How safe are we when the systems designed to save us fail? In the last few months a number of high impact vulnerabilities have been discovered in security perimeter equipment (i.e. security devices that are supposed to protect your internal network from the evils lurking on the Internet). Remember the vulnerabilities found in Citrix Netscaler, and more recently in F5 and Palo Alto, to name just a few.
Who broke the cybersecurity egg-basket? These publications often had sample code that showed how easy it was to exploit their vulnerabilities and malign elements on the internet did not hesitate to weaponize them to gain access.
A lot of technical analyses followed. Publications, companies and individuals combined forces to find vulnerable devices on the Internet and help secure them. It is of course very important to fix the immediate problem and help secure internal networks again as soon as possible. However, if we look a little beyond that first triage, we may need to start reconsidering the current security models and find a new way of managing our information security.
Most organisations still follow a security model that keeps bad actors out (i.e. external Internet based threats) and fully trusts that their internal network will be safe. But if these bad actors can cross the perimeter, there are no other real defences to stop them once inside. I have seen this model on many occasions and refer to it as the (Kinder) egg model. The goodies are inside, and if you break the outer shell, you have unrestricted access.
The egg shell for information security is built with firewalls, reverse proxies, VPN tunnels and all kinds of other solutions and products. If you can do a scan of your perimeter, you will probably see more ‘doors’ in it than you expect, and some doors are stronger than others. And only one door needs to break for the bad actors to cross the perimeter. Not to mention all the cloud based services being used, third party networks, remote management services and of course, all the work from home solutions that have been implemented.
One can wonder if this egg model of (only) protecting your perimeter is still sufficient. It is still based on the assumption that you can prevent bad things from happening, often by deploying technical solutions.
In my opinion, this model no longer holds. We are slowly seeing a paradigm shift from prevention to “assume breach”, where we need to assume some actor has breached our perimeter and has gained access to (parts of) our internal network. If we work from this assumption, we can see that we need to protect our internal network just as much as our perimeter. Therefore, segregating your internal network into zones, to limit the impact of a breach and give each asset the protection it requires, is a necessary step. By building internal boundaries we will not prevent a breach from happening, but we can limit the impact as much as we can.
And internal segregation is just one piece of the puzzle. If we follow the “assume breach” approach, we also need to be able to detect those breaches as quickly as we can, and respond accordingly. This means that your security budget should be balanced between preventive measures (the boxes with blinking light all vendors want to sell you), detection measures (collect important log data and analyse it automatically, but also train your staff in recognising ‘strange’ behaviour) and responsive and corrective measures (this is mainly a people thing, your staff needs to know what to do in case of an incident).
As is now apparent, handling the “assume breach” paradigm becomes less dependent on technology and more on the people in your organisation. The old cliche that people are your weakest security link no longer holds in my opinion. With proper awareness and training, your people can become your strongest security control, both for detecting bad things that happen and resolving them in a quick and effective manner.
Stay safe!
Arthur Donkers
