Securing a Remote Workforce in the Face of COVID-19 and Planning for the Future
2:55PM Jul 31, 2020
Hi, welcome back to HOPE 2020. We've got a great show for you right now. We have Christopher Flatley, who is a preeminent cybersecurity doctor at SUNY Rockland here in New York. This discussion is Securing a Remote Workforce in the Face of COVID-19 and Planning for the Future. Take it away.
So I'll be talking about a remote workforce and planning and securing it for the future. A lot of what we're dealing with now is kind of unprecedented. I shouldn't even say kind of unprecedented; it's completely unprecedented, what we're dealing with now. So there are a lot of things that have come up and things that companies have realized throughout this that have really made us more aware, and that are kind of crafting the way that we're going to respond in the future. You know, a lot of people don't want to stay fully remote, but it's given us a lot of lessons that we can take and apply to disaster recovery, business continuity and other concepts, other than just dealing with a pandemic situation.

So, I'm the owner of a cybersecurity company based out of New York. My company maintains about 4500 endpoints in three different countries, and we do 24/7 remediation and response for any security threats or anything that's going on with them. And we've seen about a 37% increase in attacks across all of our clients nationwide. I'll focus on the United States for the purpose of this talk, because that's where all my data is pulled from. So we've seen about a 37% increase in attacks on those clients. Now these attacks have ranged from RDP exploits to people just trying to get into their web servers and mail servers, really the whole gamut of people trying to take advantage of the COVID-19 situation, people working from home, and people kind of adjusting. A lot of people aren't as familiar with the procedures for working from home, or may be more likely to open an email that says, hey, here's our COVID procedure, or click on this to get resources for COVID, than they would be during a normal situation where everything is business as usual. I'm also a full-time professor for the State University of New York, where I teach cybersecurity classes and coach the Ethical Hacking Team that we have there.
So the cybersecurity threats that I'm going to talk about throughout here are pretty current as of right now, but as we all know, cybersecurity threats are constantly evolving and changing. It's a metric that you really can't pin down and can't just learn without continuing to learn and research. So I may say things in here, I may talk about different protocols or programs that are vulnerable now, that may not be vulnerable tomorrow, or that may be safe now and may not be safe tomorrow. It's an ongoing process of learning what's safe and what's not. So please, if you're looking at this talk, taking notes and trying to figure out how you're going to implement your own strategies, do your own research. You know, focus on your industry and what the risks are to you, and really just make sure that everything is current.

So, I'm going to talk about a couple of the obstacles in the beginning, and then we'll move towards RDP, where I've seen kind of the most attacks and the most vulnerabilities present themselves. So the biggest problem for all businesses, especially when COVID-19 started, was the lack of access to local resources. And what I mean by that is servers, printers, scanners, all the things that when you go into an office you take for granted. You go into the office, your computer's at your desk or you bring your computer with you, and now you can access the file server that sits on the same network; you can access the scanner, the printer, all the resources that are there when you get into the office. Your home is now your office. Everybody doesn't have the home server, or doesn't have the office servers sitting at their house. So we need to deal with how we get people access to these resources. More importantly, how do we get access to these resources securely? Which brings us to our next problem, or a sub-problem of local resources: no VPN access, and no VPN set up and configured.
So most businesses, if they're operating brick and mortar, where you go into the office, don't really have VPN capabilities: a virtual private network, the ability for workers to connect remotely into their environment and act as if they were on the company network. So if you don't have that capability, you start looking for other solutions, which we'll discuss in a little bit.

An even bigger problem is companies that had an existing VPN. Now, I see that as an even bigger problem because I'm coming from the IT side, and from the IT side, we look at the C-level executives, and they go, make this happen, and we go, no, sorry, that's not possible. And they go, well, we think it is. And that's what we have to put up with. So companies that already had an existing VPN, that already had the ability for some of their workforce to work remotely, were running into problems with executives basically saying, well, we already have five people working remotely, why can't we have 500 people working remotely? Not understanding the limitations of the technology, or what that actually means from a technical standpoint. So sometimes when I was having conversations with clients, it was actually easier to take them from nothing to having a proper setup than it was to convince them that their setup would not suffice and would not support the number of employees that they needed to have working remotely.
