Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: SANS Internet Storm Center SANS Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Managing Remote Access for Partners & Contractors

Published: 2020-09-29
Last Updated: 2020-09-29 11:00:55 UTC
by Xavier Mertens (Version: 1)
1 comment(s)

Yesterday, I wrote a quick diary about a potential security issue that some Tyler customers faced[1]. Some people reacted to my diary with interesting comments in our forums. Two of them were interesting and deserve some review.

« Sometimes their techs will install the Bomgar jump client on your servers when they are troubleshooting issues. They don't remove it, it is left to the local entity to remove it or at least disable the service until it is needed again. »

Or

« A lot of vendors, especially in the local government sector expect customers to install these clients and leave them on. They are truly offended when you tell them no, same on the SCADA side of things. »

When you are outsourcing some tasks to a third-party (read: an MSSP, an integrator, ...), it’s very important to keep an eye on what they do and how they do it.

The installation of remote access tools (some of them are very close to a malicious backdoor) or specific accounts is a key point to allow them to perform their day-to-day job. But it does not mean that they can do whatever they want. When I read « it is left to the local entity to remove it or, at least, disable it », it means that a process must be implemented to follow this. The main risks are to detect an attacker using the third-party network to pivot into your organization or to detect their credentials used by attackers from unknown locations. That’s why Tyler asked its customers to reset all passwords related to their remote activities.

Here are some tips to increase the operations security when working with third-parties.

  1. Know « who’s behind the keyboard ». Are the third-party employees on the payroll, dedicated to you (read: they know you and your business). Are they also contractors? Are they located in the same country as yours?
  2. When it's not mandatory, do not keep the remote access open 24x7. All access requests must be approved following a procedure.
  3. Do not grant full access to your infrastructure. Restrict the third-party rights to the minimum resources to perform its job (least privilege). Keep segmentation in mind. Restrict its access to a jump host that will be used to enforce more security controls.
  4. Keep logs of who did what, when, why, and from where. Log everything, all connections, all commands. 
    Example: Detect an unforeseen connection from an unusual location outside the business hours.
  5. Keep an inventory of your partners and installed software. Force them to upgrade them and audit the settings.
  6. Enable security settings available in the deployed tools
    Example: Enable MFA, activate client-side certificates, provide security tokens.

Finally, don’t be afraid to say « No » and explain why you don’t agree with their requirements. They will work on YOUR platform which hosts YOUR data. You’ll be responsible in case of a data breach!

This list is not exhaustive. If you've implemented other specific controls when working for third-party organizations, please share!

[1] https://isc.sans.edu/diary/26610

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

1 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

PowerShell Backdoor Launched from a ShellCode
Sep 28th 2020
23 hours ago by Xme (0 comments)

Some Tyler Technologies Customers Targeted with The Installation of a Bomgar Client
Sep 28th 2020
1 day ago by Xme (0 comments)

Decoding Corrupt BASE64 Strings
Sep 27th 2020
1 day ago by DidierStevens (0 comments)

Wireshark 3.2.7 Released
Sep 27th 2020
1 day ago by DidierStevens (0 comments)

Securing Exchange Online [Guest Diary]
Sep 25th 2020
3 days ago by Johannes (0 comments)

Party in Ibiza with PowerShell
Sep 24th 2020
5 days ago by Xme (0 comments)

Malicious Word Document with Dynamic Content
Sep 23rd 2020
6 days ago by Xme (0 comments)

View All Diaries →

Latest Discussions

Why is the entire community so... I don't know the words...
created Sep 8th 2020
2 weeks ago by Everseeker (0 replies)

I can not find the Bluetooth channel!
created Aug 31st 2020
4 weeks ago by Martin (0 replies)

Fellow Cyber Security Pro's, where do you get your regular feeds of information?
created Aug 11th 2020
1 month ago by Anonymous (0 replies)

Most important information security training and certifications
created Aug 10th 2020
1 month ago by Anonymous (0 replies)

Report Phishing to Major Cloud Providers
created Jul 12th 2020
2 months ago by Anonymous (0 replies)

View All Forums →

Latest News

Top Diaries

An infection from Rig exploit kit
Jun 17th 2019
1 year ago by Brad (0 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
3 years ago by Johannes (0 comments)

Malspam with password-protected Word docs pushing Dridex
Jun 18th 2019
1 year ago by Brad (0 comments)

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
3 years ago by Brad (0 comments)

Keep an Eye on Disposable Email Addresses
Mar 7th 2019
1 year ago by Xme (0 comments)

send lots of email to money@stifortunes.com