Security Laboratory

Security Laboratory: Methods of Attack Series

These papers introduce you to the most common attack methods against computer systems and networks and the basic strategies used to mitigate those threats.

Remote Maintenance

By Stephen Northcutt

When we hear the terms remote access or remote maintenance, we typically think of authorized administrators who can log in from systems on the road or at home for support reasons. Remote maintenance can also extend to vendors and support technicians who need access to a device to assist with configuration or troubleshooting. In many cases, the remote maintenance tools authorized for vendors and support technicians grant the operator a higher level of privilege than the administrator holds: unrestricted access to the operating system rather than a standard configuration interface.

The best-known remote access tool is GoToMyPC. "It enables secure browser-based access to any Internet-connected PC. Transmitting keyboard, mouse and display updates over a highly compressed, encrypted stream, this award-winning service yields a 'good as being there' experience over broadband and impressive performance over dial-up. GoToMyPC enables screen sharing, file transfer and remote printing."[1] A review can be found here[2].

Some people have concerns because their data passes through the GoToMyPC network. Other options include Access Remote[3] and the open source tools RealVNC[4] and UltraVNC[5]. In a recent discussion on the GIAC[6] Alumni list, the favorite was the Juniper[7] product.

Support for remote maintenance is a requirement for many organizations, as well as for the support organizations they rely on. Unfortunately, it can also be a weak point in the overall security of the network. If your support organization has access to the server or appliance platform for maintenance and troubleshooting, what prevents an attacker from reaching the same resource? Some support organizations require static password authentication to reach the remote maintenance services on your devices, and some go further and require public key cryptography to restrict access to authorized individuals only. Few, however, support the ability to remotely manage and expire support passwords, or provide key revocation mechanisms that would stop a disgruntled former employee from abusing access that was once authorized.
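The two controls the paragraph says are rarely available, automatic expiry of support credentials and revocation of a previously authorized key, are small to implement once the access decision is centralized. The following is an added example written for this article, not code from the article or from any vendor product; the operator names, device names, key fingerprints and timestamps are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class MaintenanceAccessPolicy:
    """Deny-by-default check for vendor remote-maintenance keys, with
    automatic expiry and explicit revocation (the two controls the text says
    few support organisations provide)."""
    grants: dict = field(default_factory=dict)  # fingerprint -> (operator, device, expires_at)
    revoked: set = field(default_factory=set)   # fingerprints cut off before expiry

    def grant(self, operator, fingerprint, device, now, ttl_hours=8):
        """Issue a time-boxed grant for one device instead of a static login."""
        self.grants[fingerprint] = (operator, device, now + timedelta(hours=ttl_hours))

    def revoke(self, fingerprint):
        """Key revocation: e.g. the technician leaves the vendor."""
        self.revoked.add(fingerprint)

    def authorize(self, fingerprint, device, now):
        """Return (allowed, reason); every failure path is an explicit deny."""
        if fingerprint in self.revoked:
            return False, "revoked"
        if fingerprint not in self.grants:
            return False, "unknown key"
        operator, allowed_device, expires_at = self.grants[fingerprint]
        if device != allowed_device:
            return False, "wrong device"
        if now >= expires_at:
            return False, "expired"
        return True, f"ok:{operator}"

T0 = datetime(2007, 5, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp

def demo():
    """Walk one support session through the policy; returns the decisions."""
    p = MaintenanceAccessPolicy()
    fp = "SHA256:EXAMPLE-vendor-tech-key"              # constructed fingerprint
    p.grant("vendor-tech-01", fp, "fw-edge-1", T0)     # 8-hour window
    out = {
        "in_window": p.authorize(fp, "fw-edge-1", T0 + timedelta(hours=1)),
        "other_device": p.authorize(fp, "db-core-1", T0 + timedelta(hours=1)),
        "after_window": p.authorize(fp, "fw-edge-1", T0 + timedelta(hours=9)),
        "unknown": p.authorize("SHA256:EXAMPLE-other", "fw-edge-1", T0),
    }
    p.revoke(fp)                                       # technician leaves vendor
    out["after_revoke"] = p.authorize(fp, "fw-edge-1", T0 + timedelta(hours=1))
    return out
if __name__ == "__main__":
    print(demo())
```

The point of `authorize` is that a grant dies on its own at the end of the maintenance window, and that `revoke` cuts it off earlier without waiting for anyone to change a shared static password.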

In the course we author and teach, SANS Security Leadership Essentials For Managers[8], we discuss remote access in the Methods of Attack section because it is so often a key part of a hacker's attack. The Wall Street Journal describes the remote access the hackers relied on in the TJX breach: "After they used that data to crack the encryption code the hackers digitally eavesdropped on employees logging into TJX's central database in Framingham and stole one or more user names and passwords, investigators believe. With that information, they set up their own accounts in the TJX system and collected transaction data including credit-card numbers into about 100 large files for their own access. They were able to go into the TJX system remotely from any computer on the Internet, probers say."[9]