In recent weeks, a pair of significant remote access security-related events have reignited concern and drawn considerable attention from cybersecurity specialists and users alike. These events highlight the need for strong security protocols within remote access tools, as well as demonstrate the potential risks that come with less secure tools.
To summarize, while the root cause of the security issues varied – one a result of critical vulnerabilities within the software and the other a cyberattack that led to a compromise of production systems – both could have resulted in unauthorized users gaining access to and seizing control over connected devices resulting in data breaches, system compromises, such as ransomware injection, and other harmful activities. In the case of the code vulnerability, there is additional concern as on-premise instances also exist requiring patches to be applied at the individual account level – potentially leaving many organizations at risk.
Both remote access security issues underscore the vital need for robust safety measures within any form of remote access software and infrastructure, which is why GoTo took additional security measures with GoTo Resolve. While no software can claim to be 100% bullet proof from cyber threats, we built GoTo Resolve unlike any other remote access or RMM software. We built it on zero trust access control foundation to add an additional, stronger layer of protection.
So, what is this zero trust approach and how would it have secured devices even in scenarios like the recent problems? Think of it as a “never trust, always verify” approach where zero trust assumes that even if a user is behind the login wall, the system should not automatically trust that they should be there. Zero trust requires that anyone and everything trying to connect to deployed GoTo Resolve hosts verify identity and authorization before performing a sensitive task, such as remote controlling a device or running a PowerShell script. It works like this:
- All users who want to access or run commands on hosts are required to create an individual signature key (separate from their login password), and before each sensitive action must reauthenticate with this key.
- The signature key is unique to that user, and it is not stored anywhere, not even by GoTo, and cannot be compromised online.
- Verification of commands are conducted at the host with it only accepting commands from reauthenticated, authorized users.
- Even if a malicious actor hacks into backend systems or phishes login credentials, the attacker cannot change or create new automations or commands for endpoints without the signature key.
This level of protection essentially locks down your fleet from malicious actors. Conversely, other remote access solutions allow unlimited access once someone is “in the system” either through the front door or backdoor, which opens ample opportunities for malicious actors to create havoc.
Of course, in addition to scrutinizing your technology’s security and selecting secure remote access software like GoTo Resolve that has next level protection, there are other core security steps all businesses should continue to take:
- Ensure software is patched and updated to fix known vulnerabilities.
- Side note: if using on-premise technology, reevaluate the benefits and risks of it versus a cloud-based solution where providers can deploy security updates and patches quickly across all systems.
- Enforce strong password policies at your company and use multi-factor authentication.
- Conduct regular security audits of your tools and infrastructure.
- Educate employees on security best practices and phishing awareness.
- And finally, have an incident response plan to quickly and effectively respond to any security incidents.
Given today's state of remote and hybrid work and increased reliance on remote access and support solutions, ensuring the security of these tools and your processes is paramount to safeguarding sensitive data, protecting systems from unauthorized access, and mitigating the risk of cyberattacks.
Learn more about GoTo Resolve’s full suite of security measures including zero trust architecture.
