The past couple of months have been intense for most companies since they had to shift to working remotely. This situation is unfortunately a huge opportunity for cyber-attackers. Remote connections mean more vulnerabilities to exploit.
Active Directory (AD) is the main identity and access platform for companies around the world. If you want to secure your network you need to protect the remote use of AD credentials.
Phishing aimed at the most vulnerable
As if it were not enough on its own, the coronavirus outbreak brought with it a wave of new phishing email campaigns. The attackers are aiming at the most vulnerable users – just like the disease itself – your new remote employees. Using public fear to lure their victims is their main strategy: they send URLs or documents to download, disguised as safety recommendations or infection maps. The probability of users clicking on a link or downloading an attachment is higher than ever.
Basically, hackers are after a set of compromised credentials which they can use to access a network and move laterally within it to locate anything valuable that can be exploited. Even worse, similar to the coronavirus, you might not even know you’ve been touched. The Ponemon Institute says that 191 days is the average data breach discovery time.
The threat surface is growing
Now more than ever, your organization is at high risk if you don’t have sufficient protection of Active Directory connections. Most companies have been forced to work remotely, which has rapidly expanded the threat surface.
The risk is all the greater because most companies weren’t ready for it and had no time to prepare whatsoever. What they did was rush to allow Microsoft Remote Desktop (RDP) access so that their employees would be able to reach desktop resources remotely.
Understandably, companies’ priority has been the continuation of operations. Cybersecurity didn’t get the attention it deserved.
Remote Active Directory logins security
RDP access is unfortunately not fully secure on its own: by default it is protected only by a single password. Here are three recommendations to protect those sessions:
- Strengthen passwords
- Use a Virtual Private Network (VPN) for all remote sessions
- Enable two-factor authentication on these remote sessions
These 3 steps will allow you to significantly improve the security of your remote employees.
For more security and to fully minimize the risk, find below a full list of recommendations written by experts:
- Remote working equipment policy: The best thing is to use the devices available, secured and controlled by your organization. If this is not an option, you should give clear usage and security rules to your employees working from home.
- Make sure to secure your external access: To do so, use a VPN (Virtual Private Network). Once this is done, and if you can, limit VPN access to only authorized equipment to strengthen security. If anyone tries to connect from a “non-authorized” device, login must be denied.
- Strong password policy: To be strong and safe, all your passwords must be long, complex and unique. However, a password on its own will always remain vulnerable. To address that weakness, activate two-factor authentication on all remote sessions, especially for connections to the corporate network.
- Deploy security updates: Whenever they’re available they need to be deployed on all pieces of equipment in your information system. If you don’t, attackers can quickly exploit those vulnerabilities.
- Backup of data and activities: After an attack, backups might be the only way for your company to recover its data. Perform and test backups on a regular basis to make sure they are working.
- Use antivirus solutions: A professional antivirus solution helps protect your company from malware, and sometimes also from phishing or from some ransomware.
- Logging of the activity and access: Systematic logging of all access and activities of your workstations and equipment (servers, firewall, proxy…) will give you information on how a cyber-attack happened, its extent and how to remedy it.
- Supervise the activity of external access: It’s important to be able to detect suspicious access, as it could be a sign of an attack. To detect it, you need to monitor all your remote sessions and all access to your files and folders. For even more security, real-time alerts and immediate reactions are a great way to act before damage is done.
- User awareness: Your remote employees must be given clear instructions on what they can or can’t do. They are the first barrier to help you avoid/detect attacks.
- Be ready for a cyber-attack: Perfect security doesn’t exist. No organization, whatever its size, is immune to cyber-attacks. If you anticipate by assessing the possible scenarios, you can take the necessary measures to protect your organization.
- Managers must be involved: They have to be engaged and accountable when it comes to security. This is important in order to ensure employees’ buy-in.
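The recommendations on limiting remote access to authorized equipment, logging all access, and supervising external sessions come together in a small detection routine. The following script is an added example, not code from the article or from IS Decisions: it runs over a handful of constructed Windows Security log records (loosely modelled on events 4624 and 4625, where LogonType 10 is an RDP session) and flags RDP logons from devices missing from a hypothetical allow-list, RDP logons outside business hours, and source addresses that pile up failed logons in a short window. Device names, account names, addresses and thresholds are all assumptions for the sake of the example.

```python
"""Flag risky remote (RDP) logons in Windows Security log records.

Added example, not from the original article. The records below are
constructed and loosely follow Windows events 4624 (successful logon) and
4625 (failed logon); LogonType 10 is RemoteInteractive, i.e. an RDP session.
Device names, user names and addresses are hypothetical.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical allow-list of company-controlled devices (see the recommendation
# to limit remote access to authorized equipment).
AUTHORIZED_DEVICES = {"LAPTOP-ALICE", "LAPTOP-BOB"}
RDP_LOGON_TYPE = 10
FAILED_LOGON_THRESHOLD = 5                  # failures from one source address ...
FAILED_LOGON_WINDOW = timedelta(minutes=5)  # ... within this sliding window
BUSINESS_HOURS = range(7, 20)               # 07:00-19:59 counts as normal working time

# Constructed sample records:
# (timestamp, event id, account, logon type, workstation, source address)
SAMPLE_RECORDS = [
    ("2020-04-06T08:55:12", 4624, "alice", 10, "LAPTOP-ALICE", "10.8.0.12"),
    ("2020-04-06T09:02:40", 4624, "bob", 10, "LAPTOP-BOB", "10.8.0.13"),
    ("2020-04-06T09:10:05", 4624, "carol", 10, "DESKTOP-HOME1", "10.8.0.20"),  # unmanaged device
    ("2020-04-06T09:30:00", 4624, "svc-backup", 4, "FILESRV01", "10.0.0.5"),   # batch logon, not RDP
    ("2020-04-06T22:47:30", 4624, "bob", 10, "LAPTOP-BOB", "10.8.0.13"),       # off-hours session
    ("2020-04-06T23:01:01", 4625, "admin", 10, "-", "203.0.113.7"),
    ("2020-04-06T23:01:03", 4625, "administrator", 10, "-", "203.0.113.7"),
    ("2020-04-06T23:01:06", 4625, "root", 10, "-", "203.0.113.7"),
    ("2020-04-06T23:01:09", 4625, "alice", 10, "-", "203.0.113.7"),
    ("2020-04-06T23:01:11", 4625, "bob", 10, "-", "203.0.113.7"),
    ("2020-04-07T10:15:00", 4625, "alice", 10, "-", "10.8.0.12"),              # one typo, not an attack
]


def parse_records(records):
    """Turn raw tuples into dicts with a real datetime, sorted by time."""
    events = []
    for ts, event_id, user, logon_type, workstation, src in records:
        events.append({"time": datetime.fromisoformat(ts), "id": event_id, "user": user,
                       "logon_type": logon_type, "workstation": workstation, "src": src})
    return sorted(events, key=lambda e: e["time"])


def rdp_successes(events):
    """Only successful logons that opened a remote desktop session."""
    return [e for e in events if e["id"] == 4624 and e["logon_type"] == RDP_LOGON_TYPE]


def find_unauthorized_devices(events):
    """Successful RDP logons from a workstation that is not on the allow-list."""
    return [(e["user"], e["workstation"], e["src"]) for e in rdp_successes(events)
            if e["workstation"] not in AUTHORIZED_DEVICES]


def find_off_hours_logons(events):
    """Successful RDP logons outside business hours; worth a second look, not proof of attack."""
    return [(e["user"], e["time"].isoformat()) for e in rdp_successes(events)
            if e["time"].hour not in BUSINESS_HOURS]


def find_password_guessing(events):
    """Source addresses with FAILED_LOGON_THRESHOLD or more 4625 events inside one window."""
    failures = defaultdict(list)
    for e in events:  # events are already sorted by time
        if e["id"] == 4625:
            failures[e["src"]].append(e["time"])
    flagged = []
    for src, times in failures.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > FAILED_LOGON_WINDOW:  # slide the window forward
                start += 1
            if end - start + 1 >= FAILED_LOGON_THRESHOLD:
                flagged.append(src)
                break
    return flagged


def analyze(records=SAMPLE_RECORDS):
    """Run all three checks and return the findings keyed by check name."""
    events = parse_records(records)
    return {"unauthorized_devices": find_unauthorized_devices(events),
            "off_hours_logons": find_off_hours_logons(events),
            "password_guessing_sources": find_password_guessing(events)}


if __name__ == "__main__":
    for name, findings in analyze().items():
        print(f"{name}: {findings}")
```

On the constructed records the script reports carol’s session from an unmanaged home PC, bob’s late-evening session, and the single address that tried five accounts in ten seconds, while the lone mistyped password from alice’s own laptop stays quiet. In production the same checks would read the real Security log (for example exported from Event Viewer or a SIEM) and feed the real-time alerts the article recommends.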
About the Author
François Amigorena is the founder and CEO of IS Decisions, and an expert commentator on cybersecurity issues.
IS Decisions software makes it easy to protect against unauthorized access to networks and the sensitive files within.
Its customers include the FBI, the US Air Force, the United Nations and Barclays, each of which relies on IS Decisions to prevent security breaches; ensure compliance with major regulations such as SOX and FISMA; quickly respond to IT emergencies; and save time and money for the IT department.