There are few things more nightmarish to a CSO or CIO than a bad actor gaining remote access to their organization’s networked devices. Microsoft’s Remote Desktop Protocol (RDP) has long been a prime target for hackers because it provides direct access to a device or server through a graphical interface. The advent of BlueKeep makes having any unpatched RDP servers connected to the Internet particularly dangerous. BlueKeep, if exploited, not only gives attackers access to the server with RDP but also makes it possible for the attacker to “worm” into other connected systems. It’s critical for organizations to understand their complete Internet attack surface, including any exposed RDP instances or other critical exposures.
We know RDP exposures are more common than they should be. But to date, there’s been no comprehensive report on how frequently RDPs are exposed. To understand the extent of the challenge facing organizations in managing the risks from exposed RDP servers, Expanse partnered with 451 Research to examine the prevalence of RDPs across the Fortune 500.
Looking at a two-week period in April 2019, we found that 53.4% of companies in the Fortune 500 had at least one RDP exposure. Surprisingly, we also found exposed RDPs to be prevalent across industries many would assume to be the most sophisticated and well-funded. Seventy-five percent of aerospace and defense, 74.4% of technology, 55% of business services, and 51.2% of financial services organizations had at least one RDP exposure in the time period examined. Organizations in these industries are at the absolute pinnacles in their fields and many deal with highly sensitive information, which makes the prevalence of exposed RDP all the more startling.
We also found that organizations that spent more on IT (organizations that spend more on IT also typically spend more on cybersecurity) were not any less likely to have at least one RDP exposure. In fact, the top two quartiles of Fortune 500 companies by total IT spend were more likely to have at least one RDP exposure than the bottom two quartiles.
It’s best practice for organizations today to not have any RDP exposed to the Internet, or, if they must have RDP exposed, to have taken steps to mitigate the risks posed by those exposures. While we can’t verify what specific steps these organizations may have taken to reduce the risks posed by these RDP servers, the prevalence of exposed RDP is alarmingly high. It’s critical that companies in the Fortune 500 and beyond get a complete, outside-in view of their global Internet attack surface, including any RDPs, because assets like these outside of management can pose grave risks.
The fact that RDP exposures are so common even in the world’s most sophisticated organizations should represent a wake-up call on the importance of knowing and locking down your global Internet attack surface. You have to know your Internet to protect your organization. Click here to download the full report and learn more about our findings.