Name in API: ransomware_association
Breach Risk: High
Age Out: 1 day
Factor: Cubit Score
Summary
This issue type pertains to the exposure of Remote Desktop Protocol (RDP), Virtual Network Computing (VNC), and Server Message Block (SMB) services, which were identified through external reconnaissance efforts. Using tools such as Nmap and other network scanning utilities, we detected instances where these services are publicly accessible over the internet. These findings were corroborated by entries in the organization’s security Scorecard, indicating potential risk due to the lack of proper access controls or firewall protections.
Publicly exposed RDP, VNC, and SMB services are commonly targeted by threat actors for initial access, lateral movement, or data exfiltration. Their presence on the public internet significantly increases the attack surface of the organization and introduces serious security concerns, including brute-force attacks, exploitation of known vulnerabilities, and unauthorized access.
Remediation of this issue type involves disabling/blocking the above mentioned services or putting other security controls around them
Description
Remote access services are technologies and tools that enable users to access and control computer systems or networks from a remote location. These services facilitate seamless connectivity between users and their devices, regardless of geographical location. This allows for efficient collaboration, troubleshooting, and resource utilization. Remote access services can take various forms, including virtual private networks (VPNs), remote desktop protocols (RDP), and web-based remote access solutions. They are widely used to enable employees to work remotely, for IT support personnel to troubleshoot issues on user devices, and for system administrators to manage servers and infrastructure anywhere with an internet connection.
Risk
Using remote access services presents several risks to organizations. If not properly secured, remote access can serve as an entry point for attackers to infiltrate the network, potentially leading to data breaches, ransomware attacks, or other malicious activities. Weak authentication methods or improperly configured access controls may allow unauthorized users to gain entry, compromising sensitive information and systems. Additionally, remote access sessions conducted over unsecured networks, such as public Wi-Fi, are susceptible to interception, putting confidential data at risk of interception or eavesdropping.
Recommedations
- Enforce strong authentication methods, such as multi-factor authentication (MFA), to verify user identities before granting remote access.
- Implement encryption protocols, such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to secure data transmitted over remote access connections.
- Use virtual private networks (VPNs) to establish secure and encrypted connections for remote access sessions, especially when accessing sensitive data or systems over untrusted networks.
- Implement robust access controls and limit remote access privileges only to authorized users and resources necessary for their roles.
- Regularly update and patch remote access solutions and software to address known vulnerabilities and enhance security posture.
- Monitor remote access activities closely through logging and auditing mechanisms to detect and promptly respond to suspicious or unauthorized access attempts.
Remediation
This issue type CANNOT be resolved directly because it relies on other Issues Types (RDP, VNC and SMB) that are currently active against the Scorecard. Once findings against these issue types are remediated, this issue finding will automatically drop off on it's own.
Note: Even though the remediation options for this issue type are present, remediation if submitted will automatically be rejected by our automation. We are working on removing the remediation option completely from under this issue type.