Mitigate cyber breach losses by containing the cell
- By Pete Kofod
- Feb 19, 2016
The technology sector was rocked again by what will likely prove to be a major security headache. Cisco announced on Feb. 10 that a critical vulnerability had been found in its widely deployed Cisco ASA firewall appliance and recommended system administrators patch their systems immediately. For those interested or affected, the details can be found here.
There is a saying among technology professionals that nobody ever got fired for buying a leading vendor’s solution. The belief is that selecting industry leaders mitigates both technical and strategic risk. Yet while the major vendors have rightfully earned the leadership mantle in the technology industry, the expression also serves as an indictment of organizations’ technical leadership on several levels.
As a matter of simple principle, it suggests a lack of professional rigor by “going with the crowd.” The popular solution may offer advantages in terms of long-term technology viability, economies of scale in acquisition and support as well as the ease of staffing. There is a flip side, of course: Security problems are magnified.
Who’s minding the firewall?
In the case of the Cisco ASA firewall, the company claims that over 1 million of these appliances have been sold. Cisco ASA firewalls, particularly the lower end models, are often used to grant VPN access to remote, sometimes unmanned, facilities. Unmanaged by technical personnel, these firewalls are exclusively accessed by remote end users. In fact, it is quite conceivable that these systems have no administrator or owner. I expect to see such sites -- including warehouses, utilities facilities and “closets” -- getting exploited over the next months. Unlike desktop operating systems in which end users are notified of vulnerabilities via updates, there is no mechanism for notifying VPN users that they may be using a highly compromised system.
Exploiting “best practices”
The second failure of leadership is the acceptance of “best practices” without analyzing whether the spirit of these practices is indeed being met. Continuing with the ASA vulnerability as a case study, two “best practices” include central authentication and defense in depth. The ASA can reasonably be considered the first line of defense. VPN services delivered by the ASA are often authenticated using a central authentication database such as Microsoft Active Directory. Assuming a catastrophic compromise of an ASA, including the ability to modify code, is it far fetched to assume that the code could be used to obtain Active Directory credentials from other users logging in via the VPN? Once those credentials are compromised, is it then unreasonable to think that other internal systems, relying on the exact same authentication mechanism, may have been compromised?
Complete compromise of central authentication systems is the holy grail of attackers. It affords the ability to “return to the well.”
Defense in depth speaks to prevention by employing heterogeneous security architectures to provide diversity. As we have seen, however, central authentication can make that protection collapse quickly.
Prepare for compromise
Strategies for mitigating loss after a compromise often go unaddressed. Organizations may have disaster recovery policies and procedures in place, but there are no industry standards for containment. Organizations, already taxed for time and resources, find it difficult to discuss issues that lie beyond customary security practices. In other words, developing a mitigation framework is often “outside the box.”
Traditional risk analysis depends on evaluating probability and effect, and most mitigating strategies address probability only. Cell structure security is a concept that can be used to change that. It assumes compromise (assigning a probability of 100 percent) and focuses on limiting effects by immediately isolating the affected cell and collapsing it instead of permitting it to spread potential contagion. Individuals, teams or firms responsible for securing networks need to adopt cell structure security.
Pete Kofod is founder and CEO of The Sixth Flag, a workspace-as-a-service company offering virtual workspaces with industry-leading security features.