Network Architecture, Secure Perimeters, and Exposed VPNs
Part of Secrutiny’s Emerging Trends Podcast Series with Shane Shook, Secrutiny’s Chief Strategy Advisor and a Forgepoint Capital Venture Consultant.
Shane has been advising enterprises on Information Technology, Security and Risk Management for over 30 years, alongside providing breach investigation forensics and expert witness testimony.
In our latest episode of Secrutiny’s Emerging Trends Podcast Series, we discussed with cyber security expert Shane Shook how to improve your network architecture for a more secure perimeter, the gaps in firewall traffic visibility, and the dangers of exposed VPNs. Discover what’s been happening over the past few months.
What Emerging Trends and Current Events Are Impacting Organisations?
One of the most significant trends is exposed VPNs, an issue that has grown over time as employees moved from office working to working from home. To support this, organisations are using a variety of different VPNs which, unfortunately, in many cases are unstable.
For the most part, compromised VPN access points have been used for coin mining and other run-of-the-mill botnet additions, rather than for the more sinister purpose of enabling access into the internal organisation for fraud or theft.
In addition, Shane highlighted the high volume of organisations that still have, five months after the patches were released, NetScalers that are vulnerable to CVE-2019-19781: a directory traversal flaw in Citrix ADC and Gateway appliances that allows unauthenticated remote code execution.
Shane continued: “Even as late as May, a number of our clients still have NetScalers that are susceptible to that vulnerability and have been exploited. But it’s not only NetScalers; we are finding that a variety of VPNs, in many cases, are not set up in the best architecture.”
Instead of terminating in a DMZ with an internal VLAN to provide additional protection, these VPNs are often configured as bridges from the outside world directly into the inside of the corporate network. On top of this, for many customers that have North-South network visibility through network traffic monitors, the VPN concentrators sit outside the monitored path on the internal (South) side, so the traffic they admit never crosses the monitoring point.
This means that the traffic visibility that firewalls or other network traffic monitors would otherwise provide is simply not available, because several of these VPN devices were thrown in to meet the exigent need to support remote working, while in other cases they were never tested with security in mind when they were implemented to provision remote access to these controlled networks.
What Actions Can Organisations Take to Identify and Mitigate These Cyber Risks?
In regard to the network, there is a single source of truth available to us, and that is the endpoint. The focus on Endpoint Detection and Response (EDR) and on Managed Detection and Response (MDR) services that rely on endpoint monitoring tools is something the industry as a whole has recognised over the past five years. However, these endpoint monitors, while useful, are not always comprehensive across estates.
Shane added: “An additional source of truth that can be made available and should be made available is to audit the endpoints. If we’re going to monitor the endpoints, we should also audit the endpoints.”
As Shane mentioned, the activity that is performed with a laptop, desktop, or server, or even a mobile device, is evidenced by monitoring or by periodically auditing those devices.
“A cyber risk audit is essentially a script that exercises information about active processes, software configurations, open files, communications and versions of software and its use,” explained Shane.
“It’s effective to use a process like a cyber risk audit to evaluate not only the exigent risks, which are things that we can recognise, like malware patterns, but also the hygiene risks: how many computers have Emily’s username on them? We know that Emily only uses her laptop, but when and how were they used? And what network services and port configurations was Emily using on those different computers?”
These are hygiene risks that can help organisations identify problems in the configuration of network devices, in network policies and, to some extent, in the acceptable use policy from an HR perspective.
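The kind of evaluation Shane describes, as an added example that is not Secrutiny’s or the podcast’s own audit script: it assumes a collection script has already run on each endpoint and produced one snapshot with the fields shown (user profiles present, listening ports, running processes with image path and user). The snapshots, the mapping of which hosts each user is expected to use, and the per-host listening-port baselines are all constructed for illustration. It checks one exigent pattern (a program running from a temp folder) and two hygiene risks (a user’s profile on hosts they should not be using, and listening services outside the host’s baseline).

```python
"""Evaluate endpoint cyber-risk audit snapshots for exigent and hygiene risks.

Added example, not Secrutiny's or the podcast's own script. It assumes a
collection script has already run on each endpoint and produced one snapshot
with the fields below; the snapshots, expected-host mapping and port baselines
are constructed for illustration.
"""
from collections import defaultdict

# Constructed audit snapshots, one per endpoint.
AUDIT_RECORDS = [
    {"host": "LAPTOP-EMILY", "profiles": ["emily"],
     "listening": [135, 445, 3389],
     "processes": [{"image": "C:\\Windows\\System32\\svchost.exe", "user": "SYSTEM"}]},
    {"host": "WKS-FINANCE-02", "profiles": ["alice", "emily"],
     "listening": [135, 445],
     "processes": [{"image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "user": "alice"}]},
    {"host": "SRV-FILE-01", "profiles": ["svc_backup", "emily"],
     "listening": [135, 445, 5985, 8080],
     "processes": [{"image": "C:\\Windows\\System32\\lsass.exe", "user": "SYSTEM"}]},
]

# Constructed expectations: the hosts each user is supposed to use, and the
# listening-port baseline per host (from the build standard and acceptable-use policy).
EXPECTED_HOSTS = {"emily": {"LAPTOP-EMILY"}, "alice": {"WKS-FINANCE-02"},
                  "svc_backup": {"SRV-FILE-01"}}
EXPECTED_PORTS = {"LAPTOP-EMILY": {135, 445}, "WKS-FINANCE-02": {135, 445},
                  "SRV-FILE-01": {135, 445, 5985}}

# Path fragments that mark a program running from a temp folder (Windows and Unix).
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "/tmp/")


def find_profile_sprawl(records, expected_hosts):
    """Hygiene risk: a user's profile present on hosts that user is not expected to use."""
    seen = defaultdict(set)
    for rec in records:
        for user in rec["profiles"]:
            seen[user].add(rec["host"])
    sprawl = {}
    for user, hosts in seen.items():
        extra = hosts - expected_hosts.get(user, set())
        if extra:
            sprawl[user] = sorted(extra)
    return sprawl


def find_unexpected_ports(records, expected_ports):
    """Hygiene risk: listening services outside the host's baseline."""
    unexpected = {}
    for rec in records:
        extra = set(rec["listening"]) - expected_ports.get(rec["host"], set())
        if extra:
            unexpected[rec["host"]] = sorted(extra)
    return unexpected


def find_temp_executables(records):
    """Exigent risk: a recognisable malware pattern, a program running from a temp folder."""
    hits = []
    for rec in records:
        for proc in rec["processes"]:
            if any(marker in proc["image"].lower() for marker in TEMP_MARKERS):
                hits.append((rec["host"], proc["image"], proc["user"]))
    return hits


def run_audit(records, expected_hosts, expected_ports):
    """Combine the exigent and hygiene findings into one report."""
    return {
        "temp_executables": find_temp_executables(records),
        "profile_sprawl": find_profile_sprawl(records, expected_hosts),
        "unexpected_ports": find_unexpected_ports(records, expected_ports),
    }


if __name__ == "__main__":
    for kind, findings in run_audit(AUDIT_RECORDS, EXPECTED_HOSTS, EXPECTED_PORTS).items():
        print(kind, findings)
```

On the constructed data the report shows Emily’s profile on the finance workstation and the file server, RDP (3389) listening on her laptop and an unexpected 8080 on the file server, and an executable started from a user’s temp folder on the finance workstation. The first two are hygiene findings for the network and HR policies; the last is the exigent kind that endpoint monitoring should already catch, and finding it in an audit is itself a test of whether that monitoring is comprehensive.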
What Else Should Be Considered Vital in An Organisation’s Network Architecture?
Over the past 20 years, the concept of Security Information and Event Management (SIEM) has grown and been adopted by many organisations. There are three essential feeds into a SIEM: endpoint processing and process monitors, Active Directory authentication and, if available, VPN access logs. A fourth feed has become the Cloud Access Security Broker or Data Access Security Broker, which monitors who is using which data resources.
“Unfortunately, they largely and nearly always skip over a fundamental precursor, which if they implement a SIEM’s architecture properly, can both protect them legally as well as improve the performance of their Security Operation Centre (SOC) services whether internal or external. This is a concept we call a System of Record (SoR),” added Shane.
A SoR takes the original logs in their native format and stores them in bulk on premises. Extracts of recognisable or determinable activities are then forwarded to the SIEM in a more economical fashion and with higher value, because of the coincidence of indicators gained from the endpoint, the firewall and the authentication directory services. That coincident information provides a much more feature-rich and incident-rich set of data for the SIEM, while the unaltered native logs remain available as evidence should an incident need to be investigated.
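The two steps of that design, as an added example that is not Secrutiny’s or the podcast’s own implementation: the native lines from the three essential feeds are appended unmodified to per-feed bulk files (the SoR), and only endpoint events that match a recognisable indicator are forwarded, enriched with the coincident authentication and firewall evidence. The feeds, their `timestamp key=value …` line format, the host-to-IP mapping and the ten-minute coincidence window are constructed for illustration; real feeds will look different.

```python
"""System of Record in front of a SIEM: keep native logs, forward coincident extracts.

Added example, not Secrutiny's or the podcast's own design. The three feeds
(endpoint process monitor, firewall, Active Directory authentication), their
'timestamp key=value ...' line format and the host-to-IP mapping are constructed
for illustration; real feeds will look different.
"""
import datetime as dt
import os
import re
import tempfile

# Constructed raw lines from the three essential feeds.
ENDPOINT_LOG = [
    "2020-05-12T09:14:02Z host=WKS-FINANCE-02 user=alice event=process_start "
    "image=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe pid=4120",
    "2020-05-12T09:30:11Z host=LAPTOP-EMILY user=emily event=process_start "
    "image=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE pid=2210",
]
FIREWALL_LOG = [
    "2020-05-12T09:14:20Z src=10.20.5.17 dst=203.0.113.45 dport=443 action=allow",
    "2020-05-12T09:31:00Z src=10.20.7.3 dst=198.51.100.9 dport=443 action=allow",
]
AUTH_LOG = [
    "2020-05-12T09:13:40Z user=alice host=WKS-FINANCE-02 event=logon_success type=interactive",
    "2020-05-12T09:29:50Z user=emily host=LAPTOP-EMILY event=logon_success type=interactive",
]
# Constructed host-to-IP mapping (in practice taken from DHCP or AD records).
HOST_IP = {"WKS-FINANCE-02": "10.20.5.17", "LAPTOP-EMILY": "10.20.7.3"}

TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "/tmp/")
WINDOW = dt.timedelta(minutes=10)  # how close two feeds must be to count as coincident


def parse_line(line):
    """Parse 'ts key=value key=value ...'; values may contain spaces."""
    ts, rest = line.split(" ", 1)
    fields = dict(re.findall(r"(\w+)=(.*?)(?= \w+=|$)", rest))
    fields["ts"] = dt.datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def store_raw(sor_dir, feed, lines):
    """SoR step: append the native lines, unmodified, to the per-feed bulk file."""
    path = os.path.join(sor_dir, feed + ".log")
    with open(path, "a", encoding="utf-8") as fh:
        fh.write("".join(line + "\n" for line in lines))
    return path


def sor_record_count(sor_dir):
    """Number of native lines retained across all feed files in the SoR."""
    total = 0
    for name in os.listdir(sor_dir):
        with open(os.path.join(sor_dir, name), encoding="utf-8") as fh:
            total += sum(1 for _ in fh)
    return total


def correlate(endpoint, firewall, auth, host_ip):
    """Extract step: for each recognisable endpoint indicator, attach the coincident
    authentication and firewall evidence and return the enriched events for the SIEM."""
    auth_events = [parse_line(line) for line in auth]
    fw_events = [parse_line(line) for line in firewall]
    extracts = []
    for ev in (parse_line(line) for line in endpoint):
        if ev.get("event") != "process_start":
            continue
        if not any(m in ev["image"].lower() for m in TEMP_MARKERS):
            continue  # not a recognisable pattern; it stays in the SoR only
        logons = [a for a in auth_events
                  if a["user"] == ev["user"] and a["host"] == ev["host"]
                  and abs(a["ts"] - ev["ts"]) <= WINDOW]
        ip = host_ip.get(ev["host"])
        outbound = [f["dst"] + ":" + f["dport"] for f in fw_events
                    if f["src"] == ip and ev["ts"] <= f["ts"] <= ev["ts"] + WINDOW]
        extracts.append({
            "ts": ev["ts"].isoformat(),
            "host": ev["host"], "user": ev["user"], "image": ev["image"],
            "indicator": "executable started from temp folder",
            "logon_ts": logons[0]["ts"].isoformat() if logons else None,
            "outbound": outbound,
            "sources": ["endpoint"] + (["auth"] if logons else []) + (["firewall"] if outbound else []),
        })
    return extracts


def build_sor_and_extracts(sor_dir=None):
    """Store all three feeds in the SoR, then return (sor_dir, enriched extracts for the SIEM)."""
    sor_dir = sor_dir or tempfile.mkdtemp(prefix="sor-")
    for feed, lines in (("endpoint", ENDPOINT_LOG), ("firewall", FIREWALL_LOG), ("auth", AUTH_LOG)):
        store_raw(sor_dir, feed, lines)
    return sor_dir, correlate(ENDPOINT_LOG, FIREWALL_LOG, AUTH_LOG, HOST_IP)


if __name__ == "__main__":
    directory, events = build_sor_and_extracts()
    print("SoR lines retained:", sor_record_count(directory))
    for event in events:
        print("forward to SIEM:", event)
```

All six native lines stay in the SoR, but only one enriched event reaches the SIEM: the temp-folder execution on the finance workstation, tied to Alice’s interactive logon 22 seconds earlier and to an outbound 443 connection from that host 18 seconds later. Outlook starting on Emily’s laptop matches no indicator and is retained in the SoR only, which is the economy Shane describes; if the SoR is ever dropped in favour of forwarding everything, that saving and the evidentiary copy both disappear.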
“I would encourage everyone to think critically about their network security posture. This to me, is a combination of the ability to identify exigent risks of things that the world knows about or can know about, by patterns that we can recognise such as programs running from temp folders,” concluded Shane.
Beyond the exigent, we recommend periodically auditing the hygiene of your IT estate and using that data to evaluate the effectiveness of the SIEM logging. We also recommend considering whether there are gaps in the coverage of the security monitoring that the SIEM is meant to evidence, beyond the exigent risks it is programmed to monitor.
Shane concluded: “So, look for what you don’t know because it’s what you don’t know that will get you in trouble, not what you can know that you are not currently seeing.”
If you have any questions or concerns with any of the topics discussed, please get in touch and keep an eye out for our Summer episode as we catch-up on the latest emerging trends and current events with Shane.