What is a remote desktop protocol attack?
by Kapua Iao
A Remote Desktop Protocol (RDP) attack is a type of data breach that enters an organization through a user's remote desktop connection. RDP allows one computer to control another computer, or to reach a network, without any physical contact between them.
This has become something of a necessity over the past year as more employees, including within the healthcare industry, work from home.
No doubt because of this, researchers have noticed a jump in cyberattacks that use RDP as an entry point. But how exactly do these attacks occur? And how can organizations protect their employees and their networks from such breaches?
RDP use cases
A remote desktop connection relies on various protocols, including RDP, which is used to log into Windows from afar by connecting to Remote Desktop Services. It was first invented by Citrix in 1995 and added to Microsoft products in 1998.
Other protocols do exist; for example, Apple has its own version. RDP normally comes preinstalled as part of a Windows operating system.
Remote desktops can be essential for day-to-day operations. Many organizations utilize this technology to give:
- Admin and/or IT workers access to troubleshoot
- Employees access to organization-related data
- Employees the ability to work from home
The COVID-19 pandemic didn’t introduce the concept of remote working, but it brought a shift in how many employees work from home. Currently, there are almost five million RDP servers exposed to the Internet, an increase of two million from before the pandemic.
Many of these users (employees and organizations) are new to remote working. Most do not understand the need to follow safety procedures to ensure cybersecurity. All it takes is one vulnerable RDP endpoint for a cybercriminal to gain entry into an organization.
Remote desktop protocol attacks
RDP has a history of insecurity. The Federal Bureau of Investigation even released a warning in 2018 about dark-web markets selling RDP access.
Cybercriminals see RDP as an easy entry point. Weak password policies and misconfigured endpoint security play a big role in this.
A cybercriminal can do much damage once inside a system, from inserting malware to exfiltrating data, and/or installing mining programs or ransomware.
Hackers can disable, erase, or overwrite backups, remove security software, or download unwanted software. They can even cause bodily harm, as threat actors tried to do in the recent Florida water treatment facility hack.
According to the ESET Threat Report Q4 2020, RDP attacks last year increased by 768% between Q1 and Q4.
Protect and mitigate your RDP risks
For all organizations that need to connect remotely, knowing how to protect a single computer and/or a network from cyberattacks is essential, especially during the current health crisis.
First and foremost, if an organization does not use RDP, the connection should be disabled. Moreover, an organization should only provide remote access to employees that need it.
Second, organizations must look into endpoint security—never leave an RDP connection open to the Internet.
Third, policies and procedures must be up to date. They should include rules on only using organization-provided devices, multi-factor authentication, and complex passwords. Organizations must always audit these policies along with any connectivity logs.
And finally, implement physical and technological safeguards such as:
- A firewall and/or VPN
- Backups kept on a separate, unconnected server
- Remote desktop gateways
- Patches and updates as needed
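The checklist above can be verified on an individual Windows host. The following read-only audit script is an added example, not part of the original article or any Paubox product; it assumes Windows 8 / Server 2012 or later (so the NetSecurity and NetTCPIP modules exist) and an elevated PowerShell session.

```powershell
# Added example: audit a Windows host's RDP exposure against the checklist above.
# Read-only; assumes an elevated PowerShell on Windows 8 / Server 2012 or later.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'
$findings = @()

# 1. Is RDP enabled at all? (fDenyTSConnections = 1 means remote desktop is off)
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
if ($deny -eq 0) {
    $findings += 'RDP is enabled; disable it unless this host must accept remote desktop sessions.'
}

# 2. Is Network Level Authentication required? (UserAuthentication = 1 means yes)
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication
if ($nla -ne 1) {
    $findings += 'Network Level Authentication is not required; enable it so credentials are verified before a session is created.'
}

# 3. Which firewall profiles allow the built-in Remote Desktop rule group?
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue
foreach ($rule in $rules) {
    if ("$($rule.Profile)" -match 'Public|Any') {
        $findings += "Firewall rule '$($rule.DisplayName)' is enabled on profile '$($rule.Profile)'; restrict RDP to the Domain/Private profile or to a VPN/gateway subnet."
    }
}

# 4. Is the RDP listener actually listening on its configured port?
$port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber).PortNumber
$listening = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
if ($listening) {
    $findings += "TCP port $port is listening; confirm only the remote desktop gateway or VPN can reach it."
}

# 5. Count failed remote-interactive logons (Event 4625, logon type 10) in the last
#    24 hours. A spike is the simplest sign of password guessing against this host.
#    Property index 10 of a 4625 event is LogonType. Note: with NLA enabled, failed
#    RDP attempts may instead be recorded as logon type 3 (network).
$since  = (Get-Date).AddDays(-1)
$failed = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[10].Value -eq 10 })
if ($failed.Count -gt 20) {
    $findings += "$($failed.Count) failed RDP logons since $since; review source addresses and enforce account lockout and MFA."
}

if ($findings.Count -eq 0) { 'No RDP exposure findings.' } else { $findings }
```

The threshold of 20 failed logons per day is an assumed starting point; tune it to the host's normal traffic, and feed the same event data into central log review so a spike on any one host is noticed.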
If someone detects a breach, disable RDP access right away. Cut off the infected computer from the rest of the network and figure out how the intrusion was able to occur.
Don’t forget solid email security
And to protect against human error, implement strong email security. For healthcare organizations that must be HIPAA compliant, this means combining strong employee awareness training with HIPAA compliant email.
Our HIPAA compliant email solution, Paubox Email Suite, requires no change in user behavior. No extra logins, passwords, or portals to wade through. Just protected email communication.
With our HITRUST CSF certified solution, all outbound emails are encrypted and sent directly from an existing email platform (such as Microsoft 365 and Google Workspace). Furthermore, malicious inbound emails are blocked even before reaching an employee’s inbox.
RDP attacks and their consequences are detrimental to any organization. Keep cybercriminals from gaining access through this entry point. And keep your employees safe when they need to work at home by utilizing reliable cybersecurity measures today.