The most recent vulnerability in Microsoft Windows Remote Desktop Services (CVE-2019-0708) poses a high risk to enterprises by potentially allowing remote execution of code. The threat is underscored by the fact that Microsoft has quickly provided a fix for all Windows platforms up to Windows XP. To prevent this vulnerability from becoming the next destructive Internet worm, companies would do well to patch all devices. This topic has been covered also by https://hackernoon.com/ & https://www.gravis.de.
Problem Vulnerabilities
Today, reducing attack vectors is a top security priority for organizations. Remotely executable vulnerabilities that can impact Internet-connected services are one more reason organizations are rethinking their Internet attack surfaces. In reality, many companies are still a long way from doing so, as the results of a recent survey show.
In the State of Digital Transformation EMEA 2019 report, 72 percent of companies stated that the majority of their employees use mobile devices to access applications and data held in the cloud or data center. Almost one-third of decision makers in the UK, France, Germany and Benelux (29 percent) also responded that Remote Desktop Protocol (RDP) is typically used when employees access data and applications while on the move. These RDP services are available online and allow employees to quickly jump into the corporate ecosystem. However, because these RDP services are available online, it is in the nature of the Internet that they are visible to everyone.
SDP reduces attack surface
- A software-defined perimeter (SDP) can help to reduce the resulting attack surface.
- SDP was developed to prevent access to applications from being allowed even by a three-way handshake before a user has been authenticated for authorization.
- Such a procedure differs fundamentally from conventional Internet access models because it implements the true implementation of the lowest access privileges.
The SDP model allows companies to prevent their services such as RDP from being exposed to the Internet, thereby reducing the risk of vulnerabilities such as the recent Microsoft CVE. Zscaler Private Access follows the SDP principle, helping to reduce the likelihood of attackers entering the network. This solution relies on outbound connectivity so that IP of the domain space is never exposed to the Internet. And where no inbound path from the Internet is disclosed, there is no connection or attack surface.
Conclusion
In the current situation, it is once again clear how critical comprehensive patch management is in view of this current vulnerability. Rapid patching minimizes the risk of malware being introduced into devices and the corporate network. The SDP architecture is also recommended for future-oriented adaptation to this type of Internet-based risk, thereby preventing parts of the company-wide infrastructure from being exposed to the public Internet. Hackers cannot attack what is not visible. An appropriate security architecture enables organizations to protect their important assets.
