How to Secure Remote Access for Your Employees

The restrictions that come along with the COVID-19 pandemic have forced many organizations to adopt the work from home model. One key component of the work from home model is remote access – the ability to connect to another computer or network over the internet.

Remote Desktop Protocol (RDP)

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that lets a user access another computer over the internet. While RDP was initially released for Windows operating systems, it can now also be used from Mac operating systems.

A remote desktop user can access another desktop, open and edit its files, and run its applications no matter where that desktop is geographically located. In the context of the work from home model, remote workers often use remote desktop software to access their work computers.

For the interconnected computers to send data back and forth, RDP uses a dedicated network channel: by default it listens on network port 3389, which is why that port is what attackers and internet scanners look for.

In the blog post “Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks”, published on December 18, 2019, the Microsoft Defender ATP Research Team said that attackers target RDP servers that use weak passwords and lack multi-factor authentication, virtual private networks (VPNs), and other security protections.

According to the Microsoft Defender ATP Research Team, which analyzed several months’ worth of data from across Microsoft Defender ATP customers, out of about 45,000 machines that had both RDP public IP connections and at least 1 network failed sign-in, on average several hundred machines per day had a high probability of undergoing one or more RDP brute force attack attempts. “Of the subpopulation of machines with detected brute force attacks, the attacks lasted 2-3 days on average, with about 90% of cases lasting for 1 week or less, and less than 5% lasting for 2 weeks or more,” the Microsoft Defender ATP Research Team said.

In a brute force attack, an attacker uses trial and error to guess the correct username and password combination. RDP access is attractive to threat actors because it gives them a foothold in their targets’ entire networks, providing an entry point for spreading malicious software (malware) and conducting other criminal activities such as stealing data.
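The signal Microsoft’s detection builds on is a burst of failed sign-ins from one source. The following is a minimal illustration added here (not Microsoft’s model or any code from the original post): it counts failed RDP logons per source address in a sliding time window over constructed records shaped like the fields of Windows Security event 4625, where logon type 10 (RemoteInteractive) marks an RDP sign-in. All addresses and account names are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon records: (time, source IP, target account, logon type).
# Logon type 10 = RemoteInteractive, i.e. an RDP sign-in attempt.
SAMPLE_FAILED_LOGONS = [
    ("2020-04-01T08:00:%02d" % (5 * i), "198.51.100.7",
     ["administrator", "admin", "backup", "jsmith"][i % 4], 10)
    for i in range(12)                                         # 12 failures in 1 minute
] + [
    ("2020-04-01T08:00:30", "198.51.100.7", "svc-share", 3),   # network logon (SMB), not RDP
    ("2020-04-01T09:10:00", "203.0.113.42", "mlee", 10),       # a real user mistyping once
    ("2020-04-01T10:05:00", "203.0.113.42", "mlee", 10),       # ... and again an hour later
]


def detect_rdp_bruteforce(events, window=timedelta(minutes=5), threshold=10):
    """Flag source IPs with at least `threshold` failed RDP logons inside any
    sliding window of length `window`. Returns {ip: (peak_failures, accounts)}."""
    by_ip = defaultdict(list)
    for ts, ip, user, logon_type in events:
        if logon_type != 10:          # keep only RemoteInteractive (RDP) failures
            continue
        by_ip[ip].append((datetime.fromisoformat(ts), user))

    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()                   # chronological order per source
        peak, start = 0, 0
        for end in range(len(rows)):
            # slide `start` forward until rows[start..end] fit inside the window
            while rows[end][0] - rows[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            accounts = sorted({user for _, user in rows})
            flagged[ip] = (peak, accounts)
    return flagged


if __name__ == "__main__":
    for ip, (count, accounts) in detect_rdp_bruteforce(SAMPLE_FAILED_LOGONS).items():
        print(f"{ip}: {count} failed RDP logons in 5 min across accounts {accounts}")
```

The spraying source is flagged while the legitimate user’s two scattered failures are not; in practice the window and threshold would be tuned against the host’s normal failed-sign-in rate, which is what Microsoft’s probabilistic model does automatically.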

Kaspersky reported that since the beginning of March the number of RDP brute force attacks has rocketed across almost the entire world. “One of the most popular application-level protocols for accessing Windows workstations or servers is Microsoft’s proprietary protocol – RDP,” Kaspersky reported. “The lockdown has seen the appearance of a great many computers and servers able to be connected remotely, and right now we are witnessing an increase in cybercriminal activity with a view to exploiting the situation to attack corporate resources that have now been made available (sometimes in a hurry) to remote workers.”

With existing tools such as Shodan (a search engine that lets users find specific types of computers connected to the internet using a variety of filters), internet-exposed RDP can be found by simple internet scanning. McAfee reported that the number of RDP ports exposed to the internet had grown from roughly 3 million in January 2020 to more than 4.5 million in March.

In the past few years, many underground markets have emerged selling RDP credentials (username and password combinations) at relatively low cost. Researchers at McAfee reported uncovering RDP credentials linked to a major international airport that could be bought for only US$10.

Cloud Computing

While both RDP access and cloud computing allow workers to work remotely, the two differ in a number of ways. With RDP access, users connect to their physical work computer, while with cloud computing, users access files and applications that are stored in the cloud. Both have their pros and cons. For instance, while cloud computing is easier to use and more efficient to roll out for remote workers, not all organizations have fully migrated to the cloud, for regulatory and security reasons.

Similar to RDP, cloud services such as Microsoft 365, formerly known as Office 365, are becoming the favorite targets of threat actors. Alex Weinert, Director of Identity Security at Microsoft, in his March 12, 2020 blog post “New tools to block legacy authentication in your organization” identified legacy authentication protocols as the preferred entry points of threat actors in attacking organizations via Microsoft 365.

Weinert reported that more than 99% of password spray attacks on Microsoft 365 accounts use legacy authentication protocols, and more than 97 percent of credential stuffing attacks on Microsoft 365 accounts use legacy authentication. Legacy authentication protocols are protocols that rely on basic authentication, a login method that uses a single factor: the username and password combination. Password spray attacks attempt to hijack a number of online accounts using a few commonly used passwords, while credential stuffing attacks attempt to hijack online accounts using stolen usernames and passwords.

Cybersecurity Best Practices

Here are some cybersecurity measures for securing remote access:

  • Keep all software up to date.
  • When exposing RDP to the internet, use strong passwords, require multi-factor authentication, require a VPN, and use a firewall that allows only authorized (whitelisted) IP addresses to reach the RDP port.
  • When using Microsoft 365 and Azure, block legacy authentication with Conditional Access.

Over the years, we’ve helped hundreds of businesses of all sizes to secure their remote access. In fact, 100% of our managed services clients were able to transition to secure remote work during the pandemic without any loss of business or productivity.

You could be sleeping better tonight knowing that your employees and your business are well protected from cybercriminals. Start with a free consultation today by calling us at (416) 920-3000 or email and we will respond within 30 minutes.
