In May, Microsoft released fixes for BlueKeep, a critical remote code execution vulnerability in Remote Desktop Services that affected older versions of Windows. Even though Windows 8 and 10 are not vulnerable, the flaw was so dangerous that it warranted a patch to older systems and an aggressive publicity campaign from Microsoft to ensure that it was installed.
BlueKeep: Why the Fuss?
The fixes were necessary because all a user has to do to get infected is join a network, trusted or untrusted. “This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017,” according to a Microsoft blog post.
In other words, conventional endpoint security platforms such as anti-virus and EDR cannot prevent this type of exploit, and user awareness training will not help either. Since no user action is required, the mere act of connecting a user’s laptop or phone to a network while an infected device is connected to the same network is enough. According to CISA, “An attacker can send specially crafted packets to one of these operating systems that has RDP enabled. After successfully sending the packets, the attacker would have the ability to perform a number of actions: adding accounts with full user rights; viewing, changing, or deleting data; or installing programs.”
Will a Firewall or VPN Keep Users Safe?
Since worms are exploited over a network, in most scenarios an enterprise firewall or VPN cannot mitigate an exploit such as BlueKeep.
- Firewall: A firewall can block the RDP port, which may prevent BlueKeep from getting inside the LAN. This is not always feasible—some employees may require remote RDP access from outside the network. But more importantly, it will not prevent the exploit from spreading inside the LAN if, for example, it is brought in by a laptop that was infected outside the perimeter.
- VPN: Using a VPN while working from Starbucks, the airport or home will protect a device from infection over the local network. But most VPN deployments are not “always-on” and actually leave the roaming laptop vulnerable to infection while using untrusted, public networks. The result is that the device can still get infected, so the next time it connects over the VPN, the VPN will actually enable the infection to spread to the LAN.
Dual-defense: Zero-trust Network Security and a Software-Defined Perimeter
The best defense against the next vulnerability such as BlueKeep will address two scenarios: preventing a user device from getting infected in the first place, and preventing an infected device from spreading the worm across the network.
Because devices get infected simply by connecting to a network, the first layer of protection is ensuring that users don’t connect to high-risk networks such as free public WiFi hotspots. As explained above, a VPN can keep users off the public network, but most organizations only require a VPN for accessing applications in the data center or a private cloud. Users are generally allowed to access the internet over public WiFi to avoid latency and backhauling costs.
The next line of defense is segmenting the network to reduce the attack surface. While most organizations embrace this best practice, the ultimate goal of micro-segmentation—limiting access to the most granular level possible on a per-user and per-service basis—is complex and generally out of reach.
One method being used to accomplish this is the implementation of a zero-trust software-defined perimeter to provide micro-segmented access to network resources, whether a device is used at the airport, in the office or anywhere in between. The zero trust security model is based on the belief that no device should be automatically trusted: all access must be continuously authorized and verified. In a zero-trust model, users have a unique, fixed identity and micro-segmented access to only the resources that they need. Everything else is isolated and hidden from view—meaning that an infected device would have very little impact on the network as a whole.
While all SDP solutions provide granular access controls, many do not protect devices from getting infected on a public network. Only an always-on SDP solution can route all traffic—including web traffic—over a secure network and prevent that initial infection. Look for an SDP solution that is built on a zero-trust cloud network to get the most complete protection from the next BlueKeep.