<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">CoIT Members:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Cybersecurity Advisory<o:p></o:p></span></b></p>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">Cyber threat actors are leveraging open Remote Desktop Protocol (RDP) ports to compromise systems and spread ransomware. Access to systems over RDP has been reported
through brute-force and dictionary attacks and through stolen credentials sold on the dark web. This is an elevated risk, indicating active efforts against the public and private sectors.
<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">Recommendation:<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">Block all public access to RDP: 3389 TCP/UDP, or the custom-defined RDP port/application.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:black">Best Practices:<o:p></o:p></span></p>
<p class="default" style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:black">The following list includes self-protection strategies against ransomware campaigns targeting RDP/3389:</span><span style="font-size:13.5pt;font-family:"Calibri","sans-serif";color:black"><o:p></o:p></span></p>
<p class="default" style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:black"> </span><span style="font-size:13.5pt;font-family:"Calibri","sans-serif";color:black"><o:p></o:p></span></p>
<p class="default" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:3.55pt;margin-left:.25in;text-indent:-.25in">
<span style="font-size:11.0pt;font-family:Symbol;color:black">·</span><span style="font-size:7.0pt;color:black"> </span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:black">Back up data regularly</span><span style="font-size:13.5pt;font-family:"Calibri","sans-serif";color:black"><o:p></o:p></span></p>
<p class="default" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:3.55pt;margin-left:.25in;text-indent:-.25in">
<span style="font-size:11.0pt;font-family:Symbol;color:black">·</span><span style="font-size:7.0pt;color:black"> </span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:black">Verify the integrity of the backup process</span><span style="font-size:13.5pt;font-family:"Calibri","sans-serif";color:black"><o:p></o:p></span></p>
<p class="default" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:3.55pt;margin-left:.25in;text-indent:-.25in">
<span style="font-size:11.0pt;font-family:Symbol;color:black">·</span><span style="font-size:7.0pt;color:black"> </span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:black">Keep software updated</span><span style="font-size:13.5pt;font-family:"Calibri","sans-serif";color:black"><o:p></o:p></span></p>
<p class="default" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:3.55pt;margin-left:.25in;text-indent:-.25in">
<span style="font-size:11.0pt;font-family:Symbol;color:black">·</span><span style="font-size:7.0pt;color:black"> </span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:black">Use strong passwords to protect RDP credentials</span><span style="font-size:13.5pt;font-family:"Calibri","sans-serif";color:black"><o:p></o:p></span></p>
<p class="default" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:3.55pt;margin-left:.25in;text-indent:-.25in">
<span style="font-size:11.0pt;font-family:Symbol;color:black">·</span><span style="font-size:7.0pt;color:black"> </span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:black">If possible, use two-factor authentication</span><span style="font-size:13.5pt;font-family:"Calibri","sans-serif";color:black"><o:p></o:p></span></p>
<p class="default" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.25in;margin-bottom:.0001pt;text-indent:-.25in">
<span style="font-size:11.0pt;font-family:Symbol;color:black">·</span><span style="font-size:7.0pt;color:black"> </span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:black">Audit who accesses RDP</span><span style="font-size:13.5pt;font-family:"Calibri","sans-serif";color:black"><o:p></o:p></span></p>
<p class="default" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:3.4pt;margin-left:.25in;text-indent:-.25in">
<span style="font-size:11.0pt;font-family:Symbol;color:black">·</span><span style="font-size:7.0pt;color:black"> </span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:black">Establish whitelist access for RDP</span><span style="font-size:13.5pt;font-family:"Calibri","sans-serif";color:black"><o:p></o:p></span></p>
<p class="default" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:3.4pt;margin-left:.25in;text-indent:-.25in">
<span style="font-size:11.0pt;font-family:Symbol;color:black">·</span><span style="font-size:7.0pt;color:black"> </span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:black">Consider disabling RDP if not in use</span><span style="font-size:13.5pt;font-family:"Calibri","sans-serif";color:black"><o:p></o:p></span></p>
<p class="default" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:3.4pt;margin-left:.25in;text-indent:-.25in">
<span style="font-size:11.0pt;font-family:Symbol;color:black">·</span><span style="font-size:7.0pt;color:black"> </span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:black">Change RDP port from 3389 to another unused port</span><span style="font-size:13.5pt;font-family:"Calibri","sans-serif";color:black"><o:p></o:p></span></p>
<p class="default" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:3.4pt;margin-left:.25in;text-indent:-.25in">
<span style="font-size:11.0pt;font-family:Symbol;color:black">·</span><span style="font-size:7.0pt;color:black"> </span><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:black">Block RDP via firewall</span></b><span style="font-size:13.5pt;font-family:"Calibri","sans-serif";color:black"><o:p></o:p></span></p>
<p class="default" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:3.4pt;margin-left:.25in;text-indent:-.25in">
<span style="font-size:11.0pt;font-family:Symbol;color:black">·</span><span style="font-size:7.0pt;color:black"> </span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:black">Audit logs for all remote connection protocols</span><span style="font-size:13.5pt;font-family:"Calibri","sans-serif";color:black"><o:p></o:p></span></p>
<p class="default" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:3.4pt;margin-left:.25in;text-indent:-.25in">
<span style="font-size:11.0pt;font-family:Symbol;color:black">·</span><span style="font-size:7.0pt;color:black"> </span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:black">Audit logs to ensure all new accounts were intentionally
created</span><span style="font-size:13.5pt;font-family:"Calibri","sans-serif";color:black"><o:p></o:p></span></p>
<p class="default" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.25in;margin-bottom:.0001pt;text-indent:-.25in">
<span style="font-size:11.0pt;font-family:Symbol;color:black">·</span><span style="font-size:7.0pt;color:black"> </span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:black">Scan for open or listening ports, and remediate</span><span style="font-size:13.5pt;font-family:"Calibri","sans-serif";color:black"><o:p></o:p></span></p>
</div>
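<p class="MsoNormal">The log-audit items in the list above (audit who accesses RDP, allowlisted access, confirming new accounts were intentional) can be checked together over exported Windows Security events. This is an added example, not part of the original advisory; the event records, allowlist range, approved-account set and thresholds are constructed assumptions.</p>

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions for this example (not from the advisory):
ALLOWED_NETS = [ip_network("10.20.0.0/16")]   # RDP allowlist, e.g. a VPN range
APPROVED_NEW_ACCOUNTS = {"jsmith"}            # accounts with a change record
# 4625 = failed logon, 4624 = successful logon, 4720 = user account created.
# Logon type 10 is RemoteInteractive; with NLA, failed RDP logons show as type 3.
RDP_FAILURE_TYPES = {3, 10}

# Constructed sample records shaped like exported Windows Security events.
EVENTS = [
    {"time": f"2024-01-15T02:00:{s:02d}", "id": 4625, "logon_type": 3,
     "user": "administrator", "src": "203.0.113.50"} for s in range(0, 60, 10)
] + [
    {"time": "2024-01-15T02:01:30", "id": 4624, "logon_type": 10,
     "user": "administrator", "src": "203.0.113.50"},
    {"time": "2024-01-15T02:03:00", "id": 4720, "user": "support1", "by": "administrator"},
    {"time": "2024-01-15T08:00:00", "id": 4720, "user": "jsmith", "by": "hradmin"},
    {"time": "2024-01-15T08:30:00", "id": 4624, "logon_type": 10,
     "user": "jsmith", "src": "10.20.4.7"},
    {"time": "2024-01-15T09:00:00", "id": 4625, "logon_type": 10,
     "user": "jsmith", "src": "198.51.100.9"},
    {"time": "2024-01-15T09:00:20", "id": 4625, "logon_type": 10,
     "user": "jsmith", "src": "198.51.100.9"},
]

def audit(events, threshold=5, window=timedelta(minutes=10)):
    """Return (brute_force_sources, off_allowlist_logons, unapproved_accounts)."""
    failures, off_allowlist, unapproved = defaultdict(list), [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4625 and ev.get("logon_type") in RDP_FAILURE_TYPES:
            failures[ev["src"]].append(when)
        elif ev["id"] == 4624 and ev.get("logon_type") == 10:
            if not any(ip_address(ev["src"]) in net for net in ALLOWED_NETS):
                off_allowlist.append((ev["user"], ev["src"]))
        elif ev["id"] == 4720 and ev["user"] not in APPROVED_NEW_ACCOUNTS:
            unapproved.append((ev["user"], ev["by"]))
    brute = []
    for src, times in sorted(failures.items()):
        # Flag a source when any `threshold` consecutive failures fit in `window`.
        if any(window >= times[i + threshold - 1] - times[i]
               for i in range(len(times) - threshold + 1)):
            brute.append(src)
    return brute, off_allowlist, unapproved

if __name__ == "__main__":
    print(audit(EVENTS))
```

<p class="MsoNormal">A failure burst followed by a successful type 10 logon from the same source and then a 4720 event is the sequence worth escalating first; type 3 failures also include non-RDP network logons, so correlate with the firewall log for the RDP port.</p>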
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">Administrative Note: This product is marked TLP:GREEN. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community,
but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">If you have questions about this advisory, please let me know.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks,<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-family:"Calibri","sans-serif";color:#1F497D">April Goode MBA SPP<br>
Director of OneNet Strategic Planning and Communications<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Oklahoma State Regents for Higher Education<br>
655 Research Parkway Suite 200<br>
Oklahoma City, OK 73104<br>
P 405.225.9251<br>
F 405.225.9250<br>
Toll-free 888.5.ONENET<br>
<a href="mailto:april@onenet.net"><span style="color:blue">april@onenet.net</span></a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
</div>
</body>
</html>