Providing take-home technology: has anyone tried purchasing a laptop, or really any tablets or anything, in the beginning of COVID? Most resellers were out, especially the ones that normally have pallets of laptops sitting around for enterprises to just buy on hand. It was really hard to get laptops, especially for a fair price. The price just skyrocketed on enterprise laptops. So, getting the take-home technology, and also freeing up a budget to buy the take-home technology, became very difficult to do, because the situation skyrocketed, especially in New York, where everybody just came home and didn't come back to work one day. A lot of the support that we did was in offices that haven't had employees there for months now, and we're going in and everything's left there, everything is left on the desk as if they were coming into work the next day, because some of them didn't realize they wouldn't be coming into work the next day. So getting that technology and making it available for them to bring home is another issue.
Where's the company's IT responsibility? Companies have to navigate what tickets are actually theirs. If the user is complaining that their internet isn't working, normally that would be IT's issue. But is the internet problem actually with the home ISP, or is it with the connection to the VPN, or the connection to the company's resources? A lot of times, especially with people having cable and the amount of saturation on those networks, we ran into a lot of problems with people not being able to connect, or not being able to get proper speeds, or their internet just dropping. ISPs were putting out some reports that showed that the peak numbers that they normally hit are now their sustained numbers, because everybody was working from home, and their networks weren't built to cope with that. So you're having outages everywhere. The Optimum outage map for New York was basically just a big orange blob. So every time a client calls and they're like, hey, people can't connect from home, we looked at the map and we go, yeah, you're in an outage area. We'll come check it, or we'll try to remote in and see what we can do, but you might just have to restart the modem and wait for it to come back up online, as Optimum is doing everything they can. Which ties right into the slow bandwidth speeds.
So, failing to plan is planning to fail, something I like to say, never to clients, but oftentimes to the people behind the scenes, because these companies don't plan properly. Not everyone is going to plan for a pandemic-level situation. But that's not the problem. What we actually saw was that people had a lot of solutions put in place that they would be able to use, and for disaster recovery, you have to plan to work remote, or you have to plan for if something happens to your physical location. So we actually saw that people had plans, the ones who actually put proper plans in place to move their workforce remote or allow their workforce to continue. Now, these plans had to be tweaked a little. They didn't necessarily take into account not being able to be in the office for several months at a time. It was more of a short-term recovery plan, where they were focusing on moving to a new location for a short period of time before getting back into the office, but they did have plans in place. Some of them. The ones that didn't are the ones that we saw scrambling, and that's where mistakes got made, and lots of them. And I'm not just talking about my clients, because I'm not going to say my clients didn't make any mistakes. I had a couple that would just take computers home without asking us. One of the managers made a call, or made a decision, and he told all the employees, oh, you guys have to work from home, so just take the desktop and the monitor from your workstation and bring it home with you. Nobody saw any issues with that, and it was all fine until the desktops got to the house, and now they're paperweights, because we had so much security on them to prevent them from connecting to any rogue networks, to make all the resources only accessible if they were on the local network, and now all of their desktops were at home. So we couldn't actually provide any support for them, because our remote connection tools weren't even working, because they wouldn't connect to the internet. So then we get a call from that company: why can't we log in? Well, because you never asked us about bringing your desktops home. And then they're like, okay, well, give us a way to remote in or to connect to the office.
Oh, you just took home all of the desktops that I would normally have you use to remote into. So I don't know exactly what you want me to do. It's going to be a very expensive solution now, where we spin up some virtual machines on Azure, have a VPN set up and have a site-to-site link. Now it's going to be really complicated, which, I have to say, they weren't thrilled about.
That's what happens when you have people who don't have IT experience, or don't have any technical experience, making some of the decisions related to IT without consulting with the people who have to do the implementation. And I know a lot of IT people that I've spoken with, a lot of friends and colleagues in the industry, have faced the same thing. There's a disconnect between what IT is capable of doing and what management believes should be capable of happening.
