Methods to Enhance Cybersecurity for Remote Access Software (RAS)

Ron McFarland PhD
Jun 12, 2023

Image: Remote Access Software (source: www.educba.com)

Introduction

Remote access software (RAS) enables users and system administrators to access and control computer network systems remotely. RAS is typically designed to offer a user-friendly interface that allows authorized users to access files, applications, and system resources remotely.

RAS is vital in managing and maintaining information technology (IT), operational technology (OT), and industrial control systems (ICS) services. RAS allows organizations to remotely oversee networks, computers, and devices, offering flexibility and efficiency. While RAS provides benefits, malicious actors can exploit it, leaving businesses vulnerable to cyber threats. This article presents recommendations for securing RAS effectively.

Importance of Remote Access Software

RAS includes remote administration solutions and remote monitoring and management (RMM) tools. RAS is used by managed service providers (MSPs), IT support services, and network admins to remotely perform various cybersecurity and network management tasks. RAS enables network and device health monitoring, maintenance automation, system configuration, remote backup and recovery activities, and patch management. Using RAS improves IT/OT system management, supports troubleshooting, and improves business continuity and disaster recovery approaches. Yet the same features that make RAS valuable also make it an attractive tool for malicious actors to misuse.

Challenges and Exploitation

RAS presents security challenges because its “footprint” often goes unnoticed by traditional security tools and processes. Malicious actors can use RAS to establish network connections and evade security detection, resulting in what are often termed “living off the land” (LOTL) attacks. LOTL attacks use existing tools and infrastructure resident in the host environment, removing the attacker’s need for custom malware. RMM software has robust capabilities that attract cyber attackers, allowing bad actors to maintain persistence and move laterally within compromised systems and networks.

Vulnerabilities and Exploitation Methods

RAS possesses vulnerabilities that cyber attackers exploit for malicious purposes, including:

1. Extensive capabilities development is bypassed: RAS enables threat actors to avoid developing custom malware and instead use legitimate tools that network administrators frequently use and that function much like remote access trojans (RATs).

2. Security tools are evaded: RAS typically goes undetected by antivirus, antimalware, and endpoint detection and response (EDR) systems because RAS is commonly used for legitimate system purposes and appears innocuous to other detection mechanisms.

3. Software management control policies are bypassed: RAS can be downloaded as portable executables, allowing actors to bypass administrative privilege requirements and software management control policies. This flexibility allows for the execution of unapproved software, potentially compromising the network.

4. Firewall rules are bypassed: Many RAS agents use end-to-end encryption, enabling bad actors to download documents and files that firewalls typically block.

5. Cyber intrusions are facilitated: RAS allows bad actors to manage multiple intrusions simultaneously, including selling network access to other cybercriminals, expanding the bad actor’s reach and impact.
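
The following added example, which is not part of the original article, shows one way to surface items 2 and 3 from process-creation logs: it flags remote-access binaries that are unapproved, renamed, or running as portable copies from user-writable directories. The watchlist, approved inventory, event field names and sample events are constructed assumptions.

```python
import ntpath

# Assumed watchlist of remote-access binaries (sample values; extend per environment).
RAS_BINARIES = {"anydesk.exe", "teamviewer.exe"}
# Assumed approved inventory: binary name -> sanctioned install directory.
APPROVED = {"teamviewer.exe": r"c:\program files\teamviewer"}
# Directories a standard user can write to, where portable executables usually land.
USER_WRITABLE = ("\\users\\", "\\windows\\temp\\", "\\programdata\\")


def classify(event):
    """Return a finding for one process-creation event, or None if nothing to flag."""
    image = event["image"].lower()
    name = ntpath.basename(image)
    # The PE version-info name survives a rename of the file on disk.
    original = event.get("original_filename", "").lower()
    tool = name if name in RAS_BINARIES else original
    if tool not in RAS_BINARIES:
        return None
    if tool != name:
        return "renamed_ras_binary"
    if tool not in APPROVED:
        return "unapproved_ras_tool"
    if ntpath.dirname(image) != APPROVED[tool]:
        if any(d in image for d in USER_WRITABLE):
            return "portable_copy_in_user_writable_path"
        return "approved_tool_unexpected_path"
    return None


def triage(events):
    """Return (host, finding) pairs for every flagged event."""
    return [(e["host"], f) for e in events if (f := classify(e))]


# Constructed sample events (not real telemetry).
EVENTS = [
    {"host": "ws-01", "image": r"C:\Program Files\TeamViewer\TeamViewer.exe", "original_filename": "TeamViewer.exe"},
    {"host": "ws-02", "image": r"C:\Users\alice\Downloads\AnyDesk.exe", "original_filename": "AnyDesk.exe"},
    {"host": "ws-03", "image": r"C:\Users\bob\AppData\Local\Temp\TeamViewer.exe", "original_filename": "TeamViewer.exe"},
    {"host": "ws-04", "image": r"C:\ProgramData\svchost32.exe", "original_filename": "AnyDesk.exe"},
    {"host": "ws-05", "image": r"C:\Windows\System32\notepad.exe", "original_filename": "NOTEPAD.EXE"},
]

if __name__ == "__main__":
    for host, finding in triage(EVENTS):
        print(host, finding)
```

Name and path matching is a triage signal only; pairing it with the software inventory recommended below keeps the approved list current.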

Recommendations for Enhancing Security

To defend against the malicious use of RAS, the following architecture, account, and policy recommendations apply:

· Develop a comprehensive risk management strategy by adopting established standards such as the NIST Cybersecurity Framework.

· Enforce a zero-trust approach or configure least-privilege settings to limit access based on user identity and device endpoints.

· Conduct regular user training programs and simulate phishing exercises to increase awareness of cybersecurity threats.

· Foster collaboration with a security operations center (SOC) to ensure continuous system monitoring.

· Perform Active Directory (AD) audits to identify inactive or misconfigured accounts.

· Implement just-in-time (JIT) access and two-factor/multi-factor authentication (MFA) for improved security.

· Maintain an inventory of software objects/components using a software bill of materials (SBOM).

· Enhance visibility and compliance using external attack surface management (EASM) solutions.

Conclusion

Securing RAS (Remote Access Software) is critical in today’s interconnected organization. With the recommended cybersecurity practices outlined above, organizations, IT providers, and MSPs can manage and mitigate the risks associated with RAS and improve their overall cybersecurity posture. By taking proactive measures, implementing continuous monitoring, and deeply understanding the cybersecurity threat landscape, organizations can maintain a more robust and forward-leaning defense against cyber threats.

About the Author

Ron McFarland, Ph.D., CISSP is a Senior Cybersecurity Consultant at CMTC (California Manufacturing Technology Consulting) in Torrance, CA. He received his doctorate from NSU’s School of Engineering and Computer Science and an MSc in Computer Science from Arizona State University, and completed a post-doctoral graduate research program in Cyber Security Technologies from the University of Maryland. He taught Cisco CCNA (Cisco Certified Network Associate), CCNP (Cisco Certified Network Professional), CCDA (Design), CCNA-Security, and other Cisco courses. He was honored with the Cisco Academy Instructor (CAI) Excellence Award in 2010, 2011, and 2012 for excellence in teaching. He also holds multiple security certifications, including the prestigious Certified Information Systems Security Professional (CISSP) certification and several Cisco certifications.

CONTACT Dr. Ron McFarland, Ph.D., MSc, CDNA, CISSP

· CMTC Email: rmcfarland@cmtc.com

· Email: highervista@gmail.com

· LinkedIn: https://www.linkedin.com/in/highervista/

· Website: https://www.highervista.com

· YouTube Channel: https://www.youtube.com/@RonMcFarland/featured

Ron McFarland PhD

Cybersecurity Consultant, Educator, State-Certified Digital Forensics and Expert Witness (California, Arizona, New Mexico)