Are RATs ever a good idea?

Remote access tools offer ease of access but at what cost to security?

I'm sorry, but when developers create technologies, they have to assume that whatever they name it, the product will inevitably be replaced with an acronym. Yes, a remote access tool sounds appealing, but who in the world would ever want to buy a RAT? 

To make matters worse, these tools pose risks to enterprise security. Who didn't see this coming? That a RAT could invite disease or infection really is of no surprise to me, but I (admittedly) have a greater emotional attachment to words than most. 

I digress. My point is that in the aftermath of the recent report that GoToMyPC accounts are being targeted with stolen passwords right on the heels of the TeamViewer hack, installing RATs on your computer seems downright risky.

Given that I don't know whether the connotation I have with RATs is fueled by my utter disdain for the long-tailed rodent of the same name, I consulted with Alex Hamerstone, GRC practice lead at TrustedSec, to help me and my readers understand both real and perceived remote access vulnerabilities.

"A lot of hacks are the result of people reusing passwords," Hamerstone said. So many compromised accounts are the result of people using the same username and password across multiple sites. If you're secretly thinking, "I know, I know. I have to stop doing that," you might want to avoid using remote access tools until you have broken that bad habit.

Why? Hamerstone explained, "Let's say my email address is I go to my banking website and login with the password abc123. I can keep that password as secure as possible on that banking site." By human nature, though, people use the same passwords on almost every site they visit.

"A bad actor can steal a list from an easy target, like an online forum or a newspaper website account. Then they can try that list of usernames and passwords on credit card or banking websites," said Hamerstone.
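In login records, the replay of a stolen list that Hamerstone describes shows up as one source trying many different accounts with few successes, which is distinct from a single user mistyping their own password. The Python sketch below is an added example, not part of the original article; the event format, the thresholds and the sample data are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of remote-access login events: (source_ip, username, success).
# Addresses come from the documentation ranges; usernames are made up.
SAMPLE_EVENTS = [
    ("203.0.113.7", "alice", False),
    ("203.0.113.7", "bob", False),
    ("203.0.113.7", "carol", False),
    ("203.0.113.7", "dave", True),    # a reused password from the stolen list worked
    ("203.0.113.7", "erin", False),
    ("203.0.113.7", "frank", False),
    ("198.51.100.20", "alice", False),  # one user mistyping their own password
    ("198.51.100.20", "alice", False),
    ("198.51.100.20", "alice", True),
    ("192.0.2.44", "bob", True),        # ordinary login
]


def detect_stuffing(events, min_users=5, max_success_ratio=0.25):
    """Flag sources that try many distinct accounts and mostly fail.

    Returns {source_ip: sorted usernames that logged in successfully}, i.e.
    the accounts whose passwords should be reset and sessions reviewed.
    Thresholds are illustrative assumptions, not recommended values.
    """
    tried = defaultdict(set)      # distinct usernames attempted per source
    succeeded = defaultdict(set)  # usernames that authenticated per source
    attempts = defaultdict(int)
    wins = defaultdict(int)
    for ip, user, ok in events:
        tried[ip].add(user)
        attempts[ip] += 1
        if ok:
            wins[ip] += 1
            succeeded[ip].add(user)

    flagged = {}
    for ip, users in tried.items():
        # Many accounts from one source with a low hit rate suggests a replayed list.
        if len(users) >= min_users and wins[ip] / attempts[ip] <= max_success_ratio:
            flagged[ip] = sorted(succeeded[ip])
    return flagged


if __name__ == "__main__":
    for ip, accounts in detect_stuffing(SAMPLE_EVENTS).items():
        print(f"{ip}: suspected credential stuffing; reset and review: {accounts}")
```

The successful logins from a flagged source matter most: those are the accounts where a reused password was accepted.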

Given the problems that passwords create, it seems logical that the best way to mitigate security risks is to stop using passwords. Hamerstone said that in an ideal world, yes, but realistically that is not so easy to pull off.

"From an academic standpoint, it’s easy to suggest we move away from passwords, but like anything else, implementing that kind of change is much more expensive and technically involved," he said.

Sure, for highly technical people, implementing more sophisticated technologies wouldn't be so tricky, but for employees and users who are not as tech savvy, that's a greater undertaking.

"If I am managing machines that aren’t in front of me, I'm perhaps working at a help desk, where I am not always dealing with the most technical people. I can be working with the smartest accountant in the world -- and for most users remote access tools are used for ease of maintenance -- but those on the receiving end of the help line are not highly experienced IT people," said Hamerstone.

Alas, in the greater network ecosystem, RATs do have a purpose just as the rodents are reported to serve a greater purpose in the natural ecosystem. Whether you wish to interact with them is a personal decision.

Hamerstone said, "I can’t tell you what to do, but I want you to understand the risk. Security teams need to decide for their organizations what are the risks, and are they outweighed by the advantage of ease of access."

At the end of the day, companies are in business to make money and in order to operate, people need to be able to use their computers, so Hamerstone said, "Try to determine the middle ground of risk management."
