Changing the Perspective of Perimeter Security Practices
Best practices for network security tell us that we should have a layered defense in place to stop a variety of attack methodologies, and provide multiple ways to catch someone trying to sneak onto our networks. What if that isn’t actually the most efficient methodology? What if there is a better way to defend our networks that we have been overlooking all this time? If your firewall could successfully block 100% of all bad traffic, would you keep your other security devices? If your IPS could detect and stop 100% of all nefarious attempts to access your network, would you have a need for layered security? Simple methods exist today that could streamline the process of network defense, eliminate the need for some of the overhead, save your organization valuable resources, and make the job of perimeter security so much easier.
In 2015, someone hacked in, and successfully absconded with more than 20 million files from the U.S. Government’s Office of Personnel Management (OPM) network. In 2013, something similar happened with systems used by the retail giant Target. And the list goes on. We have all heard the stories of personal financial data being stolen directly from company databases that were not properly secured. We should have learned our lesson in 2013. But we didn’t, and then Home Depot, just like Target, was hit as well with more than 50 million customer credit card numbers being transferred into the hands of criminals. Both companies were forced to pay out millions of dollars in lawsuit claims, but we still didn’t learn our lesson. Anyone charged with protecting data should have taken a close look at these two epically large hacks, and looked for out of the box solutions to keep it from happening again. The FBI pointed the finger at China for the OPM hack, and later arrested a Chinese national they believed to be involved when he flew to the U.S. for a conference. But in the world of computer security, we just shrugged our shoulders and continued doing the same things we have done for years.
When I first heard of the OPM hack, I immediately thought that if OPM had simply blocked China’s IP address ranges, this massive data theft would have never occurred. But there’s an even better method that is just as easy and could have kept it from happening. I tend to be a little revolutionary in the way I think, so I can’t help but wonder if OPM’s networks could have been spared by simply only allowing access from trusted locations. Let’s be honest for a minute, we know a lot of nefarious hacking activity comes out of China, so why don’t we just block the IP ranges used in China? Wouldn’t that make things a little simpler? Why is it that, even after so many major breaches, so few people take this seriously? Why do we let something so simple, like a few rules in a firewall, keep our networks in danger? Of course, Chinese hackers are not the only threat, we could also easily add the North Korean used ranges to the list as well. But if we use this method, and continue adding blocks for the IP range of different nations we don’t trust, we will likely end up with a block list that is way too long to manage. It’s a method that would work, but it isn’t the most effective. There are still plenty of potentially bad IP addresses in your own nation, as well as foreign ones, so it is essentially impossible to block everyone who might be bad. That’s where we have to flip the model and take a different approach.
The traditional method of blocking places an entry into the firewall for each IP address or IP address range that needs to be blocked. This traditional blocking method can eat up a lot of lines in a firewall. A lot of blocks equals a lot of lines, and a lot of lines on the access list translates to more work for the firewall because it will have to check every incoming packet against each IP address on the access list. This method turns access list management into a nightmare. The constant adding and removing of blocks based on current threats has never been an efficient method, and yet we continue to use it. Add to this that the standard final line on an access list is an implicit allow statement which allows all traffic not being implicitly blocked on previous lines to traverse the network.
This is where we have failed in our attempt to secure our networks. We block a few potential bad guys, then allow connections to and from the rest of the world. This is not an effective approach! This approach requires constant changes and updates to the block list as we detect nefarious traffic attempting to come into our networks. Security teams must stay on their toes, constantly looking for the next attempt to break in, so they can counter it with a block. Let’s be honest here, it’s a horrible method, and it’s a major reason why we need other security devices and techniques in place. We place an intrusion detection system in place to notify us when someone is trying to surreptitiously access our networks. We create DMZ’s to isolate public facing machines. And the list goes on. We should still use some of these methods, but we need to restructure how they are used.
You may be wondering at this point about specific issues that could feasibly be stopped by changing our methodology. For starters, a rogue employee would not be able to upload sensitive data to a personal server in his house. A hacker in China would not be able to take control of your customer database. A government organization would not be able to monitor your internal network activity. And even the dreaded malicious links sent through email could be automatically thwarted.
That’s the reality we could have on all of our networks. So how do we decide if changing the methodology will practically work for us? That depends on the type of business you operate and where your customers and suppliers are located. Small organizations that only conduct business at a local level can be transitioned quite easily. The same is true for larger organizations that only conduct business at a national level. Even companies that conduct international business could use these techniques, albeit, with a slightly adjusted architecture.
We have come to rely too much on additional layers of security instead of implementing simpler solutions that are so much more effective. Proxy servers are another great example of our mis-focused reliance. Yes, they filter web traffic and can keep a list of sites from being accessed. But they are limited to a very specific scope and are primarily used to keep users from accessing known bad websites. The need for a proxy server to act like a security gateway could be eliminated altogether.
My message here is simple: Stop It! We can be much more creative in our methods, and in the process, eliminate a lot of risks. Most IT professionals already know this to be true, it’s not rocket science. But most organizational leaders are either unaware of these capabilities or are afraid to implement them. If you are in a position to make a change, I highly suggest you contact the Lloyd Research Institute for a free consultation. Here’s the bottom line, we can exponentially lessen the threats to our networks and save time, money, and resources at the same time, if we are willing to think outside the box. We would love to help you think outside of the box with your security solutions, sign up below for access to our free video with incredible tips about cyber security and to schedule a free cyber security consultation with a proven expert in the field. Flipping the model is not as difficult as you may think, and we can help you through the process. The value of simplicity in cyber security has always been overlooked, but now it is time to put some proven practices into place.