INFO: Best Practices for Securing a Remote Access Application

Expand / Collapse

Accessing your computer network from off-site can be useful. You and your technical support staff can update your software, troubleshoot problems, monitor security cameras or do any number of things to sustain your business. However the same applications that provide you remote access can also provide malevolent criminals access to your computers. You can make your remote access applications more secure by following these nine best security practices.

  1. Only allow people with a legitimate legal or business need to use your remote access applications.

    The first step to securing your network is to restricting who may access it. The most secure networks only allow access to users with a need to access it.

  2. Do not share login credentials or use credentials that have been shared with you.

    Each individual at your company should have their own username and password which they should use and not share with anyone else. This practice allows you to track who accesses your computer.

  3. Use two–factor authentication.

    Two-factor authentication doubles the “guards at your gate”. It requires that you use two of the following methods of authentication to remotely access your computer and its network:

    • Something you know – like a password
    • Something you are – like biometrics or a fingerprint scan
    • Something you have – like an SSL certificate, RSA fob, or code texted from your bank

    The Payment Card Industry’s Data Security Standards (PCI-DSS) requires two-factor authentication when remotely accessing environments that contain cardholder data (CDE). If you have a question regarding how your configuration measures up against the PCI DSS, please contact a qualified Qualified Security Assessor (QSA) or Internal Security Assessor (ISA).

  4. If you use a password, make it strong, unique, and change it often.

    Strong passwords are long passwords. At least 20 characters are ideal. This does not mean they have to be complicated; just mash together the words of a sentence like “In2005,SarahMadeMyFavoriteMovie.” Add in a few numbers and punctuation marks to make it stronger. PCI-DSS requires a password that is seven numbers and letters long and that you change it every 90 days, among other requirements.

    Make a unique password for every computer or network that you have. When cyber-criminals hack one password-protected account, they immediately try that password everywhere else. They can’t do that if your password is different for each network or computer.

  5. Keep your software up to date.

    Software vendors send out security updates frequently. Install those updates to make your computer networks the most secure. Check your vendor’s website at least monthly to make sure that your software has the latest security updates. Even better, configure the software to automatically download and install updates. If your remote access software does not provide updates any longer then it is time to move on to another solution.

    PCI-DSS gives you a 30 day window to install critical updates, but you will want to patch software much sooner in most cases.

  6. Lock down your firewall.

    Add a rule to your network firewall that restricts remote access by source IP address, destination IP address, and the involved service. Only activate this rule when remote access should be used, i.e. only at a specific time and for a specific length of time. If you aren’t sure how to do this, talk to your tech support. They can set you up.

  7. Limit how long your remote access application remains open.

    Your remote access should be configured to automatically end a session after a set amount of time, even if it is active. Idle sessions should end after 15 minutes of inactivity. PCI-DSS mandates an idle timeout, though it does not specify how long the timeout should be.

    Active sessions should end after one hour regardless of activity – this way if your credentials are hijacked by a cyber-criminal, they will be time limited in the damage they can do.

  8. Use encryption.

    Your remote access application should have encryption turned on by default, but check to make sure. PCI-DSS calls for strong encryption, which generally means using AES with a 128-bit key (AES-128), Triple-DES (3DES), or something stronger. Consult your product documentation to discover what encryption your application uses.

  9. Hold your vendors and contractors accountable.

    If you rent your computers from another company, outsource your IT support, or allow any other third party to access, manage or update your machines remotely, make sure they follow these guidelines.  This includes being sure that they use login credentials that are unique to your business. After all, you don’t want to get hacked because a contractor uses a username and password that they use for other clients.

To contact Trustwave about this article or to request support:

Rate this Article:

Add Your Comments

Comment submission is disabled for anonymous users.
Please send feedback to Trustwave Technical Support or the Webmaster