Has the remote work initiative your company just deployed told hackers when, where and how to hit your company?
Over the past month we’ve seen an explosion in remote workers due to Covid-19. For many of my customers, they’ve been directed to get employees working remotely any way they could as quickly as possible. Now that we have a moment to breathe, it’s important to make sure that your cybersecurity risk isn’t soaring.
Why is cybersecurity risk soaring?
Data compiled by Shodan, a search engine for Internet-connected devices, has revealed an increase in enterprise RDP and VPN use but these solutions aren’t being used securely.
Meaningful Numbers:
- 41.5% growth in number of devices exposing RDP to the Internet on standard ports (3389)
- 36.8% growth in number of insecure service on a non-standard port (aka security by obscurity) on alternative port (3388)
- 33% growth in the number of servers running VPN protocols (IKE, PPTP) on different ports from 7.5 million to nearly 10 million
- 8% of RDP instances remain vulnerable to BlueKeep (CVE-2019-0708)
- 16.4% growth in Industrial Control Systems (ICS) protocols that don’t have any authentication or security measures
What do these numbers mean?
We’ve seen a massive jump in the enterprise RDP and VPN use but if companies aren’t using these solutions securely, hackers know when, where and how to hit a company.
Security Steps to Keep in Mind:
- Never expose RDP services to the internet, do not port forward 3389
- Putting RDP on an alternate port (3388) does not provide additional security
- RDP shouldn’t be publicly accessible without other protections (firewall whitelist, 2FA, RDS Gateway, etc.)
- Point-to-Point Tunneling Protocol (PPTP) has a number of security issues, as a result it’s an obsolete method for implementing virtual private networks
- Ensure you have mitigated known VPN Vulnerabilities
- CVE-2019-1573, a vulnerability that may allow an attacker to access authentication or session tokens and replay them to spoof the VPN session and gain access as the user
- CVE-2019-11510, allows an unauthenticated remote attacker to send a URI string to perform arbitrary file reads affecting Pulse Connect Secure SSL VPN installations
- CVE-2018-13379, allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests in the FortiOS SSL VPN web portal
How can I decrease my cybersecurity risk?
There are a number of proactive security steps your company can take to ensure while your employees are working remotely, hackers aren’t taking advantage.
Proactive Steps to Take:
- Setup a VPN
- If your Firewall doesn’t have VPN capabilities, deploy one that does
- Confirm your VPN configuration is secure
- (James would doing a firewall configuration check make any sense)
- Deploy a trusted 3rd party remote access tool
- SIEM- Security Information Event Management– detect vulnerabilities, alert potential security risks and respond immediately
- Run through your cyber security incident response plan to make sure you don’t have any gaps if your IT team is now all remote
- Make sure your contact information, including phone numbers, is up to date
Email Becca Feig at becca@aislabs.com to discuss the approach that would be the best fit for your company.
**Thanks to James Byrne for input.**