For some of the companies that we support, just to address one of the questions: for some of the companies that we support, they've told their employees, don't plan on coming in until November, maybe December. You know what, we'll probably not even finish; we probably won't be in the office for the year. So one of them, a New York City office, probably three months ago just got another office space a couple of floors up from them in the same building, and they're now looking at removing that office space again, because they have the capability for a lot of these people to work remote. A lot of what we're seeing, and the kind of limitation on people working remotely, is people stuck in an old mentality, or stuck in a mentality of, well, you work in finance, you have to be on site.
We have a lot of technology at our disposal. We have a lot of ways to secure data; we have a lot of ways to provide them this remote experience. You know, some of the finance companies that I work with have actually sent the computers home. They've provided a complete workstation for their employees at home, because essentially for them, they're like, okay, it's the same expense, except now we don't have to pay for any of the expenses of them being on the property. We don't have to pay for all the lights to be on. We don't have to have 100 square feet for them to work in, all these different things that they now don't have to do for an on-site employee. They're like, absolutely, we'll send you home with your workstations.
So a lot of it comes down to management, not necessarily technical limitations. I believe that past COVID we'll see a lot more remote work. And then at the same time we might see an overcorrection of companies trying to drag all their employees back in. We have a couple of people now who are fully set up to be remote and they're like, we want our employees in immediately. They don't need to be there; it's just that the manager wants to see the employees, wants to be able to make sure that he or she knows they're working and keep an eye on them. So in general, larger companies, I think, are going to adopt a more hybrid remote workforce model. Maybe not entirely remote, but maybe you'll come into the office two or three days a week, and be able to work remotely for the other two or three days. Smaller companies, I think, will still jump back to the in-person workforce, because they don't want to spend the money on it. They see it as a large initial expense. And for many companies, IT is kind of a black hole where money just goes and they don't really see the profit, because it doesn't have a line item of sales or how much money it brought in; it is there to support the business. So for them, they see it as a black hole.
So, if you don't have a VPN, or your VPN is not capable of handling the amount of users you need, or doesn't have the throughput, whether it's the VPN or your actual internet connection, people started looking at third-party remote desktop tools. They started looking at things like TeamViewer, AnyDesk, Chrome Remote Desktop. I'm sure everybody can name probably 10 of them off the top of their head that we've all now heard of, and their advertising has really been ramped up. So they start looking at all these third-party tools. Now, third-party tools are great, except when there isn't proper management over them. So, the companies that we work with, we don't always have complete management over their IT infrastructure. A lot of times we just support them. And we'll be looking at computers and we'll be like, is there somebody accessing this computer remotely? And they'll be like, we don't know. And I'm like, well, there's TeamViewer on here, and I can see that it's connected to a session. And they'll have no idea that their employees have remote access, or what tools they're using.
When you don't centrally manage that, what happens when an employee leaves, or when you have to fire an employee, and now they have a remote access tool on that computer that isn't directly linked to company accounts? You know, if you're using Chrome Remote Desktop, that links to a company account if you're using G Suite; we can lock that out immediately and stop the user from accessing it. But if they have their own TeamViewer account set up on there, their own AnyDesk, any of these other free alternatives, they now have a backdoor into our network through what is seen as a legitimate access tool. So it's not like an antivirus is going to pick up TeamViewer and go, hey, wait a minute, you have TeamViewer. TeamViewer is a legitimate tool. That's kind of one of the scary things that people don't think about. They're like, I got hacked, and it's like, well, you didn't get hacked, you got connected to by someone, a malicious insider who shouldn't have had access. And then Windows Remote Desktop, which I'm going to focus a lot of time on, because everybody loves Windows Remote Desktop and doesn't really understand its limitations. It's already built into Windows, so every place that needs to do a quick and dirty solution, I found this to be the easiest thing they could possibly implement and make work.
