At a minimum, an organization’s cyber risk increases when any kind of externally-facing Remote Access exists. And, in a worst-case scenario (that is relatively common across ransomware and data breach-related cyberattacks), the risk proves to be certain, as threat actors leverage unsecured remote access as the initial vector for an attack.
I’ve also discussed some high-level ways to improve the security of remote access but wanted to take a moment and see how some of the industry’s most highly-respected security standards look to address insecurities found within remote access. And, in an effort to look at the problem through a number of lenses simultaneously, I thought it prudent to start with the Cybersecurity Framework (CSF) from the National Institute of Standards and Technology (NIST), or, more commonly referred to as the NIST CSF.
First, an ever-so-brief primer on the NIST CSF. In the current iteration of the framework core (we’re on CSF version 1.1 as of the date of this article) there are five Functions representing the major groupings of cybersecurity activities. These are Identify, Protect, Detect, Respond, and Recover. The Functions are further broken down into Categories and Subcategories representing more granular, specific desired outcomes. And, lastly, there are Informative References, which are specific standards from industry-recognized regulations, best practices, etc. that can be used as examples of practical guidance on how to address a particular aspect of your cybersecurity strategy. There’s also a maturity aspect NIST refers to as Implementation Tiers so you can gauge how well your organization is doing at implementing each required cybersecurity activity.
With the primer out of the way, let’s talk about how the NIST CSF applies to Remote Access. There are two ways to look at how NIST applies – directly and indirectly. The direct approach is easy; under the Protect function, within the Identity Management, Authentication, and Access Control category lies a subcategory entitled PR.AC-3: Remote access is managed. So, in essence, NIST goes right for the remote access jugular and tells you “this is something that needs to be secure.”
So, what does NIST mean when they say remote access must be managed?
The informative references under this subcategory provide us with an idea of how we should be managing remote access. Let’s look at a few relevant examples from within PR.AC-3:
- Center for Internet Security (CIS) Critical Security Control (CSC) 12: Network Infrastructure Management – CIS wants to see any type of remote access (although they focus primarily on VPN-based access) connected to the organization’s “Authentication, Authorization, and Auditing” services (which they refer to as “AAA”). Your takeaway is that credentialed access should involve a central directory service like AD, a cloud SSO, etc. that is being used organization-wide. It also should plug into some form of auditing (in this case, I’d be thinking that the logons are centrally logged at a minimum).
- COBIT 2019 – While the current iteration of the CSF mentions COBIT version 5, the most current version (2019) has quite a bit more to say about remote access to work environments. In short, remote access is seen as a critical asset for some employees and it needs to be monitored while maintaining up-to-date access control.
- NIST Special Publication 800-53 – This document is all about security controls and has an entire section devoted to remote access. Some of the aspects you should consider having in place are monitoring and control of remote access, centralized management of remote access, limitation of privileged access over a remote session, protection of corporate information accessed remotely, and the ability to abruptly disconnect a remote session.
While there are other informative references, these provide you with some idea of how NIST sees remote access as so much more than just opening up RDP to the Internet and allowing users to log in.
But you can’t just stop with the controls that are specific to remote access, as there are other aspects of your cybersecurity stance that should be in place to indirectly ensure remote access can only be used for legitimate purposes.
Some of those CSF controls include:
- PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties – realize that threat actors use exposed remote access sessions to gain a foothold within an organization’s network, and should the credentials they use to gain access be privileged, you’re only helping the bad guy continue their malicious actions. So, limit privileged access over the remotely-accessed host device as much as possible.
- PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multifactor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks) – I’m going to interpret this the only way you should: put MFA in place, period. For every user, regardless of what their role is, whether they are the CEO or the mailroom clerk. Now, what that MFA looks like is entirely up to you (and NIST has a whole other standard around authentication and digital identities to help establish how many factors, what kinds of factors should be acceptable, etc.), but what’s at least initially important is that you have MFA of some form in place for all remote access.
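To make the PR.AC-3, PR.AC-4 and PR.AC-7 outcomes above concrete, here is an added example (not code from the original article or from NIST) of the kind of check a central log collector or access gateway could run over remote-session records: it flags logons that were not authenticated by the organization-wide directory (the CIS “AAA” point), logons without MFA, privileged accounts used over a remote session, and idle sessions that should be disconnected. The record layout, the names of the “central” authentication sources, the idle limit and the sample records are all assumptions constructed for this example.

```python
from datetime import datetime, timedelta

# Policy derived from the CSF subcategories discussed above. The concrete
# values (which directory services count as "central", the idle limit) are
# assumptions for this example, not values from the framework.
CENTRAL_AUTH_SOURCES = {"corp-ad", "cloud-sso"}  # CIS CSC 12 / PR.AC-3: AAA-backed logon
MAX_IDLE = timedelta(minutes=15)                  # SP 800-53 remote access: cut idle sessions

# Fixed "current time" so the example is deterministic.
NOW = datetime.fromisoformat("2024-01-08T09:40:00")

# Constructed sample logon records, shaped like entries a central log
# collector might hold for remote sessions (field names are assumptions).
SAMPLE_SESSIONS = [
    {"session": "s1", "user": "alice", "auth_source": "corp-ad", "mfa": True,
     "privileged": False, "last_activity": "2024-01-08T09:35:00"},
    {"session": "s2", "user": "svc-backup", "auth_source": "local", "mfa": False,
     "privileged": True, "last_activity": "2024-01-08T02:12:00"},
    {"session": "s3", "user": "bob", "auth_source": "cloud-sso", "mfa": True,
     "privileged": True, "last_activity": "2024-01-08T09:38:00"},
    {"session": "s4", "user": "carol", "auth_source": "corp-ad", "mfa": True,
     "privileged": False, "last_activity": "2024-01-08T08:00:00"},
]


def evaluate_session(rec, now=NOW):
    """Return the list of control findings for one remote session record."""
    findings = []
    # PR.AC-3 / CIS CSC 12: the logon must come through the organization-wide
    # directory (AD, cloud SSO), never a host-local account.
    if rec["auth_source"] not in CENTRAL_AUTH_SOURCES:
        findings.append("PR.AC-3:not-central-aaa")
    # PR.AC-7: every remote user must have completed MFA, with no role exceptions.
    if not rec["mfa"]:
        findings.append("PR.AC-7:no-mfa")
    # PR.AC-4 / SP 800-53: privileged accounts are not used over a remote session.
    if rec["privileged"]:
        findings.append("PR.AC-4:privileged-remote")
    # SP 800-53 remote access controls: an idle session is a candidate for disconnect.
    idle = now - datetime.fromisoformat(rec["last_activity"])
    if idle > MAX_IDLE:
        findings.append("PR.AC-3:idle-disconnect")
    return findings


def audit(sessions, now=NOW):
    """Map each session id to its findings; an empty list means compliant."""
    return {rec["session"]: evaluate_session(rec, now) for rec in sessions}


def sessions_to_disconnect(sessions, now=NOW):
    """Session ids the access gateway should terminate: any session with a finding."""
    return [sid for sid, found in audit(sessions, now).items() if found]


if __name__ == "__main__":
    for sid, found in audit(SAMPLE_SESSIONS).items():
        print(sid, "OK" if not found else ", ".join(found))
    print("disconnect:", sessions_to_disconnect(SAMPLE_SESSIONS))
```

In practice the records would come from the central logging the CIS control calls for, and the disconnect list would be fed back to the VPN or gateway; the point of the example is that each of the framework outcomes maps to a specific, testable condition on the session data rather than to a vague policy statement.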
Aligning Remote Access Security with NIST
One of the challenges of aligning practical implementation with standards and best practices is that they often are written in such generic terms. In reality, they need to be, as the authors of the guidance need to put something out there that can provide value to every organization, regardless of what their network environment looks like.
But in the case of the NIST CSF, the informative references help provide context around specifically what you should be doing to improve security. And, in the case of remote access, it’s pretty clear that remote access cannot just be about blindly providing access but needs to be implemented in a way that takes the potential risks it creates seriously, and compensates with security controls that make remote access at least as secure as – if not more secure than – its in-office equivalent.
By putting the suggested management, monitoring, privileged access, and authentication guidance into place, either over your existing remote access solution or by implementing a new one that can meet the desired outcomes, you will create a flexible means of providing remote users with access to corporate resources – but do so in a way that has the necessary levels of visibility and control needed to actually improve your organization’s cybersecurity stance.