Is Remote Working Compromising Your Cybersecurity?
In the understandable rush to enable remote working, many organisations are – in the face of the immense pressures – neglecting security hardening. This technical blog post by our Principal Security Consultant, Sasha Raljic, outlines the risks of functionality over security and shares insights and advice.
The Coronavirus Pandemic has fundamentally changed the way workers are accessing corporate information. While many companies are already familiar with the remote working process and have the underlying infrastructure to support remote workers, others had to adapt quickly.
To support a massive increase of remote workers, many organisations had to implement remote working solutions that are potentially inadequate and did so without giving much attention to security. This approach is understandable as any form of solution is needed to ensure that a business remains open. This fast-paced deployment of remote working solutions is evident on a global scale. The same trend was also observed here in the UK.
Several cases related to Coronavirus hacking are already well publicised. Multiple law enforcement alerts have detailed the dramatic increase in the use of COVID-19 themes by cybercriminals. This global environment presents new opportunities for malicious threat actors, as new and potentially easy targets are appearing every day. To test this, we’ve observed the following protocols on Shodan, an Internet intelligence gathering platform, and their daily increase on both the global and national scale:
- Port 1194 – Default OpenVPN Port
- Port 1723 – Default PPTP Port
- Port 3389 – Default Remote Desktop Protocol Port
- “OpenVPN-AS” banner and server header
- “Remote Desktop Protocol” banner
- Port 500 – Default IPsec VPN Port
There are three assumptions and disclaimers that need to be made regarding the data * presented:
- Other services can be found running on ports normally reserved for services described above. This will introduce some inaccuracies.
- RDP and PPTP should not be used as remote working solutions at all. These were included to demonstrate insecure infrastructure deployment.
- Service and server banners can be changed, which once again can introduce inaccuracies.
*Data was collected between 19th and 23rd March 2020.
Furthermore, the following statistics do not show any potentially misconfigured services. Protocols listed above such as OpenVPN and IPsec are industry standards; however, these can also be misconfigured, especially now where security hardening is not the priority. Other protocols, such as PPTP and RDP, should not be internet accessible.
OpenVPN – Defaults to port 1194 TCP or UDP and OpenVPN Access Server – Defaults to port 443 TCP and 1194 UDP (443 is used if forwarding to Connect Client)
SSL VPNS, such as OpenVPN protect user data in transit and allow remote workers to access internal company resources. While OpenVPN is considered secure, further security hardening is required. In organisations where many users are using this technology, certificate and configuration management can become problematic, resulting in system administrators only using username/password combination by setting the “client-cert-not-required” directive. The following results demonstrate a sharp daily increase, both globally and nationally.
Get your free cybersecurity assessment, contact us today
Port 1723 – Microsoft Point-to-Point Tunnelling Protocol
Microsoft’s protocol was considered insecure since its inception in the 1990s. This protocol was designed to function in everyday Windows environments, and as a result, it’s closely integrated into Microsoft’s Operating System, making it very easy to set up. In a nutshell, this protocol contains several security issues related to Challenge/Response authentication protocol as well as its RC4-based MPPE encryption and should not be used. While EAP-TLS could be used, managing PKI for certificate-based authentication becomes overly complex. As a result, many system administrators use less secure authentication methods.
Despite the protocol issues, incredibly, the overall number of instances has increased significantly. This could be down to its simplicity and ease of setup.
This article by INFOSEC, The PPTP VPN protocol: Is it safe? provides further information on protocol shortcomings.
Port 3389 and Remote Desktop Services Banner
There’s no easier method to work remotely than to internet expose your work machine. Apart from the obvious issues, like someone having access to your login screen, password policy is often weak and malicious threat actors will often brute force this service to gain access. User accounts are often visible, already providing 50% of the required credentials to log in. Once compromised, this service can be used to stage further attacks on your internal network.
Patching issues are also a big problem, the more recent one being CVE-2019-0708 or BlueKeep, which at best allows malicious attackers to cause a denial-of-service condition and affect data availability, or at worst to allow arbitrary code execution. Incredibly, Remote Desktop Protocol instances have also dramatically increased – probably as organisations simply need to allow 3389 on their firewall.
Port 500 – IPsec VPN
This form of VPN seems to be most widely utilised, primarily due to its support and close integration with enterprise-grade equipment. IPSec is a suite of protocols used for cryptographically securing end-to-end communication. Misconfigured IPSec VPN instances are often observed, and a sharp increase of newly deployed VPN servers will inevitably introduce security misconfigurations within organisations. IPSec VPN instances have also sharply increased.
While these services (excluding PPTP and RDP) are only a small number of remote working solutions, other methods and VPNs exist. As functionality over security takes precedence at this point in time, many organisations will be pushing out solutions that are either misconfigured or worse, not fit for purpose. This approach will ensure that cyber-attacks become more frequent in the near future.
Our Advice: Remote Working Security Best Practices
There are several resources available that clearly define security best practices when it comes to deploying and using VPN solutions. In short, every organisation should start with the following:
- Do not expose services such as RDP to the wider internet
- Do not use outdated tunnelling protocols, such as PPTP
- Implement multi-factor authentication wherever possible. Most reputable VPN solutions already support this
- If implementing OpenVPN, apply additional hardening. Examples can be found here and here
- Avoid common IPSec misconfiguration settings, such as IKEv1 Aggressive Mode Exchange and weak encryption settings. Further information can be found here
- Ensure that VPN Clients remain up to date
- Implement complex password policy wherever possible
If you’re concerned about the security of your remote access solutions, contact us for advice and we’ll respond to you quickly. To assist organisations in the face of the increased security threats from the coronavirus, we’re also offering free cybersecurity assessments. Click on the button below to book yours; we’ll be only too glad to help.
