More than two-thirds of cyber criminal hacking attacks aimed at enterprises exploit insecure IT remote access, a report has revealed.
Remote access and desktop services are the largest point of failure for external attack pathways, according the Verizon 2011 Data Breach Investigations Report in partnership with the US Secret Service and Dutch National High Tech Crime Unit.
Insecure remote access presents danger
The percentage of attacks using insecure remote access far exceeds those that use back doors (34%) and web applications (22%).
However, the report says that just because web applications have dropped as an overall percentage of attacks, that does not mean they are any less critical a vector than they were a year ago.
"If you remove hospitality and retail victims from this dataset, web applications are right back on top and are more numerous than ever," the report says.
But across the full data set of 800 new data compromise incidents during 2010, 71% of all attacks in the hacking category were conducted through insecure remote access.
Remote access and desktop services, in combination with the exploitation of default and/or stolen credentials, is a huge problem in the retail and hospitality industries, the report says.
According to the report's authors, opportunistic attacks are carried out across many victims who often share the same support and/or software supplier, and as soon as an intruder discovers a particular supplier's authentication method and schema, they are able to exploit it across a multitude of that supplier's partners and customers.
Risks in the cloud
Even when organisations believe they are keeping company confidential information in secure environments, it is extremely vulnerable when insecure cloud-based applications are also used, says security firm Bomgar.
Cunning hackers can slip from cloud-based applications into workplace networks and, from there, access previously secure data, the company says.
Joel Bomgar, chief executive officer at Bomgar, is calling for European companies to move all remote access points behind corporate firewalls.
"More often than not, security officers will think that their most private data is hidden behind a secure firewall," said Bomgar.
"What they won't know is that down in IT support they are using a shared insecure IT system that essentially puts the data in the cloud - without their knowledge or consent," he said.
Bomgar points out that not all cloud providers are legally bound to protect data on their networks.
"Companies need to educate and protect themselves about the vulnerabilities and legalities of the cloud. Only a remote IT system that can fully sit behind the company firewall, and run off its own hardware, is a robust enough solution," he said.