The Perimeter Is Dead
For the past 30-plus years, the overarching plan to secure networks and digital infrastructure was one that was predicated on the concept of perimeter-based security. Most organizations across the globe subscribed to the concept and plan that if the walls were high enough and the outward boundaries of the network were hard enough, then the enemy would not be able to "get in." Entire global architectures have been built and deployed to leverage that concept and billions of dollars have been spent to engage in "defense in depth" and the "castle and moat" methodology of security. It has all been for naught.
The perimeter-based model of security has categorically failed to keep pace with the evolution of the internet, the proliferation of devices and accesses, and the explosion of cloud computing and an increasingly mobile and Bring Your Own Device (BYOD) workforce. There is no perimeter anymore. The moment a user can...
A scenario detailing holes in the model
Consider the following scenario. A user who works from home and has administrative rights on their machine (as most do, especially when it is their own personal device) allows their child to use that device because they need it for homework. The little tyke jumps on their parent's overly powerful, overly app-heavy, non-managed device and, instead of going to a safe homework site, they maneuver to what they thought was a seemingly innocuous site that they heard about at school.
This young user wants to see whatever this site has to offer, but in order to do that they must download a plugin on their parent's browser and an app that the site says they need to use the content on the site (remember the child can execute this operation because they have administrative privileges on this machine) – so they do.
Everything on the site works fine, no malware alerts are noted (because the malware they downloaded is new and has no...
A global perimeter falls
Another example of how the technical alignment of the perimeter-based model helps proliferate exploitation and is woefully ineffective at combatting current threat actions comes from an analysis of what happened to the shipping giant Maersk.
In 2017, a Ukrainian company with software used for accounting – the Linkos group – was operating as normal. Unbeknownst to the IT leaders and users at this company, the servers that were connected to hundreds of clients and responsible for updating their accounting software were the launching point for the initial proliferation of the NotPetya ransomware attack.
The Linkos group, which did nothing "wrong" other than be located in a country that was actively being targeted by the military wing of the cyber operations branch of the Russian government, had been the victim of months of covert exploitation conducted to gain a military advantage in the region.
The Russian cyber warfare...
Even compliant organizations' perimeters fail
The Equifax breach offers yet another case study in the dissolution and ineffective nature of the current state of security practices for enterprises. Even those that have spent millions on security and are fully aware of both the location of and the implications of their data security plans will fail epically when any instance of weakness is found in their perimeter-based security model.
Consider the technical and managerial aspects of the Equifax breach. The company had a large budget for their security team, all required and compliance mandated solutions were in place, and broad scope security monitoring and analytics were in place. And yet the entirety of the data repositories for the company, and more than 140 million Americans and over 800,000 UK citizens, was exploited over the course of a near year-long incursion.
The initial impetus for the infection occurred thanks to a vulnerability in the public-facing...
Governments' perimeters fail
Even governments can fall victim to the scourge of this failed approach to security. The US Office of Personnel Management, or OPM, is one of the most critical agencies within the US Federal system. This entity is basically responsible for housing the total collection of all human resource records for every person that is employed by the US Federal Government. This includes millions of current and past Federal employees' and military members' personal information, as well as the results and data for every security clearance investigation that is used by the DoD to validate access for its most secretive agencies and programs. One would think that with this type of data, and knowing the extreme value of this data, the agency would be one of the most secure within the DoD. Not so.
Users, BYOD, and the obliteration of the perimeter
The power that is afforded to users, devices, and applications has exponentially increased over the last half-decade and with the proliferation of that power comes an ever-increasing multi-faceted patchwork of potential future failures for all infrastructures. Add the increasing complexity and reliance that the cloud offers and the problem of maintaining control and management of all those moving parts, which all exist by default outside of the boundaries of any perimeter, and things go from bad to worse at light speed.
In the past, it was a necessity for users to physically be present at their place of employment for them to have any connectivity or access to network systems, and in many cases, even computer technology. Over the last two decades, the reduction in cost of personal computing devices, and the power that those devices wield, has benefited the user population but has confounded infrastructure security. The...