And then the other thing we saw is, if your VPN can't handle the traffic, just remove the VPN. Sounds like a fantastic idea to me. Why do we need the VPN? It's solely making things secure; let's just have everyone connect directly. And that's where the really big problems came in, with people allowing direct connections to their network and making it possible for end users to just connect directly to machines. They're connecting directly to the router or firewall and having those connections forwarded to their machines, which means everybody can get to those connections, and everybody can try attacks on those connections. Security through obscurity is a phrase mentioned a lot when it comes to RDP. Remote Desktop Protocol operates on port 3389. It's a known port; everybody knows that. All the scans I'm going to show you come from scanning this known port. But what people will do, because they think that they're sneaky, is they'll take this port and they'll change it, and they'll say, hey, instead of connecting on port 3389, we're going to connect on port 1111, and make it so that nobody would know it, so if you're scanning, you're not scanning their particular port. The problem is that technology has progressed so far that I don't need to worry about, or I don't need to limit, my port scans to only one port for them to be effective. There are so many tools out there that make it really easy for me to just search and find anything that's running on the internet.
One of those is Shodan, the internet search engine for, essentially, internet-connected devices. So if you think that, oh, I'm just one person, or I'm a small business, nobody's focusing on me: you're right. Nobody is focusing on you. Nobody cares to focus on and target you. However, attackers don't manually do this. When we're doing our security testing, we're not manually going through and typing each number in; we're not manually going through and typing each password. We have tools for that. So we can use search engines, or products like this, that will allow us to grab massive amounts of data in, and then run our automated tools against it. So you can see here, using that tool, I searched 3389 for RDP, I focused it on the US and New York, and I got thousands, or tens of thousands, of results. I think the last time I ran it I got like 25,000 results. And you can actually see the desktop of the people that you would be trying to log into, or that are exposed to the internet. Now, I should mention that connecting to these desktops in any unauthorized use is definitely a crime. The big use of Shodan is for security researchers to see and grab this information so that we can actually form these talks and form these kinds of trends of how RDP and how different services are working. I actually use this to monitor my clients; they have a really good API that allows me to use it for my security testing as well.
But you can see someone's desktop here. They had a username there that would let me know the name of their company, or if they had it on a domain, I would be able to know exactly what company that belongs to, and know that it's exposed to the internet. So this is obviously really bad. Anytime I can see someone's desktop that they don't want me seeing, that's a bad day for anyone. And you can see I took out the IP address; I'm not trying to make anyone's life easy.
VPNs, when you're configuring them: one of the important things is considering bandwidth. And so one of the questions here is, it's not really a rule of thumb that I necessarily go by, because it really goes by the data that you're transmitting over there. So clients that are doing graphics-intensive work, maybe they're doing CAD work, or maybe they're connecting to mail servers or things like that, your VPNs are going to need much more data than you would if you're just doing a regular remote desktop through a VPN, which is secure if you connect to a VPN first and then use remote desktop. Remote Desktop is a fantastic tool. I'm not hating universally on Remote Desktop. I'm hating on the way that people implement it and expose it directly to the internet, as it was never, ever supposed to be.
So it's hard to give a strict number on how much bandwidth you need and the hardware capabilities of your VPN based on the number of users, because it really depends on the traffic that they're generating. It really depends on what they're doing on the machine, essentially. So, like, architects have to use a ton of bandwidth with all their applications and stuff. If you're doing video editing, you're going to need extremely low latency, so you'll need a better connection. Things like that really come into play.
So, this is a report, or part of a report, generated by Shodan, and you can see that while there are not many Windows XP machines, there are more than zero XP machines. Now, this is not every Windows XP machine that's just connected to the internet; that's not what Shodan is showing me here. It's showing me specifically every Windows XP machine in New York that it had scanned that had RDP exposed. The really bad thing is, I hope we all recognize that Windows XP is out of support. We all recognize Windows 7 is out of support as well.
And Server 2008 and Server 2003, all out of support. So any vulnerabilities that exist in those products are going to continue to exist in those products. So when you open Windows XP RDP to the internet, there are vulnerabilities there. There are things I can compromise, and I'll be in faster than you with a password. That's a really bad system to implement. Now, the scary part is that these places running Windows XP or running Server 2003 are usually running it because it's important. They're running it because they have to, because some legacy product runs on it, or it's a server operating their authentication. Something important is probably running on that; otherwise it would have been really easy for them to take it down and not leave the connection open.
