My local supermarket is usually where I buy alcohol. Almost without fail, my purchases are rung up by someone not old enough to legally drink. As a result of this, every time I buy alcohol, the teenage cashier has to call for Customer Service to come and check my ID (which is no longer flattering at 36, trust me). They swipe the bottle through the scanner and then hand it back to the teen who then puts it in a bag for me.
Most people don’t mind the delay. We’ve all accepted that this is a safeguard to ensure that teens cannot sell alcohol to other teens and also to make sure ID is checked. Putting on my IT Security and Analytics hats for a moment, I start to find flaws in this process.
The cashier can quickly inspect and validate all of my items, efficiently processing them so I can pay and take them outside of the secured perimeter of the store. When alcohol appears, this “firewall” understands that this is traffic it’s not allowed to inspect, so it forwards the request to the Threat Management system, aka Customer Service, who will then validate the request for purchase.
This process is essentially the nuts and bolts of a perimeter-based security system in a network. This is also a deeply flawed process that leaves large portions of the network exposed to attack and can also allow viral infections to spread.
The Major Flaw of Every Security System
Tech security is built by humans, and it’s in our nature fall back into old patterns for verification. We’ve been doing this for thousands of years, from the old counting system of putting the product count in a sealed jar and sending it with the shipment for the receiving end to verify, to having to go through a body scanner at the airport. Pick virtually any major security or filtering method we, as humans, have employed and you will find one common issue between all of them: trust.
By nature, we are inherently trusting people. Depending on the security system, we rely on at least one element in this process of verification that is based purely on trust. For instance, Customer Service at the supermarket trusts the teen to alert them to an alcohol purchase, bag it and give it to me once I’ve paid. Some systems will allow the teen’s login to accept alcohol, some will not, however, both methods employed still have the teenager handling alcohol in the process.
Buy a ticket at a movie theater and beyond checking the ticket when you walk in, the theater trusts you not to be armed. At the airport, the TSA trusts that the general public is not capable of disassembling and hiding weapons in such a way that a worker paid slightly more than a fast food employee can’t detect it.
These varying degrees of trust are based on necessity, cost and also logic. A movie theater doesn’t need an armed brigade to body scan every patron because the chance of a serious incident is very low, despite the horrible situation in Colorado a few years ago. However, an airplane can be hijacked and used as a weapon. Hence, the greater the risk to humanity, the less trust the security team and filters should have.
In both cases, cost is weighed into this as it relates to the severity of possible threat. Movie theaters do not spend a good deal of money on security beyond a few guards or employees checking to ensure the person has paid, and this is usually fine. Movie theaters tend to be safe and are considered low priority targets, so security can be lax and it’s usually not an issue.
Securing an airport, however, is a different animal. A good deal of time and money is invested in ensuring that points of entry into the airport are secured, guarded and blocked. Equipment is purchased to scan and check all passengers and personnel coming into the airport. The real threat of terrorism against our air transportation infrastructure warrants the sometimes outrageous cost to ensure security.
Unified Threat Managed Firewalls > Perimeter-Based Firewalls
So, why are corporations overwhelmingly leaving their computer networks open to attack by running a network security philosophy that is flawed by trust and antiquated? Perimeter-based firewalls only check traffic in, and hopefully out, at the perimeter but do nothing to check internal communication between computers, devices and servers. It is trusting and authenticating computers when it’s very possible it shouldn’t be.
Unified Threat Managed (UTM) firewalls are better in that they’re validating inbound and outbound traffic against known threats. They look for patterns and data that could signify infection or malicious intent, but like a standard non-UTM firewall they do nothing to check and protect computers within the network while they’re communicating.
Locally installed virus scanners are notorious, despite their own claims, for catching only a fraction of infections; they miss Crypto malware and usually lag 24 hours or more behind in definitions because of how the virus companies release updates. Most UTM firewalls are also in a very similar boat though that is changing thanks to a few leaders in the field and the increased competition to put forth a truly secure UTM firewall.
The truly best security posture an IT security professional can take is to see the flaws of these conventional configurations in the networks they manage. They need to realize that the only true stance is to divorce themselves and these networks from what has held security back for ages: trust. Networks need to be the tinfoil-hat-wearing, “everyone-is-out-to-get-us” paranoids. Everything is suspicious and should be treated as such.
The Zero Trust Model
A while back, Forrester Research came out with such a model. One that has been proven effective time and again and should be applied to all networks and infrastructure that need serious defense. This model is simply called “Zero Trust” and it’s as simple on paper as it sounds.
A network with Zero Trust assumes that all computers, servers and devices within the defense perimeter are threats, as well as threats to everything else, before they prove themselves. In essence, every time a computer wants to talk to another entity on the network within the perimeter, that traffic is analyzed for threats via an internal firewall that updates itself throughout the day with the latest intelligence and virus definitions.
This updating, known as Zero Day, requires the firewalls be from a company that is constantly sandboxing and analyzing threats in the cloud. They then write inoculations for said threat and immediately push them to the firewalls globally. This defensive stance enhances security and filtering drastically in that the time it takes from discovery of a threat to inoculation of the network can be as fast as half an hour if it’s coming from a top tier firewall provider.
Typically, in a Zero Trust network with Zero Day updating, a crypto infection cannot spread beyond the infected computer, meaning that server shares and other assets are safe from attack. Think again of being in a supermarket — every time you add something to your cart, there is a security guard there checking what you added and making sure you didn’t pocket it instead.
Application Whitelisting
Yet…this isn’t paranoid enough. Threats can still slip through even though we’ve vastly mitigated this possibility. Enter Application Whitelisting. On top of the internal firewalls scanning all traffic for threats, the best firewalls will also do Application Whitelisting so only allowed traffic can pass through the firewalls.
For example, if a network only allows 3 applications to be used on its network, then why allow all other traffic as it could be potentially malicious? It cuts down on network traffic, and those whitelisted applications are still scanned for threats because while they’re allowed through the firewall, it doesn’t necessarily mean they’re clean.
This stance is the best possible method to ensure no threats can go in and out. This would even apply to mobile devices like phones and laptops that should be connected and running their internet traffic through a Zero Trust, Application Whitelisting firewall via a VPN connection 24/7.
Clients with this level of security don’t get infected. They simply don’t. This is like going to the grocery store and before you enter, Security approves your shopping list, follows you around the store checking you constantly so you can’t deviate or try to sneak something into your cart and then walks you to your car after helping you check out. The odds of infection are so incredibly low that we never have to worry about it. Investing in a network that has this level of security is obviously more expensive than simply buying a firewall, but it pays off in the long run since no time will be lost to infection cleaning or lengthy restorations of data.
When you’re planning or reviewing your IT security remember that you’re only as strong as your weakest link. Don’t be the supermarket.
LOCK DOWN YOUR NETWORK
FREE PENETRATION TESTING COURSE
- Social engineering
- Port scanning
- SQL injecting
- Anti-virus evading
- Client side attacking