The National Security Council is urging small businesses to take “critical steps” to protect their organizations’ cybersecurity. Ransomware is on the rise. Remote networking in the work from home climate is also opening the door to serious compromises. Calyptix Security’s latest Genius Brief webinar addressed drawbacks to remote network access and emphasized the importance of implementing a data-centric security model with Zero Trust Network Access.
“The threats are serious and they are increasing,” warned Anne Neuberger, cybersecurity adviser at the National Security Council. The list of attack vectors is longer than even the most intimidating “honey do” list.
Businesses of any size are at risk:
- Bad actors impersonate users or systems to fool the target system
- Attackers capture, guess, or use brute force to gain authentication credentials
- Remote devices can be attacked and compromised to access protected systems
- Communications are listened to, interrupted, or jammed by third parties anywhere along the communication chain
- Target systems can be impersonated to phish users’ credentials
- Remote access breaches often result in ransomware incidents
- Denial-of-service attacks can interrupt system authentication or availability
Yet even with the growing threats, remote network access remains critical to business success. Remote desktop protocol (RDP) is a popular option for its convenience. But, RDP direct access sacrifices security.
Installing a virtual private network (VPN) is more challenging, but it does improve the security posture for RDP access. Still, installing a VPN on a home-owned computer and attaching it remotely to the company network can create significant configuration and bandwidth challenges. This approach may be a non-starter in security conscious organizations. Unmanaged and unmaintained devices in the wild scare security professionals.
Our Gatekeeper is an identity-based network access solution accessible over the web that provides small business a very secure method for remote network access, especially when combined with RDP. But first, let’s look more in depth at the security concerns with direct RDP or RDP over a VPN.
Remote Network Access is at Risk
“The cost of suffering an attack has skyrocketed,” according to a recently released ConnectWise survey.The research found “32% of SMBs have suffered a cybersecurity attack in the past 12 months, an increase from 25% who reported the same in 2020, with the financial repercussions of an attack, averaging $104,296, almost double the figure reported in 2019 ($53,987).”
The rise of remote work is contributing “to the increasing threat landscape,” ConnectWise reported. In fact, “75% of decision makers agree that their organization is less secure due to the added complexity of a remote workforce.”
They are not wrong. In Q1 of 2021, as much as 75% of SMB Ransomware incidents resulted from vulnerabilities and compromise of remote access tools, according to Coveware’s Quarterly Ransomware Report.
Part of the problem is in the perspective of cybersecurity. Many small businesses continue to focus on a network-centric security approach. They look to protect the pieces around the asset (e.g. the data) not the asset itself:
- Access Points
But, industry experts agree that the data-centric security model is safer. The National Cybersecurity Center of Excellence (NCCoE), recognizes “As part of a zero trust approach, data-centric security management aims to enhance protection of information (data) regardless where the data resides or who it is shared with.” Protecting and shielding the data itself requires data discovery and classification, designing data protection measures beginning with secure identity and access management controls and instilling good data governance.
Don’t have your data discovered and classified yet? Calyptix Senior Developer Aaron Bieber recommends you default to the highest level of data security until you do. After all, protecting all data as if it is the crown jewels is a lot safer than leaving it exposed to the public like a bowl of mints by the door.
Weighing Options for Remote Network Access
Implementing a data-centric security model requires careful consideration of the interests of users, the challenges of the administrators, and data security and privacy requirements. Yes, data has needs too! And it’s best to lead with the needs of the data.
Consider the direct RDP approach. Well, really we would rather you not. However, if you insist, here’s the cold hard truth. Direct RDP promotes convenience at the cost of security.
Direct RDP is free from Microsoft and easy for users and administrators. There’s no system overhead, client software installation or maintenance. You might also get some device and data control at the user level with RDP options and group policy. Yet the security of your data is highly suspect. Direct RDP will most likely be:
- Exposing systems directly to the Internet permitting unauthorized access by stolen credentials, pre-authentication vulnerabilities, and brute force or zero-day attacks.
- Missing secure authentication (two-factor or multi-factor, 2FA or MFA)
- Challenging for good governance and compliance
Still not convinced? Remote network access by direct RDP is ill-advised by the FBI, DHS and NSA.
The RDP over VPN Alternative
RDP over VPN is a better option, but it’s not without issues. On the positive side, you’re now shielding the destination RDP machine from the Internet. However, your administrators need to install, configure and maintain the challenging VPN software. Then, users are frequently frustrated by blocked Internet access (e.g. public WiFi) as well as bandwidth and software overhead issues.
From the data security perspective, remote network access via VPN relies too much on implicit trust. The Colonial Pipeline breach earlier this year exemplifies the risk. Once a bad actor connects to the network via VPN, they may enjoy unfettered access in the absence of adequate networking configurations (often complicated and seldom reviewed). It appears adequately segmenting network access via VPN could have helped Colonial. Once the hackers got in, they could see enough to compromise $4.4 million worth of data.
Integrating third-party systems or using certificate-based VPN clients enhances authentication with 2FA. Yet VPNs introduce two major considerations. First, you trade Microsoft RDP system vulnerabilities for VPN software provider vulnerabilities. VPN vulnerabilities cause increasing uncertainly, administrative maintenance and security exposure (as illustrated by SonicWall, Fortinet and Pulse Secure incidents). Second, you likely allowed remote devices in the wild to connect to your business network. Those devices, even if technically under management, likely have unpatched vulnerabilities and local users with elevated administrator privileges or risky web surfing usage. As for governance, it’s hard to find a place to start, just more challenges. Complexity is the mother of insecurity.
There are many more remote access options, including VNC, SSH, RMM tools, Team Viewer and Anydesk. The cloud-based options are really scary. Persistent cloud connections leave the door wide open for bad actors. “It’s like throwing the keys to the castle into the moat,” Bieber said. This vulnerability has been exploited in the past (e.g. Ubiquiti) and will be again in the future.
So what is a SMB to DO?
Eliminate what Gartner describes as “excessive implicit trust” and replace it with “explicit identity-based trust.”
OK, but how does that work? Zero Trust Network Access (ZTNA) is adaptive, identity-aware access that embodies the data-centric model.
The growing demand for remote networking has accelerated adoption of the ZTNA approach. Avoiding exposure of internal systems and applications directly to the Internet reduces risk of attack.
Gatekeeper, a feature of Calyptix’s AccessEnforcer, lets you tighten up data access. The solution starts with identity validation (e.g. via active directory) to first control who is accessing what. Then, Gatekeeper provides enhanced authentication by requiring a one-time verification code from an 2FA authentication app (e.g. Google Authenticator, Authy, etc.). Even then, access is segmented at the network level. The user can only see and access what the administrator allows them to see when they connect to the system. RDP access via Gatekeeper restores the user and administrator convenience of RDP with enhanced security of zero trust network access.
This approach offers protection without adding layers of complexity. Gatekeeper delivers secure network authentication, limits risks of publicly exposed vulnerabilities, and offers least privileges control, micro-segmentation, and transparent governance and audits. When combined with the data and device controls afforded by RDP options and group policy, data-centric security is easily attainable for SMB organizations operating with limited budgets and cybersecurity expertise.
The FBI, the NSA, and the DHS have all warned about the risks of RDP. A small business can’t afford to ignore these cautions. Nor can the managed service provider that is responsible for maintaining integrity in customers’ networks. Learn more about securing remote network access today!