Seeing that obvious problem, I'm not saying I don't have clients that still run Windows XP. There are a couple of clients that have Windows XP machines; however, they are behind firewalls and they are so protected, and they are really just used for running, like, a legacy application for a dot matrix printer that we still have to use, unfortunately, although dot matrix printers are cool. Don't let anyone tell you otherwise.
Some other horror stories that actually were brought up during the pandemic. So, the client taking home desktops: obviously the worst thing I've ever experienced. No, that isn't the worst thing; it's up there, though. When they take them home, I no longer have access, and now they can't authenticate anymore. Probably pretty close to as bad as that. Yeah, I'd say pretty close to as bad as that is when people started installing, or started trying to install, software onto their computers for remote access, and instead of their internal IT saying, no, we're going to manage that, the users kept complaining it wouldn't work, and IT couldn't keep up with the requests to install all the applications. So they just started giving everyone local admin privileges on their account so that they'd be able to install it.
So now you had a remote desktop program installed with local admin privileges, and then they told me that they removed all of the admin privileges from the users after they installed the products, but you can just run an authentication audit and you can see that they all were still logging in with local admin. That's actually what happened to one of my clients in Australia: local admin access on his computer. We didn't fully manage it; we just monitored the security of it. And all of a sudden we get an alert: ransomware detected. Now, we have a layered approach to stopping and preventing these attacks. However, it got through some of my protection, got through more of my protection than I would have preferred, not far enough for me to actually get super concerned, but enough that I isolated the device, and we had to immediately take a look at it.
It turns out that user had given TeamViewer access to a third-party vendor to install an application, and that user still had his local admin privileges. So when the vendor installed an application onto the machine, he actually wound up installing malware. Now, the vendor actually turned out to be legitimate, and we just think that there was malware on the vendor's machine, which wound up infecting my client's machine when he pulled over the EXEs to install the applications. But then ransomware got on his machine. It tried, and we were able to see all the network logs that we were blocking; it tried to get to the main domain server for that company so it could infect the policy and push out a group policy to deploy ransomware to the rest of the company. It wasn't successful. So it started installing applications to exfiltrate the data from his machine. Now, luckily we have very aggressive policies on that company. But if we didn't, we wouldn't have been able to detect that as fast as we did, and data could have left his computer.
Another thing I'll mention on that, that's not directly related to remote access: we isolated the device; we locked it down.
And then we get an activity alert: somebody plugged a USB into the computer. Now, we still had USB enabled on that computer because we were using it to run some diagnostics. We had them take a clean USB and put some software on it that we needed, and then plug it into that computer, because that computer no longer had internet access. So we see a USB plugged in that wasn't ours. Then we see the autorun file get overwritten, and the ransomware moved to the USB. So I call them and I ask them if they plugged in a USB. And the tech, who was working on the support side to get the user set back up and move them over to a new computer, told me, yeah, I told him to plug that in and take off any files he needed, but don't worry, I know there's malware, so I told him not to plug it into anything.
Well, I don't know if you've ever met an end user, but an end user is not going to follow instructions, especially if they now have a hard drive with the files that they need sitting on it that you just told them don't plug into anything. So as soon as he told me that, I disabled USB ports for the rest of the company on every one of their machines. We didn't see him actually try to plug it in, but at that point you really can't trust the user. And then I asked him, okay, so how's that user going to get data off of that hard drive if you told him to never plug it in anywhere? And it was silence. So then we actually had to go in, we sanitized the hard drive, we were able to set up a sandbox machine and get what we needed off of there while it was secure, and make sure nothing came with it. We were able to just take the raw files, which isn't generally something we like to do, but these were files that were irreplaceable; we couldn't lose them. So we had to take them off, and then we isolated the machine again.
Basically, in response to that: the users, and even tech support people doing first-line support, aren't necessarily thinking about that, aren't necessarily thinking about what needs to be done to properly secure these machines.
