
Security through obscurity pros and cons

Recently, McAfee released a blog related to the wormable RDP vulnerability referred to as CVE-2019-0708 or “Bluekeep.” The blog highlights a particular vulnerability in RDP which was deemed critical by Microsoft due to the fact that it is exploitable over a network connection without authentication. These attributes make it particularly ‘wormable’ – it can easily be coded to spread itself by reaching out to other accessible networked hosts, similar to the famous EternalBlue exploit of 2017. This seems particularly relevant when (at the time of writing) 3,865,098 instances of port 3389 are showing as open on Shodan.

Prior to this, RDP was already on our radar. Last July, McAfee ATR did a deep dive on Remote Desktop Protocol (RDP) marketplaces and described the sheer ease with which cybercriminals can obtain access to a large variety of computer systems, some of which are very sensitive. One of the methods of RDP misuse that we discussed was how it could aid deploying a targeted ransomware campaign. At that time one of the most prolific targeted ransomware groups was SamSam. To gain an initial foothold on its victims’ networks, SamSam would often rely on weakly protected RDP access. From its RDP launchpad, it would proceed to move laterally through a victim’s network, successfully exploiting and discovering additional weaknesses, for instance in a company’s Active Directory (AD). In November 2018, the FBI and the Justice department indicted two Iranian men for developing and spreading the SamSam ransomware extorting hospitals, municipalities and public institutions, causing over $30 million in losses.

Unfortunately, this did not stop other cybercriminals from using similar tactics, techniques and procedures (TTPs). The sheer number of vulnerable systems in the wild makes it a “target” rich environment for cybercriminals. At the beginning of 2019 we dedicated several blogs to the Ryuk ransomware family that has been using RDP as an initial entry vector. Even though RDP misuse has been around for many years, it does seem to have gained an increased popularity amongst criminals focused on targeted ransomware. Recent statistics showed that RDP is the most dominant attack vector, being used in 63.5% of disclosed targeted ransomware campaigns in Q1 of 2019.

Source: Coveware Q1 statistics

Securing RDP

Given the dire circumstances highlighted above it is wise to question if externally accessible RDP is an absolute necessity for any organization. It is also wise to consider how to better secure RDP if you are absolutely reliant on it.

The good news is there are several easy steps that help an organization to better secure RDP access. That is why, in this blog, we will use the adversarial knowledge from the McAfee ATR red team to explain what easy measures can be undertaken to harden RDP access. Recommendations are additional to standard systems hygiene which should be carried out for all systems (although it becomes more important for Internet connected hosts), such as keeping all software up-to-date, and we intentionally avoid ‘security through obscurity’ items such as changing the RDP port number.

Do not allow RDP connections over the open Internet

To be very clear… RDP should never be open to the Internet. The internet is continuously being scanned for open port 3389 (the default RDP port). Even with a complex password policy and multi-factor authentication you can be vulnerable to denial of service and user account lockout.

A much safer alternative is to use a Virtual Private Network (VPN). A VPN will allow a remote user to securely access their corporate network without exposing their computer to the entire Internet. The connection is mutually encrypted, providing authentication for both client and server, preferably using a dual factor, while creating a secure tunnel to the corporate network. As you only have access to the network you will still need to RDP to the computer but can do so more securely without exposing it to the internet.
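The post's point that an internet-facing RDP listener is continuously scanned, and that password guessing against it produces lockouts even when the passwords themselves hold, is something a defender can see in the Windows Security log. The following is an added example, not code from the McAfee post or from this blog: it runs a sliding-window count of failed RemoteInteractive logons per source address over constructed event records, lists the lockouts those failures caused, and flags any source that went on to log in successfully. The event IDs (4625, 4624, 4740) and logon type 10 are the real Windows values; the flat dictionary layout, the sample addresses and the account names are constructed for the example.

```python
"""Spot RDP password guessing and the lockouts it causes in Windows Security log records.

Added example: the records below are constructed, not real log data. The event IDs
(4625 failed logon, 4624 successful logon, 4740 account locked out) and logon type 10
(RemoteInteractive, used by RDP sessions) are the real Windows values; the flat dict
layout is an assumption standing in for parsed event XML.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
ACCOUNT_LOCKOUT = 4740
REMOTE_INTERACTIVE = 10  # LogonType used by RDP sessions

# Constructed sample: 198.51.100.7 is an external host guessing passwords against
# an internet-facing RDP listener; 10.0.0.5 is an internal user mistyping once.
SAMPLE_EVENTS = [
    {"time": "2019-06-01T02:00:00", "id": 4625, "user": "administrator", "ip": "198.51.100.7", "logon_type": 10},
    {"time": "2019-06-01T02:00:30", "id": 4625, "user": "administrator", "ip": "198.51.100.7", "logon_type": 10},
    {"time": "2019-06-01T02:01:00", "id": 4625, "user": "admin",         "ip": "198.51.100.7", "logon_type": 10},
    {"time": "2019-06-01T02:01:30", "id": 4625, "user": "administrator", "ip": "198.51.100.7", "logon_type": 10},
    {"time": "2019-06-01T02:02:00", "id": 4625, "user": "administrator", "ip": "198.51.100.7", "logon_type": 10},
    {"time": "2019-06-01T02:02:30", "id": 4625, "user": "svc_backup",    "ip": "198.51.100.7", "logon_type": 10},
    {"time": "2019-06-01T02:02:31", "id": 4740, "user": "administrator", "ip": "-",            "logon_type": None},
    {"time": "2019-06-01T02:03:00", "id": 4624, "user": "svc_backup",    "ip": "198.51.100.7", "logon_type": 10},
    {"time": "2019-06-01T08:15:00", "id": 4625, "user": "jdoe",          "ip": "10.0.0.5",     "logon_type": 10},
    {"time": "2019-06-01T08:15:20", "id": 4624, "user": "jdoe",          "ip": "10.0.0.5",     "logon_type": 10},
    {"time": "2019-06-01T08:16:00", "id": 4625, "user": "jdoe",          "ip": "10.0.0.5",     "logon_type": 2},
]


def parse_time(stamp):
    return datetime.fromisoformat(stamp)


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: peak_count} for sources with >= threshold failed RDP logons inside any window."""
    failures_by_ip = defaultdict(list)
    for event in events:
        if event["id"] == FAILED_LOGON and event.get("logon_type") == REMOTE_INTERACTIVE:
            failures_by_ip[event["ip"]].append(parse_time(event["time"]))

    hits = {}
    for ip, times in failures_by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window's left edge until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[ip] = max(hits.get(ip, 0), count)
    return hits


def find_lockouts(events):
    """Return the set of accounts the log reports as locked out (event 4740)."""
    return {event["user"] for event in events if event["id"] == ACCOUNT_LOCKOUT}


def find_success_after_failures(events, hits):
    """Flag successful RDP logons (4624, type 10) from a source already identified as guessing."""
    return [
        (event["ip"], event["user"])
        for event in events
        if event["id"] == SUCCESS_LOGON
        and event.get("logon_type") == REMOTE_INTERACTIVE
        and event["ip"] in hits
    ]


def report(events):
    """Run all three checks and return the combined result."""
    hits = find_rdp_bruteforce(events)
    return {
        "guessing_sources": hits,
        "locked_out_accounts": find_lockouts(events),
        "successes_from_guessing_sources": find_success_after_failures(events, hits),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The lockout list is the denial-of-service side of the post's warning: the guessing source never had to succeed to lock `administrator` out. The third check is the one worth paging on, since a success from an address that was just guessing is the point at which the picture changes from nuisance to intrusion.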
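The post's two recommendations, that RDP should only be reachable through the VPN and that changing the listener port is an obscurity measure it deliberately leaves out, can be turned into a host firewall audit. This is an added example, not code from the McAfee post or from this blog. The rule records are constructed, and their fields (name, enabled, action, protocol, local_port, remote_addresses) are an assumption modelled loosely on what `Get-NetFirewallRule` and its port and address filters expose; the VPN subnet `10.8.0.0/24` and the moved listener port `33890` are likewise made up for the example. Windows scope keywords such as LocalSubnet are not modelled.

```python
"""Audit host firewall rules for an RDP listener reachable from the internet.

Added example with constructed rules, not an export from any real host. The rule
fields are an assumption modelled loosely on `Get-NetFirewallRule` output; Windows
scope keywords such as LocalSubnet are not modelled, only "Any" and CIDR entries.
"""
import ipaddress

PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def scope_reaches_internet(remote_addresses):
    """True if the rule's remote scope includes anything outside RFC 1918 space."""
    for entry in remote_addresses:
        if entry.lower() == "any":
            return True
        net = ipaddress.ip_network(entry, strict=False)
        if not any(net.subnet_of(private) for private in PRIVATE_NETS):
            return True
    return False


def audit_rdp_exposure(rules, listener_port=3389, vpn_subnet="10.8.0.0/24"):
    """Return one finding per enabled allow rule that lets internet sources reach the RDP listener.

    listener_port is the port the RDP service actually listens on (3389 by default, or
    whatever an administrator moved it to); vpn_subnet is the constructed remediation scope.
    """
    findings = []
    for rule in rules:
        if not rule["enabled"] or rule["action"] != "allow" or rule["protocol"] != "TCP":
            continue
        if rule["local_port"] != listener_port:
            continue
        if scope_reaches_internet(rule["remote_addresses"]):
            findings.append({
                "rule": rule["name"],
                "port": listener_port,
                "fix": f"scope RemoteAddress to {vpn_subnet}, or disable the rule and reach RDP via the VPN",
            })
    return findings


# Constructed rule sets (the first rule name matches the stock Windows inbound RDP rule).
DEFAULT_PORT_RULES = [
    {"name": "Remote Desktop - User Mode (TCP-In)", "enabled": True, "action": "allow",
     "protocol": "TCP", "local_port": 3389, "remote_addresses": ["Any"]},
    {"name": "Web server (TCP-In)", "enabled": True, "action": "allow",
     "protocol": "TCP", "local_port": 443, "remote_addresses": ["Any"]},
]
VPN_SCOPED_RULES = [
    {"name": "RDP from VPN only", "enabled": True, "action": "allow",
     "protocol": "TCP", "local_port": 3389, "remote_addresses": ["10.8.0.0/24"]},
    {"name": "Old RDP rule", "enabled": False, "action": "allow",
     "protocol": "TCP", "local_port": 3389, "remote_addresses": ["Any"]},
]
MOVED_PORT_RULES = [
    # Obscurity only: the listener was moved to 33890 but is still open to everyone.
    {"name": "Custom RDP listener", "enabled": True, "action": "allow",
     "protocol": "TCP", "local_port": 33890, "remote_addresses": ["0.0.0.0/0"]},
]

if __name__ == "__main__":
    print("default port:", audit_rdp_exposure(DEFAULT_PORT_RULES))
    print("VPN scoped:  ", audit_rdp_exposure(VPN_SCOPED_RULES))
    print("moved port, audited on 3389: ", audit_rdp_exposure(MOVED_PORT_RULES))
    print("moved port, audited on 33890:", audit_rdp_exposure(MOVED_PORT_RULES, listener_port=33890))
```

The moved-port case shows why the audit takes the real listener port as input rather than assuming 3389: a check that only looks for 3389 reports the obscured host as clean, while a scanner that walks all ports finds it just the same. The only rule set that passes is the one whose remote scope is the VPN subnet, which is the post's recommendation.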





