Secure Remote Working by Protecting Active Directory Logins

The current situation has forced most companies to start working remotely. Hackers see this as the perfect opportunity to exploit vulnerabilities. Every time a remote employee connects to the company network, it is an additional access point that can be exploited.

Active Directory (AD) is the core identity and access platform for companies around the world. If you want to secure your corporate network better, you need to protect the remote use of these AD credentials.

Phishing the Most Vulnerable

Hackers are taking advantage of the coronavirus outbreak to create new phishing email campaigns. And just like the disease itself, the threat actors are focusing on the most vulnerable, your new remote workers. What they do is tempt their targets with URLs or document downloads of safety documentation or infection maps. They are using public fear to increase the likelihood that users will click on a link or open an attachment.

Cyber attackers want to compromise corporate credentials to then be able to move laterally within your network to find something they can exploit (valuable data, applications, systems…). The problem is, like with coronavirus, you might not even know you’ve been infected. According to the Ponemon Institute, it takes 191 days on average to discover a breach.

The Threat Surface is Expanding

In such periods, poor protection of Active Directory logins might put your organization at risk. Now that most businesses are forced to work remotely, this threat surface has expanded exponentially.

Because of the current situation, most companies had to rush into remote working without any time to properly prepare for such a change, which makes the risk even higher. Many businesses have hurried to allow Microsoft Remote Desktop Protocol (RDP) access so that users can reach desktop resources without being physically in the office.

For a large number of businesses, the priority has been the continuation of operations, leaving little attention for cybersecurity.

How do you protect remote AD login credentials?

Remote desktop access is extremely beneficial for organizations when it comes to remote working. However, it is not fully secure as it is only protected by a password. Here are three recommendations to protect your remote AD connections:

  • Strengthen passwords
  • Use a secure virtual private network (VPN) for all remote desktop access
  • Enable two-factor authentication on these remote desktop connections

By doing this, you can significantly improve the security of your remote employees.

Two-factor authentication (2FA) on Active Directory connections enhances security by asking employees to present two pieces of evidence when logging in. UserLock works closely alongside Active Directory to offer 2FA and full access management on all Windows logons and RDP sessions.

Below is a full list of recommendations written by experts in order to fully minimize the risk:

  1. Enforce an equipment policy for remote employees: If possible, use equipment provided, secured and controlled by your company. When that is not possible, give clear usage and security instructions to your remote workers.
  2. Secure external access: Use a VPN (Virtual Private Network) to secure connections to your network. If possible, limit VPN access to authorized machines only. Any attempt to connect from another machine must be denied.
  3. Reinforce the password policy: All passwords have to be long enough, complex and unique for each device or service used. For more security, activate two-factor authentication on remote sessions, especially for logins to the corporate network.
  4. Implement a strict security update policy: As soon as updates are available, deploy them on all devices in your information system. Threat actors can quickly exploit the vulnerabilities they fix.
  5. Ensure backup of data and activities: Backups might be the only way for your company to recover its data after an attack. You need to perform and test backups regularly to make sure they are working.
  6. Adopt professional antivirus solutions: They are a good way to protect companies from common malware, and they can also sometimes protect against phishing or certain ransomware.
  7. Implement logging of activity: Set up systematic logging of all access and activity on your equipment (servers, firewall, proxy…) and workstations. This might be the only way to understand a cyber-attack, its extent and how to remedy it.
  8. Manage the activity of all external accesses and sensitive systems: In order to detect suspicious access that could be the sign of an attack, you should monitor RDP sessions and all access to files and folders. If possible, real-time alerts and an immediate response allow you to act before any damage is done.
  9. Promote awareness: Remote workers must be given clear instructions on what they can or cannot do. Users will often be the first barrier to avoid or detect attacks.
  10. Get ready for a cyber-attack: No organization, whatever its size, is completely immune to cyber-attacks. Assessing the different possible attack scenarios is a good way to prepare for them and anticipate the measures to be taken to protect your company.
  11. Managers: get involved! The involvement and responsibility of managers in security measures must be exemplary to ensure employee buy-in.
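Recommendations 2, 7 and 8 above come together in a small review of RDP logon records. The following is an added example, not code from the article or from IS Decisions: it walks constructed Windows Security log records (Event ID 4624 successful logon and 4625 failed logon, with logon type 10 marking a remote desktop session) and flags RDP logons that did not arrive through the assumed VPN client range (10.8.0.0/24) as well as accounts that succeeded only after a burst of failures.

```python
# Added example (not from the article): review RDP logon records and raise alerts.
from collections import defaultdict
from ipaddress import ip_address, ip_network

VPN_RANGE = ip_network("10.8.0.0/24")   # assumed VPN client pool; adjust for your site
FAILURE_THRESHOLD = 5                   # failures before a success that look like guessing

# Constructed sample records: (timestamp, event_id, account, logon_type, source_ip)
# Logon type 10 = RemoteInteractive (RDP); type 2 = console logon, included to be skipped.
SAMPLE_EVENTS = [
    ("2020-04-01T08:01:10", 4624, "alice", 10, "10.8.0.12"),
    ("2020-04-01T08:02:00", 4625, "bob",   10, "203.0.113.45"),
    ("2020-04-01T08:02:05", 4625, "bob",   10, "203.0.113.45"),
    ("2020-04-01T08:02:11", 4625, "bob",   10, "203.0.113.45"),
    ("2020-04-01T08:02:16", 4625, "bob",   10, "203.0.113.45"),
    ("2020-04-01T08:02:22", 4625, "bob",   10, "203.0.113.45"),
    ("2020-04-01T08:02:30", 4624, "bob",   10, "203.0.113.45"),
    ("2020-04-01T08:05:00", 4624, "carol", 2,  "-"),
    ("2020-04-01T08:09:41", 4624, "dave",  10, "198.51.100.7"),
]


def review_rdp_events(events, vpn_range=VPN_RANGE, threshold=FAILURE_THRESHOLD):
    """Return alert strings for RDP sessions outside the VPN range and for
    accounts that logged on after a run of failed attempts."""
    alerts = []
    failures = defaultdict(int)           # failed RDP attempts per account since last success
    for ts, event_id, account, logon_type, src in sorted(events):
        if logon_type != 10:
            continue                      # only remote desktop sessions are reviewed here
        if event_id == 4625:
            failures[account] += 1
            continue
        if event_id != 4624:
            continue
        if ip_address(src) not in vpn_range:
            alerts.append(f"{ts} RDP logon for {account} from {src} outside VPN range")
        if failures[account] >= threshold:
            alerts.append(f"{ts} {account} logged on after {failures[account]} failed attempts")
        failures[account] = 0             # a success resets the failure count
    return alerts


if __name__ == "__main__":
    for line in review_rdp_events(SAMPLE_EVENTS):
        print(line)
```

In production the tuples would come from the Security event log itself (for example via Get-WinEvent on the domain controllers and RDP hosts) rather than from the constructed list.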


About the Author

François Amigorena is the founder and CEO of IS Decisions, and an expert commentator on cybersecurity issues. 

IS Decisions is a provider of infrastructure and security management software solutions for Microsoft Windows and Active Directory. The company offers solutions for user-access control, file auditing, server and desktop reporting, and remote installations.

Its customers include the FBI, the US Air Force, the United Nations and Barclays, each of which relies on IS Decisions to prevent security breaches, ensure compliance with major regulations such as SOX and FISMA, quickly respond to IT emergencies, and save time and money for the IT department.
