As organizations increasingly adopt remote work in the wake of COVID-19, the remote desktop protocol (RDP) has experienced a significant surge in usage. It comes as no surprise then that cybercriminals have demonstrated greater interest in RDP as well. Balancing an organization’s remote access and security needs requires a new approach to security, including the adoption of a zero trust architecture.
The Reasons Behind the Sudden Popularity of RDP
RDP enables an employee to remotely control a desktop computer located in their office. With the surge in COVID-inspired remote work, use of this technology has increased significantly. RDP provides a number of benefits for organizations embracing telework, including:
- Device Flexibility: Employees may wish to use a variety of different devices when working from home; however, certain job roles may require software that is only available on a particular operating system or that has high memory or CPU requirements. With RDP, an employee can run these programs on their office machine while controlling it with any device that can run an RDP client.
- Easier Deployment: Depending on the software requirements of a particular job role, provisioning a new machine for teleworkers can be a complex and time-consuming process. By using RDP, an organization avoids the need to set up a new machine for employees suddenly working from home.
- Simplified Licensing: Many different types of software have a “per user” or “per device” licensing model, meaning that an employee with multiple computers may require multiple licenses. With RDP, working remotely doesn’t mean that a company needs to purchase additional licenses for teleworkers’ home-based devices.
- Improved Data Security: When using RDP, all processing is performed on the office machine, and only the image of its display is sent to the remote user. This means that an employee does not have to download sensitive information to a local device to perform processing tasks, enabling an organization to ensure that this data does not leave the enterprise network.
- Regulatory Compliance: If data protected by regulations never leaves the corporate network, then an organization does not need to design a unique data security strategy for remote devices. This can dramatically simplify regulatory compliance and may be essential for allowing remote work in certain industries or with particular types of data.
Cybercriminals are Huge Fans of RDP As Well
RDP has made it possible for a number of organizations to continue “business as usual” through the COVID-19 pandemic without significant changes to their network infrastructure or the purchase of laptops or other mobile devices for the entire workforce. However, the sudden widespread use of RDP has also provided an opportunity for cybercriminals to use it in a variety of different attacks, including:
- Credential Stuffing: Credential stuffing attacks involve testing weak or breached credentials to see whether they are valid for a particular account. Accomplishing this requires access to a login portal, which RDP provides. The increased usage of RDP provides attackers with opportunities to test credentials for an employee’s corporate accounts and, if successful, to gain authenticated access to enterprise systems.
- Ransomware Delivery: RDP has become a favorite delivery vector for ransomware operators. After an attacker gains access to a corporate system using RDP, they can directly drop and run the malware themselves instead of using complex attacks to do so.
- Distributed Denial of Service (DDoS) Amplification: A recent study determined that vulnerable RDP servers can be used as DDoS amplifiers. By including these servers in their attacks, DDoS attackers can conceal the source of an attack and achieve a greater impact on the target than if they attacked it directly.
These are only some of the ways in which cybercriminals can leverage RDP within their attacks. They pose a significant threat to the security of the organization using RDP and anyone who is targeted by DDoS attacks leveraging their servers. Despite this, the benefits of RDP can outweigh the risks if the service can be used securely.
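The credential-stuffing pattern described above leaves a recognisable trace in the Windows Security log: a single source address producing many failed RDP logons (Event ID 4625 with LogonType 10, RemoteInteractive) across many different accounts in a short window, sometimes followed by a successful logon (Event ID 4624) from the same source. The following detector is an added example written for this page, not code from the original article; the log lines are constructed sample data in a simplified key=value layout that a collector might emit, and the thresholds are assumptions to tune for a real environment.

```python
"""Flag credential-stuffing patterns in RDP logon events (Event IDs 4625/4624).

The sample below is constructed for illustration. Real Security events are
EVTX/XML; the flattened "key=value" line format is an assumption about how a
log collector might export them.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 cycles through six accounts and then logs in
# as "frank"; 198.51.100.22 is one user mistyping their own password twice;
# 192.0.2.5 is a network (LogonType 3) failure, which this detector ignores.
SAMPLE_EVENTS = """\
2024-05-01T08:00:01 EventID=4625 LogonType=10 TargetUserName=alice IpAddress=203.0.113.7
2024-05-01T08:00:04 EventID=4625 LogonType=10 TargetUserName=bob IpAddress=203.0.113.7
2024-05-01T08:00:09 EventID=4625 LogonType=10 TargetUserName=carol IpAddress=203.0.113.7
2024-05-01T08:00:15 EventID=4625 LogonType=10 TargetUserName=dave IpAddress=203.0.113.7
2024-05-01T08:00:22 EventID=4625 LogonType=10 TargetUserName=erin IpAddress=203.0.113.7
2024-05-01T08:00:30 EventID=4625 LogonType=10 TargetUserName=frank IpAddress=203.0.113.7
2024-05-01T08:00:41 EventID=4624 LogonType=10 TargetUserName=frank IpAddress=203.0.113.7
2024-05-01T08:05:10 EventID=4625 LogonType=10 TargetUserName=bob IpAddress=198.51.100.22
2024-05-01T08:05:20 EventID=4625 LogonType=10 TargetUserName=bob IpAddress=198.51.100.22
2024-05-01T08:05:35 EventID=4624 LogonType=10 TargetUserName=bob IpAddress=198.51.100.22
2024-05-01T08:06:00 EventID=4625 LogonType=3 TargetUserName=svc_backup IpAddress=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)

RDP_LOGON_TYPE = 10   # RemoteInteractive: RDP / Terminal Services
FAILED_LOGON = 4625
SUCCESS_LOGON = 4624


def parse_events(text):
    """Parse the flattened log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "eid": int(m["eid"]),
            "logon_type": int(m["lt"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_failures=5, min_accounts=4):
    """Return {ip: {...}} for sources whose RDP failures inside one sliding window
    hit both thresholds. Many distinct accounts from one source is the
    stuffing/spray signature; one account failing repeatedly is usually a user.
    A 4624 from the same source after the flagged failures is the high-priority signal.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["logon_type"] == RDP_LOGON_TYPE:
            by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["eid"] == FAILED_LOGON]
        best = None  # (failure_count, distinct_accounts, first_failure_ts)
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            chunk = fails[start:end + 1]
            accounts = {e["user"] for e in chunk}
            if len(chunk) >= min_failures and len(accounts) >= min_accounts:
                if best is None or len(chunk) > best[0]:
                    best = (len(chunk), len(accounts), chunk[0]["ts"])
        if best is None:
            continue
        successes = [e["user"] for e in evs
                     if e["eid"] == SUCCESS_LOGON and e["ts"] > best[2]]
        flagged[ip] = {"failures": best[0], "accounts": best[1],
                       "success_after": successes}
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_events(SAMPLE_EVENTS)).items():
        print(f"{ip}: {info}")
```

Run as-is it reports only 203.0.113.7, with six failures across six accounts and a later success as "frank"; the two failures from 198.51.100.22 and the non-RDP failure from 192.0.2.5 are not flagged. In production the same logic would run over a SIEM export, and the "success_after" list is the finding to escalate first, since it indicates a stuffed credential that worked.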
Achieving Secure, Usable Remote Access with Zero Trust
The main problem with RDP from a security perspective arises when it provides unauthorized access to corporate systems. If only legitimate users can access the service, then the potential security impacts are minimal.
Using RDP effectively without risking a cyberattack requires implementing a zero trust architecture. Under the zero trust model, access to corporate resources (like RDP) is provided on a case-by-case basis. The remote user needs to authenticate their identity, and, once authentication is complete, all future requests are permitted or denied based upon the access and permissions assigned to that particular user account. This means that if a system has strong user authentication – using two-factor authentication (2FA) – and well-designed permissions, then the cybersecurity threat of RDP is minimal.
However, zero trust is only effective if it can be enforced. Accomplishing this requires a remote access solution with support for zero trust network access (ZTNA), such as secure access service edge (SASE).
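The per-request decision the zero trust model calls for can be made concrete as a small policy engine sitting in front of the RDP broker: every session request is checked against the requester's verified identity (including how recently 2FA was completed), the device's compliance state, and the entitlements assigned to the requester's groups for that specific host. The code below is an added example for this page, not the article's or any vendor's product; the group-to-host entitlements, the 2FA freshness limit and the decision reasons are constructed assumptions.

```python
"""Per-request zero trust authorization for RDP sessions (added example).

Every request is evaluated on its own; there is no "inside the network" shortcut.
Entitlements, MFA freshness limit and reason strings are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Set, Tuple

# Constructed entitlement table: which groups may open an RDP session to which host.
ENTITLEMENTS = {
    "rdp://finance-ws01": {"finance"},
    "rdp://dev-ws07": {"engineering"},
    "rdp://hr-ws03": {"hr", "it-helpdesk"},
}

# Assumption: a 2FA proof older than this must be renewed before new sessions are brokered.
MFA_MAX_AGE = timedelta(hours=8)


@dataclass(frozen=True)
class Principal:
    user: str
    groups: Set[str]
    mfa_verified_at: Optional[datetime]  # None = password only, no second factor
    device_compliant: bool               # result of a device posture check


@dataclass(frozen=True)
class Request:
    principal: Principal
    resource: str      # e.g. "rdp://finance-ws01"
    at: datetime       # time the request is evaluated


def authorize(req: Request) -> Tuple[str, str]:
    """Return ("allow"|"deny", reason). Checks are ordered so the cheapest
    deny fires first and every deny names the control that blocked it."""
    p = req.principal
    if p.mfa_verified_at is None:
        return ("deny", "mfa-required")
    if req.at - p.mfa_verified_at > MFA_MAX_AGE:
        return ("deny", "mfa-stale")
    if not p.device_compliant:
        return ("deny", "device-noncompliant")
    allowed = ENTITLEMENTS.get(req.resource)
    if allowed is None:
        return ("deny", "unknown-resource")   # default deny: unlisted hosts are unreachable
    if p.groups & allowed:
        return ("allow", "entitled")
    return ("deny", "not-entitled")


def broker(req: Request) -> dict:
    """Wrap the decision in the audit record a broker would emit for every request."""
    decision, reason = authorize(req)
    return {
        "user": req.principal.user,
        "resource": req.resource,
        "decision": decision,
        "reason": reason,
        "at": req.at.isoformat(),
    }


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 9, 0)
    alice = Principal("alice", {"finance"}, now - timedelta(hours=1), True)
    # Same identity, but the attacker only has the password (no 2FA) and an unmanaged device.
    stolen = Principal("alice", {"finance"}, None, False)
    for r in (Request(alice, "rdp://finance-ws01", now),
              Request(alice, "rdp://dev-ws07", now),
              Request(stolen, "rdp://finance-ws01", now)):
        print(broker(r))
```

The ordering of the checks is deliberate: a stuffed password alone never reaches the entitlement lookup, a valid user with a stale second factor is asked to re-authenticate rather than silently allowed, and a host missing from the entitlement table is denied by default. The audit record returned by `broker()` is what feeds the detection side, so every denied request is visible to the security team.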