1/29/2019 02:30 PM
Henry Harrison
Commentary

Remote Access & the Diminishing Security Perimeter

Where security really matters, the enterprise is only as secure as the endpoints it allows to access its sensitive core systems.

Long gone are the days of the physical perimeter, where a company's IT infrastructure was entirely on-site. Today's increasingly decentralized enterprises depend on a workforce that operates both at home and on mobile devices, working together with the help of cloud-based services. Yet the death of the traditional perimeter does not mean the end of security architecture. Instead, we need to recognize that it is all about trust.

As little as a decade ago, most organizations assumed that their security protection was robust, and few had deployed security operations centers or other cyber monitoring solutions. The concept of "zero trust" was a useful spur to action: work on the assumption that any of your resources might be compromised and put monitoring solutions in place so that you can take remedial action if you find something is amiss.

But when designing underlying cyber protections, too many architects are taking zero trust to be the primary objective. This is a misinterpretation. In the first instance, we should look to protect our resources from attack. What zero trust reminds us is that we are fallible, and that we should put in place backup plans in the form of monitoring and incident response for the (hopefully rare) cases where our protection plans fail.

Zero Trust at the Endpoint
Where we see this misinterpretation most frequently is in the context of the user endpoint, where many enterprises are making plans that can be summarized as "Don't worry about the endpoint: We'll just assume zero trust." There are cases where this is a reasonable decision, made in the full understanding of the risk. But in too many cases, the risks are poorly understood.

In many ways, this is a legacy of decades of remote access solutions built around the traditional security perimeter. In the threat environment of years past, the critical risk for remote access was that an unauthorized individual would seek to connect to the remote access portal. The critical controls were passwords and two-factor authentication. But in the future threat landscape, this risk is joined by another: a legitimate user connects but the machine they are using to do so is not fully under their control.

This is not hypothetical. It is a risk that has played out in the real world, albeit in a different context — Internet banking. Here is a real-world case study where high-value systems are accessed from endpoints that have few, if any, controls, and which must indeed be treated as zero trust.

Man-in-the-Browser: A Cautionary Tale
In the early days of Internet banking, the risk was unauthorized access, and banks developed varying levels of protection, ranging from partial-password schemes, in which only some characters of the password are requested at each logon, to two-factor authentication. But the more sophisticated attackers then turned to a far more pernicious mode of attack: man-in-the-browser.

With a man-in-the-browser attack, a user connects using his or her valid authentication methods. But the web browser has been compromised, and what the user subsequently sees is not what the website says, but rather what the attacker displays. What the website sees is not the user's input, but the attacker's input.

Even two-factor authentication (2FA) techniques can be subverted in a man-in-the-browser attack. We have seen real-world instances where users have entered their 2FA details to approve a valid transfer, but what is actually approved instead is a malicious transfer set up by the attacker.
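To make the failure mode above concrete, here is an added example (not code from the article or from Garrison) that simulates the two approval schemes a bank might use. In the first, the user's 2FA code depends only on a shared secret and a counter, so a compromised browser can collect the code the user typed to approve a legitimate transfer and submit it with a substituted transaction; the server has no way to tell. In the second, the code is computed over the payee and amount the user actually saw on the authenticator ("what you see is what you sign"), so the substituted transaction fails verification. The secret, names and amounts are constructed for the demonstration, and the HMAC-based code construction is an assumption standing in for whatever a real authenticator uses.

```python
import hmac
import hashlib

# Constructed demo secret, standing in for the key provisioned to the
# user's authenticator (hardware token or app); never reuse in practice.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"


def _six_digits(mac: bytes) -> str:
    """Truncate a MAC to the six-digit code a user would type."""
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def generic_otp(secret: bytes, counter: int) -> str:
    """Weak scheme: the code depends only on the secret and a counter,
    not on the transaction being approved, so it approves *anything*
    submitted in the same session."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return _six_digits(mac)


def transaction_code(secret: bytes, counter: int, payee: str, amount_cents: int) -> str:
    """Transaction-bound scheme: the authenticator displays payee and amount
    on its own screen and signs them together with the counter, so the code
    is only valid for that exact transfer."""
    msg = (
        counter.to_bytes(8, "big")
        + payee.encode("utf-8")
        + b"|"
        + amount_cents.to_bytes(8, "big")
    )
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return _six_digits(mac)


def bank_verify_generic(secret: bytes, counter: int, code: str) -> bool:
    """Server-side check for the weak scheme: recompute and compare."""
    return hmac.compare_digest(code, generic_otp(secret, counter))


def bank_verify_bound(secret: bytes, counter: int, payee: str,
                      amount_cents: int, code: str) -> bool:
    """Server-side check for the bound scheme: recompute over the transfer
    details the server is actually being asked to execute."""
    return hmac.compare_digest(code, transaction_code(secret, counter, payee, amount_cents))


def simulate(bound: bool) -> dict:
    """Simulate a man-in-the-browser swap: the user approves the transfer
    they see, the compromised browser submits a different one along with
    the code the user entered. Returns what reached the bank and whether
    the bank accepted it."""
    counter = 7
    intended = ("Alice Landlord", 120_000)    # constructed: what the user sees and approves
    substituted = ("Mule Account", 950_000)   # constructed: what the tampered browser submits

    if bound:
        # The authenticator shows the intended payee/amount and signs them.
        code = transaction_code(SHARED_SECRET, counter, *intended)
        accepted = bank_verify_bound(SHARED_SECRET, counter, *substituted, code)
    else:
        # The code says nothing about the transaction, so the swap goes unnoticed.
        code = generic_otp(SHARED_SECRET, counter)
        accepted = bank_verify_generic(SHARED_SECRET, counter, code)

    return {"submitted": substituted, "accepted": accepted}
```

The bound scheme only helps if the payee and amount shown to the user come from a channel the browser cannot rewrite (the token's own display, or a separate device), and if the server verifies the code against the transaction it is about to execute rather than the one the web front end claims was approved. It also does nothing for the fatigue problem discussed next: a user who is asked to sign every trivial action will stop reading what the authenticator displays.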

Furthermore, 2FA works best when used sparingly. If 2FA is used too frequently, two things happen. First, users get frustrated and efficiency suffers. And second, users become too accustomed to entering their 2FA details and are more easily convinced to enter them by an attacker (such as the man-in-the-browser) — making it easier for an attacker to bypass the control.

Benefits & Risks
Clearly, banks have decided to persist with Internet banking despite these risks; the business benefits are worth the risk. But despite heavy investments in cyber and fraud monitoring, there are significant losses suffered every year. The calculus is that (given transfer limits) any individual loss will be manageable and that the aggregate costs can be passed on to customers.

In other contexts, however, that calculus may be different. Individual cyber incidents that affect an enterprise's core systems may have far higher impact than the loss of funds from any single bank account. In these cases, man-in-the-browser (or equivalent attacks) could be catastrophic — anything that the valid user can do, the attacker can, too.

Where this is the case, we must see zero trust as a backup in case of failure rather than the primary plan. In today's enterprise architecture, user endpoints are probably the hardest elements to secure. But regardless of how frustrating it may be, where security really matters, the enterprise is only ever as secure as the endpoints it allows to access its sensitive core systems.

Henry Harrison is co-founder and CTO at Garrison, and a seasoned IT industry executive, serial entrepreneur and the brain behind Garrison's core technologies. Henry has a background in leading the development of innovation in cyber security and Garrison was founded to create ...

Comments
vadim@newedge.io
User Rank: Apprentice
1/30/2019 | 9:23:55 PM
Device compliance is and has always been a part of user authorization
The author is implying that legacy/existing remote access solutions rely on authentication as a sufficient mechanism of providing access (see quote below). That assertion is incorrect, as any commercial VPN/NAC vendor, such as Juniper, Cisco, or Pulse Secure, to name a few, has a comprehensive mechanism of device compliance verification as a part of the authorization process. The same applies to modern "Zero Trust" vendors, like New Edge, for example, which uses device compliance as a part of a policy calculation.

"In many ways, this is a legacy of decades of remote access solutions built around the traditional security perimeter. In the threat environment of years past, the critical risk for remote access was that an unauthorized individual would seek to connect to the remote access portal. The critical controls were passwords and two-factor authentication. But in the future threat landscape, this risk is joined by another: a legitimate user connects but the machine they are using to do so is not fully under their control."
REISEN1955
User Rank: Ninja
1/29/2019 | 3:24:36 PM
On the physical security perimeter .....
Some time ago my wife, daughter and her daughter, Cariana, 3 years old, came to visit my work and obtained visitor ID badges. Cari had lunch in the cafeteria - loved pizza - and met my colleagues in the malware forensics department. All were enchanted. Then came time to go, and in the lobby this little 3-year-old takes all three badges and says "these have to be returned" --- she then walked over to the security desk to hand them in. The woman there wants to adopt her on the spot. Moral of the story: a 3-year-old got the rules of physical security BETTER than some employees do.