
Security at the edge

Andy Swift at Six Degrees explains how to prevent exploits through proactive defence 

 

Following a recent series of high-profile attacks, edge and network border defensive technologies from companies including Citrix, CrowdStrike, Fortinet, and Palo Alto have been making headlines for all the wrong reasons. Although the cases were all very different, each vendor exposed vulnerabilities resulting from combinations of poor coding and weak security practices. 

 

Concerns mounted as organisations realised that the devices they had installed to bolster security at the edge of their networks had become entry points for threat actors. These worries are well founded. An attacker with a foothold on a border device sits at a privileged vantage point: able to see and shape the traffic passing through it, and positioned to pivot into the network behind it.

 

Time to get your house in order

I’m not looking to name and shame these vendors. There’s a broader—and, I think, more helpful—discussion to have about how organisations that deploy these devices should protect their network borders and gateways. 

 

First, we have to take a deep breath, step back, and accept that these and similar devices are not infallible. Having accepted that, we have to look at how far our cyber-security principles and processes need tightening around them. We often see a presumption that 'security devices' do not themselves need security best practice applied to them. Given the level of control such a device has over the system or environment it sits in, that presumption is badly misplaced.

 

Implementing policies and measures to protect network boundaries can be frustrating, especially after purchasing a device that was supposed to do all that. But even if we pretend these issues were never exposed, it would still be good practice to check device configuration, limit exposure to the internet, and review default logging and alert settings.

 

In other words, we need to take proactive, protective steps ourselves to limit the viability of an attack: assume the devices may one day be compromised and build policy around that 'what if'.

 

Minimise exposure to the internet

Misconfigured devices, or those simply plugged into the network and left running with default settings, can unintentionally expose management interfaces and protocols to the internet, where anyone who looks will find them. Start from the premise that very few things ever need to be entirely internet facing. It helps to separate the service the device provides (a remote-access VPN portal, say, which users must be able to reach) from the management plane that administers it (the admin web UI, SSH, SNMP, the configuration API). Unless a service is intended for general public consumption, access to it should be restricted on a zero-trust, need-to-access basis, and the management plane should never be reachable from arbitrary internet addresses.

 

Limiting the locations from which a device can be administered is also a good idea. Those locations must be predictable so that rules, permissions and access controls can be applied, and so that red flags can be raised when access is attempted from anywhere else. Funnelling all administrative access through a VPN or a jump host makes the source predictable and gives a controlled route to the device; the jump host then becomes part of the trust boundary and needs its own hardening and multi-factor authentication. If a VPN is not an option, restricting access to the public addresses of pre-agreed office locations will also work.
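The two points above, management-plane exposure and predictable access sources, can be checked mechanically against a firewall policy. The following is an added example, not code from the article or from Six Degrees: it evaluates a simplified first-match rule list to see which management ports an arbitrary internet address can reach, and audits the policy for management rules whose source is wider than a single subnet. The management port set, the jump-host subnet and the probe address are assumptions for illustration.

```python
"""Added example (not code from the article): evaluate whether an edge
device's management plane is reachable from the open internet under a given
firewall policy, and audit the policy for over-broad management rules.

Assumptions (mine, not the author's): a simplified first-match rule list,
and that TCP/22, TCP/443 and TCP/8443 are the device's management ports.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MANAGEMENT_PORTS = {22, 443, 8443}   # assumed: SSH console, admin UI, alternate admin UI
JUMP_HOST_SUBNET = "10.0.10.0/24"    # assumed internal jump-host network
INTERNET_PROBE = "203.0.113.7"       # documentation-range address standing in for "anywhere"


@dataclass(frozen=True)
class Rule:
    src: str      # source CIDR; "0.0.0.0/0" means any address
    dport: int    # destination TCP port on the device
    action: str   # "allow" or "deny"


def is_allowed(rules, src_ip, dport):
    """First-match evaluation with implicit deny when nothing matches."""
    addr = ip_address(src_ip)
    for rule in rules:
        if rule.dport == dport and addr in ip_network(rule.src):
            return rule.action == "allow"
    return False


def exposed_management_ports(rules, probe_ip=INTERNET_PROBE):
    """Management ports that an arbitrary internet address can reach."""
    return sorted(p for p in MANAGEMENT_PORTS if is_allowed(rules, probe_ip, p))


def overbroad_management_rules(rules, max_src_addresses=256):
    """Allow rules for management ports whose source is wider than a /24.

    A /24 is roughly the size of an office or jump-host subnet; anything
    wider than that for the management plane is worth questioning.
    """
    return [r for r in rules
            if r.action == "allow"
            and r.dport in MANAGEMENT_PORTS
            and ip_network(r.src).num_addresses > max_src_addresses]


# Out-of-the-box style policy: admin UI and SSH answer to the whole internet.
DEFAULT_POLICY = [
    Rule("0.0.0.0/0", 443, "allow"),
    Rule("0.0.0.0/0", 22, "allow"),
]

# Hardened policy: management only from the jump-host subnet, explicit deny
# for everyone else. A public-facing service port (a user VPN portal, say)
# would be added as its own rule and kept separate from the admin plane.
HARDENED_POLICY = [
    Rule(JUMP_HOST_SUBNET, 443, "allow"),
    Rule(JUMP_HOST_SUBNET, 22, "allow"),
    Rule("0.0.0.0/0", 443, "deny"),
    Rule("0.0.0.0/0", 22, "deny"),
]

if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: internet-reachable management ports "
              f"{exposed_management_ports(policy)}, "
              f"over-broad rules {overbroad_management_rules(policy)}")
    print("jump host -> admin UI:", is_allowed(HARDENED_POLICY, "10.0.10.5", 443))
```

One caveat the model cannot capture: on many devices the user-facing portal and the admin UI share TCP/443, in which case a port-based rule cannot separate them and the admin UI has to be bound to a dedicated management interface or port before this kind of policy can protect it.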

 

Comprehensive pen testing 

Pen testing is extremely useful here, as it can identify misconfigurations and unnecessary direct exposure to the internet, allowing admins to tighten controls before an attacker finds the same thing. I have seen a growing number of organisations limit the scope of tests to internal components or a small selection of external environments while neglecting a more holistic test. Do not be tempted to follow suit; it could mean you miss vulnerabilities at the network perimeter. There is a time and place for targeted tests, but a holistic test reveals issues and risks arising from the wider interconnection of environments that a narrowly scoped test will not.

 

In reality it is good practice to routinely pen test as many external-facing services as possible and build a complete picture of the gaps. You can then act on them even when no 'vulnerabilities' appear in the test or scan results: an administrative interface reachable from the internet is a finding in its own right, whether or not a CVE is currently attached to it. Pay particular attention to service and management interface exposure, and always ask whether access to it can be restricted further.
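The point that exposure is a finding even without a listed vulnerability can be built into scan triage. The following is an added example, not code from the article or from Six Degrees: it parses scan output in the shape of nmap's grepable format (the lines are constructed, the hosts are not real) and flags open ports that belong to the management plane of an edge device, while marking ports such as 443 that may legitimately be public but often also carry the admin UI. The port-to-role mapping is an assumption and must be checked against the vendor documentation for the device actually deployed.

```python
"""Added example (not code from the article): triage nmap-style grepable scan
output of the external perimeter and flag management-plane exposure.

Assumptions (mine): the scan lines are constructed; the port-to-role tables
reflect common edge-device defaults, not any specific vendor.
"""
import re

# Constructed sample in the shape of `nmap -oG` output (not real hosts).
SCAN_OUTPUT = """\
Host: 198.51.100.10 (vpn-gw.example.test)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8443/open/tcp//https-alt///\tIgnored State: closed (997)
Host: 198.51.100.11 (waf.example.test)\tPorts: 443/open/tcp//https///, 8443/filtered/tcp//https-alt///\tIgnored State: closed (998)
Host: 198.51.100.12 (mail.example.test)\tPorts: 25/open/tcp//smtp///, 587/open/tcp//submission///\tIgnored State: closed (998)
"""

# Ports that almost always belong to the management plane on edge devices.
MANAGEMENT_ONLY = {
    22: "SSH console",
    161: "SNMP",
    8443: "admin UI (alternate HTTPS)",
    10443: "admin UI",
}
# Ports that may legitimately be public but also commonly carry the admin UI.
AMBIGUOUS = {443: "HTTPS: user portal or admin UI, verify which answers here"}

HOST_RE = re.compile(r"Host: (\S+) \(([^)]*)\)")


def parse_grepable(text):
    """Yield (ip, hostname, [(port, state, proto, service), ...]) per host line."""
    for line in text.splitlines():
        fields = line.split("\t")
        host_field = next((f for f in fields if f.startswith("Host: ")), None)
        ports_field = next((f for f in fields if f.startswith("Ports: ")), None)
        if not host_field or not ports_field:
            continue
        m = HOST_RE.match(host_field)
        if not m:
            continue
        ports = []
        for entry in ports_field[len("Ports: "):].split(", "):
            # grepable port entry: port/state/proto/owner/service/rpc/version/
            parts = entry.split("/")
            ports.append((int(parts[0]), parts[1], parts[2], parts[4]))
        yield m.group(1), m.group(2), ports


def triage(text):
    """Return one finding per open management-plane or ambiguous port."""
    findings = []
    for ip, name, ports in parse_grepable(text):
        for port, state, proto, service in ports:
            if state != "open":
                continue  # filtered/closed: not reachable, nothing to report
            if port in MANAGEMENT_ONLY:
                findings.append({"host": ip, "name": name, "port": port, "proto": proto,
                                 "severity": "high",
                                 "note": MANAGEMENT_ONLY[port] + " reachable from the internet"})
            elif port in AMBIGUOUS:
                findings.append({"host": ip, "name": name, "port": port, "proto": proto,
                                 "severity": "verify", "note": AMBIGUOUS[port]})
    return findings


if __name__ == "__main__":
    for f in triage(SCAN_OUTPUT):
        print(f"[{f['severity']}] {f['host']} ({f['name']}) {f['port']}/{f['proto']}: {f['note']}")
```

The "verify" findings are the ones a scanner will never resolve on its own; someone has to connect to the port and confirm whether the login page is the user portal or the device's administration console.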

 

Don’t rely on default logging and alerting

Default logging on edge and network border defensive technologies is often inadequate for tracking and analysing an exploitation attempt. Organisations also tend to hold device logs and alert data for just a few weeks. That makes forensic work and attribution of an attack's origin difficult, particularly with zero-day exploitation, where an attacker may have been active on the device for months before the vulnerability was disclosed. Retention therefore needs to exceed plausible dwell time, and logs should be forwarded off the device in near real time: once the device itself is compromised, anything stored only on it can be altered or erased.

 

We have also found that organisations tend to focus their logging and alerting on the inner parts of the network rather than on activity at its borders, which limits the scope and scale of any forensic investigation after an attack. Proactively, regular (ideally real-time) analysis of border-device logs also flags abnormal behaviour, such as administrative logins from unexpected sources or configuration changes outside agreed windows, and surfaces threats early.
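To show what "not relying on default alerting" looks like in practice, here is an added example, not code from the article or from Six Degrees: a handful of detections run over management-plane log lines from a border device. The log lines are constructed in a generic key=value syslog style rather than any vendor's real format; the allow-listed admin source subnet, the change window and the failed-login threshold are assumptions for illustration.

```python
"""Added example (not code from the article): run border-device detections
over management-plane log lines instead of relying on default alerting.

Assumptions (mine): generic constructed log format; admin access is expected
only from the jump-host subnet and config changes only during 08:00-18:00 UTC.
"""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

ALLOWED_ADMIN_SOURCES = ["10.0.10.0/24"]   # assumed jump-host subnet
CHANGE_WINDOW_UTC = (8, 18)                 # assumed hours in which config changes are expected
FAILED_LOGIN_THRESHOLD = 5                  # assumed: this many failures from one source in 10 min
FAILED_LOGIN_WINDOW_S = 600

# Constructed sample: one normal admin session, then one suspicious one.
LOG_LINES = """\
2025-03-03T09:12:41Z gw01 mgmt: event=login user=admin src=10.0.10.5 result=success
2025-03-03T09:13:02Z gw01 mgmt: event=config_change user=admin src=10.0.10.5 object=policy/42
2025-03-04T02:41:10Z gw01 mgmt: event=login user=admin src=203.0.113.45 result=failure
2025-03-04T02:41:14Z gw01 mgmt: event=login user=admin src=203.0.113.45 result=failure
2025-03-04T02:41:19Z gw01 mgmt: event=login user=admin src=203.0.113.45 result=failure
2025-03-04T02:41:23Z gw01 mgmt: event=login user=admin src=203.0.113.45 result=failure
2025-03-04T02:41:27Z gw01 mgmt: event=login user=admin src=203.0.113.45 result=failure
2025-03-04T02:41:31Z gw01 mgmt: event=login user=admin src=203.0.113.45 result=failure
2025-03-04T02:41:40Z gw01 mgmt: event=login user=admin src=203.0.113.45 result=success
2025-03-04T02:42:05Z gw01 mgmt: event=config_change user=admin src=203.0.113.45 object=system/logging
"""

LINE_RE = re.compile(r"^(\S+) (\S+) mgmt: (.*)$")


def parse(text):
    """Turn each log line into a dict of its key=value fields plus ts/host."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = dict(tok.split("=", 1) for tok in m.group(3).split())
        ev["ts"] = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        ev["host"] = m.group(2)
        events.append(ev)
    return events


def from_allowed_source(src):
    return any(ip_address(src) in ip_network(n) for n in ALLOWED_ADMIN_SOURCES)


def detect(events):
    """Return (alert_name, source_ip, timestamp) tuples in log order."""
    alerts = []
    failures = defaultdict(list)   # source -> timestamps of failed logins
    for e in events:
        ts, src, kind = e["ts"], e.get("src", ""), e.get("event")
        if kind == "login" and e.get("result") == "failure":
            failures[src].append(ts)
            recent = [t for t in failures[src] if (ts - t).total_seconds() <= FAILED_LOGIN_WINDOW_S]
            if len(recent) == FAILED_LOGIN_THRESHOLD:   # fire once, when the threshold is crossed
                alerts.append(("brute_force", src, ts))
        if kind == "login" and e.get("result") == "success" and not from_allowed_source(src):
            alerts.append(("admin_login_unexpected_source", src, ts))
        if kind == "config_change":
            if not from_allowed_source(src):
                alerts.append(("config_change_unexpected_source", src, ts))
            if not (CHANGE_WINDOW_UTC[0] <= ts.hour < CHANGE_WINDOW_UTC[1]):
                alerts.append(("config_change_outside_window", src, ts))
            if e.get("object", "").startswith("system/logging"):
                # An attacker's first move after gaining admin is often to quieten the logs.
                alerts.append(("logging_config_tampered", src, ts))
    return alerts


if __name__ == "__main__":
    for name, src, ts in detect(parse(LOG_LINES)):
        print(f"{ts.isoformat()} {name} src={src}")
```

The last detection only works if the log line describing the change to logging has already left the device; that is the practical reason for forwarding logs off-box in near real time rather than collecting them weekly.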

 

Defensive technologies

Plugging in any networked device and just leaving it to run is never going to be the best approach to cyber-security. This is particularly true of edge and network border defensive technologies, given their critical role and uniquely vulnerable position at the intersection of public and private networks. 

 

Sadly, we live in a world of ingenious, tenacious cyber-criminals. We must, therefore, not be complacent. We should assume that all network devices—even those designed to keep out threat actors—can and will be compromised. 

 

With that in mind, we need to establish how prepared we are for an attack and what we can do right now to limit our vulnerabilities. For edge and network border defensive technologies, it comes down to three key areas: limit internet exposure, specify predictable access locations, and do not rely on default logging and alerts. Underpin all three with regular, comprehensive pen testing. Don't let complacency turn your organisation into a new cyber-crime statistic.

 


 

Andy Swift is Cyber Security Assurance Technical Director at Six Degrees

 

Main image courtesy of iStockPhoto.com and olm26250


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543