The focus was on productivity, and getting the business operational was the sole goal. It makes perfect sense; the world was responding to a complete shift in how we work. But now, we’ve all either heard about or experienced the massive rise in cyberattacks since the pandemic started. And securing everything about how your remote workforce connects to the corporate network has become the priority.
However, the focus for most companies has been on “how to connect securely.” With the emphasis on the connecting part and not necessarily on ensuring that. Regardless of how the remote workforce gains its remote access, it helps to ensure the organization’s security stance.
The answer was to use the native remote desktop functionality built into Windows for some. Others did the same but used a VPN first to encrypt the connection. Still, others use some form of third-party remote access solution, which likely provides even better security and control.
Regardless of your answer (and disregarding, for the moment, the apparent or nonexistent cybersecurity value each solution provides), I want to place your focus on the need for multi-factor authentication (MFA) when providing any remote access. I’m a huge believer in MFA for literally everyone in the organization to preserve your cybersecurity stance. So, here are three reasons why I’m passionate about seeing MFA as part of your remote access strategy.
1. There’s too much “Access” to Remote Access
While we’d all like to think that technologies like Microsoft’s built-in Remote Desktop Protocol (RDP) aren’t accessible from the Internet, that’s just not the case. According to security vendor ESET, the last third of 2021 saw a 274% increase in RDP-based brute force password attacks over the previous third of the year (yes, they’re analyzing 2021 in thirds due to specific trends in cyberattacks). And if you think that stat represents a small number of attacks, the number of attacks in the last third was 206 billion in just the last third of 2021 alone! The point here is this massive number of attacks wouldn’t exist if there were no RDP sessions externally accessible in the first place. In short, there are way too many organizations today that have RDP-based access to their networks. And even if you’re not using RDP specifically, but are using a third-party remote access solution, many of the threat actors are using the very same solutions for remote access during cyberattacks.
One of the reasons these attacks are so prevalent is the simplicity of finding an exposed remote access connection. For example, threat actors run automated scans across all ports looking for an RDP response and, second, automating a brute force password attack when no MFA is required. Should an organization require MFA over these exposed RDP connections (which should be disabled, for the record), the likelihood of these attacks succeeding (as they exist today) diminishes to zero. There is no native solution built into Microsoft RDP to prevent brute force attacks, so attackers have free reign to try as many user/password combinations as they desire.
2. Credentials Are Too Easy to Obtain
In many cases, the use of remote access comes in conjunction with a phishing campaign intent on tricking users into providing their Microsoft 365 credentials. In 57% of phishing attacks, the goal is to obtain online credentials. Since these are often the same credentials as the user’s Active Directory account, the credentials provide a threat actor with everything they need, providing an RDP session to connect to within the same organization.
Again, with the use of MFA in place for RDP, the credentials on their own are useless. However, if an organization has MFA on their remote access, they also likely have it in place for online applications, making the obtaining of use of credentials in the first place difficult to impossible.
3. Remote Access Provides Too Much Privilege
A given compromised set of credentials initially gives threat actors a foothold within the business and access to any data and applications that the user has access to – this, alone, creates a tremendous risk, depending on the user account. It also gives them access to a Windows endpoint (in most cases). Depending on how well-patched the OS and applications are, the remote access endpoint may provide an easy path to obtaining elevated credentials by taking advantage of vulnerabilities commonly used in attacks. In addition, it gives the threat actor a known identity within the organization to further attack the rest of the company.
I like to use the example of the mailroom clerk who only has access to the web to access shipping company websites and their corporate email. If they were the one compromised by a threat actor, a simple phishing email to every person in the organization using the social engineering tactic of informing the potential victim they have a package waiting for them and providing a malicious link. Add in MFA to this scenario, and the threat actor cannot reach the remotely accessible endpoint in the first place.
MFA is Just What Your Remote Access Needs
Remote access is a productivity play; it empowers organizations to extend the reach of the corporate network out to their employee’s homes, coffee shops, hotels, etc. But that extension also includes developing the organization’s potential threat surface to those very same places. The addition of MFA to remote access creates a defense in depth strategy (layered on top of basic credentials) to help stop cyberattacks before they ever really get started.
So, whether you are using RDP or a third-party remote access product, it makes sense that your business should enable MFA for every user to make sure the credential user is also the owner of that credential. Doing so will significantly reduce the risk of attack for remote access while only adding a slight burden on the user at logon.