By Brian Miller, Security Consultant, SpearTip Cyber Counterintelligence, bmiller@speartip.com
Nearly every day I’m asked if an impressive firewall configuration is enough to prevent malware from entering a company’s environment, or I overhear someone’s overconfidence in their own security architecture. Unfortunately, no matter how many rules you write, or ports you close, utilizing firewalls as your go to defense against your organization’s cyber adversaries is a recipe for ransomware!
To answer this question, it is important to first consider the purpose of these security elements in your security architecture and environment. A firewall serves an advantageous and necessary purpose to your organization, and should be managed properly and frequently. However, really understanding the firewall’s purpose will help you to understand your weaknesses. The firewall’s purpose, whether protecting the network or a singular host, has one job: only allow safe traffic in and out. “Safe” traffic being deemed by your IT team.
This opens a few problems for an organization and a few opportunities for the bad guys. If your organization doesn’t have a dedicated IT Security team, it can be difficult for the network admin alone to focus on current threats and organizational vulnerabilities. Without this constant intelligence gathering, bad guys are going to take advantage of new access techniques and neglected vulnerabilities, which grant them access through the firewall and onto the host system. In addition, you can write as many firewall rules as you want, any security professional will tell you that your companies biggest vulnerability is your users, and users who are ignorant of cyber hygiene best practices frequently and unknowingly invite bad guys in, bypassing the firewall.
This gets the bad guy to your host where the antivirus or host based IPS is supposed to kick in. Unfortunately, again, unless the exploit is old enough that antivirus managing companies have had time to write a patch against the threat, and then consecutively your team follows good patch management practices and applies the patch to each of your systems, your hosts will not recognize the infection. (Equifax breach) This puts your entire enterprise at risk, and possibly spreading the infection across the network because you have no other security measures in place to protect against the most critical exploit: zero-day malware.
A decently talented hacker can find his or her way through your firewalls and avoid antivirus detection with little effort. However, once on the system, the activity is still detectable, but requires a much more advanced detection and mitigation system. To catch malicious activity as it happens in it’s infancy on the network, every host and operating system in the environment needs to have active memory sensors looking for activities such as power-shell commands launched from a word-file executable that can cut the transmission and report the activity to a qualified team of engineers who can diagnose the infection and eradicate the exploit. Unfortunately, hiring a team with this skill set is difficult to find and more importantly often cost prohibitive.
If your organization has or hosts clients and/or employee personally identifiable information, (PII) or falls under one of the many heavily governed compliance standards such as HIPPA or Sarbanes Oxley, you are a constant target, and keeping your information secure is imperative to the success of your company. I encourage each of my Information Officer and CEO friends to ask your teams, “What is our plan for zero-day risks such as new ransomware, as well as, what is our incident response plan to such an event?” If you get back the same blank stare or shoulder shrug I normally see when I ask teams that question, you’re at risk, and I’d be happy to help!
NOTE: SpearTip will be featured in a “Cyber Awareness” live video webinar hosted by AIM and sponsored by Danna McKitrick on January 23, 2018, at 2:00 p.m. CST. Click HERE to register for the webinar.
