frontier of a solid secure remote control system. With extensive logging and video recording of sessions, you will know exactly what happened and when.  No matter how good your security is, people can still misuse the rights they have, and the only way to handle this is by having a complete audit trail of all remote control actions. This ensures compliance with the strictest IT security policies and national laws for data protection.
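The "who can do what" and "document what happened" layers described above can be sketched as follows. This is an added example, not Netop's code: the role and action names come from the article, while the role-to-action mapping, the guest and host names, and the hash-chained log are assumptions made for illustration.

```python
import hashlib
import json

# Assumed policy: which Guest role may perform which action (mapping is constructed).
POLICY = {
    "it_admin": {"reboot", "edit_registry", "delete_files", "copy_files", "print", "chat"},
    "internal_helpdesk": {"reboot", "copy_files", "print", "chat"},
    "customer_helpdesk": {"print", "chat"},
    "atm_support": {"reboot", "copy_files"},
    "external_consultant": {"copy_files", "chat"},
}

class AuditLog:
    """Append-only log; each entry stores the hash of the previous entry."""
    def __init__(self):
        self.entries = []

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(record, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"record": record, "prev": prev, "hash": digest})

    def verify(self):
        """Recompute the chain; any edited or reordered entry breaks it."""
        prev = "0" * 64
        for entry in self.entries:
            body = json.dumps(entry["record"], sort_keys=True)
            digest = hashlib.sha256((prev + body).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != digest:
                return False
            prev = entry["hash"]
        return True

def authorize(log, guest, role, host, action):
    """Deny by default and log every decision, allowed or refused.
    A real log would also carry a timestamp; omitted to keep output fixed."""
    allowed = action in POLICY.get(role, set())
    log.append({"guest": guest, "role": role, "host": host,
                "action": action, "allowed": allowed})
    return allowed

def demo():
    log = AuditLog()
    results = [  # constructed sample requests
        authorize(log, "alice", "it_admin", "atm-017", "edit_registry"),
        authorize(log, "vendor1", "external_consultant", "srv-db1", "edit_registry"),
        authorize(log, "bob", "unknown_role", "pc-22", "chat"),
    ]
    intact_before = log.verify()
    log.entries[1]["record"]["allowed"] = True  # simulate an edited log entry
    return results, intact_before, log.verify()
```

Refused requests are logged as well as granted ones, so an attempt by an external consultant account to exceed its role leaves a record, and editing that record afterwards makes `verify()` fail.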

Rule # 2 - Ensure cross-platform compatibility

With Microsoft's prominent position in today's IT environment, it is all too easy to think that you just need a remote control product that runs on Windows.

What Windows are you looking at?
Which Windows, you might ask? It comes in many varieties for desktops, servers, mobile devices and embedded systems, including Vista (32 and 64-bits), XP, 2000, NT, ME, 98, 95, MS-DOS, Server 2003, 2008, CE, XP embedded, Mobile 5 and 6. Many remote control products only cater to the latest versions of Windows for desktops or servers, but in many enterprises you will find customized applications running on old Windows platforms. And, increasingly, you need to support smart phones and embedded devices.

Few enterprises are 100 percent Microsoft only
You will find Linux servers, Macs in the marketing department and in the financial sector you might easily encounter OS/2. Add the complexity of several local area networks and the need for support over the Internet, and it is not unusual to find IT departments and service providers having to switch between two, three, and even 10 different remote control tools to cover daily maintenance and support tasks.

Consolidate on one remote control solution
Every time an incident cannot be solved using a remote control tool, a help desk service person will need to make a desk-side visit or spend hours in the server room. You incur extra cost, lose efficiency in the IT department and increase user/server down time.

Thus, it makes business sense to consolidate on one remote control solution that can reach across plenty of operating systems, devices, LANs and the Internet.

Rule # 3 - It's got to be flexible and scalable

For financial institutions, flexibility is a key word, so they are looking for features that support flexibility, including:

Central installation and deployment capabilities that provide for an easy, network-wide roll out of the remote control to Host computers with help of deployment and installation utilities.

Centralized security management. A scalable remote control solution relies heavily on a centralized security management system allowing administrators to easily administer authentication rules, user groups and their associated access rights without having to visit each Host computer.

On demand remote control which gives you the flexibility to support computers without a Host installed. With an on-demand solution, a user needing help will be asked to install a small executable, either by clicking on an icon on a web site or through email. Once installed, the executable will allow a temporary remote control session.

Flexible connectivity with an Internet-based connection service where the Guest and the Host need only send out traffic through the firewalls to the connection service in order to initiate a remote control session. This gives the freedom to connect easily to any Host anywhere and, as outbound traffic is normally allowed through the firewalls, you do not need to make any changes to the firewall configuration. For security purposes, it is best not to rely on third party servers with access to your login and traffic information.

Support for Intel vPro, a set of features built into the chipset that provides additional flexibility. With a remote control solution that supports vPro, administrators can remotely access computers before the operating system is loaded or even if no operating system is available. A computer can be remotely powered on/off to get into the BIOS settings or install an operating system from an image located on the Guest computer.

Scalable telephone book that allows Guests to organize, share and customize connections, giving easy access to all hosts no matter where they are or how many there are.

Reliable, future-proof technology that comes from a provider with extensive experience in the development of remote control solutions.

About Netop Business Solutions A/S
Netop Business Solutions A/S (formerly known as Danware A/S) develops and markets software solutions that enable swift, secure and seamless transfer of screens, sound and data between two or more computers. We have three business areas: Netop Administration, Netop Education and Netop Communication.

Netop Solutions A/S shares are listed on Nasdaq OMX Nordic Exchange and are part of the SmallCap+ index.

About Netop Remote Control Solution
Netop Remote Control is the complete remote control solution for professional users. It offers everything you need for the service and support of computers and networks: from the completion of complex remote maintenance and file transfer, through remote user support to network-wide software and hardware inventory administration. All of this comes under a single, intuitive interface, perfectly protected by encrypted connections, sophisticated authentication and comprehensive rights management.

Contact details:
Per Rank, Director of Sales, EMEA
T: +45 2631 2529, E: pr@netop.com