So I've already started talking about ransomware, but we've seen a massive increase in ransomware, with the fines, or I shouldn't say fines, the extortion or the blackmail attempts. The numbers are getting absolutely insane. So I'm going to tell a little personal story of my data being stolen with ransomware, not by a company I manage; I would never admit to that. So, a company that my previous school had worked with, to give all of our data to, actually got breached. Now, the scary part is that in their statement, they said that they were breached in February. I think it was February 7 they were breached. They didn't discover the breach until May 20. Now, for anyone counting, that's a long period of time. They had someone in their system for that long a period of time, and they didn't realize it. Now, their statement was the scariest thing I've ever read. Their statement said that they have the best cybersecurity experts working at their company, and they responded quickly once they discovered the threat to mitigate anything and stop them from doing any damage. It took several months to find out there was a threat; you don't get to play the 'you have the best cybersecurity experts' card anymore. Now, what scared me even more is that they said, well, they had access for the entire time, but we think they only got a backup file; it didn't have any real information in it. And then they said that they paid the ransom. Against everyone's recommendation, they paid the ransom to the attackers. They then told us in the email, don't worry, we have confirmed with the attacker that they have deleted all of the data they took from our machine. That is the single most naive thing that a company has ever said, and I am so glad they're not one of my clients. If you get your data stolen with ransomware, or you get your data stolen with any type of malware, you should never, ever, ever trust the attacker. The attacker is incentivized to lie. The attacker also now knows that company will pay ransoms. They also know that if they just say, hey, we still have the data, they could probably get more money out of that company, because that company very clearly doesn't want to lose that data. It's an extremely poorly written statement, and I genuinely want to know who was on the board, or who read over that statement and said, yeah, that sounds like we did a good job.
And that's a personal experience of my data that was breached.
I've had clients who came to me after they were breached, and now we manage their security, where we took over after their ransomware and they were basically being blackmailed. The new fun thing with ransomware is not only do you lose your data if you don't pay; it's now, we'll release your data if you don't pay. And this has proven very effective, because the only thing scarier than losing all of your company data is having all of your company data put on the internet for everybody to see: your client information, your employee information, everything. Terrifying for a business. That's the end for a business.
And ransomware attacks are probably happening on your computer without you even realizing it. Windows Defender has come a long way and does a great job of protecting you. You'll probably see notifications that it has blocked threats; you probably might have low-level ransomware from plugging in USB keys. On our 4500 devices that we control, we clear about 60 threats a day. Now, most of these threats, if I'm being completely honest, come in from people downloading emails. If you get an email, and this is the one I see the most, if you get an email that says unpaid invoice, urgent, bunch of exclamation points, and you don't have an invoice that needs to be paid, don't click it. I've had a user keep clicking the link, and it kept popping up, or our antivirus kept notifying them, hey, you have something malicious there, don't do that again. He did it several times, over and over and over again, and we get the alert, ping, ping, ping, ping, alerts that this user is doing something. So we immediately lock the user out. Turns out he was just the bill processor, so anything that went to his email he just assumed was legitimate, because it was supposed to be forwarded from other people. So he just kept trying to download this EXE thinking it was an invoice, because he had no knowledge of the fact that an EXE is not a document. Even if it was a document, those can contain viruses too, but he kept trying to download it and infect his machine. So luckily we were able to stop that. But we have very aggressive policies in place. A lot of people will think, oh, I have an antivirus, I'm good to go. That's absolutely not the case. We have threats that get past our normal antivirus on a fairly regular basis. One of the things that we're able to deploy with enterprise protection is actually our enterprise pattern recognition and sandbox. So instead of just looking at whether a file is known as malicious, it's now looking for patterns. It's seeing what that file does and making sure to track it back, and making sure that the file isn't going to do anything permissive once it gets onto their system.
