The Incredible Expanding Attack Surface
GOT YOUR CUSTOMERS’ PCS AND SERVERS safely protected against the latest security threats? Good! Now what about their fish tanks?
That’s right, fish tanks. In a much-discussed incident disclosed last year by security vendor Darktrace, hackers worked their way past network defenses at a casino through a vulnerability in an aquarium equipped with an internet-enabled thermometer. Hard to blame the casino’s IT provider for failing to anticipate that exploit. These days, attacks are coming at companies large and small from some pretty unusual places.
“You have all kinds of technology entering the office, whether it’s refrigerators, or light bulbs, or keyless entry systems, [or] security cameras,” says Robert Boles, president of BLOKWORX, a managed security service provider in Reno, Nev. Moreover, he adds, the companies that make those devices tend to be far more interested in minimizing time to market than in sealing out would-be intruders.
The upshot for channel pros, of course, is a significantly bigger and more varied attack surface to monitor and protect. Shielding clients from today’s continually proliferating threat vectors is possible just the same, experts say, with the help of some new tools and old best practices.
Unacknowledged Entry Points
Ironically but perhaps predictably, the technologies responsible for the worst of today’s new risks are the same ones empowering businesses with potent new capabilities. Take cloud computing, for example. Microsoft’s Office 365 productivity suite gives users anytime, anywhere access to information and other people, but also offers cybercriminals a rich new set of data repositories to target. You’re not just getting email with Office 365, observes John Pescatore, a director at research and training organization SANS Institute who studies emerging security trends.
“You’re getting OneDrive, which is storage in the cloud. You’re getting SharePoint. You’re getting all these other services, and other ways users can inadvertently leave sensitive data [exposed],” he says.
Thanks to the Internet of Things (IoT), meanwhile, everything from thermostats and whiteboards to heating systems and fire alarm panels is now a potential entry point for uninvited intruders as well. “They can use that as a launching point to get to the rest of your network, get on your desktops and your phones from there and maybe into your access points, and then be able to monitor all of the internet traffic, including when you log into your bank account,” notes Richard Stiennon, chief research analyst at security consultancy IT-Harvest.
Breaching IoT hardware is often all too easy, moreover, thanks to weaknesses like default passwords that vendors say nothing about and users neglect to change. Boles, for example, recalls logging into a video surveillance system installed for one of his clients by another technology provider and finding 12 previously unknown administrator accounts in use. “The very thing that they had brought in to secure their environment was actually making them more vulnerable because the cameras that they were watching were also available to the world to watch,” he observes.
Test, Isolate, and Restrict
Boles and other security specialists point to a number of techniques channel pros can use to combat threats like that. For starters, look for every opportunity to shrink the attack surface by retiring systems no one really needs. “There’s on-premise gear that is just kept around for no compelling business reason whatsoever,” observes Ian Trump, chief technology officer for Octopi Managed Services, a Canadian managed security service provider and U.K.-based cyberthreat research lab.
Trump also recommends testing new hardware and software in a safely isolated lab environment before putting it into production. Many vendors offer partners not-for-resale copies of their products that are perfect for this kind of evaluation, he notes.
- CLOUD-BASED SOLUTIONS and IoT devices are adding a wide range of new and often poorly protected threat vectors to SMB networks.
- SHRINKING THE ATTACK SURFACE by retiring unneeded solutions and deploying NAC systems is an important remediation measure.
- SO TOO IS TESTING new web-enabled devices in a lab environment prior to deployment, changing default passwords, and keeping them
- RESTRICT POTENTIALLY VULNERABLE SYSTEMS to isolated network segments and equip them with strictly defined access control lists.
Step one after installing devices that clear your tests should be changing their default password. “It immediately takes you out of the realm of 200,000 devices that will be involved in some botnet because only the devices with the default password are discoverable,” says Stiennon. Keeping newly deployed systems patched is another simple but frequently forgotten step, he adds, as is confirming an update’s validity before rolling it out. Attackers are increasingly using phony patches as a way to break into otherwise well-protected networks.
If even patches aren’t trustworthy, though, nothing is, so Boles counsels channel pros to restrict IoT devices and other especially vulnerable assets to their own strictly segmented network. “As IT professionals, in order to minimize risk we kind of have to protect clients from themselves,” he says. “Putting those things in their own little space is key.”
So too is limiting what can communicate with those things via access control lists that lock out everything but a short list of explicitly authorized people, processes, and applications. For example, most video surveillance solutions these days are proxied to a user’s network by the manufacturer through a cloud-based host. “If there’s the ability to restrict inbound sessions to only those IPs, we suggest that,” Boles says.
Utilizing products with cloud-based hosts is a good idea more broadly. Anthony Polselli, owner of Natural Networks, a provider of managed network and business VoIP services in San Diego, deployed such an offering when one of his clients needed a web-enabled HVAC system. “Instead of opening up ports on the firewall, that system reports back to a central cloud controller, and then the app authenticates to the cloud and commands go through there,” he says.
Of course, the devices you’ve carefully deployed and secured yourself aren’t the ones you most need to be concerned about, so equip your customers with network access control (NAC) solutions too. Such products keep an eye out for surprise newcomers to a client’s environment and shut out resources that shouldn’t be there. “You can’t even think about a security strategy until you know what’s on your network,” Pescatore notes. Cisco and other leading vendors build NAC capabilities directly into many of their products these days, he adds.
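The inventory check Pescatore describes and the segmentation rule Boles recommends, worked through as a small added example (not from the article or from any vendor’s NAC product): a DHCP lease file is compared against a baseline of known devices, flagging unknown newcomers and known IoT gear that turns up outside its isolated segment. The lease format, MAC addresses, subnets and inventory below are all constructed for illustration.

```python
# Added example, not from the article: a minimal inventory audit in the spirit
# of the NAC and segmentation advice above. Everything below is constructed.
import ipaddress

# Constructed baseline: MAC -> (label, device class). Not real devices.
INVENTORY = {
    "aa:bb:cc:00:00:01": ("finance-pc-01", "endpoint"),
    "aa:bb:cc:00:00:02": ("lobby-camera-01", "iot"),
    "aa:bb:cc:00:00:03": ("hvac-controller", "iot"),
}

# Constructed segments: IoT gear is restricted to the isolated IoT subnet.
SEGMENTS = {
    "endpoint": ipaddress.ip_network("10.0.10.0/24"),
    "iot": ipaddress.ip_network("10.0.99.0/24"),
}

# Constructed dnsmasq-style lease lines: expiry MAC IP hostname client-id.
SAMPLE_LEASES = """\
1700000000 aa:bb:cc:00:00:01 10.0.10.15 finance-pc-01 01:aa:bb:cc:00:00:01
1700000000 aa:bb:cc:00:00:02 10.0.99.21 lobby-camera-01 *
1700000000 aa:bb:cc:00:00:03 10.0.10.77 hvac-controller *
1700000000 de:ad:be:ef:00:09 10.0.10.88 smart-fridge *
"""

def parse_leases(text):
    """Yield (mac, ip, hostname) for each lease line with enough fields."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            yield parts[1].lower(), parts[2], parts[3]

def audit(lease_text, inventory=INVENTORY, segments=SEGMENTS):
    """Return (mac, ip, hostname, issue) tuples for devices absent from the
    baseline and for known devices seen outside the segment their class is
    confined to (e.g. an HVAC controller that has landed on the user LAN)."""
    findings = []
    for mac, ip, host in parse_leases(lease_text):
        if mac not in inventory:
            findings.append((mac, ip, host, "unknown_device"))
            continue
        _label, klass = inventory[mac]
        if ipaddress.ip_address(ip) not in segments[klass]:
            findings.append((mac, ip, host, "wrong_segment"))
    return findings

if __name__ == "__main__":
    for mac, ip, host, issue in audit(SAMPLE_LEASES):
        print(f"{issue:15} {mac} {ip} {host}")
```

Run against a real lease file, the same two checks drive the NAC actions the article describes: alert on the newcomer, and quarantine or re-tag the device that has strayed out of its segment.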
Finally, as any organization’s biggest attack surface is its people, not its hardware, end-user security training is a must. Pescatore recommends doing that more than just once a year. “It really has to be kind of regular, once a month, maybe once every other month,” he says.
In the end, though, no amount of diligence will protect your clients completely from today’s ceaselessly innovating cybercriminals. “They will never miss an opportunity to make a dollar,” Trump observes. On the other hand, channel pros who take the right steps can go a long way toward keeping the dangers of an ever-sprawling attack surface in check. “I’m not going to say utopia is achievable,” Trump notes, “but I am going to say that Hell is avoidable.”
The ChannelPro Network is dedicated to providing IT consultants, VARs and MSPs who serve the IT needs of small and midsize businesses (SMBs) the news, insights, resources and best practices necessary to help them grow their businesses and better serve their SMB customers.