Ensuring your cybersecurity is nimble enough to deflect cyberattacks that change by the day is a difficult task for SMBs today, and a challenge facing every IT managed service provider (MSP).

Island hopping – the practice of leveraging one company’s compromised network to take advantage of or jump to another target company – now occurs in half of all cyberattacks. MSPs have become a desirable target for criminals, in no small part because of their enhanced access to other networks.

Essentially, an MSP is a target because of its customers. That’s why it’s so critical that MSPs take the same steps to lock down their own networks as they do for their customers. Previously, we covered how MSPs should implement a layered security strategy to create a comprehensive defense against cyberattacks, and the steps for ensuring the environment is as secure as possible. Additionally, there are some ongoing efforts MSPs can practice daily in service of their own security. Some are a “set it and forget it” effort, but others require continued attention over time. None will happen spontaneously.

Given the continuous and concerted use of RDP to compromise MSP networks, it would be wise to eliminate all use of RDP in favor of a more secure commercial alternative. You should also consider monitoring for network intrusions, looking for multiple failed logon attempts in the event logs, which Windows 10 is capable of recording.
Guest blog courtesy of Webroot. Read more Webroot blogs here.
Disable Known Malware Extensions
Any attacker bent on infecting an endpoint needs to run code that will help install malware. So, it makes sense to block any file types that are both a) frequently used with ill intent and b) rarely or never used without ill intent. To block these malicious extensions, some form of endpoint protection is required (or, in the case of executables, application white/black listing). Group Policy even has simple functionality that allows the files you want to run and blocks those you don’t.

The following is a non-exhaustive list of common malware extensions that can be blocked through application white/blacklisting:

- Executables – Users shouldn’t need to launch an application that doesn’t pertain to their work. Files with extensions such as EXE, COM, BAT, and MSI are usually not essential.
- Scripts – Users should seldom, if ever, need to run scripts of any kind. Files with CMD, VB, VBS, JS, HAR, or PS extensions, and other scripting files, can be safely blocked.
- Shortcuts – While not malicious per se, shortcuts can easily link to malicious payloads. File types include LNK, INF, and SCF files.
- Self-Extracting Archives – These files hide their contents, while allowing malware payloads to run once extracted. Include files with SFX extensions in this category.
- Web Application Files – Malicious HTML applications can hide within files displaying HTML, HTM, and HTA extensions.
Secure Remote Access/Remote Desktop Services
Beyond email-based phishing attacks, unsecured remote desktop access is increasingly being exploited via Microsoft’s Remote Desktop Protocol (RDP) running on machines connected to the internet. Searching the internet for commonly used RDP ports (the default port of TCP 3389, for example) is all a cybercriminal needs to do to find unsecured endpoints. Unpatched Windows endpoints may still be operating on default security settings that allow unlimited login attempts without the account being locked after an excessive number of failures. It’s only a matter of time before a machine with this gaping security hole is exploited.

Steps for addressing unsecured RDP ports include:

- Using a firewall to eliminate RDP access from outside your network
- Requiring the use of two-factor authentication
- Configuring endpoint password policies that limit the number of login attempts before locking the account
- Using a remote access solution that relies on a less common port
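The failed-logon monitoring recommended in the introduction pairs naturally with the lockout policy above: a detection threshold lower than the account lockout threshold surfaces a burst of RDP failures even when the attacker spreads attempts across several accounts. The following is an added example, not code from the original post or from Webroot; it assumes failed logons have been exported from the Windows Security log as records carrying the Event ID 4625 fields TimeCreated, LogonType, IpAddress and TargetUserName (LogonType 10 is RemoteInteractive, i.e. RDP), and the sample records are constructed.

```python
# Added example: flag sources with a burst of failed RDP logons (Event ID 4625).
from collections import defaultdict
from datetime import datetime, timedelta

def _ev(ts, logon_type, ip, user):
    """Build one record shaped like an exported 4625 event (constructed data)."""
    return {"TimeCreated": ts, "EventID": 4625, "LogonType": logon_type,
            "IpAddress": ip, "TargetUserName": user}

# Constructed sample: six rapid RDP failures from one internet host across three
# accounts, two console typos from a workstation, and two slow RDP failures.
SAMPLE_EVENTS = [
    _ev("2024-03-01T09:00:01", 10, "203.0.113.7", "administrator"),
    _ev("2024-03-01T09:00:04", 10, "203.0.113.7", "administrator"),
    _ev("2024-03-01T09:00:09", 10, "203.0.113.7", "admin"),
    _ev("2024-03-01T09:00:15", 10, "203.0.113.7", "admin"),
    _ev("2024-03-01T09:00:22", 10, "203.0.113.7", "backup"),
    _ev("2024-03-01T09:00:40", 10, "203.0.113.7", "backup"),
    _ev("2024-03-01T09:02:10", 2, "10.0.0.25", "jsmith"),   # LogonType 2 = console
    _ev("2024-03-01T09:02:30", 2, "10.0.0.25", "jsmith"),
    _ev("2024-03-01T09:05:00", 10, "10.0.0.40", "mjones"),  # 25 minutes apart
    _ev("2024-03-01T09:30:00", 10, "10.0.0.40", "mjones"),
]

def detect_failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5),
                               rdp_only=True):
    """Return {source_ip: (max_failures_in_window, sorted_target_accounts)} for
    every source whose 4625 events reach `threshold` inside a sliding `window`.
    Counting per source rather than per account catches attempts spread across
    many usernames, which a per-account lockout policy alone does not."""
    by_source = defaultdict(list)
    for e in events:
        if e.get("EventID") != 4625:
            continue
        if rdp_only and e.get("LogonType") != 10:
            continue
        by_source[e["IpAddress"]].append(
            (datetime.fromisoformat(e["TimeCreated"]), e["TargetUserName"]))
    alerts = {}
    for ip, items in by_source.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:  # slide the window
                start += 1
            count = end - start + 1
            if count >= threshold and (ip not in alerts or count > alerts[ip][0]):
                alerts[ip] = (count, sorted({u for _, u in items[start:end + 1]}))
    return alerts

if __name__ == "__main__":
    for ip, (n, users) in detect_failed_logon_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {ip}: {n} failed RDP logons against {users}")
```

With the defaults only the internet host is flagged; the console typos are excluded by the RDP filter and the two slow failures never land in the same five-minute window.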