By Gary Glover
Remote access makes doing business extremely convenient for merchants. Yet with this ease comes vulnerability. Insecure remote access is the number one attack pathway used by hackers today. Keep reading if you're concerned about your portfolio's security.
With an Internet connection and remote access technology, small business owners and their third parties can easily access the business network from anywhere. However, insecure remote access gives hackers a pathway to compromise an organization's network and access credit card data.
Remember Target Corp.'s massive data compromise in 2013? That incident reportedly began when a hacker accessed one of Target's systems via a remote access account belonging to an HVAC company. Thus, hackers gained a foothold on an internal system and then leapfrogged to other systems inside the retailer's network. This resulted in the theft of 40 million consumers' credit and debit card data and affected over 70 million people.
Many businesses open their networks to vendors for a streamlined process, better service and improved support. Few implement security policies and procedures governing third-party access. In the majority of recent hacking cases, specific businesses weren't necessarily targeted; the hackers likely scanned the Internet for vulnerable remote access systems and then attempted to compromise them.
If not properly secured, remote access allows attackers to bypass firewalls and most other system security measures and remotely access the POS or other systems in the payment environment. It's simply that easy for hackers, especially because the rules that tend to be in place for employees using remote access aren't always applied to external parties.
Your merchants are using remote access technologies. It's up to you to ensure they are educated to manage this tool securely. Here are five best practices you can recommend to your merchants to encourage remote access security:
Gary Glover (CISSP, CISA, QSA, PA-QSA) is the Director of Security Assessment at SecurityMetrics. Gary has worked in the IT security industry as a QSA for over 10 years. For more information about SecurityMetrics, visit www.securitymetrics.com.