Due to the self-isolation caused by COVID-19, people were forced to take their professional and some of their personal communication online this year. This increased online activity brought a wave of malicious incidents such as malware, data breaches, and phishing. In March alone, Google banned more than 18 million scam websites related to coronavirus. The drastic increase in attacks calls for raising security awareness in personal life, and making the workplace secure is an absolute must.
That’s why employers have to assess these remote work risks and ensure proper cybersecurity training for their teams. The human factor is the weakest point in the system: a single employee falling victim to phishing can undo your security investments in a moment.
COVID-19 made us all work from home, which often means connecting to the office network from your computer over Remote Desktop Protocol, also known as RDP. Alongside it you may often hear the term ‘BYOD’, or ‘Bring Your Own Device’, which refers to the practice of employees using their own computers to connect to the corporate environment.
While RDP is the most popular way to do this, it is no secret that it can also be the most vulnerable one, so here are the top threats it brings and how to avoid them:
1. Brute force attacks
Despite the recommendations to use strong passwords containing numbers, letters and special symbols, many users tend to set their birthday, their mother’s name or other easily guessed values as their passwords. If there are no strict password requirements, they will use the same weak credentials for remote connections, which makes them targets for brute force attacks, where different login combinations are tried until access is gained. According to recent data, approximately 100,000 brute force attacks happen every day.
How to avoid: Enforce stricter password policies in your Active Directory (set a minimum password length, a maximum password age so that passwords are rotated regularly, and a password history so that employees have to choose a new, unique password each time). In addition, make sure the system locks an account after 3-5 failed attempts to stop further guessing. It is also recommended to protect logins with additional layers such as 2FA or one-time passwords (OTP).
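The two halves of this advice, the Active Directory policy and the lockout, can be applied and then checked against the Security log. The following PowerShell is an added example, not code from the original article; it assumes the ActiveDirectory RSAT module on a domain-joined administrative workstation, and the concrete values (14 characters, 90 days, 24 remembered passwords, 5 attempts, 30 minutes) are placeholders to be tuned to your own policy. The second part groups failed logons (Event ID 4625) by source address, which is how a brute force attempt shows up on the target host before the lockout policy kicks in.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module is installed; all numeric values are placeholders for your own policy.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot

# Minimum length, rotation, history and lockout, as recommended in the text.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -ComplexityEnabled $true `
    -MinPasswordLength 14 `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -PasswordHistoryCount 24 `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# Read the policy back so the change can be verified.
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object MinPasswordLength, MaxPasswordAge, PasswordHistoryCount,
                  LockoutThreshold, LockoutDuration, ComplexityEnabled

function Get-RdpFailedLogonSummary {
    # Summarise failed logons (Event ID 4625) on this host by source IP.
    # Logon type 10 is RemoteInteractive (RDP). When Network Level Authentication
    # is enabled, failed pre-session attempts are commonly logged as type 3
    # (Network) instead, so both types are included.
    param(
        [int]$Hours = 24,
        [int]$Threshold = 5   # match the lockout threshold above
    )
    $since = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                           -ErrorAction SilentlyContinue

    $failed = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['LogonType'] -in '3', '10') {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                User      = $d['TargetUserName']
                SourceIp  = $d['IpAddress']
                LogonType = $d['LogonType']
            }
        }
    }

    # Any single source exceeding the lockout threshold within the window is suspicious.
    $failed | Group-Object SourceIp |
        Where-Object { $_.Count -gt $Threshold } |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'SourceIp'; e = { $_.Name } }, Count,
                      @{ n = 'Accounts'; e = { ($_.Group.User | Sort-Object -Unique) -join ',' } }
}

Get-RdpFailedLogonSummary -Hours 24 -Threshold 5
```

The policy cmdlets must run with rights to edit the Default Domain Policy; the log query runs on the RDP host itself (or via Invoke-Command against it). A source that appears with many accounts rather than many attempts against one account is the password-spraying variant of the same attack and is caught by the same grouping.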
2. RDP port vulnerabilities
By default, port 3389 is used for RDP connections, which exposes it to Distributed Denial of Service (DDoS) attacks, where TCP requests to this port overload the server until it becomes unavailable. These attacks are hard to mitigate by blocking unwanted traffic because the requests come from many different sources.
How to avoid: Close the default port 3389 on the firewall for incoming connections, allow them only from the corporate network, and use secure tunneling for RDP sessions. As a more secure alternative, change the default RDP port to a custom one; custom ports are harder to detect and exploit, which significantly reduces the risk.
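Restricting who may reach the port is the control that actually shrinks the exposed surface; the source-address scoping is what stops arbitrary Internet hosts from filling the listener with connection attempts, while a non-default port only reduces noise from scanners that probe 3389 alone. The PowerShell below is an added example, not code from the original article. It assumes a Windows host with the Windows Defender Firewall enabled and is run elevated; the address ranges 10.0.0.0/8 and 172.16.0.0/12 are placeholders for your corporate and VPN networks.

```powershell
# Added example (not from the original article). Run elevated on the RDP host.
# Placeholder corporate/VPN ranges; replace with the networks your staff connect from.
$corpRanges = @('10.0.0.0/8', '172.16.0.0/12')

# Turn off the built-in rules that admit RDP from any address, then add one scoped rule.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

New-NetFirewallRule -DisplayName 'RDP - corporate ranges only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $corpRanges -Action Allow -Profile Any -Enabled True

# Keep default-deny for anything inbound that is not explicitly allowed.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

function Get-RdpExposure {
    # Report the port the RDP listener uses and every enabled inbound allow rule
    # that opens it, with the remote addresses each rule accepts. Rules whose
    # LocalPort is 'Any' are not matched here and should be reviewed separately.
    $rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $port   = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber

    $rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$port" } |
        ForEach-Object {
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = $_.Profile
                RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
            }
        }

    [pscustomobject]@{
        ListeningPort = $port
        AllowRules    = $rules
        # 'Any' in RemoteAddress means the port is reachable from every network.
        OpenToAnyone  = [bool]($rules | Where-Object { $_.RemoteAddress -eq 'Any' })
    }
}

Get-RdpExposure | Format-List
```

If the listener port has been changed, the registry value `PortNumber` under the `RDP-Tcp` key shows the current value and the report follows it automatically, so the check stays valid whichever port the organisation settles on.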
3. Man-in-the-middle threats
While the traffic between the server and the client is encrypted in RDP connections, the lack of authentication of the endpoints creates the possibility of man-in-the-middle (MITM) attacks. A malicious actor can intervene in the server-client communication to replace the packets originally transmitted with forged ones, or to carry out spoofing (forging headers so that emails or traffic appear to come from a legitimate source).
How to avoid: Introduce additional authentication with TLS encryption, which prevents session hijacking and keeps the traffic safe. Also, set up DNSSEC for your domain name to authenticate DNS responses, and again restrict access to allowed IP ranges only (through the corporate VPN).
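On Windows the "additional authentication with TLS" above maps to two listener settings, Network Level Authentication and the TLS security layer, plus the certificate the listener presents. The default RDP certificate is self-signed, so a client has no way to tell it from one a man-in-the-middle generates; the fix is to bind a certificate issued by your enterprise CA. The script below is an added example, not code from the original article; it assumes an elevated PowerShell session on the RDP host, and the thumbprint passed to `Set-RdpListenerCertificate` is a placeholder for a certificate you have already imported into the machine store.

```powershell
# Added example (not from the original article). Run elevated on the RDP host.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# UserAuthentication = 1 : Network Level Authentication required before a session exists.
# SecurityLayer      = 2 : TLS required (0 = legacy RDP security layer, 1 = negotiate).
# MinEncryptionLevel = 3 : "High" (128-bit) encryption.
Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
Set-ItemProperty -Path $rdpKey -Name SecurityLayer      -Value 2 -Type DWord
Set-ItemProperty -Path $rdpKey -Name MinEncryptionLevel -Value 3 -Type DWord

# Settings apply to new connections; read them back to confirm.
Get-ItemProperty -Path $rdpKey |
    Select-Object UserAuthentication, SecurityLayer, MinEncryptionLevel

function Get-RdpListenerCertificate {
    # The listener certificate lives in the 'Remote Desktop' store. A certificate
    # whose Issuer equals its Subject is self-signed and cannot be validated by
    # clients, which is exactly the gap a MITM exploits.
    Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop' | ForEach-Object {
        [pscustomobject]@{
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            SelfSigned = ($_.Subject -eq $_.Issuer)
            Expires    = $_.NotAfter
            Thumbprint = $_.Thumbprint
        }
    }
}

function Set-RdpListenerCertificate {
    # Bind a CA-issued certificate (already in Cert:\LocalMachine\My) to the
    # RDP-Tcp listener via the Win32_TSGeneralSetting WMI class. The private key
    # must be readable by NETWORK SERVICE, which the Remote Desktop service runs as.
    param([Parameter(Mandatory)][string]$Thumbprint)

    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
                          -ClassName Win32_TSGeneralSetting `
                          -Filter "TerminalName='RDP-Tcp'"
    Set-CimInstance -InputObject $ts -Property @{ SSLCertificateSHA1Hash = $cert.Thumbprint }
    "Listener now uses: $($cert.Subject) issued by $($cert.Issuer)"
}

Get-RdpListenerCertificate

# Placeholder thumbprint; replace with the thumbprint of your CA-issued certificate.
# Set-RdpListenerCertificate -Thumbprint '<THUMBPRINT-OF-CA-ISSUED-CERT>'
```

Once a CA-issued certificate is bound and NLA is enforced, clients that trust your CA will refuse a connection whose certificate does not chain to it, which turns the "untrusted certificate" warning users habitually click through into a hard failure for a forged endpoint.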
4. Remote code execution
The most widespread Windows RDP vulnerability is the BlueKeep worm (tracked as CVE-2019-0887). It allowed remote code execution via clipboard access: once the paste action was used, it triggered processes running in the background without asking for permission. Luckily, a patch was released and only older Windows versions were affected. Given that the vulnerability reappeared at the beginning of this year and was fixed in CVE-2020-0655, the first patch may have been incomplete. According to estimates, more than 1 million RDP users were affected by this.
Remote code execution opens the way to steal sensitive data for later exposure or sale, to infect systems with ransomware for extortion, or simply to destroy the data along with the company’s reputation.
How to avoid: Use secure Remote Desktop solutions, run the latest stable software version, and follow the security news for the software you use so that you are aware of new patches. While nobody can predict where the next exploit will be found, with today’s pace of technology it is only a matter of time, as a new vulnerability is discovered almost every day. That is why it is critical to regularly perform both internal and external penetration testing to keep your systems ready to withstand attacks.
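"Run the latest stable version" is only verifiable if you can see, per host, how stale its patch level is. The PowerShell below is an added example, not code from the original article; it assumes an elevated session on the host (or Invoke-Command against it) and uses a 30-day staleness threshold that is a placeholder for your own patch SLA. It reports the OS build, the most recent hotfix and its age, and whether the host is actually accepting RDP connections, so that exposed and unpatched machines can be prioritised.

```powershell
# Added example (not from the original article). $MaxAgeDays is a placeholder for
# the patch window your organisation commits to.
function Get-RdpPatchStatus {
    param([int]$MaxAgeDays = 30)

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Most recent installed update; InstalledOn can be empty for some entries.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    $ageDays = if ($latest) {
        (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
    } else { $null }

    # fDenyTSConnections = 0 means the host accepts Remote Desktop connections.
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpEnabled = (Get-ItemProperty -Path $tsKey).fDenyTSConnections -eq 0

    [pscustomobject]@{
        Host        = $env:COMPUTERNAME
        OS          = $os.Caption
        Build       = $os.Version
        LastHotFix  = if ($latest) { $latest.HotFixID } else { 'none recorded' }
        InstalledOn = if ($latest) { $latest.InstalledOn } else { $null }
        HotFixAge   = $ageDays
        # Stale when no update is recorded or the newest one is older than the window.
        Stale       = ($null -eq $ageDays) -or ($ageDays -gt $MaxAgeDays)
        RdpEnabled  = $rdpEnabled
        # The combination that deserves attention first.
        ExposedAndStale = $rdpEnabled -and (($null -eq $ageDays) -or ($ageDays -gt $MaxAgeDays))
    }
}

Get-RdpPatchStatus -MaxAgeDays 30 | Format-List
```

Run across a fleet with `Invoke-Command -ComputerName <hosts> -ScriptBlock ${function:Get-RdpPatchStatus}`, the `ExposedAndStale` column gives a simple ordering for which machines to patch first, and the same output doubles as evidence for the penetration-testing scope the text recommends.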
While working from home seems to be a trend with no sign of losing its popularity, it is worth taking care of the security of your networks and employees. Among the protective measures are regular software and OS updates, external system backups, reliable and properly configured firewalls, and anti-malware protection. Rapid incident response, stronger security policies that restrict access to the most sensitive data, and regular password changes should be common practice in your company as well. If your employees use their personal devices for work connections, make sure that your system administrators perform BYOD checks before allowing the connection.
It is also a good idea to keep your team informed about the latest cybersecurity developments, especially when these require some action from them (e.g. protocols for confirming account ownership if you deal with customers, and general rules for handling suspicious emails or links).
The most important thing to note here is that technology evolves every day, and so do the ways in which systems are exploited. That is why making sure your system is resilient to external attacks is not a one-time event but a never-ending process.