Should employees be allowed to use GoToMyPC from home?

After a recent webinar on top threats, someone sent me the following email:

Kevin, I was just online with your threat vulnerability webinar and found it very interesting. You gave some good information and in a great way. But I did have one question that came to mind after the presentation if I could ask it. What is your feeling on how secure GoToMyPC and LogMeIn and the such is for people working from home and connecting to their work PC? You see this advertised a lot and a lot of people want to use it. Thanks for your help,

I decided to post my answer here because I thought it was a good question that others might want to hear about as well.

Generally I don’t like the idea, for several reasons, and it isn’t because their systems are not set up to be secure or because I believe it would be easy for a hacker to access the system through those means. First, I don’t like it because it opens up a backdoor from the computer, and all too often the IT admin doesn’t even know it has been done. Even if these backdoors are approved and known, they are quickly forgotten about, not maintained, and become unmanaged holes in your security. Second, once someone works from home this way, you can no longer tell what was done by someone sitting directly at that computer vs. what was done via remote control. Third, it gives a third-party provider access to your network, and not just to the network but authenticated access to a PC.

I just feel there are better, more manageable and more secure ways of allowing remote users access to internal systems. I recommend that VPNs be used. This way the remote computer is its own node on the network and can be tracked as such. It isn’t creating a backdoor that could potentially be exploited. It uses encryption with integrity checks without going through any middleman. You can also use standard or strong authentication. I recommend strong authentication using ID tokens or something similar. These connections can be terminated inside your network so they are still subject to other security solutions such as your firewall, IDS/IPS, etc. You can monitor access centrally and control permissions better when employees leave the company.
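To make the first concern concrete (remote-control tools the IT admin never knew about, and approved ones that were then forgotten), here is an added example, not part of the original post, that audits outbound proxy logs against an approval register. The log format, host names, subdomains, approval register and dates are all constructed for illustration, and the vendor domain list is an assumption to adapt to your environment.

```python
from datetime import date

# Assumption: vendor domains used to spot remote-control traffic; extend as needed.
REMOTE_ACCESS_DOMAINS = {"gotomypc.com": "GoToMyPC", "logmein.com": "LogMeIn"}

# Hypothetical approval register: (host, tool) -> date the approval must be re-reviewed.
APPROVALS = {
    ("ws-014", "LogMeIn"): date(2024, 1, 31),
    ("ws-022", "GoToMyPC"): date(2025, 6, 30),
}

# Constructed sample proxy log lines: "<date> <internal host> <destination host>".
SAMPLE_LOG = """\
2024-03-04 ws-014 secure.logmein.com
2024-03-04 ws-022 poll.gotomypc.com
2024-03-05 ws-031 app.gotomypc.com
2024-03-05 ws-031 www.example.com
2024-03-05 ws-040 notlogmein.com
"""

def match_tool(dest):
    """Return the tool name if dest is a vendor domain or a subdomain of one."""
    dest = dest.lower().rstrip(".")
    for domain, tool in REMOTE_ACCESS_DOMAINS.items():
        # Match on a label boundary so look-alike names are not flagged.
        if dest == domain or dest.endswith("." + domain):
            return tool
    return None

def audit(log_text, approvals):
    """Classify each (host, tool) seen in the log: approved, stale-approval, unapproved."""
    findings = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        day, host, dest = parts
        tool = match_tool(dest)
        if tool is None:
            continue
        review_by = approvals.get((host, tool))
        if review_by is None:
            status = "unapproved"  # nobody signed off on this host using this tool
        else:
            # Approved once, but traffic continues past the review date.
            status = "stale-approval" if date.fromisoformat(day) > review_by else "approved"
        findings[(host, tool)] = status
    return findings
```

Hosts reported as `unapproved` or `stale-approval` are the ones to follow up on; with a VPN the same question is answered centrally at the point where the connection terminates.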
