The Asbestos of IT: why old protocols just aren’t worth it
If you CAN get rid of them, DO it - it’s worth the migration pain
We see it over and over and over again with breaches:
attackers got in via VPN (Pulse Secure, SonicWall/Akira)
FTP credentials were guessed or brute-forced (SamSam, General Scanning & Attacks)
File transfer products exploited (Accellion FTA, MOVEit, GoAnywhere MFT)
Firewalls exploited via their management interfaces (Juniper ScreenOS backdoor, PAN-OS vulns, FortiGate 0days)
Each of these examples represents an old way of accessing a service. For each, there is now a better, more secure way to perform the same function without exposing the service to the public Internet. These services are also some of attackers' most popular targets!
That’s why I think of this as the asbestos of IT.

Asbestos was also very useful, but dangerous to humans. As soon as we realized this, we labeled it as a dangerous substance and started replacing it with safer materials. The time has come to replace outdated, dangerous protocols with more secure alternatives.
The key to replacing each of these services is to find alternatives that don’t require exposing TCP/UDP ports to the public Internet.
1. Replacing RDP: There are a TON of options here. You likely have something built into whatever tool you use for managing your mobile devices or servers. Failing that, I personally like RustDesk, because it doesn’t require you to trust a third party the way AnyDesk and TeamViewer do - you can set up and manage your own server. It does still use a direct TCP connection, however, so you’ll need a modern VPN technology, which brings me to…
2. Replacing VPN: Whether you call it ZTNA or SDP, the big innovation here was allowing access without opening ports. I use Tailscale, which is how I get to RustDesk on my hosts (I don’t bother with the RustDesk server, I just connect directly from client to host). I recently tested RustDesk over Tailscale, on an iPad, from Delta’s in-flight Wi-Fi, and it was like I was sitting right in front of my studio PC. I was very impressed.
3. Replacing FTP: There are so many options for file sharing or file transfer that we’re spoiled for choice. The replacement depends on your use case. Publishing files to a web server? Use GitHub or other code deployment tools. Business-to-business transfers? An S3 bucket (or the GCP/Azure equivalent). For human-to-human file sharing, consider something like ShareFile, Dropbox, Box, Google Drive, or OneDrive.
4. Replacing old-school file transfer products: See #3 above.
5. Firewalls getting exploited via management interfaces: Don’t ever expose management consoles on Internet-facing interfaces! See #2 above.
As always, some caveats: yes, I understand that your vendor requires you to use FTP, and there’s not much you can do about that except fire your vendor or ensure that nothing too sensitive is being transferred.
There are other reasons you might not be able to get off legacy protocols. Document them, put mitigations and detections around them as best you can, and be ready to respond to any incidents that come from using them.
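As an added example (not from the original post), here is the kind of detection the paragraph above asks for when a legacy service such as FTP has to stay: a small Python check over constructed vsftpd-style log lines that flags a client making many failed logins in a short window (the brute-forced-credentials pattern from the breach list) and escalates when that same client then logs in successfully. The log format, addresses and thresholds are assumptions for illustration.

```python
import re
from datetime import datetime

# One vsftpd-style auth line, e.g.: Tue Sep 13 10:05:12 2022 [pid 17890] [backup] FAIL LOGIN: Client "203.0.113.9"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)

# Constructed sample log: a guessing burst against "backup" that eventually succeeds, plus a normal client.
SAMPLE_LOG = """\
Tue Sep 13 10:05:01 2022 [pid 17880] CONNECT: Client "203.0.113.9"
Tue Sep 13 10:05:02 2022 [pid 17881] [backup] FAIL LOGIN: Client "203.0.113.9"
Tue Sep 13 10:05:04 2022 [pid 17882] [backup] FAIL LOGIN: Client "203.0.113.9"
Tue Sep 13 10:05:07 2022 [pid 17883] [backup] FAIL LOGIN: Client "203.0.113.9"
Tue Sep 13 10:05:09 2022 [pid 17884] [backup] FAIL LOGIN: Client "203.0.113.9"
Tue Sep 13 10:05:12 2022 [pid 17885] [backup] FAIL LOGIN: Client "203.0.113.9"
Tue Sep 13 10:05:30 2022 [pid 17886] [vendor1] FAIL LOGIN: Client "198.51.100.4"
Tue Sep 13 10:05:41 2022 [pid 17887] [vendor1] OK LOGIN: Client "198.51.100.4"
Tue Sep 13 10:06:03 2022 [pid 17888] [backup] OK LOGIN: Client "203.0.113.9"
""".splitlines()

def parse(line):
    """Return (timestamp, user, result, ip) for an OK/FAIL LOGIN line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return ts, m["user"], m["result"], m["ip"]

def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Map client IP -> (severity, detail): 'high' for >= threshold FAIL LOGINs from one
    IP inside a sliding window, 'critical' if that flagged IP later logs in successfully."""
    recent_fails = {}
    findings = {}
    for line in lines:
        ev = parse(line)
        if ev is None:  # CONNECT / transfer lines are not auth events
            continue
        ts, user, result, ip = ev
        if result == "FAIL":
            window = [t for t in recent_fails.get(ip, []) if (ts - t).total_seconds() <= window_seconds] + [ts]
            recent_fails[ip] = window
            if len(window) >= threshold and ip not in findings:
                findings[ip] = ("high", f"{len(window)} failed logins within {window_seconds}s")
        elif ip in findings:  # OK LOGIN from a client already flagged for a burst
            findings[ip] = ("critical", f"successful login as {user!r} after brute-force burst")
    return findings
```

Feed it a real vsftpd log with the same regex and a 'critical' finding is exactly the incident the paragraph says you should be ready to respond to.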
If you can ditch legacy protocols, however, the reduction in attack surface will be worth it and you can sleep that much better at night.