Security Archives - Cameyo (feed generated Fri, 02 Feb 2024 23:55:39 +0000)

Citrix Bleed: A Deep Dive for IT Leaders
https://cameyo.com/citrix-bleed/ (Thu, 04 Jan 2024 21:38:19 +0000)

Citrix vulnerability CVE-2023-4966, better known as Citrix Bleed, has resulted in the loss of 36 million customers' data. Here's what you need to know.

The post Citrix Bleed: A Deep Dive for IT Leaders appeared first on Cameyo.
Attention, IT leaders: If you haven’t patched your Citrix NetScaler ADC and Gateway appliances for CVE-2023-4966, also known as Citrix Bleed, consider this your urgent wake-up call. This critical vulnerability is actively exploited by cybercriminals and hackers, including malware and ransomware gangs, posing a significant threat to your organization’s security and data.

Understanding Citrix Bleed

Citrix Bleed is a buffer overflow vulnerability residing in specific configurations of NetScaler ADC and Gateway. Its malicious potential lies in enabling attackers to bypass critical security measures like multi-factor authentication (MFA) and steal sensitive information, including credentials and user session data. This essentially grants them unfettered access to your internal systems and resources, paving the way for data breaches, ransomware attacks, and lateral movement within your network.

Timeline of Citrix Bleed

  • August 2023: The Citrix Bleed vulnerability is silently exploited as a zero-day, with reports suggesting its existence since late 2022.
  • October 10, 2023: Citrix releases security bulletin and security patches to address CVE-2023-4966.
  • October 17, 2023: Citrix confirms active exploitation of unpatched appliances.
  • October 18, 2023: CISA adds CVE-2023-4966 to its Known Exploited Vulnerabilities (KEV) catalog.
  • November 2023: Increased attacks attributed to Citrix Bleed, targeting government agencies and major corporations. These include Boeing, the Industrial and Commercial Bank of China, Comcast, Xfinity and more than 60 credit unions and healthcare orgs. U.S. cyber officials and the FBI warn that both nation-states and criminal groups are now targeting Citrix Bleed.
  • December 2023 – Present: Cybercriminals, ransomware groups, and other threat actors continue to leverage the vulnerability, highlighting the urgency of patching.

The Scope of the Bleed

The Citrix Bleed exploit affects several versions of NetScaler ADC and NetScaler Gateway. Organizations relying on these appliances for secure remote access, application delivery controllers, and load balancing are at risk. The potential impact stretches far beyond data breaches, encompassing:

  • Financial losses: Ransomware attacks, hacks, data exfiltration, and business disruption can lead to significant financial damage.
  • Reputational damage: When hackers get access to your sensitive data and main systems, resulting in public exposure of security vulnerabilities, this can severely damage your brand image and customer trust. Even if you have proactive information disclosure around the vulnerability, the damage is often already done.
  • Operational disruptions: Compromised systems and networks can cripple your operations and functionality, leading to downtime and productivity losses.

Mitigation – Patching and Beyond

Immediate action is paramount. Here’s what you need to do:

  1. Patch all vulnerable Citrix NetScaler ADC and Gateway appliances immediately. Do not delay! Refer to Citrix’s official KB articles for detailed patching instructions.
  2. Scan your network for signs of compromise. Look for unusual activity, unexplained logins, and unauthorized data access.
  3. Review your security posture and access controls. Implement additional security measures to mitigate the risk of exploitation even after patching.
  4. Educate your users about cybersecurity best practices. Train your employees on phishing awareness and password hygiene to minimize the risk of human error.

Protecting Against Future Bleeds

Citrix Bleed serves as a stark reminder of the ever-evolving cyber threat landscape and how bad actors can utilize these vulnerabilities to hijack your systems. To be adequately prepared, consider these practices:

  • Maintain a proactive vulnerability management program. Regularly scan your systems and applications for vulnerabilities and prioritize patching based on severity.
  • Implement a layered security approach. Combine network security, endpoint protection, and intrusion detection/prevention systems to create a robust defense perimeter.
  • Stay informed about the latest cybersecurity threats and vulnerabilities. Subscribe to security alerts and advisories from credible sources like CISA and CERT.

Citrix Bleed is a serious vulnerability not to be ignored. By taking immediate action, patching your systems, and adopting a proactive security posture, you can effectively control the bleeding and safeguard your organization against cyberattacks.

Additionally, remember to:

  • Utilize vulnerability scanning tools and penetration testing: These proactive measures can help identify and address vulnerabilities before attackers exploit them.
  • Implement strong authentication mechanisms: MFA should be mandatory for all access points, particularly those exposed to the internet.
  • Segment your network: Minimize the potential damage from an attack by isolating critical systems and resources.
  • Have a clear incident response plan: Prepare for the worst and establish a documented plan for responding to security breaches.

By taking these steps, you can ensure that your organization remains resilient against even the most sophisticated cyberattacks. Let’s work together to stop the bleeding and protect our digital ecosystems.

Beyond the Patch: Rethinking Secure Remote Access in a Post-Bleed World

While patching remains crucial in addressing immediate threats like Citrix Bleed, it’s important to recognize that it’s merely a bandage on a larger wound. The vulnerability’s emergence underscores the inherent risks associated with traditional remote access solutions, particularly those reliant on complex on-premise infrastructure. This is where exploring alternative approaches, such as Cameyo’s Virtual App Delivery (VAD) platform, becomes critical in building a more resilient security posture.

Cameyo’s Zero Trust security model stands in stark contrast to the vulnerabilities exposed by Citrix Bleed. Instead of placing trust in the network perimeter, Cameyo reduces the attack surface by virtualizing applications and delivering them directly to users’ endpoints through a secure browser session. This approach offers several key advantages:

  • Reduced Attack Surface: By removing applications from the network, Cameyo eliminates the potential for attackers to exploit vulnerabilities like Citrix Bleed to gain access to your internal systems.
  • Zero Trust Access: Every user and device is continuously authenticated and authorized before accessing applications, ensuring only authorized individuals have access to sensitive data.
  • Simplified Management: Cameyo’s cloud-based platform simplifies application management and eliminates the need for complex on-premise infrastructure, reducing the burden on IT teams.
  • Enhanced Endpoint Security: Applications do not run locally on endpoints – instead they are delivered as Progressive Web Apps (PWAs) – further minimizing the risk of malware or ransomware infections.

In the wake of Citrix Bleed, Cameyo’s VAD solution offers a compelling alternative for organizations seeking a more secure and agile approach to remote access. By embracing Zero Trust principles and eliminating the reliance on vulnerable on-premise infrastructure, Cameyo empowers organizations to:

  • Minimize the risk of future security breaches: With the attack surface significantly reduced, even zero-day vulnerabilities like Citrix Bleed become less impactful.
  • Improve user experience: Secure access from any device, anywhere, fosters a more flexible and productive work environment.
  • Reduce IT costs: Simplified management and cloud-based delivery translate to lower operational expenses.

The Citrix Bleed vulnerability serves as a wake-up call for organizations to re-evaluate their remote access and virtual desktop strategies. By looking beyond traditional solutions and embracing innovative approaches like Cameyo’s VAD platform, organizations can build a more robust and resilient security posture, ensuring business continuity and protecting sensitive data in today’s ever-evolving threat landscape.

Remember, patching vulnerable systems is essential in the immediate aftermath of Citrix Bleed, but true long-term security lies in adopting proactive strategies and embracing Zero Trust principles. Consider Cameyo’s VAD solution as a potential step towards a more secure and future-proof remote access architecture.

Note that this blog post is intended for informational purposes only and should not be considered a substitute for professional security advice. Please consult with Cameyo or another vendor with security expertise such as Mandiant or Google’s BeyondCorp Enterprise. To book a call with a Cameyo security & virtualization expert, click here. We’ve helped hundreds of organizations make the switch from legacy remote access technologies to our cloud-native, zero trust platform, and we’re here to help you in any way we can.

If you’re still looking for more information on Cameyo’s approach to Zero Trust security, check out our post on why you should eliminate VPNs, our guide to RDP security, and our approach to browser isolation.

Your Guide to RDP Security
https://cameyo.com/your-guide-to-rdp-security/ (Tue, 28 Mar 2023 21:18:13 +0000)

RDP has known vulnerabilities. But does that mean you have to write off remote & hybrid work? Not if you use Cameyo’s Virtual App Delivery.
As workforces return in whole or in part to the office, cybersecurity remains top of mind for many IT departments. And rightfully so. Malware and cyberattacks surged during the pandemic, and the explosive growth in the number of remote users opened up new vulnerabilities and attack vectors for cybercriminals as organizations struggled to find the tricky balance between ease of access and strict security measures.

When the spotlight fell on those vulnerabilities, two common culprits emerged. One was phishing, which tends to exploit human trust and ignorance to turn an unsuspecting employee into an attack vector. The other was the Remote Desktop Protocol, or RDP, which is the technology on which so many forms of remote access rely. In mid-2020, ZDNET went so far as to say that RDP “reigns supreme” when it comes to ransomware exploits.

The identification of RDP as a potential security risk wasn’t news to a lot of people in the IT industry. During the pandemic, however, its threat as an attack vector magnified because of how widespread its use became in debilitating ransomware attacks. According to Palo Alto Networks’ Unit 42 Cloud Threat Report, 1H 2021, RDP exposures increased by 59% across all cloud providers in the short span between Q1 2020 and Q2 2020. The 2020 Incident Response and Data Breach Report from the same group found that RDP was the initial attack vector in 50% of the 1,000+ ransomware deployment cases it studied.

What is the Remote Desktop Protocol (RDP) and why does it pose security risks?

The Remote Desktop Protocol is a part of a suite of technologies found on Microsoft Windows systems that are designed to allow users to remotely connect to and control a separate system. RDP works in conjunction with Remote Desktop Services (RDS) to provide a graphical representation of the host’s desktop interface on any remote client machine that supports it. This was traditionally used for IT to diagnose and fix issues on a remote user’s computer via the GUI, but these days it’s far more common to find RDP being used to provide users with virtual desktops or perform remote management.

(As a brief aside for the sake of clarity, Microsoft’s official name for their RDP client software is the Remote Desktop Connection. This was previously known as the Terminal Services Client because of its roots in Windows Server’s Terminal Services.)

RDP connections pose a security risk for three simple reasons:

  1. RDP is the de facto industry standard for providing remote desktop sessions and other services to remote users.
  2. The increase in remote work has likewise increased the use of virtual desktop and other remote access solutions that rely on remote desktop services.
  3. Because of how RDP works by default, simple RDP vulnerabilities have the potential to grant hackers access to entire networks.

Through the use of man-in-the-middle attacks or phishing campaigns that allow for unauthorized access to a remote client, a malicious actor can use that client as an attack vector to (or through) the remote desktop gateway. Virtual private networks (VPNs) exacerbate this situation because they assume legitimacy and offer network-level authentication to remote clients. Even strong passwords and IP address whitelists don’t offer sufficient protection when VPNs are at play.

Yet it’s important to note here that infected endpoints aren’t the only potential RDP vulnerability. Ransomware.org details what’s known as a reverse RDP attack, whereby the threat actor plants malware on the RDP server. Any client that connects to that infected server becomes infected itself. Entire organizations could therefore potentially find themselves on the wrong side of a system-wide lockout.

How does the server become infected in the first place? This is done through brute force attacks that run through authentication permutations until they hit the right combo that gives the hacker RDP access. Many organizations face challenges in preventing this because they have to open their firewall to common RDP ports in order to provide seamless access to authorized remote users.
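The brute-force pattern described above leaves a clear trace on the RDP host: a burst of failed logons (Windows Security event 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, sometimes followed by a successful logon (event 4624) once a guess lands. The detector below is an added example written for this article, not Cameyo's code. It assumes a simplified one-line-per-event text export of the Security log with the fields shown in the docstring; the sample log lines and the 203.0.113.x / 198.51.100.x addresses are constructed for the example.

```python
"""Flag RDP brute-force bursts in Windows Security log lines.

Added example (not Cameyo's code). Assumes a simplified one-event-per-line
text export of the Windows Security log in this hypothetical format:
  <ISO-8601 UTC timestamp> EventID=<id> LogonType=<n> TargetUserName=<user> IpAddress=<ip>
Event 4625 = failed logon, 4624 = successful logon; LogonType 10 =
RemoteInteractive (RDP). The sample lines below are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<event>\d+)\s+LogonType=(?P<ltype>\d+)"
    r"\s+TargetUserName=(?P<user>\S+)\s+IpAddress=(?P<ip>\S+)$"
)

# Constructed sample: one source sprays five accounts in five seconds and
# then succeeds; a second source has two ordinary typos; one local logon.
SAMPLE_LOG = """\
2023-03-28T10:00:01Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2023-03-28T10:00:02Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2023-03-28T10:00:03Z EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
2023-03-28T10:00:04Z EventID=4625 LogonType=10 TargetUserName=sysadmin IpAddress=203.0.113.7
2023-03-28T10:00:05Z EventID=4625 LogonType=10 TargetUserName=svc_sql IpAddress=203.0.113.7
2023-03-28T10:00:06Z EventID=4624 LogonType=10 TargetUserName=svc_sql IpAddress=203.0.113.7
2023-03-28T10:01:00Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.20
2023-03-28T10:09:00Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.20
2023-03-28T10:09:30Z EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.20
2023-03-28T10:20:00Z EventID=4625 LogonType=2 TargetUserName=kiosk IpAddress=127.0.0.1
"""


def parse_events(text):
    """Parse export lines into (timestamp, event_id, logon_type, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not in the assumed export format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, int(m["event"]), int(m["ltype"]), m["user"], m["ip"]))
    return events


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: {"failures": n, "users": [...], "success_after_burst": bool}}
    for every source IP that produced at least `threshold` RDP logon failures
    inside any sliding window of length `window`. A later 4624 from a flagged
    IP is recorded separately, since a successful guess is the worst outcome."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    total = defaultdict(int)      # ip -> all RDP failures seen
    users = defaultdict(set)      # ip -> account names tried
    flagged = {}
    for ts, event, ltype, user, ip in sorted(events):
        if ltype != 10:
            continue              # only RemoteInteractive (RDP) logons matter here
        if event == 4625:
            total[ip] += 1
            users[ip].add(user)
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:   # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                flagged.setdefault(ip, {"success_after_burst": False})
        elif event == 4624 and ip in flagged:
            flagged[ip]["success_after_burst"] = True
    for ip, info in flagged.items():
        info["failures"] = total[ip]
        info["users"] = sorted(users[ip])
    return flagged


if __name__ == "__main__":
    for ip, info in find_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(ip, info)
```

The threshold and window are tuning knobs: a few failures spread over hours is a user mistyping a password, while many distinct account names from one address in seconds is a spray, and a 4624 right after such a burst should be treated as a compromised account rather than a resolved incident.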

Older, unpatched versions of RDP also have innate security vulnerabilities that make them susceptible to malware like BlueKeep (CVE-2019-0708), which is a “worm” that can infect a server and spread to connected devices.

Does that mean RDP security is a lost cause?

With so many actual and potential RDP vulnerabilities, it might seem like secure remote access is an impossible task. And if that’s true, it presents IT departments with a terrible choice: Either forbid hybrid and remote work altogether or allow hybrid/remote work and accept malware and other security concerns as a necessary consequence.

Fortunately, that isn’t the case.

Zero Trust Network Architecture (ZTNA) is a best practice that approaches network security from a different angle — and in doing so aims to provide better balance to the “trust versus threat” dilemma. Instead of assuming that authentication should equate to full network access, Zero Trust treats every device as a possible security risk. It operates on a model of least privilege, so both remote users and those at in-network workstations are only granted permissions to access the apps and data they need and nothing more. You can think of ZTNA as compartmentalizing and containing users rather than just opening a single door to the organization’s entire network.

Any Zero Trust model will both require and strengthen a secure remote desktop policy. To put that another way, organizations can leverage ZTNA to empower their hybrid/remote workforce even as they mitigate the security risks associated with remote-enablement technologies like RDP. But much of that depends on sourcing and implementing the solutions that also prioritize that balance.

Cameyo is a building block of a Zero Trust Network Architecture

For organizations that are as serious about Zero Trust as they are about hybrid and remote work, Cameyo’s Virtual App Delivery (VAD) offers a way to secure RDP vulnerabilities while simultaneously giving their workforce secure access to their critical apps.

Cameyo is able to do this in part because it’s OS-independent. It doesn’t require a special client; all apps are delivered to the user via a dedicated encrypted HTTPS (TLS/SSL) HTML5 browser session. This means that clients running operating systems like Windows, ChromeOS, iOS, Android, and Linux can all work with software that retains its full desktop functionality, yet the software is never running on the remote device itself. This likewise means that all user interaction with the app is abstracted from the host machine — so the attack vector is obfuscated for malware payloads.

And while Cameyo does use industry-standard RDP for secure remote access, it makes use of several custom technologies like Secure Cloud Tunneling, NoVPN and Port Shield to safeguard networks against brute force attacks, ransomware and other cyberattacks. As a result, Cameyo provides IT with the ability to deliver all of their apps to users on any device without having to expose firewall and server ports to the open Internet or the need for VPNs. These technologies complement an entire platform designed around the Zero Trust philosophy:

  • Single Architecture – Cameyo does not rely on acquired/bolt-on technologies or third party products that significantly increase the surface of attack for hackers.
  • Cameyo Secure Cloud Tunneling – a proxy server is set up between the end user device and the Cameyo server, eliminating the need to open firewall ports to direct inbound traffic. It also eliminates the need for VPNs because the end user device is completely isolated from the corporate network. Both are a major attack vector for hackers. Our Secure Cloud Tunneling KB article includes additional info and a diagram.
  • Cameyo Port Shield – closes HTTP, HTTPS, and RDP ports at the Windows firewall and dynamically opens them to authorized users only when they need access. Server ports are another favorite for hackers. Additional info on Cameyo Port Shield can be found here.
  • Least Privilege Principle – users do not have admin privileges. In the unlikely event a hacker gains access to a Cameyo user session, they are locked into the session and unable to move to other areas of the corporate network.
  • Non-persistent Servers – when a user closes a Cameyo session, their data and entire user profile is deleted. Our patented Temporary User Profile technology stores the updated user profile separately and seamlessly syncs the user profile upon session relaunch (see below for additional information on Temp User Profiles).
  • HTTPS security and encryption – all Cameyo servers are automatically created with HTTPS to ensure all data/sessions are encrypted.

Through this combination of secure RDP technologies and ZTNA, Cameyo provides your hybrid/remote work users with seamless, secure access to all their apps from any device while simultaneously solving RDP security issues and reducing your overall attack surface.

If you thought Zero Trust and remote work were mutually exclusive, we offer a free trial so you can see Cameyo unite the two in your own environment. Sign up for your own free trial and start delivering apps securely to your remote users today. We also offer you the option to schedule a demo should you have questions about the basics of Virtual App Delivery and how Cameyo fits into a holistic Zero Trust security approach.

How to Eliminate VPN Security Risks
https://cameyo.com/how-to-eliminate-vpn-security-risks/ (Fri, 17 Feb 2023 18:30:56 +0000)

VPNs are riddled with security flaws. To protect against those security risks, you can eliminate VPNs with Cameyo’s Zero Trust VAD platform.
Cybersecurity was already a top concern among IT professionals prior to the COVID-19 pandemic, but the sudden shift to remote work policies brought a number of latent security issues to light. That’s because the increase in the number of users needing remote access to their digital workspaces also opened up new opportunities for hackers and developers of malware.

That left organizations—and IT departments specifically—in a real bind. They desperately wanted to harden their network security and prevent cybercriminals from gaining access to sensitive data that could seriously damage their business. At the same time, they also had to keep day-to-day operations running, and that meant allowing remote users to access files and software behind the corporate firewall.

One of the most common methods of providing users with this access has been through a virtual private network, or VPN. With a VPN client, remote workers can “tunnel” into the organization’s internal network via the connection provided by a third-party Internet service provider (ISP) — in most cases, their home Internet connection.

It’s easy to see the appeal. Most VPNs are able to automatically traverse the various links in the network chain (e.g., the users’ home router or a public Wi-Fi access point, modems, the corporate firewall) and enable users with even basic technical knowledge to establish a direct connection between their remote PC and the organization’s local network. For IT, the bulk of the work goes into configuring the users’ VPN connection and is therefore upfront rather than ongoing.

But virtual private networks have some proven downsides. Corporate VPNs typically require on-premises infrastructure, such as VPN servers and connection brokers, which means purchase costs and long-term maintenance. From the user’s perspective, it isn’t always easy for them to understand how to use VPNs properly. VPNs can also affect the speed of Internet traffic and make high-bandwidth connections appear to run more slowly.

And they also have some deep-rooted security flaws.

Think VPNs are secure? Think again

As we’ve already acknowledged, VPNs are often used by enterprise-scale organizations. In addition, a lot of the marketing for commercial VPN providers revolves around things like online privacy and protecting your personal data. Those factors have led to the widespread assumption that VPNs are synonymous with security.

The truth is that VPNs are actually a prime attack vector for major hacks.

Recently, security-focused organizations like the US National Security Agency have issued stark warnings for large groups of VPN users. In 2022, critical vulnerabilities in Citrix Gateway, an SSL VPN service, as well as related products were found to allow hackers to bypass authentication and verification mechanisms or carry out brute-force attacks. Exploits like these could give malicious actors access to an organization’s entire network.

Nor was this the first time that a vulnerability had been found in Citrix VPN solutions. Security flaws in the same suite of products are known to have exposed more than 80,000 organizations to threat actors in 2019.

And Citrix VPN solutions certainly aren’t the only ones vulnerable to exploits and attacks. Virtual private networks as a technology category have serious and fundamental security issues, as a roundup of headlines from the past few years will reveal:

Simply put, the conventional VPN model runs counter to recommended security policies and best practices.

What’s the nature of some VPN vulnerabilities?

There are some inherent security flaws that are common to all or most VPNs.

DNS leaks: Whenever a computer attempts to communicate with another networked device, it makes a Domain Name System (DNS) query via the DNS server that has been configured for that device. VPNs rely heavily on custom DNS settings that can inadvertently leak DNS queries. This leakage can reveal things like the endpoint device’s IP address and its online activity or even allow important Internet traffic to escape the ostensibly secure VPN tunnel. It also leaves the device vulnerable to spoofing and man-in-the-middle attacks.

VPN pivoting: Like its name suggests, pivoting describes the method by which a hacker turns a compromised endpoint into a vector for attacking its network, often through malware. The implicit trust behind VPN connections makes it possible for these rogue devices to circumvent permissions or firewall restrictions, thereby gaining full network access and a direct route to sensitive data.

Poorly stored credentials: The point-to-point tunnels that VPNs create are usually touted as one of their security features. However, security researchers have found that VPN clients often store authentication credentials or session cookies on the remote endpoint. If these credentials are intercepted by hackers, they now have access to the corporate network through the VPN connection.

Some might be quick to point out that VPNs use different connection protocols — namely, Internet Protocol Security (IPsec)/IKEv2, IPSec/L2TP, OpenVPN and Point-to-Point Tunneling Protocol (PPTP). But the fact is that these vulnerabilities exist irrespective of the protocol.

To eliminate VPN security risks, you need to eliminate VPNs

Security experts have recognized the “all access” philosophy of VPNs to be a serious concern and an outdated approach to modern computing. In response they’ve started advocating for a security policy called Zero Trust Network Access (ZTNA), which is the polar opposite of the VPN model. In fact, Gartner has identified ZTNA as the fastest-growing segment in network security, with a growth forecast of 31% in 2023.

The assumption behind ZTNA is that all devices are potentially compromised. As a result, the focus falls on providing endpoint devices with “just in time” or as-needed access to the corporate network while also limiting their scope of access as well. Should those devices be actually compromised, hackers’ room to maneuver will be severely constrained and any damage will be highly contained.

Unlike VPNs, Cameyo’s Virtual Application Delivery (VAD) platform was designed from the very beginning with the Zero Trust security model in mind. It eliminates the need for VPNs (and therefore the major security hole they introduce) yet provides remote workers with seamless access to their essential apps.

Not to put too fine a point on it, but one of our remote access technologies is called NoVPN. It offers the same end functionality as a VPN but doesn’t come burdened with the same risks — like the need to punch holes in your organization’s firewall. And NoVPN is just one component of our comprehensive Zero Trust network architecture:

  • Always-on monitoring & validation: Cameyo makes use of what are called non-persistent servers. This means that a user’s data is erased from the Cameyo server every time that user logs out.
  • Device access control: Cameyo follows ZTNA best practices by treating every device as if it could be compromised. Remote users get access to all (and only) the apps they need as they need them.
  • Identity & access management: If you have a preferred Single Sign-On (SSO) provider, Cameyo can integrate with it for seamless authentication. Cameyo supports existing Multi-Factor Authentication (MFA) protocols too.
  • Least privilege: Because Cameyo delivers apps via an SSL HTML5 browser session, all Internet traffic that is part of this session is encrypted. Furthermore, the underlying technologies keep permissions to the bare minimum, cutting off access to sensitive data.
  • Prevention of lateral movement: Devices remain isolated from the corporate network/data as well as Cameyo’s VAD platform. In the event that a device is infected with ransomware or a malware payload, it remains confined to that endpoint.
  • Segmentation: Cameyo’s VAD platform maintains segmentation between the endpoint and the corporate network/data, even when users are in an active session.

You can read more about these security features in this related post, “Mitigating RDP and VPN Vulnerabilities to Reduce Ransomware Attacks.”

The very same security advantages of Cameyo’s VAD solution are also what give it its unparalleled flexibility. With Cameyo, organizations can enable seamless remote access to apps independent of the operating system of the endpoint device. ChromeOS, Windows 11, and macOS users can access legacy Windows applications. iOS and Android users can access desktop-class Linux apps, Windows apps, etc. Remote users can even use intranet apps — anywhere, from any device.

If you’re currently using VPNs, don’t wait for a ransomware attack to highlight the need for Zero Trust security. Sign up today for your free trial of Cameyo and see how Zero Trust security policies and seamless remote access to apps can go hand in hand. And if you’d like more detail on how Cameyo eliminates VPNs while making it easier than ever for remote workers to access their essential apps, schedule a demo to have one of our engineers provide the technical background.

Cameyo’s new One-Click Cloud Failover provides Disaster Recovery as a Service (DRaaS)
https://cameyo.com/one-click-failover/ (Wed, 12 Oct 2022 09:54:05 +0000)

Cameyo introduces new One-Click Cloud Failover capabilities to enhance Disaster Recovery as a Service (DRaaS) in its Cloud Desktops.
Regardless of whether it’s due to a cyber-attack or some other disaster, you can’t afford to have data center outages that result in downtime that impacts your business operations. Which is why so many organizations like yours are investing in disaster recovery & business continuity plans to help ensure their people can continue to access the applications & data they need to do their jobs and keep the business running.

Back in April, we introduced our Cameyo Rapid Recovery service to help organizations keep their networks & data safe and their people productive in case of an emergency and/or ransomware attack. The service runs in Google Cloud and provides organizations with a separate, secure cloud desktop environment from Cameyo that they can instantly switch to if their on-premises environment is attacked or disrupted, enabling their employees to maintain access to all their business-critical apps in case of emergency. 

And while Cameyo Rapid Recovery provides a great option for organizations running their own data centers to fail over to Google Cloud with no interruption to the Cameyo cloud desktop service – what about organizations that are already utilizing Google Cloud but also want an added layer of resiliency in case there are any issues with their primary data center location? That’s why today we announced new Disaster Recovery-as-a-Service (DRaaS) capabilities within Cameyo called One-Click Cloud Failover. The introduction of One-Click Cloud Failover gives organizations using Cameyo’s service in Google Cloud the ability to easily select a backup region so that, in case of an issue in their primary data center location, they can easily switch to the new data center region without disruption in service to end users. 

“While Cameyo Rapid Recovery was designed to provide our self-hosted customers with an insurance policy in case their on-premises environment was attacked, our new One-Click Cloud Failover capabilities give our fully-hosted customers additional peace of mind in case anything were to happen with their primary Google Cloud data center location,” said Andrew Miller, Co-Founder and CEO of Cameyo. 

“IT organizations have learned the importance of business continuity, and Cameyo’s new One-Click Failover and its existing Rapid Recovery capabilities leverage their partnership with Google Cloud to give companies the capabilities they need to ensure end-user productivity in the event of a disruption to their primary site. This is a natural fit for companies that want to use the cloud as a backup datacenter, or that want to add resiliency to an existing Cameyo deployment in Google Cloud,” said Gabe Knuth, Senior Analyst at Enterprise Strategy Group (ESG). “Plus, Cameyo’s dedication to Zero Trust means that this can be done without cutting any corners on security.”

The Cameyo One-Click Cloud Failover functionality is available today to all Cameyo customers using Google Cloud. Like all of Cameyo’s security capabilities, One-Click Cloud Failover is built into the core of the platform and is available immediately to Cameyo customers at no additional cost. Want to learn more? Schedule a quick demo with one of our cloud desktop experts and we’ll show you how it works. 

The post Cameyo’s new One-Click Cloud Failover provides Disaster Recovery as a Service (DRaaS) appeared first on Cameyo.

How to Secure Your Remote Desktop Ports https://cameyo.com/how-to-secure-your-remote-desktop-ports/ Wed, 11 May 2022 18:20:09 +0000 https://cameyo.com/?p=229642 Changing the port number is one way to secure your RDP ports, but it’s not as effective or as easy as Cameyo’s zero-trust virtual app delivery.

The post How to Secure Your Remote Desktop Ports appeared first on Cameyo.

The Remote Desktop Protocol (RDP) is commonly used by many different Windows software solutions to provide users with access to remote services. Depending on your IT environment, there’s a good chance that RDP is being used this very minute by one or more of those solutions.

RDP was developed by Microsoft as a proprietary technology and has been built into every version of Windows since Windows XP in 2001. And, yes, that does include more recent versions of the operating system like Windows 10 and 11. As its name indicates, the Remote Desktop Protocol was intended to make remote desktops more user friendly by facilitating communication between Microsoft’s Terminal Server and the Terminal Server Client.

Part of that ease of use derived from the standardization that RDP provides. Windows servers and clients know that RDP port number 3389 is the default listening port for computers to establish a remote desktop connection, so they keep this port open automatically. That way, users are less likely to encounter the kinds of connection errors or Windows Firewall issues that will send them to IT in search of help.

Unfortunately, the use of 3389 as a standard port didn’t escape the attention of malicious actors. They quickly realized that they could exploit RDP’s open port as a way to deliver a ransomware payload or a DDoS attack. A popular method is simple brute force attacks: Hackers will try a relentless series of authentications in the hope of gaining illicit access to the remote desktop server on that port.

This has turned the default RDP port into a major liability. Cybercrime experts currently estimate that RDP is the initial attack vector for half of all ransomware attacks. Naturally, the number of ransomware attacks rose during the pandemic, when the world shifted quickly to providing remote desktop access to users who were now working outside of the office.

But with a 2021 PwC survey revealing that 83% of companies anticipate continuing remote or hybrid work going forward, remote desktop services and the software that leverages them will remain in demand. Consequently, RDP will remain a point of vulnerability for IT and organizations as a whole.

The not-so-quick (or effective) fix: Manually configure your RDP port

There’s a widespread assumption that simply changing the default port for RDP to something other than 3389 will thwart hackers. And if you have no other options, it’s true that assigning a new RDP port is a better defensive maneuver than not changing it at all.

Here’s a quick tutorial on how to do it:

  1. Double-click on the Windows Start button. Type regedit and then press Enter. This will launch the Registry Editor. In newer versions of Windows, you can do this directly from the Windows Search feature.
  2. In the Registry Editor, look for HKEY_LOCAL_MACHINE in the sidebar. Extend the drop-down list and navigate to HKEY_LOCAL_MACHINE\SYSTEM. Keep extending the drop-downs next to CurrentControlSet > Control > Terminal Server > WinStations > RDP-Tcp.
  3. Click on RDP-Tcp. That will open up a list of items in the main window.
  4. Locate the DWORD value named “PortNumber”. Right-click on the PortNumber value and select “Modify…”
  5. This results in a dialog with three fields: Value name, Value data and Base. Change the base to Decimal. In the Value data field, enter a new port number between 1025 and 65535. Make sure that the new remote desktop port number you choose is not already in use by another application or service.
  6. Click OK, then reboot the computer.

This general procedure should change the default RDP port on your Windows machine. But bear in mind that the Windows Registry contains sensitive, system-level data that is not supposed to be altered in most circumstances. Any changes you make could cause instability.

Another important thing to remember is that this only changes the local ports on the current machine. If you have multiple clients using Windows Remote Desktop or other RDP-based software, you will need to make the exact same changes to the default RDP port on those machines as well.

On top of this, you’ll also need to update your Windows firewall rules. This is done by creating a new rule or set of inbound rules that account for the new RDP port. If you’re using Windows Server to provide remote desktop services, these changes to the Windows Registry and Windows Firewall will likely need to be replicated there too. Double check with your software solution provider to determine whether it’s okay to do this without breaking functionality.

The next time the user connects to these RDP-based services using a Remote Desktop client, they will have to manually update the local port. They can do this by adding a colon and the new RDP port number after the machine’s hostname or IP address (e.g., “hostname:1234”) in the connection field.

However, just changing the RDP port number doesn’t mean that the security problem is solved. It isn’t hard for someone with basic technical knowledge to determine the new port number, especially if they gain access to a remote computer.

This method is also insufficient if your organization practices or plans to implement a zero trust policy. Zero trust assumes that every device is potentially compromised, so any open port—even if it’s not the default—is treated like an attack vector. In a zero trust environment, the only acceptable course of action is to lock down vulnerabilities, restrict user access to essential functionality and minimize all exposure of the internal network to remote entities.

Practice zero trust with Cameyo cloud desktops 

Cameyo’s Virtual App Delivery (VAD) platform enables organizations to maintain strict zero trust IT policies while providing their work-from-home (WFH) and hybrid users with effortless cloud desktop access. We’re able to achieve this mix of uncompromising security and incredible ease of use thanks to a suite of innovative technologies and practices. These include:

  • Non-persistent servers: Every time the user logs out, all of their user data is fully wiped from the Cameyo server.
  • Cameyo NoVPN: As a rule, virtual private networks (VPNs) grant users access to the corporate network. Cameyo keeps clients off the corporate network, yet it’s also far easier for users to connect than with a VPN.
  • Secure Cloud Tunneling: With Cameyo, IT can deliver applications to remote & hybrid users outside of the VPN and without opening any ports in their firewall. It’s the best of both worlds: flexibility and security.
  • User segmentation: Cameyo’s virtual app delivery (VAD) isolates sessions and ensures constant separation of resources, so users and their devices never come into contact with networks or data beyond that.
  • No lateral movement: In the event that a user’s device is infected with malware, by design Cameyo prevents that malware from ever reaching your internal network and data. Nor can it reach the Cameyo system.
  • Least privilege: Cameyo delivers all apps via a secure HTML5 browser and encrypts all traffic with HTTPS. Cameyo also leverages Windows Terminal Services and temporary user profiles, so admin privileges, settings and files remain off-limits.
  • Identity and access control: Cameyo integrates with your single sign-on (SSO) provider of choice. Any multi-factor authentication (MFA) you have set up with your SSO carries over to Cameyo.
  • Port Shield: Rather than leaving the RDP port open, Cameyo opens and closes both the HTTP and the RDP ports dynamically in response to authenticated user activity and whitelisted IP addresses.

This is how Cameyo delivers an ultra-secure, user-friendly cloud desktop even as it eliminates the need to tinker with Windows Registry settings and firewall rules.

Better still, Cameyo’s VAD solution is Windows-independent. What this means is that Cameyo doesn’t force users to interact with an entire Windows-based desktop environment or use a Windows-based client to stay productive. They can selectively access the apps they want, and they can do so on any device, regardless of its operating system. That stands in stark contrast to Windows Remote Desktop and other legacy remote desktop access solutions, which are often built around providing a full Windows desktop experience.

If zero-trust security coupled with industry-leading ease of use for your remote workforce sounds like an ideal combo, simply sign up for your free trial of Cameyo’s VAD platform to experience it for yourself. And if you’ve got technical questions about how Cameyo is able to provide greater flexibility while hardening security, all you have to do is request a demo. Our engineers will gladly talk you through the features and practices described above in more detail.

Introducing Cameyo Rapid Recovery – Business Continuity to Keep Your People Protected & Productive During Emergencies https://cameyo.com/cameyo-rapid-recovery-business-continuity/ Wed, 13 Apr 2022 13:00:35 +0000 https://cameyo.com/?p=229564 Rapid Recovery is a new business continuity service that ensures employee productivity with uninterrupted access to apps & data, even during an outage/cyberattack.

The post Introducing Cameyo Rapid Recovery – Business Continuity to Keep Your People Protected & Productive During Emergencies appeared first on Cameyo.

The FBI reports that ransomware attacks increased 62% YoY in 2021, and cyberattacks are only accelerating in 2022 with governments around the world issuing warnings about increased attacks from Russia. In the U.S., President Biden issued a cybersecurity warning and stated that companies carry the “responsibility to strengthen the cybersecurity and resilience of the critical services and technologies on which Americans rely.” The UK’s National Cyber Security Centre (NCSC) issued a similar warning.

Whether it’s due to a cyber-attack or some other disaster, natural or otherwise, an organization whose network is compromised often can’t afford data center outages that result in downtime affecting its business operations. It must have a disaster recovery plan & business continuity plan in place to help ensure its people can continue to access the applications & data they need to do their jobs and keep the business running.

That’s why today we introduced a new business continuity cloud service designed to help organizations keep their networks & data safe and their people productive in case of an emergency and/or ransomware attack. The new Cameyo Rapid Recovery service runs in Google Cloud and provides organizations with a separate, secure cloud desktop environment from Cameyo that they can instantly switch to if their on-premises environment is attacked or disrupted, enabling their employees to maintain access to all their business-critical apps in case of emergency. Paired with Chrome OS Flex – the cloud-first, easy-to-manage, fast, and secure operating system – organizations can install Chrome OS Flex on compromised Windows & Mac devices to quickly recover the devices and experience the benefits of Chrome OS, all while continuing to access their business-critical applications through Cameyo.

Ensuring Business Continuity in Tumultuous Times

The new Cameyo service, running on Google Cloud, provides organizations with an ultra-secure business continuity solution in response to the Department of Homeland Security’s (DHS) recent “Shields Up” advisory, which recommends that “all organizations—regardless of size—adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets.” This means that every organization – from small businesses to Fortune 500s and everything in between – needs the IT infrastructure and recovery solutions in place to ensure high availability, data protection, and automated business continuity.

“In this time of heightened cyber-attack risks, every organization needs both proactive protection as well as an insurance policy in case something does go wrong,” said Andrew Miller, Co-Founder & CEO at Cameyo. “Cameyo Rapid Recovery combines Cameyo’s deep expertise in delivering zero trust cloud desktops with the enhanced security of Chrome OS devices and the scalability of Google Cloud to provide restoration of access for an organization’s people within hours of an attack.”

“Oftentimes insurance policies come with a significant price tag and are infrequently utilized, so it’s refreshing to see two market leaders provide an affordable service designed to give organizations of all sizes peace of mind in these tumultuous times,” said Mark Bowker, Senior Analyst at Enterprise Strategy Group (ESG). “Cameyo and Google are both known for their commitment to zero trust security technologies and principles, so the combination of these offerings is very compelling for any organization looking to protect their operations.”

Bringing Together Best-In-Class Zero Trust Security 

The Cameyo Rapid Recovery business continuity service brings together and leverages the following technologies and cloud computing services and cloud solutions from Cameyo and Google, each of which is committed to delivering best-in-class zero trust security:

  • Cameyo Virtual App Delivery (VAD) – Built with zero trust capabilities at its core, Cameyo’s VAD platform is the most secure way to deliver cloud desktops without the complexity of traditional virtual machines. With Cameyo Rapid Recovery, Cameyo pre-configures an environment in Google Cloud so secure cloud desktops can be provided for an organization’s employees within hours. If an organization’s network or data is compromised, they can continue to give their employees access to all the business-critical apps – including legacy Windows apps, internal apps, and SaaS apps – they need to do their jobs, while maintaining separation from the compromised network. This protects critical data while enabling a real-time, cost-effective way to reduce the business impact of an outage.
  • Chrome OS Flex – Chrome OS Flex is the secure, cloud-first, easy-to-manage, and fast operating system for PCs and Macs. It enables organizations to experience the benefits of Chrome OS on their PCs and Macs, ensuring they boot fast and can be managed from the cloud. After a cyber-attack, this enables organizations to quickly recover potentially compromised Windows and Mac devices by installing Chrome OS Flex, maximizing the life of the existing hardware they already own and refreshing them with a modern, fast, operating system. This reduces e-waste while optimizing older computers’ value alongside Chromebooks when new device purchases aren’t possible. Chrome OS Flex is in early access, and organizations can try it out here.
  • Google Cloud – Google Cloud protects your data, applications, infrastructure, and customers from fraudulent activity, spam, and abuse with the same infrastructure and security services Google uses. Google Cloud’s networking, data storage, and compute services provide data encryption at rest, in transit, and in use. And Google Cloud’s advanced Zero Trust security tools support compliance and data confidentiality.

“When we faced a ransomware attack, our cloud provider recommended Cameyo as both an immediate incident response solution and a simpler, more secure long-term solution for giving all our people access to their business-critical apps from anywhere,” said the VP of Technology & Operations at a large New York-based fashion retailer. “We were able to deploy Cameyo and give all our people access to our ERP system within one day. It’s unfortunate it took an incident like this to get us there, but now that we have Cameyo in place, I can say that this is exactly the cloud-native solution we should have had in place the whole time.”

The Cameyo Rapid Recovery service is available today to all organizations except for those based in Russia, Belarus, Eritrea, North Korea, and Syria. The service costs $300 per organization, per month with an annual commitment. And because the heightened risk of cyberattacks has increased the need for Business Continuity as a Service (BCaaS) solutions in businesses around the world, Cameyo is providing all organizations with the first four months of the Cameyo Rapid Recovery service for free. In the case of an attack, organizations can quickly activate their environment in Cameyo and decide the number of monthly users needed at that time. To get started, organizations can request access here.

Should You Change Your RDP Port? Here’s Why and How to Do It https://cameyo.com/should-you-change-rdp-port/ Tue, 12 Oct 2021 21:31:34 +0000 https://cameyo.com/?p=228176 Ransomware attacks exploiting RDP ports are increasing. We explain how to change your RDP port & harden security for your environment with Cameyo.

The post Should You Change Your RDP Port? Here’s Why and How to Do It appeared first on Cameyo.

Table of Contents:

The basics of the Remote Desktop Protocol (RDP)

A possible fix: Changing the RDP port in Windows

Lock down your RDP ports with Cameyo

Given the exponential rise in ransomware attacks in recent years, organizations are taking security more seriously than ever. At the top of their to-do list is mitigating some of the inherent risk in the Remote Desktop Protocol (RDP). Since 2018, RDP has been the primary vector in half of all ransomware attacks, according to the cybersecurity research firm Palo Alto Networks.

The basics of the Remote Desktop Protocol (RDP)

Before we dive into a potential fix for Remote Desktop Protocol vulnerabilities, it’s important to understand what it is and why it’s used. Otherwise you could risk breaking essential functionality.

RDP is the set of network rules used for communication between Microsoft’s Terminal Server and the Terminal Server Client, which is a widely used means of providing remote desktop functionality to end users.

Whenever you have Remote Desktop Services enabled on any Windows server, it has RDP port number 3389 open by default. That standardization is helpful from a networking perspective, but it also makes that port number very attractive to malicious actors. They know there’s a good chance that 3389 is going to be perpetually open as a listening port, especially among enterprise or distributed organizations, and they’ll try to use it as a way to deliver a ransomware payload or DDoS attack.

So, to eliminate the problem, should you just disable RDP? Well, not exactly. The Remote Desktop Protocol is used by any number of applications that tap into Windows Server, and disabling it would mean losing essential services. It would make about as much sense as removing the engine of your car to make it less attractive to thieves.

A possible fix: Changing the RDP port in Windows

One way to thwart some of the less ambitious hackers and bots is to change the default RDP port number to something other than 3389. This is a good idea for both Windows clients and Windows Server, given that both use the same listening port for Remote Desktop Connection traffic.

Please note that this involves making fundamental system tweaks in the Windows Registry Editor. As a result, it could have knock-on effects for your device- and network-level firewall settings, which means that features related to remote desktop could break. Before starting, be absolutely sure you have a Windows registry backup and enough technical skill to reverse the steps below if that happens.

Bearing that caveat in mind, here are the basic steps to take to change RDP port on a Windows machine.

  1. Double-click on the Windows Start button. Type in “regedit” (don’t worry if there’s not a dedicated text entry field) and then press Enter. This will launch the Registry Editor.
  2. In the Registry Editor, look for HKEY_LOCAL_MACHINE in the navigation sidebar. Navigate to HKEY_LOCAL_MACHINE\SYSTEM by extending the drop-down list. From there, keep extending the drop-downs next to CurrentControlSet > Control > Terminal Server > WinStations > RDP-Tcp.
  3. Click on RDP-Tcp. That will open up a list of items in the main window.
  4. Find the DWORD value named “PortNumber”. Right-click on the PortNumber value and select “Modify…”
  5. You’ll see a dialog with three fields: Value name, Value data and Base. Change the base to Decimal. In the Value data field, enter a new port number between 1025 and 65535. Make sure that the new remote desktop port number you choose is not already in use by another application or service.
  6. Click OK, then reboot the computer.

All being well, you will have now successfully changed the default RDP port on your Windows machine. An important thing to remember is that, with Windows Server, you’ll need to update your Windows firewall rules and also mimic this change across any clients that are still using the default RDP port. If you’ve only made the change on a Windows client machine, you’ll have to manually update the Remote Desktop client the next time you connect. This is done by adding a colon and the new RDP port number after the machine’s hostname or IP address (e.g., “hostname:1234”).
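The six registry steps above, together with the firewall and client notes that follow them (and the identical procedure in the “How to Secure Your Remote Desktop Ports” post earlier in this feed), as a single PowerShell script. This is an added example, not code from the original posts or from Cameyo; it assumes an elevated PowerShell session on the machine being changed, and the `$NewPort` parameter, the backup file location and the firewall rule names are my own choices.

```powershell
# Added example (not from the original post): change the RDP listening port
# and add matching firewall rules in one pass. Run from an elevated PowerShell.
# $NewPort is the port the admin chooses; the page's range of 1025-65535 is enforced.
param(
    [Parameter(Mandatory = $true)]
    [ValidateRange(1025, 65535)]
    [int]$NewPort
)

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Step 5 of the procedure: refuse a port another service already listens on.
$inUse = Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue
if ($inUse) {
    throw "Port $NewPort is already in use by PID $($inUse.OwningProcess -join ', '). Pick another."
}

# Export the current key first so the change can be reversed if remote access breaks
# (the equivalent of the registry backup the post tells you to take before starting).
$oldPort = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
$backup  = Join-Path $env:TEMP "RDP-Tcp-PortNumber-$oldPort.reg"   # assumed location
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' $backup /y | Out-Null
Write-Host "Current RDP port: $oldPort (registry backup written to $backup)"

# Steps 4-5: PortNumber is a REG_DWORD; Set-ItemProperty writes the decimal value.
Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $NewPort -Type DWord

# The built-in "Remote Desktop" firewall rules are pinned to 3389, so add rules for
# the new port. RDP uses TCP for the session and UDP on the same port number for its
# UDP transport; both are restricted here to the Domain and Private profiles.
foreach ($proto in 'TCP', 'UDP') {
    $ruleName = "Remote Desktop - Custom Port $NewPort ($proto-In)"   # assumed name
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol $proto `
            -LocalPort $NewPort -Action Allow -Profile Domain, Private | Out-Null
    }
}

# Step 6: the Remote Desktop service reads PortNumber only at start. A restart does
# the same as the reboot in the manual steps but will drop any active RDP session.
Restart-Service -Name TermService -Force

# Verify the listener moved, then show the hostname:port form clients must now use.
Get-NetTCPConnection -State Listen -LocalPort $NewPort |
    Select-Object LocalAddress, LocalPort, OwningProcess
Write-Host "Clients connect with: mstsc /v:$($env:COMPUTERNAME):$NewPort"
```

Reversing the change is `reg.exe import` of the exported file followed by the same service restart; the added firewall rules can be removed with `Remove-NetFirewallRule -DisplayName`.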

Lock down your RDP port with Cameyo

Rather than trying to dodge RDP security risks with Registry Editor workarounds, why not choose a digital workspace solution that enhances security while facilitating hybrid and remote work?

Cameyo’s virtual app delivery platform is built around a hardened Zero Trust security model, now considered a best practice among enterprise IT departments and cybersecurity experts alike. To that end, Cameyo makes use of multiple innovative technologies that mitigate risk and avoid common attack vectors like RDP port vulnerabilities. Some of these core technologies include:

  • Secure Cloud Tunneling: Enables secure, user-friendly virtual app delivery independent of a VPN (which carries its own risks) and without needing to open any ports in the Windows firewall. You can read a detailed explanation of Cameyo’s Secure Cloud Tunneling here.
  • Port Shield: Provides built-in security that dynamically opens or closes HTTP(S) and RDP ports in response to authenticated users. Even though the RDP listening port remains active, it’s inaccessible to non-authorized traffic—no Windows Registry Editor hacks needed. More info on Cameyo’s Port Shield is available here.
  • NoVPN: Ensures that all data traffic is encrypted and that apps are delivered from a secure HTML5 browser via an HTTPS session. This effectively separates the client device from the corporate network. This Cameyo help center article has more details on NoVPN and how it works.

Technologies like these—not to mention additional ones like non-persistent servers and single sign-on (SSO) support—are what set Cameyo apart from other app virtualization solutions and remote work strategies. In a survey conducted by the research firm TechValidate, 98% of respondents reported that Cameyo’s security beats the competition (TVID: 8A7-240-702) while also being simpler to deploy and manage (TVID: FD6-B62-2F3).

Take advantage of your free trial of Cameyo today and start experiencing the benefits of virtual app delivery. Not only will it free you from having to wrestle with RDP port vulnerabilities, it will also give your remote workforce seamless, anywhere access to business-critical Windows apps, even legacy software (regardless of OS like Windows 7, Windows 10, etc.). You can also schedule a demo to have one of our engineers give you a guided tour of Cameyo and its features.

Mitigating RDP and VPN Vulnerabilities to Reduce Ransomware Attacks https://cameyo.com/secure-cloud-tunneling/ Tue, 24 Aug 2021 12:00:53 +0000 https://cameyo.com/?p=227909 Cameyo intros new Secure Cloud Tunneling capabilities to help orgs deliver ultra-secure access to apps without VPN, helping mitigate ransomware.

The post Mitigating RDP and VPN Vulnerabilities to Reduce Ransomware Attacks appeared first on Cameyo.


In the wake of a long string of ransomware attacks including the Colonial Pipeline, JBS Meatpacking, Kaseya, and Accenture, organizations of all sizes are on high alert when it comes to cybersecurity. 

But in a world where enabling hybrid & remote work is critical due to the pandemic, protecting against ransomware, brute force attacks, and malware has become increasingly difficult. And the primary culprit in these situations is the Remote Desktop Protocol (RDP), which many organizations are using to enable remote access for their employees’ endpoints.

The problem is that existing remote access technologies (Microsoft RDP, Citrix, etc.) were born in an era of implicit trust where users are either all the way in, or all the way out. These technologies require organizations to either open up ports in their firewall to give people access, or to put everything behind a VPN. Both scenarios introduce significant security risks. 

This is why we’ve developed a new technology we call Secure Cloud Tunneling that uniquely solves this problem by enabling organizations to utilize Cameyo for secure application delivery outside of the VPN, without opening any ports in their firewall. Cameyo’s Secure Cloud Tunneling expands upon our native Zero Trust security architecture and provides the most secure access to business-critical applications on any device while reducing the attack surface for any organization with remote & hybrid workers.   

Our goal with Secure Cloud Tunneling is to help bridge the gap between the competing needs of today’s IT and security teams. Today’s IT teams are dealing with constant and rapid change, and they need solutions that enable them to be nimble in dealing with those changes. On the other hand, Security teams need to be even more methodical than ever to ensure that remote & hybrid workers are just as secure from ransomware attacks outside the corporate network as they are inside. 

Secure Cloud Tunneling provides the best of both worlds, giving IT teams the ability to be flexible without requiring any compromises in cybersecurity. Organizations can now securely deliver all of their applications – legacy Windows, internal, and SaaS – to any device without introducing a new attack vector that can be exploited by cybercriminals and threat actors.  

Helping Protect Against the Surge in Ransomware Attacks

Cybersecurity firm Kaspersky reports that from 2019 to 2020 there was a 767% increase in ransomware attacks, while Check Point 2021 Cyber Attack Trends mid-year report shows another 93% increase from those elevated numbers in the first six months of 2021. And research from Palo Alto Networks shows that Remote Desktop Protocol (RDP) has been the primary attack vector in 50% of all ransomware attacks since 2018.

Cameyo’s Approach to Native Zero Trust Security

Here at Cameyo we believe that for a solution to provide true Zero Trust security, Zero Trust must be foundational and systemic. Our platform was designed from day one as a native Zero Trust system where all security capabilities are baked into the core of the platform, never treated as an additional or optional layer.

In addition to the new Secure Cloud Tunneling capabilities announced today and our existing NoVPN and Port Shield technologies, our single Zero Trust security architecture includes:

  • Device Access Control – Cameyo never trusts any device (even managed devices) because those devices can be compromised. Cameyo gives users secure access to the apps they need to be productive while providing complete isolation between devices and their organization’s network/data. 
  • Segmentation – Even once users are in a session, Cameyo segments that session from customers’ networks and data to ensure ongoing separation. 
  • Prevention of Lateral Movement – Even in the case where a device has ransomware or malware, that malware cannot reach the customer organization’s network/data, nor can malware on their systems reach the Cameyo system. 
  • Always-On Monitoring & Validation – Cameyo utilizes non-persistent servers, so all customer user data is wiped from the Cameyo server every time the user logs out. 
  • Least Privilege – With Cameyo all traffic is encrypted and apps are delivered from a secure HTML5 browser, separating the user’s device from the corporate network and eliminating the need for VPNs. Cameyo also utilizes Windows Terminal Services and temporary user profiles, ensuring users are unable to access admin privileges, settings, and files.
  • Identity & Access Management – Cameyo integrates with the customer’s Single Sign-On (SSO) provider of choice, and the Multi-Factor Authentication (MFA) they have set up with their SSO applies to Cameyo.

Whether you’re concerned about cybercrime involving phishing, backdoors, antivirus/malware issues, RDP attacks, brute force attacks, preventing data breaches or likely all of the above, it’s clear that hybrid work requires a complete revamp of how we think about and approach security. With the shortcomings of past and current solutions in mind, here are some things to consider going forward: 

  • Limit your attack surface: The more moving parts a solution has, the more potential points of exploitation it offers to rogue actors. Organizations, regardless of their size or sophistication, need solutions that eliminate the need for additional gateways and appliances that can inadvertently become security risks.
  • Control your ports: Many remote technologies leave RDP ports open by default, which leaves your network vulnerable to brute force attacks. Your remote and hybrid work solutions should help lock down your ports by design, not haphazardly leave them open.
  • Eliminate VPNs: VPNs simply create a secure tunnel between a user’s device and the corporate network. That model is based on implicit trust of the user. But if that user is on a personal device that’s riddled with malware, VPNs become a liability as they enable the user’s infected machine to access your corporate network and data.
  • Keep it clean: When your remote and hybrid employees are using remote technologies to access their apps and files, their user data must be deleted from the server every time they log out. That way, in the unlikely event that the secure browser is compromised, the hacker only has fleeting access to the user’s session.

To learn more or to see for yourself how Cameyo can help you meet your Zero Trust security goals while enabling ultra-secure remote & hybrid work, schedule a demo or get started with a free trial.

ISO 27001 Certification

In addition to today’s product news, we’re also announcing that we’ve achieved ISO 27001 Certification, the world’s most prestigious Information Security Management System (ISMS) certification. Cameyo’s ISO Certification was achieved after an extensive third-party audit and evaluation of our platform confirmed that Cameyo meets the highest standards when it comes to establishing, implementing, maintaining, and improving its information security at all levels. Maintaining ISO 27001 certification requires an ongoing audit cycle that will ensure Cameyo’s Information Security Management System continues to meet the highest standards.

Learn more and check out the full announcement here.

Ransomware and Hybrid Work, by the Numbers (Part 2)
https://cameyo.com/ransomware-and-hybrid-work-by-the-numbers-part-2/, published Thu, 12 Aug 2021 21:36:17 +0000
Ransomware is a rapidly increasing threat to hybrid work. Cameyo helps you lock down RDP vulnerabilities, enabling secure productivity for your people.

If you happened to catch our previous post on ransomware stats, you might have thought that it captured all there was to say on the subject. Unfortunately, ransomware is a pervasive threat that shows no sign of going away. In fact, it’s only getting worse, and that worrying growth is being fueled by the widespread transition to hybrid workplace models.

For this follow-up post, we wanted to start by diving a little deeper into some of the trends and attitudes that were revealed in Tessian’s information-rich “Back to Work: Security Behaviors Report.” We’ll then look at a few additional stats and research findings that highlight the role of RDP in remote work and ransomware attacks.

  1. More than a quarter of employees don’t want to inform IT that they made a security mistake. The survey that Tessian conducted for its research found that 27% of workers made a cybersecurity mistake while working from home. What’s more concerning is that they didn’t tell anyone they had potentially compromised company security—some out of fear of being disciplined or having to sit through more security training. This suggests that there are potentially many undetected and unreported security breaches that fly under IT’s radar.
  2. 69% of IT leaders say that ransomware endangers the hybrid workplace. Guarding against ransomware attacks is not a fringe concern. Nearly seven out of every ten IT leaders were of the opinion that ransomware in particular poses a growing threat in hybrid work environments. One in four were in strong agreement with that assessment. Of the industries represented, the legal sector was the most concerned about ransomware (83%), with technology (82%) and healthcare (77%) not far behind.
  3. Over half of 16- to 24-year-olds said they’ve cut corners when it comes to security. Among some organizations, there’s a sense that their tech-savvy younger employees will uphold the strict security practices that frustrate their tech-averse senior counterparts. That’s not necessarily true. Tessian found that 51% of employees aged 16–24 and 46% of those aged 25–34 admitted to using security workarounds while working remotely. Those figures were halved (or more) among the 45–55 and 55+ demographics.
  4. Nine out of ten organizations will adopt a hybrid model going forward. A McKinsey survey found that 90% of organizations said they’d be shifting to a mix of remote and on-site work—that is, a hybrid work model—in the wake of the COVID-19 pandemic. At the same time, McKinsey has also said that the shift to hybrid environments will be messier than most companies realize. Opportunistic hackers are already actively exploiting the resulting gaps in security, not least through ransomware attacks.
  5. RDP was the initial attack vector in 50% of ransomware deployment cases. The remote desktop protocol (RDP) is a pivotal technology in allowing remote employees to access business-critical applications. The problem is that RDP ports tend to remain exposed to the Internet, which gives hackers a fairly wide and rewarding target. At the height of the pandemic in December 2020, Palo Alto Networks’ Unit 42 found that poor RDP security accounted for half of ransomware deployment vectors.
  6. Security-focused search engine Shodan found 4 million exposed RDP ports. One article has noted that Shodan, a search engine designed to find Internet-connected devices, identified over 4 million exposed RDP ports plus at least 14,000 Windows RDP servers that are reachable via the Internet. That creates a veritable buffet for malicious actors. However, the article’s recommendation that virtual desktop solutions will solve RDP issues overlooks the fact that virtual desktops aren’t always the right tool for supporting a hybrid workforce.
  7. Cybersecurity startups have already brought in $12.2 billion this year. With many organizations understandably nervous about ransomware and what hybrid work will mean for their security practices, enterprising cybersecurity firms have capitalized on this niche to the tune of over $12 billion. That’s more than double what the industry raised throughout 2016. However, when the underlying risks for ransomware attacks are phishing e-mails or RDP vulnerabilities, hiring a big-ticket cybersecurity company could be overkill for the problem at hand.

The cost-effective way to empower hybrid workers and protect against RDP vulnerabilities

The available data clearly show that:

  • ransomware is on the rise in hybrid workplaces
  • organizations are set on adopting hybrid working environments
  • remote employees aren’t always diligent or forthright about their security practices
  • vigilance is essential, especially when it comes to RDP vulnerabilities, and
  • there’s no shortage of cybersecurity solution providers who want to offer their (expensive) services.

So, what’s an organization to do?

Cameyo’s virtual app delivery allows organizations to provide their remote workers with the apps they need to stay productive—simply, securely and cost-effectively. Via Cameyo’s secure HTML5 browser session, users can seamlessly access their business-critical software with native performance from any device, anywhere in the world.

The best part is that this flexibility also comes with tighter security built in at the core. Cameyo NoVPN encrypts all data traffic while keeping the user’s device separate from the corporate network. This avoids both the inherent security risk of VPNs as well as the complexity that encourages users to find workarounds. Meanwhile, Cameyo Port Shield opens and closes RDP ports—dynamically and automatically—only for authenticated users (with re-authentication required each time).

In addition, Cameyo’s virtual app delivery platform implements best practices by aggressively clearing non-persistent data. When a user’s session is over, the temporary data is wiped from the server, which prevents hackers from being able to exploit it.

Take advantage of our free trial of Cameyo (no credit card required) and see how you can avoid ransomware attacks while giving remote users instant, effortless access to the right software. If you’d prefer, you can also schedule a demo of our virtual app delivery platform. With Cameyo, you’ll discover that a productive hybrid workplace and a strict Zero Trust security model aren’t mutually exclusive. 

Protecting Against Ransomware in the Digital Workspace
https://cameyo.com/protecting-against-ransomware-in-the-digital-workspace/, published Thu, 05 Aug 2021 22:41:54 +0000

The following is a post Cameyo contributed as part of the Digital Workspace Ecosystem Alliance (DWEA). The DWEA is committed to producing and sharing vendor-neutral content to help organizations better navigate the digital workspace landscape. You can learn more about the DWEA here.

Ransomware is a sinister threat to your data and business-critical systems, and one that has been increasingly targeting remote & hybrid workers since the beginning of the pandemic.  The threat landscape is growing and as we’ve seen with major attacks across multiple industries and sectors recently – from the Colonial Pipeline, to JBS Meatpacking, to Kaseya – no business is immune to a ransomware attack. 

Remote access systems and protocols have long been a favorite target of cybercriminals using ransomware.  And as most organizations have heavily pivoted to remote access solutions since the onset of the pandemic, the attack surface of the newly evolving digital workspace is growing larger.  

In this post we’ll discuss the threats that exist within the digital workspace and how organizations can protect themselves.

Ransomware attacks are increasing

Already this year, large-scale ransomware attacks have made major news headlines.  On May 7th, 2021, Colonial Pipeline was targeted with a ransomware attack from a criminal hacker group known as “Dark Side.” The attack took down critical systems and infrastructure.  The fallout from the ransomware attack resulted in the shutdown of 5500 miles of pipeline, effectively eliminating half of the fuel to the United States East Coast.  The shutdown led to panic buying and fuel shortages for days.  

Cyberattacks are increasingly featuring ransomware. Group-IB, a cybersecurity provider, noted that the number of ransomware attacks was up by 150% in 2020, accompanied by a 200% increase in the extortion amount. According to Cybersecurity Ventures, ransomware will attack a business every 11 seconds by the end of 2021, and the costs of ransomware attacks are projected to reach $20 billion. These figures represent a 57X increase since 2015, which shows just how effective and successful ransomware attacks have become.

More figures showing the escalating nature of ransomware:

Remote connectivity to the digital workspace – a gateway for ransomware

Experts agree that remote connectivity to corporate resources, born from the unique productivity needs of the pandemic, has created the perfect storm for ransomware.  John Hammond, a cybersecurity researcher at the security firm Huntress, put it this way:

“When you are working from home, you are not behind the castle walls anymore.  You are working with your own devices, away from the safe perimeter of corporate networks.”

IT and network teams have been forced to open network connectivity in ways that would not have been allowed before the shift to a distributed workforce. That opening meets the growing demand from remote workers for flexible ways to reach corporate networks and internal resources. In addition, many more users now have access to VPN clients, RDP connections, and other remote connectivity than before.

Key statistics to note:

  • 1 in 4 Americans will be working remotely in 2021
  • 36.2 million Americans will be working remotely by 2025
  • These statistics represent an 87% increase from pre-pandemic levels

Each new network “exception” that may be allowed to remote workers opens a hole in the organization’s armor. It can make it much easier for hackers to enter the internal network and compromise business-critical data.  In addition to the sheer number of network allowances made this past year, the types of remote technologies used to access the digital workspace are often legacy and antiquated. This leads to additional cybersecurity risks. 

Traditional remote access technology security risks

What counts as a legacy remote access technology at this point? For decades, organizations have used technologies such as Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) connections to reach internal corporate resources. While these have worked well in the past, they were never designed to scale to a situation where most people work remotely, and they introduce significant security challenges.

Remote Desktop Protocol (RDP) has been notorious for security vulnerabilities that have led to widespread ransomware infections. A recent analysis of three popular Remote Desktop clients found more than 25 vulnerabilities across them, 16 of which were classified as major.

Time and again, Microsoft has announced vulnerabilities found in RDP, leading to a scramble to patch affected Windows Servers and desktop operating systems. In May 2020, Microsoft announced another vulnerability, CVE-2019-0708, dubbed BlueKeep. Hackers can also use the leaked NSA tool called EternalBlue, which uses the BlueKeep exploit to unleash a wormable attack resembling NotPetya on a global scale.

Aside from the vulnerabilities and zero-day exploits found in RDP itself, an RDP endpoint placed on the public Internet is highly exposed to brute force attacks. Hackers, bots, zombie machines, and other malicious traffic on the Internet will readily guess passwords against an exposed RDP endpoint until they find an account that lets them in. A compromised user account plus an exposed RDP server lets an attacker walk right in the “front door” of your digital workspace, potentially with a high-privilege account that can reach sensitive resources.
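As an added example, not code from the original post or from Cameyo, here is the kind of detection logic a defender can run over Windows Security log records to spot the brute-force pattern described above: many failed RDP logons (Event ID 4625, LogonType 10) from one source in a short window, especially when a successful logon (4624) from that source follows. The record field names, addresses and sample events are constructed.

```python
"""Flag password-guessing bursts against an RDP endpoint in Windows Security
log records.

Added example; not code from the original post or from Cameyo. It assumes
the events were exported to dicts with the fields that Event ID 4625 (logon
failed) and 4624 (logon succeeded) carry; LogonType 10 (RemoteInteractive)
marks a logon made over RDP. The records and addresses are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10  # RemoteInteractive


def ev(time, event_id, user, src_ip, logon_type=RDP_LOGON_TYPE):
    """Build one constructed log record (dict keys are assumed, not Windows' own)."""
    return {"time": time, "id": event_id, "logon_type": logon_type,
            "user": user, "src_ip": src_ip}


SAMPLE_EVENTS = [  # constructed
    # one source tries five account names in ten seconds, then gets in
    ev("2021-08-01T02:00:01", 4625, "administrator", "198.51.100.23"),
    ev("2021-08-01T02:00:02", 4625, "admin", "198.51.100.23"),
    ev("2021-08-01T02:00:04", 4625, "backup", "198.51.100.23"),
    ev("2021-08-01T02:00:05", 4625, "jsmith", "198.51.100.23"),
    ev("2021-08-01T02:00:07", 4625, "test", "198.51.100.23"),
    ev("2021-08-01T02:00:09", 4625, "jsmith", "198.51.100.23"),
    ev("2021-08-01T02:00:15", 4624, "jsmith", "198.51.100.23"),
    # a legitimate user mistypes a password twice, then succeeds
    ev("2021-08-01T09:12:10", 4625, "alice", "203.0.113.7"),
    ev("2021-08-01T09:12:25", 4625, "alice", "203.0.113.7"),
    ev("2021-08-01T09:12:40", 4624, "alice", "203.0.113.7"),
    # a console logon failure (LogonType 2) is not an RDP event and is ignored
    ev("2021-08-01T09:30:00", 4625, "bob", "-", logon_type=2),
]


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: finding} for every source with at least `threshold`
    failed RDP logons inside some sliding `window`.

    A finding holds the peak burst size, the distinct account names tried
    (many names from one source is the password-spraying pattern) and
    whether a successful RDP logon from the same source followed the burst,
    which turns a noisy alert into an incident.
    """
    by_src = defaultdict(list)  # src_ip -> [(time, user, event_id)]
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE or e["id"] not in (4624, 4625):
            continue
        by_src[e["src_ip"]].append(
            (datetime.fromisoformat(e["time"]), e["user"], e["id"]))

    findings = {}
    for src, recs in by_src.items():
        recs.sort()
        fails = [(t, u) for t, u, eid in recs if eid == 4625]
        start = 0
        for end in range(len(fails)):
            # advance the left edge until the burst fits inside the window
            while fails[end][0] - fails[start][0] > window:
                start += 1
            size = end - start + 1
            if size < threshold or size <= findings.get(src, {}).get("failures", 0):
                continue
            burst_start = fails[start][0]
            findings[src] = {
                "failures": size,
                "users": sorted({u for _, u in fails[start:end + 1]}),
                "success_after_burst": any(
                    eid == 4624 and t >= burst_start for t, _, eid in recs),
            }
    return findings


if __name__ == "__main__":
    for src, finding in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(src, finding)
```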

Microsoft never intended RDP endpoints to be exposed directly at the network perimeter. However, that is the easiest way for a business to stand up remote connectivity for end-users, especially under the time pressure seen in the early stages of the pandemic. To engineer the RDP environment properly, organizations should use a Remote Desktop Gateway server, which tunnels RDP traffic over HTTPS connections instead. Insecure RDP connections leave an organization more vulnerable to ransomware attacks.

The traditional Virtual Private Network (VPN) connection can also increase risks for a ransomware attack.  Like RDP, VPN connections can be misconfigured, use weak passwords, and lack two-factor authentication, which can easily lead to compromised credentials allowing an attacker to make unauthorized connections to internal resources.

VPN connections also allow a potentially insecure end-user machine to become part of the corporate network, exposing all other corporate network resources to any malicious software that may have infected the end-user client. Thus, VPN connections are logically like taking a long patch cable and extending the patch cable to the end-user client.  

The patch cable makes the client part of the corporate network. There are ways to restrict VPN connectivity to limit which resources a client can connect to, but that configuration is yet another place where misconfiguration or neglect can creep in. VPN credentials are also a weak link in the overall security of remote access technology.

Suppose the password of a user account that has been granted VPN access to the corporate network is compromised. In that case, an attacker essentially “becomes” that user and can connect through the VPN tunnel. As a case in point for the danger of compromised credentials with remote access technologies, the Colonial Pipeline hack has since been attributed to a leaked VPN account password.

According to Charles Carmakal, senior vice president at the cybersecurity firm Mandiant:

“Hackers gained entry into the networks of Colonial Pipeline Co. on April 29 through a virtual private network account, which allowed employees to remotely access the company’s computer network….”

The account, used by a former employee, was part of a list of breached passwords found on the dark web.  The VPN account also did not use multifactor authentication, making it even more vulnerable.  It shows just how fragile and insecure remote access solutions can be if these are not appropriately secured.

Protecting your digital workspace from ransomware

With the significant ransomware threats to your business and the demand for hybrid connectivity at an all-time high, how can you protect your digital workspace? Let’s focus on the following five areas:

  • Evaluate your current remote access technology
  • Implement two-factor authentication
  • Leverage virtual app delivery
  • Implement breached password protection
  • Adopt a zero-trust environment

Evaluate your current remote access technology and access

As mentioned earlier, some organizations may be relying on remote access solutions that have been around for a decade or longer. Therefore, it would be wise to evaluate your current remote access technologies and how end-users are accessing digital workspace resources today.  Are there multiple technologies that allow users to gain access to the internal corporate network?  Is remote access for end-users overprovisioned?  Do users have access to full desktop environments when they only need access to a few applications?

You should audit which users have access to current remote access solutions and evaluate if access needs to be removed for any users who no longer need it.  In the Colonial Pipeline ransomware attack, a former employee’s account was still active with a breached password.  This stale account was used for unauthorized login via VPN.  With proper auditing, stale accounts should be removed regularly to reduce the attack surface.
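One way to run the audit just described, as an added example that is not the post’s or Cameyo’s own code: it reads a constructed CSV export of directory accounts (column and group names are hypothetical) and flags every enabled account holding a remote-access entitlement that has not logged on in 90 days or is not enrolled in MFA, the two weaknesses of the Colonial Pipeline VPN account.

```python
"""Audit remote-access entitlements for stale accounts and accounts without MFA.

Added example; not code from the original post or from Cameyo. It assumes
the directory has been exported to CSV with the columns below (any identity
source can produce such an export); group and account names are
hypothetical and the rows are constructed.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed export: one row per account. `last_logon` is the most recent
# successful logon from any source; `groups` is a ';'-separated list.
EXPORT_CSV = """\
account,enabled,last_logon,mfa_enrolled,groups
jsmith,True,2021-08-02,True,Domain Users;VPN-Users
contractor01,True,2021-02-11,False,Domain Users;VPN-Users;RDP-Users
alice,True,2021-08-01,True,Domain Users
oldadmin,True,2020-12-20,False,Domain Admins;RDP-Users
svc-backup,False,2020-06-01,False,VPN-Users
"""

# Hypothetical group names that grant a path into the internal network.
REMOTE_ACCESS_GROUPS = {"VPN-Users", "RDP-Users"}
PRIVILEGED_GROUPS = {"Domain Admins"}


def audit_remote_access(csv_text, as_of_iso, stale_days=90):
    """Return one finding per enabled account that holds remote access and
    is either stale (no logon within `stale_days`) or not enrolled in MFA.

    Disabled accounts and accounts with no remote-access group are skipped:
    they offer no remote path in, so they are out of scope for this audit.
    Privileged accounts are listed first because they are the worst case.
    """
    as_of = datetime.fromisoformat(as_of_iso)
    stale_after = timedelta(days=stale_days)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        groups = set(row["groups"].split(";"))
        remote = groups & REMOTE_ACCESS_GROUPS
        if row["enabled"] != "True" or not remote:
            continue
        reasons = []
        idle = as_of - datetime.fromisoformat(row["last_logon"])
        if idle > stale_after:
            reasons.append(f"no logon for {idle.days} days")
        if row["mfa_enrolled"] != "True":
            reasons.append("MFA not enrolled")
        if reasons:
            findings.append({
                "account": row["account"],
                "remote_access": sorted(remote),
                "privileged": bool(groups & PRIVILEGED_GROUPS),
                "reasons": reasons,
            })
    findings.sort(key=lambda f: (not f["privileged"], f["account"]))
    return findings


if __name__ == "__main__":
    for finding in audit_remote_access(EXPORT_CSV, "2021-08-05"):
        print(finding)
```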

If your business uses legacy or improperly configured remote access solutions such as an RDP server exposed to the perimeter or unrestricted VPN connectivity, now is the time to reevaluate remote access strategies and technologies for end-users to access digital workspace platforms.

Implement two-factor authentication

Cybercriminals are feverishly attempting to compromise credentials in your organization, as the volume of phishing attacks targeting most businesses shows. Valid credentials, once compromised, provide an easy way into your network. Again, using the Colonial Pipeline ransomware attack as an example, all it took was a set of compromised VPN credentials to take down a massive pipeline operation, shutting down 5500 miles of infrastructure.

The user account was not secured with multifactor authentication (MFA). With MFA, even if attackers obtain a valid username and password, they still do not hold everything needed to authenticate. While MFA is not the be-all and end-all of credential security, implementing it across the board, for both on-premises and cloud resources, significantly bolsters any organization’s cybersecurity.

Leverage virtual app delivery

As businesses evaluate current remote access technologies and access, it can become apparent that some users with access to full virtual desktops may only need access to applications instead.  Often, only power users need full virtual desktop sessions made available remotely.  Using virtual application delivery instead of full desktop sessions drastically reduces the attack surface.  Additionally, businesses may no longer need to allow VPN connections to the internal network with virtual application delivery. The application is made available to a user instead of opening the entire network to run a few applications. Thus, it serves as a much more efficient and secure approach.

Pivoting from full desktops to virtual application delivery can also have a cascade effect on security.  Many businesses find they need fewer resources and infrastructure when delivering applications instead of full desktops. As a result, the attack surface is significantly reduced when an organization has fewer resources to maintain, patch, and secure.

Implement breached password protection

As is highlighted in the Colonial Pipeline attack, breached passwords can come back to haunt an organization, especially if credentials make it to the dark web and into the hands of cybercriminals. Unfortunately, most identity and access management solutions in the enterprise today (Microsoft Active Directory as an example) do not provide native breached password protection.  

For the most part, outside of open source solutions, businesses must look to third-party solutions to introduce these capabilities into the environment.  These third-party solutions generally implement large breached password databases and scan your environment to ensure users are not using breached passwords.  Breached password protection can significantly increase account and password security when used in tandem with multifactor authentication.
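How a privacy-preserving breached-password check works, as an added example that is not part of the original post or of Cameyo’s product: the client hashes the candidate password locally and sends only a 5-character SHA-1 prefix (the k-anonymity range lookup popularised by the Have I Been Pwned API), then matches the remainder against the returned suffixes. The breach corpus, counts and policy thresholds below are constructed stand-ins.

```python
"""Breached-password check with a k-anonymity range lookup.

Added example; not code from the original post or from Cameyo. The corpus
below is a constructed stand-in for the multi-million-entry breached
password databases the post refers to; real deployments query a service or
a locally mirrored hash list, but the check itself works the same way.
"""
import hashlib
from collections import defaultdict

# Constructed stand-in corpus: password -> number of breaches it appeared in.
BREACHED_CORPUS = {
    "password": 3861493,
    "password123": 123456,
    "P@ssw0rd2021!": 5310,
    "Summer2021!": 412,
    "letmein": 2001,
    "Welcome1": 9870,
}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Index the corpus by the first 5 hex characters of each SHA-1 hash.

    This is the server side of a range lookup: the client only ever sends
    the 5-character prefix, so the server cannot learn which password (or
    even which full hash) the client is checking.
    """
    index = defaultdict(dict)
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index[digest[:5]][digest[5:]] = count
    return index


def range_query(index, prefix):
    """Return every (suffix, count) under `prefix`; a full hash never crosses."""
    return dict(index.get(prefix, {}))


def breach_count(password, index):
    """Client side: hash locally, fetch the prefix bucket, match the suffix
    locally. Returns how many times the password was seen in breaches
    (0 means not found in the corpus)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return range_query(index, prefix).get(suffix, 0)


def password_change_allowed(password, index, min_length=12):
    """Policy a password-change hook would apply: reject short passwords and
    anything present in the breach corpus, however long or complex it looks."""
    if len(password) < min_length:
        return False, "too short"
    if breach_count(password, index):
        return False, "found in breach corpus"
    return True, "ok"


if __name__ == "__main__":
    idx = build_range_index(BREACHED_CORPUS)
    for candidate in ("password123", "P@ssw0rd2021!", "quiet-otter-ladder-94"):
        print(candidate, breach_count(candidate, idx),
              password_change_allowed(candidate, idx))
```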

Adopt a zero-trust environment

In the traditional networking model, internal networks were considered secure and “trusted.” However, with the ransomware threats posed to businesses today, this model is no longer a safe way to operate your network. Indeed, hackers count on companies operating with the mindset of a “trusted” LAN. Unfortunately, cybercriminals have been all too successful in using phishing, malicious websites, and malicious emails to infiltrate the internal network. Once there, they have free rein over the “trusted” network, as there are generally little to no security boundaries in place.

Modern and secure network topologies view everything as untrusted and potentially malicious, including the internal network.  Additionally, even with services placed in the DMZ or edge network, look for solutions that segment and separate devices from the network to prevent access to your data, prevent lateral movement, and wipe user data after every session. Finally, a zero-trust model, based on identity, prevents the age-old problem of having RDP servers continually open from the Internet and subject to nonstop brute force attacks and password spraying.  

Wrapping Up

Ransomware is arguably the greatest of all modern cybersecurity threats to your business-critical data. And with the accelerated evolution of and migration to remote and hybrid work technologies brought about by the pandemic in 2020, remote connectivity and access to digital resources are critically important.

With this tremendous shift to “open” connectivity and access from anywhere and any device, cybersecurity in the digital workspace must be a focal point now more than ever.  But, unfortunately, hackers are using the new doorways into environments to launch massive and relentless ransomware attacks worldwide.  Choosing intelligent, effective, and secure remote access technologies and evaluating the tools and security measures in place will allow businesses to embrace the digital workspace with confidence.      
