Worried About Your Internet Presence?

Worried About Your Internet Presence? Focus on Your Attack Surface

The Internet has created myriad ways for people and organizations to connect with one another. Unfortunately, attackers will attempt to find and exploit the Internet presence of an organization. All of the connections, profiles, pages, and posts can be discovered and potentially weaponized in both targeted and opportunistic attacks.

RDP and BlueKeep: What You Need To Know

On May 14th, 2019, Microsoft released a patch for a pre-authentication vulnerability affecting several versions of Windows. Microsoft even released a patch for end-of-life software because the vulnerability is so serious that it has the potential to create a WannaCry-style global outbreak. In this post, we’ll talk about RDP, the vulnerability, and how you can make sure that you’re secure.

RDP: Already Known to be Trouble

Remote Desktop Protocol is a Microsoft-based service that allows a user to remotely connect to a device and interact with it through a virtual interface. It’s like a screen share where you can control what’s happening on the projected screen. RDP is a very useful tool but was never intended to be exposed to the public Internet. If it is ever compromised, the attacker can do just about whatever they want; it’s as if they were sitting in front of the physical device.

RDP has a lot of known issues. In fact, RDP is one of the most common entry vectors for ransomware. The SamSam campaign has targeted dozens of organizations, bringing down hospitals and local government. Attackers scan the global Internet looking for exposed devices open on RDP and then attempt a brute-force password guessing attack. If strong passwords and lockouts aren’t used, the attacker can gain direct access to a user’s machine and then begin to move laterally. It’s incredibly dangerous to have one thin layer separate attackers from a user’s device, which is exactly how RDP operates when it is publicly exposed.

WannaCry 2.0

RDP is already known to be risky. But CVE-2019-0708 — also known as BlueKeep — takes things up a notch by allowing an attacker to remotely execute code pre-authentication with no user interaction. This is just about as bad as it can get for a vulnerability. All an attacker needs is a vulnerable device; no user to click on anything, no privileges, nothing. And the complexity of the attack is low, meaning that attackers will reverse engineer the exploit quickly.

The result could be a program that seeks out vulnerable devices (of which there are many), automatically infects them, and then continues to spread. These worms, which are self-propagating infections, are the worst kind and can quickly spiral out of control.

In 2017, WannaCry infected around 200,000 machines across 150 countries via a similar mechanism (SMB). Hospitals were hit especially hard, rendering their computer systems unusable. An RDP worm could cause similar damage, making this a vulnerability that’s especially important to patch immediately.

Cover Your Assets

With all of the dangers associated with RDP, you might think that it is tightly controlled and rarely exposed. But you’d be wrong. In the past two weeks, Expanse observed RDP instances exposed at 50% of the Fortune 500. Seventy percent of the Fortune 100 had at least one exposure in the past three months.

Why are these exposures so common? Mostly because they occur in an organization’s blind spot, namely cloud and ISP IP space. Some employees purposely expose their laptops on RDP to get work done. Other times, misconfigurations can result in an employee’s laptop being exposed while they travel.

These exposures occur outside of an organization’s known IP space. The device could be sitting in IP space registered to a coffee shop, a hotel chain, or an employee’s home Internet connection, and it is nearly impossible for the security team to detect the exposure unless they are monitoring the global Internet.

Expanse identifies rogue RDP exposures via signature-based detection. Cyber risk analysts use Expanse’s internal mapping engine to discover and track specific configuration details, which are then used to track RDP exposures no matter where they occur. Exposures that reside in on-prem or cloud environments, consumer dynamic IP space, or any other portion of the Internet can be found when you monitor everything.
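The core of the blind-spot problem described above is a join between two data sets: what an external observer sees listening as RDP, and what address space the organization believes it owns. The script below is an added illustration of that join, not Expanse’s code or mapping engine. Its observations, the organization’s CIDR list, and the service labels are all constructed sample data; the only real facts it relies on are that RDP’s default port is 3389 and that an RDP exposure outside known IP space is the case the security team is least likely to see.

```python
"""Flag RDP exposures observed outside an organization's known IP space.

Added example; not Expanse's code. The observations below are constructed
sample records of the kind an external scan or attack-surface monitor might
produce (IP, port, service label from a protocol signature). The CIDR list is
a made-up set of ranges the organization believes it owns.
"""
import ipaddress
from dataclasses import dataclass

RDP_DEFAULT_PORT = 3389  # RDP's well-known port; exposures may also sit elsewhere


@dataclass(frozen=True)
class Observation:
    ip: str
    port: int
    service: str   # protocol as identified by the scanner's signature, e.g. "rdp"
    note: str = ""  # free-text context attached to the record (constructed here)


# Constructed: address space the organization has registered and monitors.
KNOWN_RANGES = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/25")]

# Constructed observations. 192.0.2.0/24 stands in for ISP / consumer IP space.
SAMPLE_OBSERVATIONS = [
    Observation("198.51.100.7", 443, "https"),
    Observation("198.51.100.22", RDP_DEFAULT_PORT, "rdp", "managed jump host"),
    Observation("192.0.2.45", RDP_DEFAULT_PORT, "rdp", "laptop on hotel Wi-Fi"),
    Observation("203.0.113.200", RDP_DEFAULT_PORT, "rdp", "cloud VM outside the registered /25"),
    Observation("192.0.2.9", 22, "ssh"),
]


def in_known_space(ip: str, ranges=KNOWN_RANGES) -> bool:
    """True if the address falls inside any range the organization claims."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def is_rdp(obs: Observation) -> bool:
    # Decide on the protocol signature, not only the port: RDP moved off 3389 is
    # still RDP, and an unrelated service listening on 3389 is not.
    return obs.service.lower() == "rdp"


def classify(observations, ranges=KNOWN_RANGES):
    """Split RDP observations into (inside known IP space, outside it)."""
    known, rogue = [], []
    for obs in observations:
        if not is_rdp(obs):
            continue
        (known if in_known_space(obs.ip, ranges) else rogue).append(obs)
    return known, rogue


def report(observations=SAMPLE_OBSERVATIONS, ranges=KNOWN_RANGES) -> str:
    """Human-readable summary; the 'outside' list is the blind spot to chase first."""
    known, rogue = classify(observations, ranges)
    lines = [f"RDP exposures in known IP space: {len(known)}"]
    lines += [f"  {o.ip}:{o.port} {o.note}".rstrip() for o in known]
    lines.append(f"RDP exposures OUTSIDE known IP space (blind spot): {len(rogue)}")
    lines += [f"  {o.ip}:{o.port} {o.note}".rstrip() for o in rogue]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

With the constructed data, the jump host on 198.51.100.22 lands in the known list, while the hotel-network laptop and the cloud VM just past the registered /25 land in the rogue list; the latter two are exactly the exposures that never show up when monitoring stops at the organization's own ranges.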

To help organizations protect themselves, we’re offering a complimentary report on your RDP exposures.

Types of Risky Communications You Should Watch Out For

How do you know who your assets are talking to? If you don’t have visibility into risky communications your assets and employees are engaging in, you can’t secure your network and your data. Subsidiaries and strategic suppliers only make this more complicated, because while you don’t generally have direct visibility into their networks, risky behavior can still negatively affect your security posture.

Common Cybersecurity Issues

3 Security Issues Every Organization Should Worry About

Before joining Expanse as a Cyber Risk Analyst, I worked as a cybersecurity consultant for one of the Big Four auditing and professional services firms. In that time, I got a front-row seat to the security challenges facing enterprises today. I learned to be skeptical of the cyber maturity of the “big guys,” or the large and well-established enterprises that are connected to the daily lives of millions. While working with clients of all sizes across multiple industries, I realized very few organizations have even a decent grip on their actual cybersecurity posture.

Increasing Your IQ Around Attack Surface Reduction

Your Attack Surface Problem Is Really an Asset Management Problem

The foundation of effective security is knowing what you need to protect. Without a full inventory of your Internet-connected assets, you don’t have a clear picture of your attack surface. And that means you can’t identify and remediate exposures. While many organizations today may think they understand their attack surface, the truth is that they don’t because of a fundamental breakdown in asset management and governance.

Quantitative Methods for Assessing Cyber Risk - Part 3

Part 3: Quantitative Methods for Assessing Cyber Risk

Accurately model risk to up-level cyber discussions and evolve security postures

Most businesses are very comfortable assessing risk, whether it be from a project failing, market uncertainty, workplace injury, or any other number of causes. But when it comes to cyber security, rigor disappears, hand-waving commences, and analysts pick a color (red, yellow, or green).

Quantitative Methods for Assessing Cyber Risk Part 2

Part 2: Quantitative Methods for Assessing Cyber Risk

Accurately model risk to up-level cyber discussions and evolve security postures

Most businesses are very comfortable assessing risk, whether it be from a project failing, market uncertainty, workplace injury, or any other number of causes. But when it comes to cyber security, rigor disappears, hand-waving commences, and analysts pick a color (red, yellow, or green).

Quantitative Methods for Assessing Cyber Risk

Accurately model risk to up-level cyber discussions and evolve security postures

Most businesses are very comfortable assessing risk, whether it be from a project failing, market uncertainty, workplace injury, or any other number of causes. But when it comes to cyber security, rigor disappears, hand-waving commences, and analysts pick a color (red, yellow, or green).
