One of the major trends in our industry has been the proliferation of remote workers using “Bring Your Own Device” (BYOD). Since the devices are owned by the employee, corporate security teams cannot install their own software on them. Company data may be accessed by two methods: directly through apps, or indirectly through remote desktop capabilities. Both methods rely on a device that is outside the corporate IT infrastructure and in the possession of an employee, and either method exposes the company’s data to loss to cyber-criminals. To understand why, this article discusses some of the tools cyber-criminals can deploy to exploit remote employees.
In the normal course of our business, we help clients monitor the activity of their employees on their devices. This “good guy” monitoring software provides a window into the types of tools cyber-criminals use to compromise a company’s security and gain access to valuable data. These tools include keystroke logging, click logging, URL logging, screenshots, access to log files, and an inventory of the software used by the employee. In the hands of a skilled cyber-criminal, these tools would allow the cyber-criminal to impersonate the employee and gain access to the company’s systems.
Here’s how. The software inventory tells the cyber-criminal what software they need installed to make the connection. The keystroke logger provides the user name and password, and the screenshots provide information about the connection, including clues about the multi-factor authentication. If a VPN tunnel is set up, the cyber-criminals can remotely control the employee’s computer to access the VPN tunnel’s configuration and obtain any keys. With no multi-factor authentication (MFA), this information alone would be enough for the cyber-criminal to gain access to most systems.
The most common form of multi-factor authentication sends a code to a cell phone. Cyber-criminals have two methods for getting the MFA codes from a smart phone. One method is to get malware installed on the employee’s phone that forwards any codes received to the cyber-criminal, or that gives the cyber-criminal remote control of the phone. The more common method used today is for the cyber-criminals to take over the employee’s phone number by impersonating the employee to the cellular phone company. Once the phone number is switched to their own device, the criminals receive the MFA codes directly. Both of these methods have been documented in use by cyber-criminals.
A cyber-criminal could also use an active session to impersonate an employee while the employee isn’t working, in order to gain access to information. Cyber-criminals controlling a device could also inject code into a company’s systems to search for and exploit weaknesses in internal systems. Since the screenshots reveal the company’s internal systems, the cyber-criminals can tap the vast library of hacking tools to compromise them. The success of either of these methods may allow the cyber-criminal to gather corporate information.
Any remote device compromised and controlled by a cyber-criminal can become a gateway to your company’s data.