In this excerpt of Chapter 7 from The Black Book on Corporate Security, authors Howard Schmidt and Tony Alagna analyze how "unmanaged" remote access can serve as an attack vector.
This book excerpt originally appeared on SearchSecurity.com.
There are many different types of remote access solutions for mobile employees: SSL VPNs, which are Web-based VPN devices; various kinds of Webmail, including Outlook Web Access; secure gateways from larger vendors such as Citrix; classic IPsec VPNs; and the various portals, intranets and extranets that can also be used for mobile computing.
The quality that all remote access has in common, regardless of the method used, is that the connecting endpoint is a machine as vulnerable as any other system on the Internet. In some cases these are managed machines: corporate-issued assets administered by corporate IT and provisioned with all of the corporate security programs.
Corporate resources can now be accessed from anywhere, and most of those places are far from trustworthy. The danger here is extreme, because mobile computing environments plug into random places and into unmanaged systems. Vendors are aware of this security threat, and they're increasingly recommending the deployment of different types of security and scanning technologies. The problem is that most security technologies are not readily deployable. Antivirus is a very large application, so it is not practical to expect anyone logging in remotely to download the software and then scan the hard drive for half an hour before they can access e-mail. Antivirus-type technologies in the "unmanaged space" must be behavioral, small, fast and transactional. Some are emerging in the marketplace.
However, the vulnerability in this mobile communication model is obvious. Besides the general threat of malicious code, these machines have no physical access restrictions. Anybody can load whatever they want onto them (the risk of a keystroke-logger, regardless of whether it has network connectivity, is huge). A person can walk up five minutes before the machine is used and five minutes after it is used and capture everything that was done on it between those two points in time.
The threat of malicious code is even greater in this unmanaged machine space. Sometimes the people using IPsec VPNs feel safe because this technology prevents split-tunneling (two or more applications communicating simultaneously while the VPN connection is up). Preventing split-tunneling only creates an illusion of safety.
A reverse-connecting Trojan functions in this environment the same way it does in a corporate environment: it initiates its connection sequence from the inside out. So, if users can see the Internet, then so can the malicious code. Even without Internet access, malicious code can be scripted to steal data or perform actions whenever the machine comes back online. Malicious code is basically winning in every environment regardless of the situational defenses. All situational defenses can do is minimize the types of attacks; they cannot stop attacks.
Read Chapter 7, Defending the digital you
This was first published in July 2006