Ransomware attacks have been on the rise for a few years, but when COVID-19 triggered a near-universal pivot to remote work, a whole new world of vulnerabilities opened to the criminals behind them, including access to Remote Desktop Protocol ports.
What is Remote Desktop Protocol?
Remote Desktop Protocol (RDP) is a proprietary Microsoft communications protocol that allows individuals to remotely connect to corporate systems and services. RDP uses an encrypted channel, which prevents attackers from eavesdropping on your connected session, and provides fast, remote administrative access to a Windows machine.[1]
CAP Physicians Insurance Agency (CAP Agency) partners with Tokio Marine HCC – Cyber & Professional Lines Group (TMHCC) to provide CyberRisk insurance coverage for all CAP members with the opportunity to purchase a higher limit policy. TMHCC estimates that about 60 percent of all their ransomware attacks in 2020 originated from open RDP ports.
Did you know?
RDP is typically accessed with usernames and passwords and is therefore susceptible to brute-force attacks and credential-stealing campaigns. After an attacker compromises an RDP connection, they will often deploy malware (like ransomware), steal data, or move laterally in a corporate network to perform reconnaissance.[2]
How do you know if your practice is vulnerable?
Generally, a vulnerability scan can help determine whether a commonly used RDP port is facing the public internet and therefore potentially exploitable. These scans are noninvasive and use only public-facing domains (i.e., website URL) to assess where ports are “open” to attack. Hackers can (and do) scan to identify open RDP in the same manner.
Helpful Tips[3]:
- Never have RDP exposed to the internet or open to any other network you do not trust.
- Always secure a virtual private network (VPN) or RDP Gateway with two-factor authentication (2FA).
- Always enforce strong, complex passwords and enable an account lockout policy after too many failed attempts.
- Restrict access to RDP by applying firewall rules to limit which IP addresses (individual or group) can access the RDP server from untrusted networks.
- Keep all remote access software (especially Windows Server) updated and patched.
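A way to check a single Windows machine against the firewall and lockout tips above, written as an added example rather than material from TMHCC or ePlace Solutions. It only reads settings, and it assumes an elevated PowerShell session and English-language `net accounts` output.

```powershell
# Added example: read-only audit of one Windows host against the tips above.
# Run in an elevated PowerShell session on the machine that accepts RDP.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"

# fDenyTSConnections = 0 means Remote Desktop is enabled.
$rdpEnabled = (Get-ItemProperty -Path $ts).fDenyTSConnections -eq 0
# The listener port (3389 unless it has been changed).
$rdpPort = [string](Get-ItemProperty -Path $tcp).PortNumber

# Enabled inbound allow rules that cover the RDP port, with their address scope.
# Rules scoped to a port range (for example "3380-3400") are not expanded here.
$rdpRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $coversRdp = ($port.Protocol -in 'TCP', 'Any') -and
                     (($port.LocalPort -contains $rdpPort) -or
                      ($port.LocalPort -contains 'Any'))
        if ($coversRdp) {
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = $_.Profile
                RemoteAddress = $addr.RemoteAddress -join ', '
                # 'Any' means this rule places no limit on source IP addresses.
                Unrestricted  = $addr.RemoteAddress -contains 'Any'
            }
        }
    }

# Account lockout threshold; parsing assumes English 'net accounts' output.
$lockout = (net accounts | Select-String 'Lockout threshold').Line -replace '^.*:\s*', ''

# Summary first, then the individual rules for review.
[pscustomobject]@{
    RdpEnabled        = $rdpEnabled
    RdpPort           = $rdpPort
    LockoutThreshold  = $lockout   # 'Never' means no lockout policy is set
    UnrestrictedRules = @($rdpRules | Where-Object Unrestricted).Count
} | Format-List
$rdpRules | Format-Table -AutoSize
```

This inspects only the host's own firewall and account policy. A router or perimeter firewall that forwards the RDP port to this machine has to be checked separately.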
Here’s how CAP Agency can help:
For CAP members who purchase a stand-alone higher limit policy written by TMHCC, TMHCC will conduct an RDP scan at no cost to you to ensure you know about potential vulnerabilities before any hackers do. If an open port is discovered, it is recommended that you inventory all remote access connections that are exposed to the internet and take steps to ensure that they are properly secured. In partnership with TMHCC, CAP Agency will let you know if an open RDP is detected to help prevent potential ransomware or other cyberattacks.
As a reminder, CAP members are offered complimentary access to TMHCC CyberNET®, the most advanced cyber risk management training solution addressing the latest trends in data breaches and cybercrime, including best practices to protect against RDP remote access.
To access the trainings, visit https://CAP.nascybernet.com. (First-time users will need to sign up for a free account with your CAP member number as your “Sign Up Code.” Once you have registered, you will be able to create username(s) and password(s) for your employee(s).)
For more information, please contact CAP Agency at 800-819-0061 or email CAPAgency@CAPphysicians.com. The licensed professionals with CAP Agency can also help you learn about your own personal cyber risk and about affordable coverage options and services available through Tokio Marine HCC.
[1] ePlace Solutions, Inc., Securing Windows Remote Desktop (RDP) Guide, TMHCC CyberNET.
[2] ePlace Solutions, Inc. via: https://www.pandasecurity.com/mediacenter/security/brute-force-rdp/
[3] ePlace Solutions, Inc., TMHCC CyberNET®.