With many organizations now adopting an almost entirely working-from-home (WFH) model as the world shelters-in-place to battle the COVID-19 pandemic, understanding how attackers might exploit remotely accessible entry points and how you can block them has never been more critical. Organizations are expanding and purchasing new virtual private network (VPN) solutions that allow access to business applications using an internet connection. Similarly, there’s greater use of remote desktop solutions and more reliance on cloud environments and applications with employees working off premises. VPN and remote access gateways have always been ideal candidates for adversaries to target; increased use in the wake of COVID-19 amplifies these risks.
As you expand your organization’s capacity for WFH, make sure that you are also using best practices for securing your newly expanded attack surface. Let’s take a look at some of the key risks with VPNs, remote desktop protocol (RDP) and cloud services.
VPN solutions vary widely in their performance, quality and approach to security. When relying on a VPN for secure transmissions, your organization should institute an independent verification of the security of your implementation. Of course, having a VPN provider check the security of their own solution is a start, but it’s not enough because it’s like relying on the company setting up a security fence to verify its effectiveness; if that fence provider is asked if the fence is adequate, they will say yes.
Beyond configuration issues, VPN gateways suffer from a number of common security vulnerabilities, including remote code execution, file path traversal and password modification, that can lead to credential theft and internal network compromise. For example, CVE-2019-11510 is a vulnerability that allows an unauthenticated remote attacker to gain access to private keys and user passwords. First identified in May 2019 in Pulse Connect Secure, Pulse Secure’s SSL VPN, it is still unresolved on a significant number of enterprise networks.
The CyCognito platform observed a 7x increase in the number of newly deployed, and thus exposed, RDP servers in March over previous months, which is not surprising given the massive shift to remote working. What is surprising is that two-thirds of those RDP servers don’t have the recommended Network Level Authentication (NLA) implemented. NLA is a mitigation to prevent unauthenticated access to the RDP tunnel and dramatically decreases the chance of success for RDP-based worms. Our analysis further reveals that 18 percent of Fortune 1000 companies have RDP servers without NLA or VPN protection.
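As an added example (not code from the original post or from CyCognito), the following PowerShell audits the NLA setting discussed above on a single Windows host: it reads the documented RDP-Tcp registry values and the Group Policy override, reports whether the host accepts RDP connections without NLA, and offers an elevated remediation function. The function names are my own; the registry paths and value names are the standard Remote Desktop Services settings.

```powershell
# Added example: audit whether this host requires Network Level Authentication
# (NLA) for RDP and optionally enforce it. Run Get-RdpNlaStatus as any user;
# Set-RdpNlaRequired needs an elevated session.

$RdpTcpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$TermSrvKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RdpNlaStatus {
    [CmdletBinding()]
    param()

    # fDenyTSConnections = 1 means RDP is switched off. If the value is missing we
    # conservatively treat RDP as enabled so the audit does not under-report.
    $deny      = (Get-ItemProperty -Path $TermSrvKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $localNla  = (Get-ItemProperty -Path $RdpTcpKey  -Name UserAuthentication  -ErrorAction SilentlyContinue).UserAuthentication
    $secLayer  = (Get-ItemProperty -Path $RdpTcpKey  -Name SecurityLayer       -ErrorAction SilentlyContinue).SecurityLayer
    $policyNla = (Get-ItemProperty -Path $PolicyKey  -Name UserAuthentication  -ErrorAction SilentlyContinue).UserAuthentication

    # A Group Policy value, when present, takes precedence over the local setting.
    $effectiveNla = if ($null -ne $policyNla) { $policyNla } else { $localNla }
    $rdpEnabled   = ($deny -ne 1)
    $layerName    = switch ($secLayer) { 0 { 'RDP' } 1 { 'Negotiate' } 2 { 'TLS' } default { 'Unknown' } }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        RdpEnabled    = $rdpEnabled
        NlaRequired   = ($effectiveNla -eq 1)
        NlaSource     = if ($null -ne $policyNla) { 'GroupPolicy' } else { 'Local' }
        SecurityLayer = $layerName
        # The condition the post describes: RDP reachable before authentication.
        Exposed       = $rdpEnabled -and ($effectiveNla -ne 1)
    }
}

function Set-RdpNlaRequired {
    # Sets the local values only; a conflicting Group Policy must be fixed in GPO.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Require NLA and TLS for RDP-Tcp')) {
        Set-ItemProperty -Path $RdpTcpKey -Name UserAuthentication -Value 1 -Type DWord
        Set-ItemProperty -Path $RdpTcpKey -Name SecurityLayer      -Value 2 -Type DWord
    }
}

$status = Get-RdpNlaStatus
$status | Format-List
if ($status.Exposed) {
    Write-Warning 'RDP is enabled without NLA; run Set-RdpNlaRequired in an elevated session.'
}
```

Wrapping Get-RdpNlaStatus in Invoke-Command over a list of hosts turns this into the fleet-wide inventory an exposure count like the one above is built from.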