So, drive services protect users in a broad sense. The difficult part about protecting users from drive services is that drive services, especially paid ones, if you use, like, enterprise Google Drive, want limited access to your files, or you want them to have limited access to your files. So part of what you have to do is balance: do I want them to be able to access my files so they can scan them for something malicious, or do I want my files to be kept safe and secure, only for me? A lot of clients that we see getting viruses from malware actually have shared Dropbox folders or a Google File Stream or something on their machine, and then we pick it up with our antivirus. Now the great thing that Google or Dropbox will do is, if our antivirus deletes it from their Dropbox, it'll actually save it back to their computer, because it will think that it got accidentally deleted. It resyncs, and the file will come back to their computer over and over and over again. So what we have to do is we actually have to monitor these alerts, and we have alerts set up specifically for if it's coming from a Drive or a Dropbox, so that we can then say, okay, we need access to that, or you need to delete that file from your Dropbox, because realistically that Dropbox is probably linked to multiple computers. Or they might even go to their personal computer and download the file, and then their personal computer could be infected, which now, with people working from home, can make their entire network infected. And it's an even bigger issue.
So, RDP, which most people wind up using because it's easy. There are a couple of tools that you can actually install to secure your RDP a little more, and I think I have the slide on them at the end. VPN itself is an insecure protocol. So one of the things that people think is, okay, I have a really strong password. And one of the problems is that a strong password doesn't always protect you, because as an attacker I'm not always logging in with a password. The attack that I'm doing isn't always necessarily brute forcing; brute forcing would be trying passwords over and over again until I get it. So in those situations having a strong password wouldn't protect you, because I'm now attacking the program, the protocol itself, to get access to your system. There are a couple of applications that you can install that'll help block any incoming connections from certain IP addresses, that'll lock accounts out after multiple failed attempts. RDP actually only puts the logs of failed attempts in your Event Viewer, which most people don't go and regularly view. Nobody's going into their Event Viewer to check what's going on with their computer. Realistically, most people see an Event Viewer for the first time when they're watching a YouTube video of, like, a scammer online trying to infect your computer, and they show, "Oh, look at all these errors that are occurring," and it's them causing the errors. But realistically, end users aren't going into that. So for someone trying to personally protect their machine, you should install another application to monitor and block these connections. My actual recommendation for secure access to your machine is not to use Remote Desktop Protocol, Windows Remote Desktop Protocol, if you don't have a proper VPN. I would never expose Windows Remote Desktop Protocol over the internet if it's not on an enterprise system and not hidden behind a VPN. So for a personal user, or even for companies, small businesses that are trying to save money, I would use maybe a free or low-cost, inexpensive alternative, so that you're completely bypassing Windows Remote Desktop. AnyDesk has a really affordable plan. A lot of these companies are offering free plans for, like, under five users or something like that. RemotePC is another good one; I think their pricing is like $20, or $5 for 20 users for a year, or something like that. There are a couple of really good companies out there making good strides, and you should always look for ones that have been reviewed by tech magazines or tech websites and stuff.
How do you fight stupidity? Stupidity can't be fought; you cannot win against stupidity. All you can do is lock systems down. Completely unrelated to remote access, but the dumbest thing, and also the smartest thing at the exact same time, that I've ever seen somebody do: they had barcode scanners at their workstations, and they used those to log in, they logged in from their computers there, and they were in a warehouse. What they started doing, instead of actually setting new passwords, is, because the barcode reader is just read as a USB keyboard, they would actually just pick an item, and when they had to change their password they would just scan that barcode. So, like, they would flip the phone over and use the barcode from the phone as their login, so all they had to do was scan the phone to log into the computer. It was single-handedly the dumbest and smartest thing I've ever seen done by an end user. The solution to that was to, A, make sure that their manager spoke to them, because not everything is an IT problem; some of it's a management problem, despite the fact that managers try to make everything an IT problem. And then we locked out that device so it couldn't be used before the user had logged in. So fighting stupidity really comes down to putting management in place, where managers are actually having proper oversight of their employees, and putting tools and Group Policy, or putting security measures, in place to stop people from making decisions like I'd mentioned.
