Remote access with privileges: Not all VPN accounts are equal
With surprising efficiency, large parts of the economy in Germany and other countries have switched employees from working in offices to working at home. Teams, Zoom, Jitsi and other tools have taken the place of direct contact with colleagues across desks, virtual coffee breaks maintain an informal team atmosphere and the first savvy manufacturers are offering fake backgrounds for video conferencing. The fact that so many jobs could be converted from office-based to remote in such a short time indicates either a significantly better level of digitalization than was generally thought or that previously only the will was lacking. Although the number of remote connections has grown exponentially and this has its technical challenges, most issues are related to scalability. Many problems can be solved by increasing bandwidth, improving delivery methods for two-factor authentication and adding additional ports on remote gateways.
However, security requirements have also changed. Many employees are working from home for the first time. They are vulnerable to calls or emails from attackers who impersonate support staff and claim to be verifying important information and settings, while their actual purpose is to harvest personal data and credentials. Many remote workers who ran into problems with the authorized communication channels have resorted to ad hoc solutions, including unencrypted and public networks. Some video conferencing tools did not require access codes and were open to anyone who wanted to listen in. Many of these problems were quickly identified and addressed in the first days of the coronavirus lockdown. The situation is not quite as simple for VPN accounts with privileged access, however. Administrators, whether internal or third-party, also need access to the company's IT systems, and their accounts are particularly valuable to attackers.
If administrators have always had privileged remote access, they will (hopefully) also always have used a VPN with two-factor authentication. This might not be the case if a remote account was granted higher privileges because of the coronavirus pandemic and the quick solution was port forwarding and HTTPS without a VPN. That may be acceptable in a genuine emergency, but it should only happen once and for a very short time, a few hours at most. Even where administrators do use a VPN, attacks are more likely now simply because the number of VPN accounts has increased significantly. Wired magazine reported that US energy companies were recently attacked by password spraying and VPN hacking. Password spraying tries a small number of passwords against a large number of accounts, so that no single account reaches the lockout threshold, which is usually triggered after three failed attempts.
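Because a per-account lockout never fires when each account sees only one or two failures, spraying has to be detected by looking at the source rather than the account. The following is an added example (not from the article or any product it mentions) that runs both views over a constructed VPN gateway log whose format is an assumption: the lockout rule finds nothing, while grouping failures by source address flags the spraying host.

```python
from collections import defaultdict

# Constructed VPN gateway log (sample data, not from the article).
# Format assumed here: "<time> <source_ip> <account> <result>"
SAMPLE_LOG = """\
09:00:01 203.0.113.10 alice FAIL
09:00:03 203.0.113.10 bob FAIL
09:00:05 203.0.113.10 carol FAIL
09:00:07 203.0.113.10 dave FAIL
09:00:09 203.0.113.10 erin FAIL
09:00:11 203.0.113.10 frank FAIL
09:05:00 203.0.113.10 alice FAIL
09:05:02 203.0.113.10 bob FAIL
09:10:00 198.51.100.7 grace FAIL
09:10:08 198.51.100.7 grace OK
09:11:00 192.0.2.44 hank OK
"""

LOCKOUT_THRESHOLD = 3  # the "three failed attempts" lockout the article mentions
MIN_ACCOUNTS = 5       # distinct accounts one source must fail against to be flagged

def parse(log):
    """Split log lines into (time, source_ip, account, result) tuples."""
    return [tuple(line.split()) for line in log.splitlines() if line.strip()]

def locked_out_accounts(events, lockout=LOCKOUT_THRESHOLD):
    """Accounts a per-account lockout would actually disable: those with
    at least `lockout` failures in total, from any source."""
    fails = defaultdict(int)
    for _, _, account, result in events:
        if result == "FAIL":
            fails[account] += 1
    return sorted(a for a, n in fails.items() if n >= lockout)

def detect_spraying(events, lockout=LOCKOUT_THRESHOLD, min_accounts=MIN_ACCOUNTS):
    """Sources whose failures are spread over many accounts while every single
    account stays below the lockout threshold. Returns {source_ip: [accounts]}."""
    fails = defaultdict(lambda: defaultdict(int))
    for _, ip, account, result in events:
        if result == "FAIL":
            fails[ip][account] += 1
    return {ip: sorted(per_acct)
            for ip, per_acct in fails.items()
            if len(per_acct) >= min_accounts and max(per_acct.values()) < lockout}

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("locked out by per-account rule:", locked_out_accounts(ev))  # []
    print("spraying sources:", detect_spraying(ev))
```

On a real gateway the same grouping can be done in the SIEM over authentication events; the thresholds are tuning knobs, and a source behind a shared NAT will need a higher account count before it is flagged.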
For this reason, an extended rights concept for restricting and monitoring the capabilities of high-privilege accounts should be implemented for both remote access and the LAN. The need for multi-factor authentication is obvious, but a Privileged Access Management (PAM) system is also essential for remote access. This requires well-defined, well-thought-out processes. For example, a role and rights concept must be implemented that does not grant all administrators all rights to everything. Except in very small companies, "segregation of duties" should be mandatory for administrators: a database administrator does not need full administration privileges on the underlying operating system. In the current circumstances it may make sense to lift some restrictions temporarily, but only with increased logging, either via a SIEM or at least with a central log that can only be viewed and modified by a different administrator. Under normal circumstances, remote administration should be classified as a higher risk and therefore either limited in function or only permitted with two-person integrity. There are now a large number of VPN solutions, some of them cloud-based, that can be deployed at short notice and even on a temporary basis. However the lockdown develops in the coming weeks, privileged access is an important topic that every organization should consider and address comprehensively.