As you’d expect with the current COVID-19 quarantine, a lot of companies are implementing quick fixes to get their employees working from home and continuing business. Some of the ways organizations are doing this can be somewhat risky.
Are RDP and SMB protocols safe?
Remote Desktop Protocol (RDP) lets an employee drive their office computer's screen, keyboard and mouse from home, so they can use it just as if they were sitting in front of it. The service has been around for a long time and, every few years, someone finds a new critical vulnerability in it, and Microsoft has to issue a security patch in response. This game of whack-a-mole is one of the drawbacks of relying on RDP.
In addition, if the organization exposes RDP to the Internet and configures it to require only a user's Windows user ID and password, then attackers can very likely connect to the service using guessed or stolen credentials. Password guessing and reuse of stolen credentials against exposed RDP is the typical avenue we see attackers take, including in ransomware attacks.
We see the same with the Server Message Block (SMB) protocol. Organizations use SMB for things like logging into the Windows network, sharing files and mapping network drives. Like RDP, the SMB service is prone to new security issues requiring patches every few years, and it also authenticates with Windows credentials. Therefore, it is equally ripe for attackers to obtain access using guessed or stolen credentials.
While new critical vulnerabilities in these services may only surface every few years, in a perfect storm of bad timing, critical vulnerabilities have been found in both RDP and SMB within just the last few months. Microsoft has released critical security patches for both services, but many organizations and individuals have not applied them yet, and we are starting to see attack code for these vulnerabilities in the wild.
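Because credential guessing against exposed RDP and SMB is the common entry point, the practical question for a defender is whether you would notice it. The following is an added example (not code from the original post) showing detection logic that a SOC would run over Windows Security log events: failed logons (Event ID 4625) with the remote logon types are grouped by source address, a burst of failures inside a short window is flagged, and the alert records whether a successful logon (Event ID 4624) followed from the same address, which is the case that needs incident response rather than just a firewall block. The event lines are a constructed, simplified text export; real events arrive as EVTX/XML through Get-WinEvent or a SIEM, so only the parser would change.

```python
"""Detect password guessing against RDP and SMB in Windows Security logs.

Added example; it is not part of the original post. Input is a constructed,
simplified text export of Windows Security events (one event per line:
timestamp, Event ID, then key=value fields).
  4625 = failed logon, 4624 = successful logon
  LogonType 10 = RemoteInteractive (RDP), LogonType 3 = Network (SMB and
  other network logons), LogonType 2 = local console (ignored here).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a burst of RDP failures from one address that ends in a
# success, an SMB spray from a second address, and a user who mistyped twice.
SAMPLE_EVENTS = """\
2020-04-01T02:15:01Z 4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2020-04-01T02:15:09Z 4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2020-04-01T02:15:20Z 4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.45
2020-04-01T02:15:31Z 4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.45
2020-04-01T02:15:44Z 4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.45
2020-04-01T02:16:02Z 4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.45
2020-04-01T02:16:20Z 4624 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.45
2020-04-01T03:00:00Z 4625 LogonType=3 TargetUserName=backup IpAddress=203.0.113.77
2020-04-01T03:02:00Z 4625 LogonType=3 TargetUserName=backup IpAddress=203.0.113.77
2020-04-01T03:04:00Z 4625 LogonType=3 TargetUserName=backup IpAddress=203.0.113.77
2020-04-01T03:06:00Z 4625 LogonType=3 TargetUserName=backup IpAddress=203.0.113.77
2020-04-01T03:08:00Z 4625 LogonType=3 TargetUserName=backup IpAddress=203.0.113.77
2020-04-01T08:01:10Z 4625 LogonType=10 TargetUserName=mlee IpAddress=198.51.100.7
2020-04-01T08:01:25Z 4625 LogonType=10 TargetUserName=mlee IpAddress=198.51.100.7
2020-04-01T08:01:40Z 4624 LogonType=10 TargetUserName=mlee IpAddress=198.51.100.7
2020-04-01T09:30:00Z 4625 LogonType=2 TargetUserName=mlee IpAddress=-
"""


def parse_events(text):
    """Parse the simplified export into dicts with a datetime 'time' and int 'id'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, *fields = line.split()
        rec = {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "id": int(event_id)}
        for field in fields:
            key, _, value = field.partition("=")
            rec[key] = value
        events.append(rec)
    return events


def find_password_guessing(events, threshold=5, window=timedelta(minutes=10),
                           logon_types=("10", "3")):
    """Return one alert per source IP that produced >= threshold failed remote
    logons inside any window-sized interval. Each alert lists the usernames
    tried and the account (if any) that logged in from that IP afterwards."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("LogonType") not in logon_types:
            continue  # console logons etc. are not remote password guessing
        bucket = failures if ev["id"] == 4625 else successes if ev["id"] == 4624 else None
        if bucket is not None:
            bucket[ev["IpAddress"]].append(ev)

    alerts = []
    for ip, fails in failures.items():
        # Largest run of failures that fits in the window (two-pointer sweep).
        best, j = [], 0
        for i in range(len(fails)):
            while j < len(fails) and fails[j]["time"] - fails[i]["time"] <= window:
                j += 1
            if j - i > len(best):
                best = fails[i:j]
        if len(best) < threshold:
            continue
        last_failure = best[-1]["time"]
        later_success = [s for s in successes[ip] if s["time"] >= last_failure]
        alerts.append({
            "ip": ip,
            "failures": len(best),
            "users": sorted({f["TargetUserName"] for f in best}),
            "success_after": later_success[0]["TargetUserName"] if later_success else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_password_guessing(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the sample, the two attacking addresses are reported and the user who mistyped twice is not; the first alert carries `success_after: jsmith`, the signal that a guessed password worked and the account needs to be locked and investigated. The threshold and window are deliberately parameters: tune them to your own failure baseline, and remember that a slow spray that stays under the window will only show up when you also look at distinct usernames per source over a longer period.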
How can we better secure these protocols?
So what can you do to enhance the security of RDP and SMB? The answer is in multi-factor authentication (MFA) for remote access. MFA requires a second authentication factor for access in addition to a user ID and password.
There are a few different ways to implement MFA. Some use an authenticator app on your phone, which either shows a time-based one-time code or prompts you to approve the login. Others send a one-time code via SMS text message. Either way, even if an attacker has compromised your user ID and password, they still cannot log in, because they do not have your phone and therefore cannot produce the second factor.
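To make concrete why a stolen password alone is not enough, here is an added example (not code from the original post) of how the "app on your phone" factor works: RFC 4226 HOTP and RFC 6238 TOTP. The app and the server share a secret enrolled once (the QR code you scan), and each derives the current 6-digit code from that secret and the current 30-second time slot. The server side shown here also does the two things a correct implementation must do: compare in constant time, and never accept the same time slot twice, so a code phished off a user and replayed within its 30-second life is rejected. The secret in the block is the published RFC test-vector secret, not a real key.

```python
"""Authenticator-app second factor: RFC 4226 HOTP / RFC 6238 TOTP.

Added example; it is not code from the original post. The secret used in the
demo is the RFC 4226/6238 published test vector, not a real key.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """Time-based code (RFC 6238): HOTP with counter = floor(unix_time / step).
    This is what the phone app displays; 'at' overrides the clock for tests."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step), digits)


class TotpVerifier:
    """Server side. Accepts the code for the current slot or one slot either
    side (phone clock drift), compares in constant time, and never accepts the
    same slot twice, so a code phished and replayed within its 30 seconds fails."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret, self.step, self.digits, self.skew = secret, step, digits, skew
        self.last_counter = -1   # highest counter value already consumed

    def verify(self, code: str, at=None) -> bool:
        now = time.time() if at is None else at
        counter = int(now // self.step)
        for delta in range(-self.skew, self.skew + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue  # this slot (or an older one) was already used: replay
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 4226 / 6238 test secret, not a real key
    server = TotpVerifier(secret)
    code = totp(secret)                # what the phone app would show right now
    print("app shows", code, "server accepts:", server.verify(code))
    print("replay of the same code accepted:", server.verify(code))
```

The `last_counter` bookkeeping is the part most home-grown implementations skip. Without it, a phishing page that relays the user's password and current code to the real site has a 30-second window in which the same code also works for the attacker; with it, whichever login lands first consumes the slot. Push-approval apps avoid the code entirely but are exposed to approval fatigue instead, which is why the phishing warning later in this article applies to MFA prompts as much as to passwords.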
We also highly encourage setting up MFA on work email. A lot of organizations don’t think there’s a lot of risk to email, but many attacks start with someone breaking into a work mailbox and then stealing or resetting passwords from there.
How can we keep remote PCs secure?
One of the most important controls for your remote workers' computers is anti-virus software. If employees are going to use personal computers to reach their work computers or office servers remotely, consider giving them a license for your corporate anti-virus product. Make sure they run a supported, centrally managed commercial anti-virus application rather than whatever came preloaded with the computer, so that you can verify the software and its signatures are actually up to date.
What is the best way to provide remote access?
The best way (i.e., the most secure way) to provide remote access for your quarantined employees is with a virtual private network (VPN). Usually, this is built into your firewall or an appliance that goes next to your firewall.
A VPN includes client software on the remote laptop or computer that builds an encrypted tunnel to the office, usually with MFA on the login. Many VPNs also add a posture check that verifies anti-virus and the required patches are installed on the remote computer before the worker is allowed to connect at all.
I’ve heard that phone-based MFA isn’t safe. Is that true?
There is a risk specific to the phone: an attack called "SIM swapping," where attackers contact your cellphone carrier, impersonate you and persuade the carrier to move your phone number to a SIM they control. If your MFA relies on SMS text messages, the attacker then receives your MFA codes. It is a fairly involved attack that takes some effort from the attacker.
These attacks mostly target people who use SMS-based MFA for high-dollar wire transfers or Bitcoin exchanges. Attackers are unlikely to go through the effort of a SIM swap just to use the MFA to get into everyday apps or a typical personal bank account.
But if you do use SMS-based MFA to log in to a website or application used for high-dollar transactions or similar high-security functions that could plausibly be targeted, talk with your provider about switching from SMS-based MFA to something stronger, such as an authenticator app.
Should I use external vulnerability scanning? How much will it cost?
We, along with several industry security standards bodies, recommend having external vulnerability scanning performed. The scanning provider scans all of your Internet-facing IP addresses and reports any exposed security risks: services still using default passwords, services missing patches, and remote-access services such as RDP or SMB that should not be reachable directly from the Internet.
Most external vulnerability scanning services are relatively inexpensive, especially for small businesses with only a handful of Internet-facing addresses, and typically run monthly or quarterly. You tell the scanning provider which external addresses are yours (your ISP can confirm them) and when you want the scans run. Once a scan completes, they send an email with a link to the results so you can see what might be a risk.
What type of cyber attacks may be coming during this quarantine?
Attackers will use the coronavirus as a lure to get you to log in somewhere and give away your password. So be extra wary of emails, and even text messages, that promise rebates from the IRS, offer coronavirus assistance or even appear to be official warnings. Anything that pushes you to click a link and then enter your login information should be treated with suspicion.
If you have any questions regarding remote access security during this time of quarantine or any other time, do not hesitate to contact us.