Proactive defence a priority

by Mark Rowe

Devices at the network’s edge such as VPN gateways, firewalls and other border defence technologies have become a top target for attackers, state sponsored and otherwise, writes Andy Swift, Cyber Security Assurance Technical Director at the cloud services company Six Degrees.

Over the past year, a series of high profile attacks on edge devices from vendors such as Citrix, Fortinet, Palo Alto Networks and, most recently, SonicWall has highlighted the scale of this growing and systemic risk. Indeed, according to the UK’s National Cyber Security Centre (NCSC), routine exploitation of zero-day vulnerabilities is now the new normal. It is a chilling warning for end-user organisations: the firewalls and VPN gateways once trusted to keep networks secure can themselves become the infiltration point for hackers and other threat actors.

With that in mind, the organisations that deploy these devices need to reframe their thinking and put in place policies and measures that keep their network boundaries properly protected. Being a defensive security tool does not exempt a device from needing protection itself.

Recognising the exploitation risks

Cybercriminals are intent on targeting critical flaws in the products and tools of today’s high profile technology vendors. Having compromised these systems, they can manipulate and disable security features, alter configurations and move into the network undetected. The fact that security researchers continue to expose critical severity vulnerabilities in edge security appliances, some of which have been exploited in the wild for months before being discovered, should give organisations pause for thought.

The assumption that security devices are secure by default, and therefore do not need security best practices applied to them, is a misplaced one. Instead, organisations need to accept that these devices are fallible and open to exploitation, and take action to mitigate that risk. Sitting as they do at the network perimeter, edge devices such as firewalls and VPN gateways are directly exposed to the internet with little in front of them, making them a tempting target. Threat actors also take advantage of misconfigurations, and of the fact that many organisations focus primarily on endpoint security while carrying out limited or inadequate monitoring of their network security devices. What steps should organisations take to protect their critical infrastructure against this threat?

Protecting network boundaries: build strong security foundations

Having assumed that the network defensive technologies they deploy could one day be compromised, organisations should pursue a number of measures to protect their network boundaries and reduce the viability of an attack. As a first line of defence, they should minimise the number of internet-facing systems and ensure the devices they do deploy are properly configured. Simply plugging a device into the network and running it with default settings exposes its management interfaces and protocols to the internet, where anyone who cares to look will find them. A large share of the vulnerabilities reported in such systems over the past year are mitigated, or at least made far harder to reach, by restricting and controlling access to management interfaces and sensitive protocols. The caveat is that some of the most serious recent flaws sat in services that have to be exposed, such as the VPN portal itself; for those, prompt patching and monitoring are the only mitigations, which is all the more reason not to leave the management plane exposed as well.

Ideally, access should be granted on a zero-trust basis and the locations from which a device can be administered should be limited. That lets organisations control and monitor their access points and raise alerts when abnormal access attempts are made. To maximise control and minimise exposure, funnelling all device administration through a VPN or jump box ensures that the source is always predictable and that a single controlled path to the device exists. Where a VPN is not feasible, restricting access to a small set of pre-agreed office addresses is an alternative.
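The following is an added example, not code from the article or from Six Degrees, showing what "restrict the management plane to predictable sources" looks like when checked mechanically. It models a perimeter device's access rules with first-match semantics and an implicit deny, then probes every management port from addresses outside the trusted set. The rule format, ports, CIDRs and probe addresses are all constructed for illustration; a real appliance expresses the same policy in its own syntax.

```python
"""Audit the management-plane access rules of a perimeter device.

Added example, not code from the article or from Six Degrees. The rule
model, ports, CIDRs and host addresses are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Listeners belonging to the appliance's own management plane (assumed).
# The user-facing VPN portal is a separate data-plane listener and is not
# modelled here: it has to stay exposed, so patching and monitoring protect
# it rather than source restriction.
MGMT_PORTS = {22: "ssh", 443: "https-admin", 8443: "https-admin-alt", 161: "snmp"}

# The only places administrators should come from: a jump box and the
# address pool handed out to VPN clients (both assumed values).
TRUSTED_ADMIN_SOURCES = [ip_network("10.20.0.5/32"), ip_network("10.99.0.0/24")]

# Addresses used to probe the policy from "the internet" (TEST-NET ranges).
UNTRUSTED_PROBES = ("198.51.100.7", "203.0.113.200")


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dport: Optional[int]   # destination port, None means any port


def first_match(rules: List[Rule], src_ip: str, dport: int) -> str:
    """Evaluate rules top-down; first match wins; implicit deny at the end."""
    ip = ip_address(src_ip)
    for rule in rules:
        if ip in ip_network(rule.src) and rule.dport in (None, dport):
            return rule.action
    return "deny"


def audit(rules: List[Rule]) -> List[str]:
    """Return one finding per management port reachable from an untrusted probe."""
    findings = []
    for port, service in MGMT_PORTS.items():
        for probe in UNTRUSTED_PROBES:
            probe_ip = ip_address(probe)
            if any(probe_ip in net for net in TRUSTED_ADMIN_SOURCES):
                continue
            if first_match(rules, probe, port) == "allow":
                findings.append(f"{service}/{port} reachable from untrusted {probe}")
    return findings


# As shipped: management reachable from anywhere (constructed "default" policy).
DEFAULT_RULES = [Rule("allow", "0.0.0.0/0", None)]

# Hardened: SSH only from the jump box, the web console only from the VPN
# pool, SNMP and the alternate console port reachable from nowhere.
HARDENED_RULES = [
    Rule("allow", "10.20.0.5/32", 22),
    Rule("allow", "10.99.0.0/24", 443),
    Rule("deny", "0.0.0.0/0", None),
]

if __name__ == "__main__":
    for name, rules in (("default", DEFAULT_RULES), ("hardened", HARDENED_RULES)):
        findings = audit(rules)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  ", finding)
```

Run against the as-shipped policy the audit reports every management port reachable from every probe; against the hardened policy it reports nothing, and the jump box can still reach SSH while the VPN pool can still reach the web console. The same probe-based check can be pointed at an exported rule base from a real device once a small parser for its format is written.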

Extend visibility into network activities – all the way to the edge

The default logging settings on edge and network border defence technologies are often inadequate for detecting and investigating exploitation attempts, which leaves businesses unprepared for advanced threats. Typically, organisations retain device logs and alert data for only a matter of weeks, which later makes it difficult to conduct a forensic analysis and establish the origins of an attack. That is especially true of zero-day events, where the breach may have taken place well before the vulnerability was disclosed. Logs should also be shipped off the device as they are generated: an attacker who has compromised the appliance can edit or delete whatever is stored locally.

Staying ahead of the cybercriminals depends on comprehensive, and ideally real-time, monitoring of all traffic and event logs. That includes extending the monitoring of network activity all the way to the edge, rather than focusing efforts on the internal enterprise network alone.
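As an added example of the kind of detection logic the two preceding sections call for, and not code from the article or from Six Degrees, the script below runs over admin-login events from an edge device and raises the two alerts a practitioner would want first: a successful administrative login from anywhere other than the jump box or VPN pool, and a burst of failed logins from a single source. The log format, hostnames, addresses and the trusted CIDRs are constructed for illustration; real appliances emit their own syslog formats and the regular expression would be adjusted to match.

```python
"""Flag abnormal administrative access in edge-device logs.

Added example, not from the article or Six Degrees. The log line format
and every address below are constructed for illustration.
"""
import re
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Where administrators are expected to come from (assumed: jump box + VPN pool).
TRUSTED_ADMIN_SOURCES = [ip_network("10.20.0.5/32"), ip_network("10.99.0.0/24")]

# Constructed admin-login event format:
#   <ISO timestamp> <host> admin-login user=<u> src=<ip> result=success|failure
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) admin-login user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>success|failure)$"
)


def parse(line: str) -> Optional[dict]:
    """Return the event fields, or None for lines that are not admin logins."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    event = match.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def is_trusted(src: str) -> bool:
    ip = ip_address(src)
    return any(ip in net for net in TRUSTED_ADMIN_SOURCES)


def detect(lines: List[str], fail_threshold: int = 5,
           window: timedelta = timedelta(seconds=60)) -> List[str]:
    """Return alert strings for untrusted admin logins and failed-login bursts."""
    alerts: List[str] = []
    failures: Dict[str, List[datetime]] = {}   # src -> timestamps of recent failures
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        if event["result"] == "success" and not is_trusted(event["src"]):
            alerts.append(
                f"admin login from untrusted source {event['src']} as "
                f"{event['user']} at {event['ts'].isoformat()}"
            )
        elif event["result"] == "failure":
            # Keep only failures inside the sliding window, then add this one.
            recent = [t for t in failures.get(event["src"], []) if event["ts"] - t <= window]
            recent.append(event["ts"])
            failures[event["src"]] = recent
            if len(recent) == fail_threshold:   # fire once when the threshold is hit
                alerts.append(
                    f"{fail_threshold} failed admin logins from {event['src']} "
                    f"within {int(window.total_seconds())}s"
                )
    return alerts


# Constructed sample log, not real data: one trusted login, a burst of failures
# from a single internet address, one successful login from the internet, and an
# unrelated VPN session line that the parser must ignore.
SAMPLE_LOG = """\
2024-05-02T03:14:01Z fw01 admin-login user=admin src=10.99.0.4 result=success
2024-05-02T03:14:07Z fw01 admin-login user=admin src=198.51.100.9 result=failure
2024-05-02T03:14:09Z fw01 admin-login user=admin src=198.51.100.9 result=failure
2024-05-02T03:14:12Z fw01 admin-login user=root src=198.51.100.9 result=failure
2024-05-02T03:14:15Z fw01 admin-login user=admin src=198.51.100.9 result=failure
2024-05-02T03:14:20Z fw01 admin-login user=admin src=198.51.100.9 result=failure
2024-05-02T03:15:02Z fw01 admin-login user=admin src=203.0.113.45 result=success
2024-05-02T03:15:30Z fw01 vpn-session user=alice src=203.0.113.80 result=success
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Note that the second alert only exists because the login from 203.0.113.45 succeeded; if the device does not log successful administrative logins with the source address by default, that setting has to be turned on before this detection is possible, which is the point of the section above about inadequate default logging.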

Undertake pen testing at the perimeter

Regular perimeter penetration testing (pen testing), assessing the security of the organisation’s external network boundary, is another must-have. Rather than limiting pen tests to internal environments or a small selection of external systems, organisations should take a holistic stance and actively hunt down every potential weakness in perimeter defences such as firewalls, routers and VPN gateways.

By routinely scanning these external services, organisations can identify misconfigurations and spot instances of unnecessary direct exposure to the internet. Armed with those insights they can tighten security controls and map the potential security gaps and risks in their highly interconnected environments. To maximise the outcome, organisations should also limit the potential for service or management interface exposure by applying access restrictions wherever possible.
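The routine scanning described above only pays off if each scan is compared with what the organisation has agreed should be exposed. As an added example, not code from the article or from Six Degrees, the script below parses Nmap's grepable (-oG) output, diffs the open ports it finds against an approved baseline, and calls out anything that looks like a management-plane listener. The scan text, hostnames, addresses and baseline are constructed for illustration, and the list of "management" ports is an assumption to be tuned per estate.

```python
"""Compare an external port scan against an approved exposure baseline.

Added example, not from the article or Six Degrees. It parses Nmap's
grepable (-oG) output; the scan text, hosts and baseline below are
constructed for illustration.
"""
from typing import Dict, List, Set, Tuple

Exposure = Tuple[str, int, str, str]      # host, port, protocol, service name
ExposureKey = Tuple[str, int, str]        # host, port, protocol

# Ports that usually belong to a management plane rather than a user-facing
# service (assumed list); an unexpected one of these is the more urgent finding.
MANAGEMENT_PORTS = {22, 23, 161, 4443, 8443, 10443}
MANAGEMENT_SERVICES = {"ssh", "telnet", "snmp"}


def parse_grepable(text: str) -> List[Exposure]:
    """Extract open ports from Nmap -oG output.

    Grepable lines are tab-separated "Key: value" fields; the Ports field lists
    entries as port/state/protocol/owner/service/rpc/version/.
    """
    exposures: List[Exposure] = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]          # "Host: 203.0.113.10 (name)"
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 5 or parts[1] != "open":
                    continue
                exposures.append((host, int(parts[0]), parts[2], parts[4]))
    return exposures


def diff_against_baseline(observed: List[Exposure],
                          baseline: Set[ExposureKey]) -> Dict[str, list]:
    """Report open ports not in the baseline and baseline entries no longer seen."""
    observed_keys = {(h, p, proto) for h, p, proto, _ in observed}
    unexpected = [e for e in observed if (e[0], e[1], e[2]) not in baseline]
    missing = sorted(baseline - observed_keys)
    return {"unexpected": unexpected, "missing": missing}


def severity(exposure: Exposure) -> str:
    _, port, _, service = exposure
    if port in MANAGEMENT_PORTS or service in MANAGEMENT_SERVICES:
        return "management-plane exposure"
    return "unapproved service"


# Constructed scan output in Nmap grepable format (not a real scan).
SAMPLE_SCAN = (
    "# Nmap 7.94 scan initiated as: nmap -sS -sU -oG - 203.0.113.8/29\n"
    "Host: 203.0.113.10 (vpn.example.com)\tStatus: Up\n"
    "Host: 203.0.113.10 (vpn.example.com)\tPorts: 443/open/tcp//https///, "
    "4443/open/tcp//pharos///\tIgnored State: filtered (1998)\n"
    "Host: 203.0.113.11 (fw.example.com)\tStatus: Up\n"
    "Host: 203.0.113.11 (fw.example.com)\tPorts: 22/open/tcp//ssh///, "
    "443/open/tcp//https///, 161/open/udp//snmp///, 80/closed/tcp//http///"
    "\tIgnored State: filtered (1996)\n"
    "# Nmap done\n"
)

# What the organisation has agreed should be reachable from the internet (assumed).
APPROVED_BASELINE: Set[ExposureKey] = {
    ("203.0.113.10", 443, "tcp"),   # VPN portal
    ("203.0.113.11", 443, "tcp"),   # firewall's published web service
}

if __name__ == "__main__":
    result = diff_against_baseline(parse_grepable(SAMPLE_SCAN), APPROVED_BASELINE)
    for exposure in result["unexpected"]:
        host, port, proto, service = exposure
        print(f"{severity(exposure)}: {host}:{port}/{proto} ({service})")
    for key in result["missing"]:
        print(f"baseline service not observed: {key}")
```

On the constructed scan this reports SSH and SNMP on the firewall and an alternate HTTPS port on the VPN gateway as management-plane exposures, which are exactly the listeners the earlier section says should only ever be reachable from a jump box or VPN pool. Feeding the output of `nmap -oG -` from an external vantage point into parse_grepable on a schedule turns the one-off pen test finding into a standing control.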

Avoid complacency, take a proactive stance

With cybercriminals actively targeting the edge and network border defensive technologies that sit at the intersection of public and private networks, organisations can’t afford to be complacent. Today’s organisations need to assume that all network devices, including those designed to keep out threat actors, can and will be compromised. Having adopted this ‘what if’ mindset, organisations can then apply proactive security practices to fortify their borders. Top areas to focus on include implementing robust configurations, specifying predictable access locations, improving logging and system monitoring to extend visibility into network activities including the edge, and conducting comprehensive pen testing.
