Are you opening a security hole for your remote workers?

Posted on 2020-04-02 by Matt Strahan in Business Security

On Tuesday Shodun showed that the number of RDP servers exposed to the internet has skyrocketed, going up by 30%. Just having RDP exposed to the internet is pretty much automatically considered a vulnerability in our penetration testing, as it’s a complex protocol that has a history of vulnerabilities (most recently BlueKeep), and exploitation can lead to administrator access to the system. Given that most RDP servers have to be connected to an Active Directory domain, often administrator access is all you need to completely compromise the network and all its data.

Clearly the rise in remote working has caused some windows to be opened in organisations’ environments. While remote working doesn’t have to be a security nightmare, it can still be surprisingly easy to open holes in your security in the name of remote working.

The two main reasons for this is a lack of a strategy and technical debt.

There’s no cyber security strategy

A solid cyber security strategy will adapt to new ways of working and ensure the organisation remains secure while dealing with these new requirements. There’s more endpoints outside the perimeter? No worries, our cyber security strategy provides direction as to how to protect them.

The cyber security strategy is the cornerstone of an organisation’s cyber security. It cascades down into standards and processes that govern cyber security in all aspects. There’s just one catch: a lot of organisations don’t have one.

Cyber security is still a relatively new domain that all organisations are struggling to keep up with. The business strategy charges ahead, but security isn’t considered or is left behind. Ultimately, the cyber security strategy is a support to the business strategy and if it’s not there then the foundations might crumble.

When there’s no security strategy, the IT in the organisation is flying blind when rolling out these new systems. They don’t have the support of a security strategy and they’re simply adding this and that to the environment. There’s no consistency or cohesiveness. When the security of an organisation is only as strong as the weakest link, the lack of consistency becomes an asset to those who are targeting the organisation.

Technical debt

There are applications that have been in banks for decades, just moving along. Eventually maybe we’ll look at the antique mainframes that house them in the same way we might look at a Victorian style building. The mainframes aren’t the only antiques that are in organisation’s though – most of the antiques are software.

We still see old Java apps or desktop apps that just still hang around and are a key part of the business. The problem with these apps is that they often just don’t work in the new world of web services. They require old protocols like RDP to function and are extremely difficult to secure. The only security they’ve ever had is hoping no-one gets access to the system they’re installed on.

When people are working remotely the business needs to keep going. What does IT do then? They expose ports like RDP to the internet so that people can keep using these apps. In their desperation, they open that window.

Making it secure when the environment’s against you

In these times we need to be even more careful than usual and do deliberate steps. We suggested a few quick wins last week, but ensuring that you are secure in the steps you are forced to take are just as crucial. For example, a user can login through VPN then use RDP over VPN for a more secure experience. It’s slightly annoying for the user, but safety sometimes has to be annoying. It’s the same as wearing a harness when going on the roof.

The biggest issue is a lot of businesses are exposed not just in cyber risk but on the financial and operational sides of the business as well. A cyber security compromise could be fatal here. Although speed is important, speed has to be matched with safety.

If in doubt, get it tested with a penetration test or security review. Another set of eyes can help catch any holes you might have inadvertently opened in your environment in your urgency to allow remote working. Otherwise, make sure you have taken steps to ensure you’re covered.

If you missed our post about security precautions for remote work, go review it. Meanwhile, if you have any more questions or issues, or need a bit of advice, then get in touch with us or email us at [email protected]. We’re here to help!

About the author

Matthew Strahan is Co-Founder and Managing Director at Volkis. He has over a decade of dedicated cyber security experience, including penetration testing, governance, compliance, incident response, technical security and risk management. You can catch him on Twitter and LinkedIn.

Photo by Annie Spratt on Unsplash.

If you need help with your security, get in touch with Volkis.
Follow us on Twitter and LinkedIn