In 2020, all businesses recorded a troubling increase in attacks on work-from-home employees. Security firms note that criminals made more than 29 billion attacks on people using remote desktop during the year, a 768% increase over 2019.
This number should worry all businesses, particularly those that let workers use office computers from home. Firstly, the practice of allowing remote computers to connect to an office network is inherently risky. Secondly, and most importantly, home networks are less secure than business networks. Thirdly, if a work-from-home employee fails to follow good security practices, they could multiply the risks to your network. And the risk is huge!
Why protecting employees working remotely is so important for you
Last year, Trend Micro recorded 10.5 billion malicious attempts to connect to devices that used remote connections. About half of those incidents were on IoT (Internet of Things) devices, which could potentially be attempts to intrude into home networks.
Moreover, Interpol also recorded an increase in the use of malware that harvests data from victims. This includes RATs, spyware, info stealers and banking trojans. A similar spike was observed in ransomware attacks, which cost businesses over $1 billion in financial losses last year.
To sum it up, cybercriminals can destroy your business if they succeed in hacking into your networks. For this purpose, criminals resort to many techniques, including phishing, social engineering, and brute-force attacks on computers.
In 2020, the most common method used by the criminals was to attack work-from-home employees. Here’s how such attacks work: first, the attackers try to compromise the victim’s computer. They do so by attacking the remote connection between the target and the business network. Once the attack succeeds, the hackers take control of the other devices on the network as well; after that, they install malware on the network. Criminals use the malware to spy, steal data, disrupt services, and infect the business with ransomware.
Thus, it’s important for you to ensure that everyone using remote connections follows best practices and does not violate company policy when connecting to your network. So, what are the best practices for remote connections?
Read on to understand how you can protect your business from cyberattacks that exploit the computers of work-from-home employees. First, we’ll explore what remote connections are. Then, we’ll see how bad security practices escalate the risk of criminals hacking into your network. Next, we’ll look at the policies and procedures that you can put in place to mitigate that risk. And finally, we’ll share a few tips that your employees can use when connecting to your network remotely.
COVID-19 has led to an unexpected increase in dependency on remote desktop tools: software that allows work-from-home employees to connect to office computers. Common software solutions include remote desktop protocol (RDP), secure shell (SSH), and virtual private network (VPN).
Of the three, let’s concentrate on RDP, as it’s the solution that you are most likely to use. It’s easy to set up, and it comes preinstalled on all Windows devices. You can go through this article by Mark Kaelin on TechRepublic if you need help with using the Windows remote desktop. Unfortunately, although easy to set up, RDP is also prone to cyberattacks.
According to Shodan creator John Matherly, RDP shouldn’t be publicly accessible without proper protections in place. RDP over the Internet gives hackers an opportunity to get direct access to a server on your network. Once a hacker realizes that you have an exposed RDP port, they will start their attack on your system.
Most criminals rely on two types of attacks to exploit exposed RDP connections. The first is using exploit code for known RDP vulnerabilities. Criminals scan the Internet with exploit code, and if your RDP is exposed, the hackers automatically gain access. The second method relies on guessing the password of the RDP connection. Generally, criminals use either a brute-force password attack or a dictionary attack.
In a brute-force attack, the attackers keep guessing the password until they gain access, while in a dictionary attack, they use a compiled list of usernames and passwords.
Another bad practice is to enable RDP access without setting up a login password. Criminals are continuously scanning the Internet for remote access points. They also use tools that keep on searching for vulnerable targets. If they find your RDP port, they can log in to your network directly.
How to Guard against RDP Attacks
To guard against such attacks, you need to remove your RDP ports from the Internet. Here are the steps that your security staff can take to secure your RDP ports.
- Restrict the use of port 3389
- Enable two-factor authentication (2FA)
- Do not allow weak login passwords
- Confirm that employees haven’t disabled Network Level Authentication (NLA)
- Monitor the people connecting to your network via RDP
- Require users to use VPN to access the remote connection
- Put in place account lockout policies
- Update and patch your systems regularly
Along with the above changes, you also need to put in place a strong audit system to monitor the RDP connections to your network. If a service with RDP access is not required, remove it. If a system has RDP access open to the Internet, find out why, and put it behind a firewall, or force the person to use a virtual private network.
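As a sketch of what such an audit can look for, the following added example (not part of the original article) scans an exported logon record for two of the conditions listed above: one source address producing repeated failed logons, and successful RDP logons that did not come through the VPN. The sample records, the VPN address pool `10.8.0.0/24` and the threshold of 5 failures in 10 minutes are assumptions made for illustration; the event IDs (4624 success, 4625 failure) and logon types are those of the Windows Security log.

```python
import csv, io, ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not real data): time, event ID, logon type, account, source IP.
# 4624 = successful logon, 4625 = failed logon; type 10 = RemoteInteractive (RDP),
# type 3 = network logon, which is how failed RDP attempts appear when NLA is on.
SAMPLE = """\
2021-03-01T09:00:05,4624,10,alice,10.8.0.14
2021-03-01T09:14:00,4625,3,administrator,203.0.113.50
2021-03-01T09:14:20,4625,3,admin,203.0.113.50
2021-03-01T09:14:40,4625,3,backup,203.0.113.50
2021-03-01T09:15:00,4625,3,alice,203.0.113.50
2021-03-01T09:15:20,4625,3,bob,203.0.113.50
2021-03-01T09:30:00,4625,3,bob,10.8.0.22
2021-03-01T10:02:00,4624,10,carol,198.51.100.7
"""

VPN_POOL = ipaddress.ip_network("10.8.0.0/24")  # assumed VPN address pool
THRESHOLD, WINDOW = 5, timedelta(minutes=10)    # assumed alerting policy

def audit(text):
    """Return (sources exceeding the failure threshold, RDP logons from outside the VPN)."""
    failures, outside = defaultdict(list), []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue  # tolerate blank lines in the export
        ts, event_id, logon_type, user, src = row
        when, ip = datetime.fromisoformat(ts), ipaddress.ip_address(src)
        if event_id == "4625":
            failures[src].append((when, user))
        elif event_id == "4624" and logon_type == "10" and ip not in VPN_POOL:
            outside.append((user, src))
    noisy = {}
    for src, hits in failures.items():
        hits.sort()
        # Sliding window: THRESHOLD consecutive failures that fit inside WINDOW
        for i in range(len(hits) - THRESHOLD + 1):
            if hits[i + THRESHOLD - 1][0] - hits[i][0] <= WINDOW:
                # Value = distinct accounts tried; many accounts suggests a credential list
                noisy[src] = len({u for _, u in hits})
                break
    return noisy, outside

if __name__ == "__main__":
    noisy, outside = audit(SAMPLE)
    for src, accounts in noisy.items():
        print(f"{src}: repeated failed logons across {accounts} account(s)")
    for user, src in outside:
        print(f"{user} logged on over RDP from {src}, outside the VPN pool")
```

A single mistyped password from a VPN address stays below the threshold, while the source that cycles through several account names is reported together with the number of accounts it tried.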
Another important factor that you need to attend to is the training of your employees and third-party vendors. You need to ensure that they receive proper information security training. This includes training on password practices, social engineering, and the physical security of their workstations. After all, the people who access your systems remotely are the most important and also the most vulnerable part of your security setup.