Applications add to insecurity
When one realizes the flaws that VPN technology introduces to the enterprise perimeter security model, one can see there are certainly issues with that approach. Adding to that issue, but also closely coupled with remote work and the BYOD movement for the workforce, is the issue of application security. Applications are what everyone, everywhere, on every device, uses to interact with and access the tools they need to do their jobs and conduct tasks in their daily lives. These applications are in many cases built with a focus on speed to production in mind, not security. That fact means that many of those applications that are used are basically built to be insecure.
According to a study jointly conducted by the Ponemon Institute and IBM, more than 50% of enterprises have 0% of their security budget aimed specifically at application security (Ponemon Institute, 2016). Over 40% of enterprises do not scan the code that runs their applications for...
Authentication methods failed
The password: the single most prolific means of authentication for enterprises, users, and almost any system on the planet is the lynchpin of failed security in cyberspace. Almost everything uses a password at some stage. Basically, every application that is used, as well as every VPN, and even every machine on the planet uses a password for its means of authentication, as do administrative tools and internetwork shares and firewall systems. Everything, everywhere, has a password.
While that seems like a relatively simple and useful means of implementing security via authentication, passwords are only secure if they stay unknown to those who aren't the user of that password.
Over the past half-decade, almost every major instance of repository for usernames and passwords has been breached at one time or another. In 2019, an independent researcher released a list of over 700 million known breached emails and usernames that could...
IoT devices poke holes in any perimeter
Internet of Things (IoT) devices are now some of the most prolific network-enabled assets on the planet. Over 6 billion of these devices are known to be currently connected to the internet as of 2019. All these 6 billion devices are web-enabled, app-enabled, require passwords for authentication, and are usually developed and built in nations that are known to have adversarial ties to government hacking organizations. In other words, they are guaranteed to have some level of insecurity from the day they roll off the manufacturing floor. And most, if not almost all, enterprises have some form of an IoT device in their network somewhere.
Whether it's a smart TV, smart thermostat, wireless printer, internet-enabled camera, or some other device somewhere in an enterprise, it is a certainty that an IoT device exists in that infrastructure.
The use of proprietary wireless signals and protocols within IoT devices is the main avenue...
You can't fix stupid, or evil
In a perfect world, no human would ever touch a network. Machines would do everything and humans would simply benefit from those interactions. Machines operate logically and solely with a focus on function. They aren't easily tricked and are not typically open to influence via social means. But, for the time being, we don't live in that science fiction world where machines do everything for us. We still have users, and those users touch our networks, and their actions and issues introduce avenues of exploitation that can cripple what might have been a secure network. We must consider the following:
- The most secure network is the one that no human ever touches. The second that a human puts their fingers onto a keyboard, the threat of compromise via human means, social engineering, phishing, and other standard methods becomes a reality. While technology is relatively binary in nature, humans are not. We are open to influence, fear...
The perimeter-based security model is outdated and has unequivocally failed to secure businesses and enterprises across the planet. However, it is not because the basic concept of a secure edge is a failure. It is instead the proliferation of technology combined with the interconnected nature of current infrastructures that make this approach to security so ineffective. The very connectivity that is a boon for mankind, enabling business and everyday life, is its own worst enemy. A failure within one perimeter eventually will lead to a failure in many, and on and on it goes.
While the perimeter-based model of security has proven itself inefficient and a purveyor of failure, there are now issues far beyond those high walls that will afflict cyberspace for the coming decade. The time to understand what those items are and explore how they might be used for malevolent purposes is now, before they become problems that expand beyond the bounds of any...
- Brandom, R. (2017, October 3). Equifax CEO blames breach on a single person who failed to deploy patch. Retrieved from theverge.com: https://www.theverge.com/2017/10/3/16410806/equifax-ceo-blame-breach-patch-congress-testimony
- Constantin, L. (2019, October 30). Credential stuffing explained: How to prevent, detect and defend against it. Retrieved from csoonline.com: https://www.csoonline.com/article/3448558/credential-stuffing-explained-how-to-prevent-detect-and-defend-against-it.html?utm_source=twitter&utm_medium=social&utm_campaign=organic
- Government Accountability Office (GAO). (2018, August 1). Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach. Retrieved from gao.gov: https://www.gao.gov/assets/700/694158.pdf
- Greenberg, A. (2018, August 22). The Untold Story of NotPetya, the Most Devastating Cyberattack in History. Retrieved from wired.com: https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed...