The Green Sheet Online Edition
July 27, 2015 • Issue 15:07:02
Help merchants reduce third-party remote access threats
Remote access makes doing business extremely convenient for merchants. Yet with this ease comes vulnerability: insecure remote access is the number one attack pathway used by hackers today. Keep reading if you're concerned about your portfolio's security.
With an Internet connection and remote access technology, small business owners and their third parties can easily access the business network from anywhere. However, insecure remote access gives hackers a pathway to compromise organization networks and access credit card data.
Remember Target Corp.'s massive data compromise in 2013? That incident reportedly began when attackers logged in to one of Target's vendor-facing systems using the remote access credentials of an HVAC contractor. From that foothold they moved laterally to other systems inside the retailer's network and harvested payment data. The result was the theft of 40 million consumers' credit and debit card records, and with other personal data also taken, the breach affected over 70 million people.
How do hackers do it?
Many businesses open their networks to vendors to streamline processes and get better service and support. Few implement security policies and procedures governing that third-party access. In the majority of recent hacking cases, specific businesses weren't necessarily targeted; the hackers likely scanned the Internet for exposed remote access services (remote desktop, VNC and similar tools listening on their well-known ports) and then tried to log in to whatever they found.
A remote access service that is not properly secured is a hole punched through the firewall: an attacker who logs in through it bypasses the perimeter and most other system security measures and lands directly on the POS or other systems in the payment environment. It's simply that easy for hackers, especially because while rules tend to be in place for employees using remote access, the same rules aren't always applied to external parties.
Your merchants are using remote access technologies. It's up to you to ensure they are educated to manage this tool securely. Here are five best practices you can recommend to your merchants to encourage remote access security:
- Limit who can access the system remotely. Grant remote access only to the people whose jobs require it, and only to the systems they need. Don't share remote access credentials; give every user, including each vendor technician, a unique username and password so that activity can be traced back to an individual.
- Don't use default remote access passwords. Many remote access products ship with a default password that is easily found online, and attackers scanning the Internet try those first. Change it before the system goes live.
- Require two-factor authentication. A single factor (a password) can be guessed, phished or reused from another breach. Requiring a second factor, such as a one-time code or hardware token, greatly reduces the risk of a successful attack, and PCI DSS requires it for remote access into the cardholder data environment. (Note: a user ID is not an authentication factor.)
- Keep firewalls up to date. Patch the firewall itself, and review its inbound rules: remote access ports should never be open to the whole Internet, only to the specific addresses a vendor connects from, and rules left behind by former vendors or completed projects should be removed.
- Train employees. Periodically review data security practices to ensure employees protect sensitive data, and make sure they know never to hand remote access credentials to anyone who asks for them, including callers claiming to be from a vendor.
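Several of the practices above can be checked rather than merely recommended. The script below, an added example and not part of the original article or any SecurityMetrics tool, audits two constructed inputs: a list of inbound firewall rules and a list of remote access accounts exported from the remote access product. It flags remote access ports reachable from a source range wider than a /24 (the /24 threshold and the account field names are assumptions chosen for the illustration), accounts still on a default password, accounts without a second factor, and credentials shared by more than one party.

```python
"""Audit a merchant's remote access exposure.

All input data below is constructed for the example; the vendor address
block uses the RFC 5737 documentation range 203.0.113.0/24.
"""
import ipaddress

# Well-known remote access service ports. Assumption: extend this for the
# specific remote access product the merchant or vendor actually uses.
REMOTE_ACCESS_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC", 5631: "pcAnywhere"}

# Constructed sample: inbound firewall rules as (port, source CIDR, description).
SAMPLE_RULES = [
    (3389, "0.0.0.0/0", "POS server RDP"),         # open to the whole Internet
    (5900, "203.0.113.0/24", "HVAC vendor VNC"),    # restricted to the vendor's range
    (443, "0.0.0.0/0", "e-commerce HTTPS"),         # not a remote access port, ignored
]

# Constructed sample: accounts exported from the remote access tool.
# 'holders' lists every person or company known to use the credential.
SAMPLE_ACCOUNTS = [
    {"user": "admin", "password_is_default": True, "mfa": False,
     "holders": ["HVAC vendor", "POS vendor"]},
    {"user": "jsmith", "password_is_default": False, "mfa": True,
     "holders": ["J. Smith"]},
    {"user": "posvendor", "password_is_default": False, "mfa": False,
     "holders": ["POS vendor"]},
]


def exposed_rules(rules, max_prefix=24):
    """Return findings for remote access ports open to a source range
    broader than a /max_prefix (assumed policy: a vendor should connect
    from a small, known address block, never from anywhere)."""
    findings = []
    for port, cidr, desc in rules:
        if port not in REMOTE_ACCESS_PORTS:
            continue
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen < max_prefix:
            findings.append(
                f"{REMOTE_ACCESS_PORTS[port]}/{port} ({desc}) reachable from {cidr}")
    return findings


def weak_accounts(accounts):
    """Return findings for default passwords, missing second factor and
    credentials shared by more than one party."""
    findings = []
    for acct in accounts:
        if acct["password_is_default"]:
            findings.append(f"{acct['user']}: default password still set")
        if not acct["mfa"]:
            findings.append(f"{acct['user']}: no second authentication factor")
        if len(acct["holders"]) > 1:
            findings.append(
                f"{acct['user']}: credential shared by {len(acct['holders'])} parties")
    return findings


def audit(rules, accounts):
    """Combine both checks into one list of findings."""
    return exposed_rules(rules) + weak_accounts(accounts)


if __name__ == "__main__":
    for line in audit(SAMPLE_RULES, SAMPLE_ACCOUNTS):
        print("FINDING:", line)
```

Run against the sample data, the rule check flags only the RDP rule (the VNC rule is scoped to the vendor's /24 and HTTPS is not a remote access port), and the account check produces three findings for the shared default "admin" account plus one for the vendor account lacking a second factor. In practice the two lists would be read from the firewall's rule export and the remote access product's user list rather than typed in.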
Remote access is here to stay. Security-wise, if merchants wish to continue using remote access and remain compliant with the Payment Card Industry Data Security Standard (PCI DSS), they have some work to do.
Gary Glover (CISSP, CISA, QSA, PA-QSA) is the Director of Security Assessment at SecurityMetrics. Gary has worked in the IT security industry as a QSA for over 10 years. For more information about SecurityMetrics, visit www.securitymetrics.com.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.