Everyone falls victim to ransomware. The bigger ones are the ones we hear about, but small businesses fall victim to ransomware every single day. A lot of them wind up having to pay the ransom because the small business doesn't necessarily have the backups in place, you know, off-site backups, or backups not connected to the network. So they wind up having to pay for this ransomware, and we're seeing that more and more as COVID occurs, because now it's even worse, because now people are working from home. Garmin just got hacked; they just confirmed that they were attacked with
And I have to say, I'm sorry if anyone here works or is associated with Garmin, but their PR statement was the worst thing I have ever seen. It took them way too long to confirm that there was an attack; it took them way too long to acknowledge their outage. And the fact that it was capable of dropping their mail servers, their support lines, their connection from their servers to the watches, basically everything, shows that they had very little segmentation, or somebody was using a privileged account that was infected, and then that managed to spread and infect everything else. Either way, policies were either non-existent or not followed, or people just made workarounds that became permanent fixes and nobody went back and fixed any of them.
So, business change control policies. I could do a whole day talking about policies and talking about how we change things. The most important thing, and I'm going to just reiterate this over and over again, is to speak to the people who are actually qualified to approve changes. If we're talking about it from an administrative standpoint, and getting change orders, and, like, least privilege, granting users access and things, we want to make sure that that's actually coming from somebody who has the know-how to make that decision. You don't want just a manager saying, "Yeah, this person needs access to this, this, this, and this." You want it to kind of come with the role and say, okay, well, they have this role, so they need access to modify this, they need to be able to read these files. We want granular control to make sure that nobody is given too much permission on the system.
Procedures and logging in place to check, to monitor, everything that's changed. We want to make sure that files are remaining, or have, high integrity, so that they're not being changed or modified by anyone that shouldn't change them. For our backup servers, we basically set them so that only certain processes can write to them, and then any changes that don't occur on our schedules, or any changes that occur that are irregular, get flagged immediately and get investigated. But to be honest, there are huge expenses associated with all these things. I could stand here and tell you that there's a great way to do it, and stand here and tell you that there's a perfect plan, but the very truth of the matter is that there's not a perfect plan, that it's expensive to implement these changes, and it's expensive to do it the proper way. It's more expensive to not do it the proper way and get breached. I've been speaking a lot about ransomware, but I'm just going to point to the RDP port. Pulling this data from Shodan, if we were looking at it, we saw that there was a decline, and then there was a spike, and a decline, and now, if we were to pull this data out till now, we'd see an increased amount of RDP available to the internet. And that's really a terrifying fact, the fact that RDP is still widely used, and it's still being widely implemented as a valid way to expose computers to the internet.
Let's see. So just to wrap up, looking forward: companies need to focus on hybrid cloud. Hybrid cloud has come a very long way. Cloud is now affordable and scalable, which is the biggest thing. Microsoft has virtual desktops, Amazon has WorkSpaces; both allow you to very quickly and cheaply deploy virtual desktop experiences to your employees and have them log in securely. Both have their own way to securely log users in; Amazon's is a little bit more succinct if you don't have an Office 365 subscription already. Then you just download their application and you log in, but it's highly scalable and controllable and manageable from one central point. And it should already be something you're thinking about with your business continuity: if your location is no longer accessible, and you can no longer have people working from there, how do you respond to that? So, really, implementing some cloud control and implementing some features in the cloud, in order to scale this, in order to make it so that if a server in your office goes down, you don't lose access to all the files.
And then lingering problems: securing an employee's network and an employee's device. I mean, we run into this problem now with companies not being able to provide as many devices, or not wanting to, and you really have to watch what control you implement on their device, because it's a personal device. You can't lock everything down, and you have to worry about the other devices on their network.
I think I'm getting to the end.
You're doing very well, Christopher, thank you very much. You caught up with all the questions that we have, and your presentation was excellent. Thank you very much for sharing. Did you want to add something else to your talk?
No, that was, this was right at the end. I think I hit everything I wanted to hit. I was trying to keep track of the questions; I think I hit most of them. Yes.
I couldn't keep up with you.
Thank you so much. I want to, on behalf of all the HOPE 2020 attendees, presenters, and volunteers, thank you very much. We really appreciate you sharing your project with us today, Christopher.
Thank you. Thank you for having me.
Okay. We'll be back at the top of the hour for our next talk, Who Has Your Face: the fight against US government surveillance and agencies' use of face recognition. Until then, check out our fresh tracks and bumps. See you soon. Take it away, grab control.