As the software market continues to grow and evolve at a rapid pace, it’s tempting for ISVs to focus on writing code that makes their software better and more powerful while overlooking key security considerations. Specifically, when it comes to providing remote support, make sure you’re following these 10 security best practices.
1. Use Strong passwords.
According to the 2017 Verizon Data Breach Investigations Report, 81% of hacking-related breaches involved either stolen or weak passwords. While cybercriminals have many tools at their disposal, they prefer the quickest and easiest avenues, which include exploiting weak passwords. There’s lots of tips available online giving advice about creating passwords, such as “choose a favorite phrase and replace a couple of characters with symbols,” but such strategies just make it harder for users to remember rather than keeping bad guys off of your customers’ networks. If you’re providing remote support to your customers, it’s best to use a password management tool.
2. Add Multi-factor authentication.
No matter how good your password strategy is, it’s not nearly as good as multifactor authentication (MFA), which adds additional features to a traditional user name and password login, including something the user has (e.g., a security token) or something the user is (e.g., biometric verification).
3. Use unique credentials per client.
In the old days of remote management, companies would allow multiple technicians or other users to share login info and use the same credentials for each client to make things simpler and reduce the number of active licenses. Each technician needs his own credentials and each of your customers need their own unique credentials, so if an incident occurs there’s traceability and accountability.
4. Limit user access.
With remote technologies, a person can literally log in to a system from anywhere in the world where there’s an internet connection. While this feature is convenient for your employees, it’s also convenient for cybercriminals. To help ensure the latter group stays off of yours and your customers’ networks, add access restrictions, such as enabling authorized users to connect to a customer only when they’re logging in from a known IP address (e.g., your corporate network). Another idea, is to require a user at your customer’s company to select a dialog box giving permission for your company to connect remotely, rather than allowing your company to connect automatically at any time. If you’re doing troubleshooting or updates after hours, this may not work, but otherwise it’s another good way to reduce risk.
5. Turn on Encryption.
All non-console administrative access to your customers’ networks should be encrypted. Most business-grade remote login tools make it easy to encrypt communication with a click of a box.
6. Turn on network logging visibility.
Every remote access tool has the ability to generate logs, which provide insight into which users and devices are connecting to the network. The thing to remember with logs is that you’d don’t know what’s unusual until you know what’s usual. So, if you’re not regularly looking at logs, when something strange happens, you won’t detect it. Ideally, someone should spend time each day reviewing logs, so they can detect anomalies caused by malware or hackers.
7. Have usage policies.
When it comes to computer usage policies and security best practices, users need to know what’s acceptable and what’s not before they can be held accountable. You can’t say someone broke the rules if there were never any usage rules established in writing. If your customer doesn’t have anything in place, The SANS Institute’s “Acceptable Use Policy” document is a great place to start.
8. Use alerts to detect anomalies.
When it comes to security, alerting can quickly become so overwhelming that it’s treated like noise in the background and ignored. In fact, that’s what happened during the Target breach in 2014. ISVs must configure security settings to minimize false positives, but alerts can be a great way to identify threats. For example, if it would never make sense for one of your technicians to troubleshoot a software problem before 7 a.m. or after 5 p.m., automated alerts can be triggered if someone logs in outside these parameters.
9. Keep up with patches.
Not only does performing regular software updates help ensure your software continues to work properly and your customers get all the latest features and functions, it’s also a good idea from a security perspective. In fact, the WannaCry ransomware attack that affected more than 400,000 machines worldwide last year, was only successful because so many computers were at least two months behind on their software patches.
10. Audit configuration settings.
Software and security are dynamic things – you can’t just “set it and forget it.” With that in mind, be sure to regularly review your configuration settings to confirm an update didn’t uncheck a critical box or inadvertently create a vulnerability for one of your customers.