The instances of “ransomware” exploiting security weaknesses are increasing. New reports show that education – both higher education and K–12 – is the top sector for ransomware attacks, with 1 out of 10 organizations experiencing ransomware attacks. If your servers are accessible from the Internet, you may have set some risky business in motion. Commonly used protocols, like remote desktop protocol (RDP) or server message block (SMB), are particularly vulnerable to attack. If successfully compromised, these devices can be used to access and infect the entirety of your network.
How are devices exposed?
Some devices, such as servers, may require public access from the Internet to perform their function. These devices are exposed to some risk simply by their nature. Additional exposure, however, is often accidentally granted by permissive firewall rules.
As a best practice, whenever a firewall rule is made, the “least privilege” principle should be applied. That is, you should only allow the minimum amount of access required to make something work and no more. Firewalls with rules that allow “any” as a source IP address are opening the hosts behind them to a wide range of attacks. Rules that combine any source IP address with any destination port are equivalent to leaving a TV on the lawn overnight: something bad is going to happen, and it is only a matter of when, not if. Protocols such as HTTP and HTTPS are often open to “any” and rely on additional layers of security to protect the server. Protocols such as RDP and SMB are exceedingly dangerous to make available to everyone on the Internet.
What is an attack vector?
An attack vector is a path or means by which a hacker may gain access to your IT infrastructure for delivering a malicious payload or outcome. Attack vectors could include viruses, e-mail attachments, web pages, pop-up windows, instant messages, and more.
What can be done to protect your network?
Always insist on using the principle of least privilege. Open only pin-hole access: firewall rules that name a specific transport protocol, specific source IP addresses, specific destination IP addresses, and specific destination ports. Rather than opening the RDP port to manage your systems remotely, consider alternatives such as carrying RDP traffic inside an encrypted VPN instead of changing firewall rules. Using a VPN is a security best practice and provides improved authentication, authorization, auditing, and privacy, and helps with nonrepudiation compared to firewall rules alone.
If a VPN is not an option, consider limiting RDP access to only specific source IP addresses to reduce your attack vector exposure.
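A small audit of a rule base against the least-privilege pattern described above, as an added example (this is not ENA's tooling; the rule fields, the risky-port list and the sample rules are constructed for illustration):

```python
# Least-privilege audit of firewall rules (added example, not ENA's tooling).
# Rule fields and the sample rule base below are constructed for illustration.
from dataclasses import dataclass
import ipaddress

# Ports the article singles out as dangerous to expose to the whole Internet.
RISKY_PORTS = {3389: "RDP", 445: "SMB", 139: "SMB"}

@dataclass
class Rule:
    name: str
    proto: str   # "tcp", "udp" or "any"
    src: str     # CIDR or "any"
    dst: str     # CIDR or "any"
    dport: str   # port number or "any"

def is_any(addr: str) -> bool:
    """'any', 0.0.0.0/0 and ::/0 all mean unrestricted."""
    if addr.lower() == "any":
        return True
    return ipaddress.ip_network(addr, strict=False).prefixlen == 0

def audit(rule: Rule) -> list[str]:
    """Return the least-privilege findings for one rule; empty means acceptable."""
    issues = []
    any_src, any_port = is_any(rule.src), rule.dport.lower() == "any"
    if any_src and any_port:
        issues.append("CRITICAL: any source to any destination port")
    elif any_src and rule.dport.isdigit() and int(rule.dport) in RISKY_PORTS:
        issues.append(f"CRITICAL: {RISKY_PORTS[int(rule.dport)]} reachable from the "
                      "whole Internet; restrict the source or move it behind a VPN")
    elif any_src:
        issues.append(f"WARN: port {rule.dport} open to any source; "
                      "relies on additional layers of security")
    if rule.proto.lower() == "any":
        issues.append("WARN: transport protocol not restricted")
    if is_any(rule.dst):
        issues.append("WARN: destination host not restricted")
    return issues

# Constructed sample rule base using documentation address ranges.
SAMPLE_RULES = [
    Rule("web-https", "tcp", "any", "198.51.100.10/32", "443"),
    Rule("rdp-open", "tcp", "0.0.0.0/0", "198.51.100.20/32", "3389"),
    Rule("rdp-admin", "tcp", "203.0.113.10/32", "198.51.100.20/32", "3389"),
    Rule("wide-open", "any", "any", "any", "any"),
]

if __name__ == "__main__":
    for r in SAMPLE_RULES:
        print(r.name, audit(r) or ["ok"])
```

The "rdp-admin" rule passes because it names a single source address, which is the fallback the paragraph above recommends when a VPN is not an option.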
If you’re an ENA customer, what options do you have?
If you are an ENA NetShield customer, the ENA CTAC is available to review your firewall configuration and provide you with instructions to secure it. ENA NetShield customers can also take advantage of its optional VPN service component. For additional information about ENA NetShield, contact your local ENA ASM or visit the ENA NetShield page.
Our Internet access, firewall, WAN, network security, and content filtering services are designed to power learning, streamline operations, and protect your organization from detrimental security threats and attacks. ENA’s engineering teams are constantly testing and developing new methods of discovering and mitigating threats in today’s ever-changing network security landscape. Through sophisticated traffic pattern analysis and strategically placed active policies designed to deny known attack vectors, ENA is able to limit attack traffic at the edge of our network.
ENA is the leading provider of Infrastructure as a Service (IaaS) solutions to schools, higher education institutions, and libraries. ENA offers a full suite of connectivity, communication, and collaboration services including broadband, Wi-Fi/LAN, voice, video, and cloud solutions.