Over Half of Fortune 500 Exposed To Remote Access Hacking (axios.com) 29
Over a two-week period, the computer networks at more than half of the Fortune 500 left a remote access protocol dangerously exposed to the internet, something many experts warn should never happen, according to new research by the security firm Expanse and 451 Research. From a report: According to Coveware, more than 60% of ransomware is installed via a Windows remote access feature called Remote Desktop Protocol (RDP). It's a protocol that's fine in secure environments but once exposed to the open internet can, at its best, allow attackers to disrupt access and, at its worst, be vulnerable to hacking itself. RDP is a way of offering virtual access to a single computer. It allows, for example, an IT staffer in one office to provide tech support for a baffled user in a different office. But RDP is best used over a secured network rather than over the open internet. "We compare exposed RDP to leaving a computer attached to your network out on your lawn," Matt Kraning, co-founder and CTO of Expanse, told Axios.
More than half? (Score:1)
That is like almost 100, right?
Re: (Score:2)
If we assume you can only do binary numbers, then no.
Re: (Score:2)
I can do decimal too. I am not a moran.
Re: (Score:2)
Your username suggests otherwise.
Re: (Score:2)
What? No, you use a different remote access protocol like Anydesk where the end user who is physically onsite has to authorize the connection. You don't cut a hole in your network just because some day you might have to access it from afar. Maybe if I was maintaining light houses in Siberia I would consider it, but I would hate myself for it.
Re:What is the protocol called that allows Remotin (Score:4, Informative)
If I have to log in at 10 PM to install a service pack for Unmaintainable Sysadmin Nightmare 2012 during a scheduled downtime window, I don't want to have to be on site, or depend on someone else being on site to say I'm allowed to do it.
Easy Fix (Score:4, Funny)
Don't put your computer on the lawn. Problem solved.
Re: (Score:3)
Don't put your computer on the lawn. Problem solved.
Well that's just silly. I put mine in the back yard where no one can see it. Security by obscurity works.
Re: (Score:2)
Lawnworks
Yardworks
Obscurityworks
How do they know? (Score:2)
How do they know it was RDP? Did they actually attempt to hack the connection to find out what it was, or are they just making assumptions because, we all know, making assumptions leads to wonderful clickbait headlines. Maybe they were honeypots designed to trap the unwary scriptie.
How bad really (Score:2)
Did not read the article but there is exposed RDP and there is exposed RDP.
Older versions of RDP had weak encryption etc. that would make me skittish about using it outside of a VPN. However, the transport is now TLS-protected by default and probably as secure as any VPN.
If you have some kind of MFA provider and you are careful to set logins for both domain and local users to require MFA, and you make sure the MFA system fails closed I don't see how RDP is worse than any other remote access solution..(well okay
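The "How do they know it was RDP?" question a few comments up and the TLS-by-default point in this comment have the same answer: an RDP listener tells an unauthenticated client what it is, and what security it will accept, in its very first reply. The probe below is an added example (my code, not Expanse's scanner or anything posted here). It sends an X.224 Connection Request carrying an RDP_NEG_REQ that asks only for legacy Standard RDP Security and decodes the Connection Confirm, following the negotiation layouts published in MS-RDPBCGR. A server that enforces NLA answers RDP_NEG_FAILURE with HYBRID_REQUIRED_BY_SERVER; one that only enforces TLS answers SSL_REQUIRED_BY_SERVER, which still leaves the login screen and channel layer reachable before authentication; one that accepts the request selects protocol 0. The sample replies are constructed, and `probe_host` with its host/port arguments is a placeholder for live use.

```python
"""Added example: unauthenticated RDP negotiation probe (not code from the page).

Layouts follow MS-RDPBCGR: TPKT, X.224 CR/CC, RDP_NEG_REQ/RSP/FAILURE.
Sample replies are constructed; probe_host() needs network access.
"""
import socket
import struct

# requestedProtocols / selectedProtocol flags
PROTOCOL_RDP = 0x00000000      # legacy Standard RDP Security (RC4-based)
PROTOCOL_SSL = 0x00000001      # TLS
PROTOCOL_HYBRID = 0x00000002   # CredSSP (NLA) over TLS
PROTOCOL_HYBRID_EX = 0x00000008

NEG_REQ, NEG_RSP, NEG_FAILURE = 0x01, 0x02, 0x03

FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols, cookie=b"Cookie: mstshash=probe\r\n"):
    """TPKT + X.224 Connection Request + RDP_NEG_REQ (little-endian fields)."""
    neg_req = struct.pack("<BBHI", NEG_REQ, 0x00, 8, requested_protocols)
    # X.224 CR TPDU: code 0xE0, dst-ref 0, src-ref 0, class option 0
    tpdu = struct.pack(">BHHB", 0xE0, 0, 0, 0) + cookie + neg_req
    tpdu = bytes([len(tpdu)]) + tpdu                 # length indicator (LI)
    return struct.pack(">BBH", 3, 0, 4 + len(tpdu)) + tpdu


def parse_connection_confirm(data):
    """Decode the server's first reply; ValueError means the port is not RDP."""
    if len(data) < 11 or data[0] != 3 or data[1] != 0:
        raise ValueError("not a TPKT frame")
    (tpkt_len,) = struct.unpack(">H", data[2:4])
    if tpkt_len < 11 or tpkt_len > len(data):
        raise ValueError("bad TPKT length")
    li = data[4]
    if data[5] != 0xD0 or li < 6 or 5 + li > tpkt_len:
        raise ValueError("not an X.224 Connection Confirm")
    body = data[11:5 + li]
    if not body:
        # Very old server: a CC with no RDP_NEG_RSP only speaks legacy security.
        return {"type": "response", "flags": 0, "selected_protocol": PROTOCOL_RDP}
    if len(body) < 8:
        raise ValueError("truncated negotiation structure")
    rtype, flags, length, value = struct.unpack("<BBHI", body[:8])
    if length != 8:
        raise ValueError("bad negotiation length")
    if rtype == NEG_RSP:
        return {"type": "response", "flags": flags, "selected_protocol": value}
    if rtype == NEG_FAILURE:
        return {"type": "failure", "failure_code": value,
                "failure_name": FAILURE_CODES.get(value, "UNKNOWN")}
    raise ValueError("unexpected negotiation type 0x%02x" % rtype)


def assess(reply):
    """Classify the reply to a request that asked for PROTOCOL_RDP only."""
    if reply["type"] == "failure":
        if reply["failure_code"] == 0x05:
            return "nla_required"          # CredSSP auth before any RDP session
        if reply["failure_code"] == 0x01:
            return "tls_required_no_nla"   # encrypted, but login screen is pre-auth
        return "refused"
    if reply["selected_protocol"] == PROTOCOL_RDP:
        return "legacy_rdp_security"       # RC4-era security accepted, no NLA
    return "unexpected"


def identify(data):
    """What a scanner would record for a port that answered."""
    try:
        return assess(parse_connection_confirm(data))
    except ValueError:
        return "not_rdp"


def _confirm(neg_body):
    # Constructed reply: TPKT + X.224 CC (0xD0) + optional RDP_NEG_* structure.
    tpdu = struct.pack(">BHHB", 0xD0, 0, 0, 0) + neg_body
    tpdu = bytes([len(tpdu)]) + tpdu
    return struct.pack(">BBH", 3, 0, 4 + len(tpdu)) + tpdu


SAMPLE_REPLIES = {  # constructed, not captured from real hosts
    "hardened": _confirm(struct.pack("<BBHI", NEG_FAILURE, 0, 8, 0x05)),
    "tls_only": _confirm(struct.pack("<BBHI", NEG_FAILURE, 0, 8, 0x01)),
    "legacy": _confirm(struct.pack("<BBHI", NEG_RSP, 0, 8, PROTOCOL_RDP)),
    "ancient": _confirm(b""),
    "web_server": b"HTTP/1.1 400 Bad Request\r\n\r\n",
}


def probe_host(host, port=3389, timeout=5.0):
    """Live probe (network required); host and port are placeholders."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request(PROTOCOL_RDP))
        return identify(s.recv(1024))


if __name__ == "__main__":
    for name, reply in SAMPLE_REPLIES.items():
        print(f"{name:>10}: {identify(reply)}")
```

Nothing here needs a credential or an exploit: the classification is read straight out of the negotiation failure code, which is also why "TLS is on by default" is not the whole story. Only `nla_required` means an anonymous internet client is stopped at CredSSP before it ever reaches the RDP stack that the MFA setup in this comment is meant to protect.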
Re: (Score:1)
Damn. People really think like this in 2019.
Re: (Score:3)
No
Remember, this report is about Fortune 500 companies. At scale, you can't count on desktop-level solutions because you simply have too many desktops. Security solutions belong in the datacenter. The only proper Fortune 500 way to do this is to allow remote access via an intermediate security device that lives in the datacenter and is managed by either the network team or the security team. This is not rocket science; there are a billion of them, from vendors we already know, like Cisco, SonicWall, Barracuda
Re: (Score:2)
I don't think anyone is suggesting that these companies should or are letting all desktops have RDP access. We are talking about probably a couple of systems administrators who can use them as a work platform. Tools like Group Policy will ensure login policies are in fact applied and not changed locally. We are very much talking about hosts that are managed via the network team or the security team.
A good rule that I learned at a previous job (15 years ago, this stuff isn't new) was to never allow a packet crafted by a foreign device into the core of your network.
I am probably as old as you are based on the magnitude of our UIDs here and "15 years" and you know what I am still going to
Re: (Score:2)
In other words I'd want a reverse proxy + waf watching HTTP messages being passed to my web server; not a TCP proxy...but maybe a layer 7 firewall could at least provide some cover or defense in depth.
A TCP proxy would be the minimum acceptable, and only if there were no other options. That's what the policy was for, to define that minimum. Since no one could ask for a NAT, they had to start a discussion of how to handle it. That discussion would always be with a networking or security team that was in a position to ask the right questions to get the right kind of device in place. I'm sure you know how often a business team gets a consultant that thinks they know what they're doing and simply asks for a
Re:How bad really (Score:5, Informative)
Encryption means little when there are zero-day vulnerabilities that affect the service. The problem isn't the lack of modern crypto; the problem is exposing internal servers to the internet.
Just this year, we have CVE-2019-1326, CVE-2019-1225, CVE-2019-1224, CVE-2019-1223, and CVE-2019-1108 for DoS or information disclosure.
And let's not forget the remote code execution under CVE-2019-1181 and CVE-2019-1182 [microsoft.com].
In short, if you think it's OK for a server to expose RDP/3389 to the internet then you're just wrong. You need to have your remote workers VPN into the network so you can keep RDP traffic within your network perimeter.
This is really Cockup before Conspiracy (Score:3)
In Corporate America, like, real corporate america, this isn't a problem.
But let me tell ya, from personal experience in an MSP some time ago, the clients of that MSP are spectacularly careless, ignorant, reckless.
You explain to them, as you clean up ransomware and restore databases and file shares, that opening RDP and SQL to the Internet At Large is a really Bad Idea. You charge them a nice fat sum to clean all the damage up. They do it again.
And again.
And again. And once more. The last one, happened as I turned in my resignation to the owner of the MSP.
So before cockup, before even honeypot, I just consider terminal stupidity as the cause, compounded by eternal laziness.
Re: (Score:2)
Not all IT workers understand; the BOFH is the hero of the story. All those stupid rules have Reasons.
I am not surprised. (Score:2, Interesting)
Dubious article (Score:2)
There is no link to the main claim, which is: "Over a two-week period, the computer networks at more than half of the Fortune 500 left a remote access protocol dangerously exposed to the internet, something many experts warn should never happen, according to new research by the security firm Expanse and 451 research." So we have no idea what that means.
The article starts by "Exclusive:".
The content is just a bunch of vaguely related associations from famous names (McAfee, Sophos).
So this is very likely
Port forwarding (Score:1)