Compliance Archives - RealVNC® Remote access software for desktop and mobile
Feed last built: Tue, 20 Feb 2024 12:25:32 +0000

AnyDesk security breach is a stark reminder of the imperative for truly secure remote access
https://www.realvnc.com/en/blog/anydesk-security-breach/
Mon, 05 Feb 2024 14:12:54 +0000

The post AnyDesk security breach is a stark reminder of the imperative for truly secure remote access appeared first on RealVNC®.


AnyDesk has announced that, following a security audit, they found their production systems have been compromised. Here’s what this should tell you about why a truly secure remote access solution is an imperative.

The AnyDesk breach: What do we know so far?

According to an incident response by AnyDesk, a security audit found some of the company’s systems have been compromised. The incident is said to not be related to ransomware.

AnyDesk has downplayed the incident, claiming that the situation is under control. However, users have been urged to reset their passwords if also used elsewhere. The timing of maintenance in the days before the public announcement, as well as the late Friday afternoon press release from AnyDesk, would indicate that the breach occurred several days before public acknowledgment was given.

BleepingComputer has discovered that the attackers stole source code and private code signing keys.

To make things even worse, a recent report from Resecurity suggests that AnyDesk user credentials have made their way onto the Dark Web.

Why should you take the AnyDesk attack seriously?

If you’re an AnyDesk user, you should take this news very seriously. And even if you’re using another remote access solution, this needs to make you challenge its security credentials.

Unfortunately, this is not the first time that something like this has happened. As we said at the time of the GoTo security incident, when security is not the first priority, customers are the ones who end up suffering.

RealVNC: The commitment to security

At RealVNC, security is at the heart of everything we do. We do our best to mitigate such risks, and to keep your data as secure as possible. Here are some of the things we do to make sure that your data never ends up in the wrong hands.

RealVNC's ISO27001 certification: managing data security risks

Our security experts understand the implications of stringent security requirements.

Our ISO27001 certification is our commitment to uphold the highest standards of information security management. When we say that our systems are fortified, we are not speaking lightly. This certification means we engage in continuous risk assessment, employ comprehensive security controls throughout all areas of operations in our company, and ensure that our staff is trained in best practices for information security.

What sets an ISO27001 certified provider apart in today’s digital landscape? It shows that we have a proactive approach to data protection throughout the entire company. We don’t just respond to threats; we anticipate them and prepare for them.

If your remote access provider doesn’t have this certification, question them on it!

RealVNC's fundamental security principles

Our security principles are essential to the service we provide to you. They ensure that your data is as secure as possible, at all times:

  • High-trust services – this means that you don’t have to trust RealVNC as a company to trust our software and services.
  • Secure data storage – RealVNC doesn’t record your sessions. Your data can’t be decrypted, either. Not now, not ever.
  • Secure environment – we treat every connection as if it is made in a hostile environment.
  • Connection control – the one ultimately deciding who is able to connect is the owner of the remote computer.

These principles serve as a guideline for everything we do, ensuring the security of your data.

Here’s a quick example of how these principles work in practice. The username/password you use to log into our portal cannot by itself be used to gain access to remote machines.

Each remote machine has a further, separate set of credentials (usually platform-native authentication, such as Active Directory). You are required to enter these before taking control.

Having at least two sets of credentials required to make a connection does, admittedly, cause slight UI/UX friction. However, it’s something we hold dear, as it means that we don’t ever store the credentials that ultimately give you access to a remote device on our systems. Also, the portal credentials we do store are never stored in plaintext, and are one-way hashed.
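To make the "never stored in plaintext, one-way hashed" claim concrete, here is an added example (not RealVNC's code, and not a description of how the RealVNC portal actually does it) of storing a portal password as a salted PBKDF2 hash and verifying a login against it. The KDF, iteration count and sample credentials are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this illustration only (not RealVNC's settings):
# PBKDF2-HMAC-SHA256 with a random per-user salt. Tune iterations to your
# hardware, or prefer a memory-hard KDF such as scrypt or Argon2 in production.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return the record a server would store: the salt, the KDF parameters
    and the derived key. The plaintext password is never part of it."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"kdf": "pbkdf2-sha256", "iterations": ITERATIONS,
            "salt": salt.hex(), "hash": derived.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive the key from the submitted password using the stored salt and
    parameters, then compare in constant time to avoid timing leaks."""
    salt = bytes.fromhex(record["salt"])
    derived = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt,
                                  record["iterations"])
    return hmac.compare_digest(derived.hex(), record["hash"])


if __name__ == "__main__":
    # Constructed sample credential, not a real account.
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password(rec, "correct horse battery staple"))  # True
    print(verify_password(rec, "wrong password"))                # False
    # Two users with the same password get different records thanks to the salt,
    # so a leaked table cannot be attacked with one precomputed lookup.
    print(hash_password("hunter2")["hash"] != hash_password("hunter2")["hash"])  # True
```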

The importance of independent security audits

This is another one of RealVNC’s many security initiatives, designed to keep your data secure. An extensive white-box security audit, done by respected Berlin-based firm Cure53, has confirmed RealVNC’s strong security stance.

We’ve urged the industry to confirm its software’s security with more than just words ever since. As we said numerous times, when this doesn’t happen, the end users are the ones paying the price.

Your data - in safe hands with RealVNC

We would also like to take this opportunity to confirm for our users that everything security-related at RealVNC is working as intended. We are unaffected by any data breaches and we can assure you that your data is in safe hands. We will continue to work hard to keep it that way.

This is what RealVNC CEO Adam Greenwood-Byrne had to say:


I’m proud of RealVNC’s unblemished security record, and we continue to invest in systems and services that ensure we remain on the strongest footing. Customers who have been with us for years, including government departments around the world, recognise the value of our security stance just as well as we recognise the trust they place in us as their remote access vendor of choice. 

We value those relationships tremendously at RealVNC and our team works tirelessly to ensure our customers have what they need to feel safe. The Internet is a much more dangerous place than it was 20 years ago and we are committed to evolving and adapting accordingly.

Also, if the events of the last few days have made you consider switching to a truly secure remote access solution, get in touch!

RealVNC Receives ISO27001 Certification: What It Is and Why It Matters
https://www.realvnc.com/en/blog/realvnc-iso27001-certification-what-it-is-why-it-matters/
Thu, 11 Jan 2024 07:24:25 +0000

As a global innovator in remote access solutions, RealVNC has recently achieved this important certification—a significant milestone in our commitment to data security. Let's dissect what it all means.

The post RealVNC Receives ISO27001 Certification: What It Is and Why It Matters appeared first on RealVNC®.


With cybersecurity threats becoming more complex every day, there has never been a more stringent need for robust data protection. One term that’s frequently mentioned in these discussions is ISO27001 certification. But what does it mean? And why should it matter to you?

What Exactly is ISO27001 Certification?

ISO27001—it sounds like a complex code, doesn’t it? It isn’t, actually. This international standard simply refers to Information Security Management Systems (ISMS). Think of it as a “seal of approval” that attests to a company’s system of managing risks related to data security.

When a company displays an ISO27001 badge, it’s making a statement. It says that it has met the rigorous requirements of this standard. It also means that it’s committed to upholding the highest standards of information security, data protection, and compliance with legal and regulatory norms.

The RealVNC Advantage: Going the Extra Mile

So, what does RealVNC’s recent obtaining of the ISO27001 certification mean for you? Simply put, it’s evidence of our commitment to data security.

This certification isn’t just another accolade. Instead, it serves as concrete proof that we’re serious about safeguarding your data. We’re not satisfied with providing industry-leading remote access solutions; we’re equally committed to ensuring operational excellence, resilience, and security against cyberattacks.

In the words of our Chief Information Officer, Andrew Woodhouse:

ISO 27001 certification reinforces that security is at the forefront of everything we do, not only in the products we build but how we operate as a business. This further solidifies RealVNC’s position as the world’s most secure remote access solution and gives our customers confidence that we go above and beyond to protect their information and maintain the confidentiality, integrity, and availability of data. We are proud to join an exclusive group of global organizations renowned for their advanced information security practices. 

The Takeaway: Why Should You Care?

Why should RealVNC’s ISO27001 certification matter to you? The answer lies in the assurance it provides. This certification gives you the confidence that your data is in safe hands—a company that doesn’t just meet basic security requirements, but goes above and beyond to protect your information.

This achievement places us alongside a select group of global organizations known for their rigorous information security practices. 

Five great ways to strengthen your password security
https://www.realvnc.com/en/blog/five-great-ways-strengthen-password-security/
Thu, 05 May 2022 11:10:00 +0000

A major password hack is in the news every few weeks; most times, the main reason is (simply) weak passwords. Don't want to be a victim of the next hack? In this blog, we'll take a look at five easy steps that you can take to make your passwords stronger.

The post Five great ways to strengthen your password security appeared first on RealVNC®.

Many people are still using the simple passwords they created in the early 2000s, when getting hacked wasn’t such a huge concern for organizations and their employees. However, as we become even more connected as a society, the risk posed by threat actors grows. For example, as quoted in our article on the role of remote access in cyberattacks, brute-force password guessing was a factor in 78% of all ransomware attacks.

A simple look at the most common passwords in 2021 should make any security expert’s skin crawl. We have a problem when 123456 (and the “more secure” 123456789) are the only ones more used than qwerty. Nobody wants to (or even can) remember the long random letter and number combinations. After all, it’s much quicker to tap in the same old password for everything – and to be very clear, this is a practice you shouldn’t be doing under any circumstances!

The most common passwords haven’t changed much. Their ongoing prevalence makes it a cakewalk for hackers to break in. So what can your company and your employees do about it?

  1. Use a password manager.
  2. Use Multi-Factor Authentication everywhere.
  3. Don’t share passwords, no matter what.
  4. Check for previous hacks and delete your old accounts.
  5. Avoid public Wi-Fi.

1. Use a password manager

Passwords are a pretty vulnerable security measure, but they’re unavoidable in most cases. You can, however, take steps to minimize the risk they pose.

A good password manager eliminates the need to create and remember complex passwords yourself. It generates a random, unique password when needed and saves it in an encrypted vault for whenever you need it. Ideally, every password should be a strong, “makes-no-sense-if-you-read-it” combination.

Not only does this make it harder to crack into your account by brute force, but if one account becomes compromised, your others are still safe.

Users only need to remember the password manager’s password. Make sure it is a strong one that only you know. Some password manager apps can also use your smartphone’s biometric sensors to unlock. Personally, Bitwarden has proved to be a great choice, but there are many great options that your organization can deploy.

2. Use Multi-Factor Authentication everywhere

Using a password alone is like locking the doors but leaving all your windows open. You may have closed the easiest route, but the intruder can still get inside with a bit of work.

Most accounts now support multi-factor authentication (MFA). With MFA enabled, once you have entered your password you receive a code or link via text or email, or generate the code in a secure authenticator app (or approve the login there). You must supply it to prove you are the account’s legitimate owner.

From a remote access perspective, MFA is a crucial step in ensuring that safety is at the forefront of remote sessions and that the users connecting to different devices are who they say they are. With our flagship product, VNC Connect, you can enable MFA to protect your account and the machines you’re connecting to. You will also get an email when connecting to a new device for the first time, ensuring your business can maintain total control over device access.

While texting or emailing a code is the most common second factor used in MFA, these aren’t the only options. Multi-factor authentication can combine multiple credentials that are unique to the user, such as:

  • Something the user knows – a password or the answer to a pre-set question.
  • Something the user carries to authenticate – a card or key fob.
  • Something unique to the user – a fingerprint or facial recognition.

The benefit of adding a second layer of security is that the password is not enough to access an account. Even if an attacker has it, there is another obstacle to accessing the account. The benefits of MFA being part of your remote access strategy are immense.

And since we were mentioning password managers, make sure that you choose one that uses MFA – enable it and always use it!

3. Don’t share passwords, no matter what

While this might be obvious, many hacks happen because users tend to share passwords. And this has started occurring much more often since we all use streaming services. For example, more than a quarter of Netflix’s UK subscribers share their passwords. Since many users are likely to use the same passwords, many hacks are waiting to happen (let’s hope that at least they use MFA on their other accounts).

Additionally, if you can impose a password policy for your users, make it a complex one. Employees might not be pleased when having to change or remember passwords, but the long-term gains and extra security are second to none.

4. Check for previous hacks and delete your old accounts

Remember signing up for that random account ten years ago to enter a competition? Neither do we, but did you know that website got hacked in 2015? The more accounts your employees have, the more vulnerable your organization is to external risks – especially if you’ve used the same password everywhere.

You can check if your email address shows up in any data breaches at haveibeenpwned.com and sign up to get an alert when new breaches happen. A seasonal purge of old accounts will remove the burden of potential future attacks, leaving your company feeling more at ease.

5. Avoid public Wi-Fi

The internet has become so integrated with almost every aspect of our lives that in 2016 the UN declared internet access a basic human right. Public Wi-Fi is everywhere and a key player in compromising password security. On top of that, life beyond 2020 means flexible working is here to stay for many companies, indicating employees will have more freedom regarding where they work – from a coffee shop, a commuter train, or even an airport.

However, if you’re concerned about your company’s data security, you might want to advise employees not to connect every time a Wi-Fi notification pops up. When it comes to public Wi-Fi, there is no way of knowing who may be monitoring the session, from the URLs visited through to the keystrokes that users input.

The best way to browse risk-free is not to use public Wi-Fi, but sometimes it’s unavoidable when the 5G signal is non-existent.

Many reputable VPNs are available if public Wi-Fi is a must, even for smartphones. They will add an extra layer of security to keep data safe, especially for corporate devices.

Completely bulletproof security doesn’t exist. Taking all the steps available to protect data puts your organization in the next best position. If you are using a remote access solution, ensure it is secure and that it offers encryption on all connections, rich session permissions, and granular access control.

Cybercriminals will always look for new ways to weasel their way in, keeping us all on our security toes. It’s for us to make sure that they fail to succeed.

Updated for May 2022

How to maintain a compliant remote access strategy
https://www.realvnc.com/en/blog/how-to-maintain-a-secure-and-compliant-remote-access-strategy/
Thu, 12 Jul 2018 12:42:00 +0000

When deploying a remote access strategy, regulatory compliance will be a consideration for many industries.

The post How to maintain a compliant remote access strategy appeared first on RealVNC®.


To achieve compliance there are multiple considerations that must be addressed in relation to security, privacy and visibility.

Compliance regulations such as HIPAA, PCI-DSS and GDPR have stringent requirements when it comes to the handling and processing of corporate and personal data.

What’s more, data security is a priority for most organizations. When you establish connections with third parties and gain some control over their data (or relinquish some control over yours), robust security measures around the processes need to be in place.

This post aims to break down some of the aspects of a secure remote access strategy in relation to compliance regulations.

The safety and security of your data and the data you hold are important to your compliance commitments.

It’s essential to make sure your remote access software has the correct security and control features to help you comply. This should include:

Multi-factor authentication

All remote access sessions should be authenticated at, or before, the point they start.

Multi-factor authentication refers to the use of two or more separate methods for validating your identity. This could be as simple as a username and password as the first factor, followed by a one-time validation code or key-chain sent to your email account or phone.

Using multiple factors of authentication is much more secure than only using one. If one of the authentication factors is compromised, there is an additional layer of security to protect the user and their data.

Session encryption

Remote access sessions should be encrypted end-to-end. The minimum encryption level to look for is 128-bit, though 256-bit will give you a higher level of protection and may be mandated for industry compliance.

Remote access log and PCI-DSS compliance

Establishing compliance may require that you demonstrate log and audit history of everyone who has accessed your network remotely. This is often one of the first things an investigator will ask for during a review or if a breach has occurred.

Log and audit records are an essential part of your compliance strategy, not just for GDPR but for a variety of industry and government regulations, for example ISO 27002 and PCI-DSS.

Granular access rights

Ideally your remote access software should give you fine-grained control over each user’s access rights. You should be able to give each user the appropriate privileges they need, and to control the devices they can access through some type of group or management structure.

GDPR and your remote access policy

Privacy is perhaps the most crucial remote access related issue in your quest to achieve compliance with GDPR or other regulations. Are you clear about how you handle and process the data that is captured during remote sessions?

If you’re using remote access software, data about your sessions will likely be collected for logging purposes. Information such as IP address, local user name, results of activities and chat transcripts may be captured and stored.

You should understand what this information is and how it is handled by your remote access software provider. Also, you may need to declare this in your own privacy policy to comply with regulations like GDPR, especially if you are using the remote access software to provide services for employees, customers and other third parties.

Data minimization is also an important aspect of remote access compliance: namely, being able to demonstrate that the data being used is essential for the requirements of the action being performed.

Remote user interfaces

Here, deliberate and controlled limitations need to be considered. For example, if a technician is accessing a desktop remotely with the intention of assisting in configuring the printer, they should only have access to the necessary data required to fulfill the task, not the wider network of information. 

With due diligence and robust internal procedures, efforts to maintain regulatory compliance pay off in the long run. For growing companies in particular, it’s essential to develop a best-practice culture at an early stage, so that compliance and security are inherent in every remote access session, no matter how much you scale.

Ultimately, security and compliance are at the heart of protecting the reputation and future of your business.

VNC Connect remote access software enables PCI-DSS, HIPAA, and GDPR compliance, meeting all of the provided guidelines. Every connection is end-to-end encrypted with up to 256-bit AES encryption, 2048-bit RSA keys, and perfect forward secrecy, so sessions are entirely private to you now and in the future.
