Remote access challenges and reports of breaches have dominated the news since Work From Anywhere became urgent over a year ago. It started almost immediately with rumblings about VPNs, followed quickly by concerns about Remote Desktop Protocol (RDP). The frustration was understandable: VPNs have been around a long time and have a notoriously unpleasant user and IT experience. The social media hashtag #KilltheVPN was born out of this frustration. More important than the bad user experience are the weaknesses and vulnerabilities found in VPNs, which add to organizational risk, especially when their use is “turned up to 11”. RDP itself has been used for years as a remote access solution, reached via a VPN, an internet-facing portal, or over the internal network. The pandemic rush to work from home sent thousands of RDP users and RDP-enabled machines outside the classic network perimeter.
By May 2021, after the Pulse Secure VPN products were exploited, the Cybersecurity & Infrastructure Security Agency (CISA) issued a directive stating that this exploit posed an unacceptable risk to civilian agencies. CISA and the FBI then issued a joint statement on yet another remote access challenge, related to the DarkSide ransomware that took down the Colonial Pipeline. They urged critical infrastructure operators to “adopt a heightened state of awareness and implement the recommendations listed in the Mitigations section of this Joint Cybersecurity Advisory.”
Those mitigation recommendations included, “Limit access to resources over networks, especially by restricting RDP.” The reason for the focus on RDP is clear in recent trends:
- According to Webroot, during COVID there was a 400% increase in attacks against Remote Desktop Protocol (RDP) machines, significantly expanding the threat surface of the organizations running them. Verizon (DBIR 2021) reports that desktop sharing was the second largest hacking vector (the largest was attacks against web applications). Using brute force attacks, hackers can take over these machines and cause chaos inside the network.
- The Sophos Active Adversary Playbook 2021 notes: “RDP played a part in 90% of attacks. However, the way in which attackers used RDP is worth noting. In incidents that involved RDP, it was used for external access only in just 4% of cases. Around a quarter (28%) of attacks showed attackers using RDP for both external access and internal movement, while in 41% of cases, RDP was used only for internal lateral movement within the network.”
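The brute force attacks against RDP mentioned above leave a distinctive trail in the Windows Security log: bursts of failed logons (Event ID 4625) with LogonType 10 (RemoteInteractive, i.e. RDP) from a single source address, sometimes followed by a success (Event ID 4624) from the same address. The following detector is an added example written for this article, not code from Axis or from any of the cited reports. The event IDs and the logon type are real Windows values; the log records, the field names (`time`, `event_id`, `logon_type`, `user`, `src`) and the threshold and window defaults are constructed assumptions about how a log forwarder might present the events.

```python
"""Flag RDP brute-force activity in Windows Security events (added example).

Real Windows identifiers: 4625 = failed logon, 4624 = successful logon,
LogonType 10 = RemoteInteractive (RDP). Everything else here, including
the sample records, is constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

EVENT_LOGON_FAILED = 4625
EVENT_LOGON_SUCCESS = 4624
LOGON_TYPE_REMOTE_INTERACTIVE = 10  # RDP / Terminal Services sessions

# Constructed sample events, roughly the shape a log forwarder would emit.
# 203.0.113.7 sprays several account names, then lands a successful logon;
# 198.51.100.22 is a user mistyping a password once and then succeeding.
SAMPLE_EVENTS = [
    {"time": "2021-05-20T08:00:01", "event_id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.7"},
    {"time": "2021-05-20T08:00:09", "event_id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.7"},
    {"time": "2021-05-20T08:00:15", "event_id": 4625, "logon_type": 10, "user": "user", "src": "203.0.113.7"},
    {"time": "2021-05-20T08:00:30", "event_id": 4625, "logon_type": 10, "user": "test", "src": "203.0.113.7"},
    {"time": "2021-05-20T08:00:12", "event_id": 4625, "logon_type": 10, "user": "jdoe", "src": "198.51.100.22"},
    {"time": "2021-05-20T08:00:42", "event_id": 4625, "logon_type": 3, "user": "guest", "src": "203.0.113.7"},
    {"time": "2021-05-20T08:00:48", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src": "203.0.113.7"},
    {"time": "2021-05-20T08:01:02", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src": "203.0.113.7"},
    {"time": "2021-05-20T08:01:40", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src": "203.0.113.7"},
    {"time": "2021-05-20T08:05:00", "event_id": 4624, "logon_type": 10, "user": "jdoe", "src": "198.51.100.22"},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return a list of alert dicts for the given events.

    A source address is flagged once when it accumulates `threshold` failed
    RDP logons inside a sliding `window`. Any successful RDP logon from an
    already-flagged address raises a second, higher-severity alert, since a
    success after a spray is the pattern of a guessed password.
    """
    ordered = sorted(events, key=lambda e: e["time"])  # forwarders do not guarantee order
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    flagged = {}                   # src -> time the burst alert fired
    alerts = []

    for e in ordered:
        if e["logon_type"] != LOGON_TYPE_REMOTE_INTERACTIVE:
            continue  # network, service and interactive logons are out of scope here
        t = datetime.fromisoformat(e["time"])
        src = e["src"]

        if e["event_id"] == EVENT_LOGON_FAILED:
            recent = failures[src]
            recent.append(t)
            while recent and t - recent[0] > window:
                recent.popleft()  # drop failures that fell out of the window
            if len(recent) >= threshold and src not in flagged:
                flagged[src] = t
                alerts.append({
                    "type": "rdp_bruteforce",
                    "src": src,
                    "failures": len(recent),
                    "first": recent[0].isoformat(),
                    "last": t.isoformat(),
                })
        elif e["event_id"] == EVENT_LOGON_SUCCESS and src in flagged:
            alerts.append({
                "type": "rdp_success_after_bruteforce",
                "src": src,
                "user": e["user"],
                "time": t.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample this produces two alerts: the burst from 203.0.113.7 (five failures between 08:00:01 and 08:00:48, with the LogonType 3 event correctly ignored) and the later success for `jsmith` from the same address, while the single failure from 198.51.100.22 stays below the threshold. In a SIEM the same logic would run over 4625/4624 events streamed from the RDP hosts; the article's point is that a host reached only through a ZTNA broker should never see such bursts from internet addresses in the first place, so any that do appear are a strong signal that a listener is exposed.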
This flurry of agency recommendations was quickly followed by a sweeping executive order from the Biden administration on cybersecurity which made clear that zero trust was the security methodology of the future.
“The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks.”
Zero Trust Network Access (ZTNA) directly addresses the problems with VPN and RDP access. With ZTNA, you can enable remote access to web applications and services without exposing these potentially vulnerable platforms to attack. For organizations using ZTNA, the vulnerable application is reachable by authorized remote users but is never published to the public internet, and is not even directly accessible from the internal network; every user request to the server is brokered at the application layer.
Why is it so important to keep applications off the public internet? Axis engineers recently set up a honeypot in an out-of-the-way web hosting center. Within 30 seconds the scans started showing up. Within 60 seconds came the first login attempt, and within 3 minutes the first exploits were being uploaded and captured. (All this visibility was achieved by running T-Pot, which will quickly open your eyes to the unseen internet.) Adding up the stats from all 19 honeypot services, that single public IP was hit by roughly 2 million attacks. Those were not just scans; they were active toolkits, scans, and attempts to compromise our (fake) available services.
That is precisely why reducing the attack surface is so important, and such a critical component of overall risk management. If something, RDP for example, is connected to the internet, anywhere, attackers will find it. By scaling VPN and RDP access to deal with the work-from-anywhere trend, organizations are simultaneously and dramatically expanding their threat surface and overall risk profile.
Enabling secure access is a great place to start a zero-trust journey. Agentless access options deliver immediate ROI: nothing to deploy on endpoints, support for personal or third-party-owned devices, and the ability to be operational in minutes. Zero trust quickly transforms third-party access from a high-risk arrangement built on RDP and/or VPNs into a simple secure access service delivered in the cloud. From there, organizations can expand to other use cases.
By adopting ZTNA today, your business will be ready for the future as the strategy and tactics for secure access change. Zero trust is clearly the approach, but how it is architected and delivered is changing as application delivery and consumption patterns change. In a work-from-anywhere world, users are no longer in a predictable location. The traditional model for delivering security was data-center focused, with multiple layered tools at the perimeter. That is shifting to a model focused on cloud-delivered security where possible, and on-premises security where necessary.
As a result, the Secure Access Service Edge (SASE) is emerging, converging security and networking functionality in the cloud and collapsing solutions such as ZTNA, Secure Web Gateway, CASB, and firewalls into a single cloud-delivered platform.
Getting started with ZTNA today will prepare you for a zero-trust future, no matter what direction it takes.