Want security? Next-gen startups show how old practices don't cut it

Stop hackers from walking on the eggshells protecting your datacenter

Sysadmin Blog In case you hadn't noticed, IT security sucks. There is a chronic lack of people trained in IT security, people who will listen to IT security, and even a lack of agreement on how best to go about IT security. Fortunately, a new generation of startups are helping to tackle the issues.

No matter how good a sysadmin you think you are, your network will eventually be compromised. This is a huge problem, because "eggshell security" is still the dominant security model in most data centers.

Eggshell security is the traditional model of having a hardened outer layer of edge defences and a network that is essentially wide open, once the attacker has made it past the perimeter defences.

Administrative account and password reuse is rampant, few systems behind the outer defences have proper firewalls, security auditing is practically nonexistent, and file shares that are open to any user are everywhere.

I am aware of medical insurance companies running thousands of servers with databases of critical subscriber information without anti-malware protection, let alone proper intrusion detection. Retailers with SQL databases filled with millions of credit cards that don't require even the most basic authentication. Law firms with file servers whose entire contents can be deleted by the first person who plugs a notebook into an Ethernet jack on the wall.

Eggshell computing is a fantastically stupid concept, yet our entire industry is addicted to it. We focus on "the bad guys" battering down the WAN with port scans and spam. We ignore the insider threats from people downloading malware, being malicious, or even just Oopsie McFumbleFingers YOLOing the delete key.

This has to change.

Beyond prevention

There are four pillars to Modern IT security: prevention, detection, mitigation, and incident response.

Prevention – those eggshell shields around the perimeter of the network – is only the first pillar of modern IT security. Here you have things like patching, firewalls, security access lists, two factor authentication, and any other technology you can think of whose primary goal is to prevent security compromises from occurring in the first place. Prevention is not enough on which to base a modern IT security plan.

Detection – real time monitoring for a variety of breach types combined with periodic scanning – is the second layer. Think intrusion detection systems, mail gateways that scan for credit card numbers (or large volumes of data) moving through email, or auditing systems that comb logs looking for things untoward. A frightening number of organisations have no detection systems whatsoever beyond basic endpoint security.

Mitigation is not a technology so much as a series of best practices. The idea is to assume that you inevitably will be compromised and to design all aspects of your network so that a compromise of any given system cannot result in a compromise of the entire network. Think of it as taking the basic premise behind eggshell computing and never doing anything like that, ever.

Incident response follows from mitigation. Accepting that your network will inevitably be compromised, what do you do about it? How do you prevent a malware infection, external malicious actor, or internal threat from escalating their beachhead into a network-wide compromise?

Incident response activities typically involve quarantining systems, imaging them for forensic purposes, reloading from clean backups, redoubling patches, alerting law enforcement and customers, as well as not returning compromised systems to service until the means of compromise has been discovered and countermeasures are deployed.

This last is huge. It's a very difficult and tangled web and relies as much on having monitoring systems that aren't terrible as it does upon good planning and design. Attackers can go from a single beachhead to owning your entire network in minutes. Relying on human response times to incidents is proving inadequate, even for those organizations with the best monitoring, mitigation, and planning.

Other stories you might like

  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • Google battles bots, puts Workspace admins on alert
    No security alert fatigue here

    Google has added API security tools and Workspace (formerly G-Suite) admin alerts about potentially risky configuration changes such as super admin passwords resets.

    The API capabilities – aptly named "Advanced API Security" – are built on top of Apigee, the API management platform that the web giant bought for $625 million six years ago.

    As API data makes up an increasing amount of internet traffic – Cloudflare says more than 50 percent of all of the traffic it processes is API based, and it's growing twice as fast as traditional web traffic – API security becomes more important to enterprises. Malicious actors can use API calls to bypass network security measures and connect directly to backend systems or launch DDoS attacks.

    Continue reading
  • Zero Trust: What does it actually mean – and why would you want it?
    'Narrow and specific access rights after authentication' wasn't catchy enough

    Systems Approach Since publishing our article and video on APIs, I’ve talked with a few people on the API topic, and one aspect that keeps coming up is the importance of security for APIs.

    In particular, I hear the term “zero trust” increasingly being applied to APIs, which led to the idea for this post. At the same time, I’ve also noticed what might be called a zero trust backlash, as it becomes apparent that you can’t wave a zero trust wand and instantly solve all your security concerns.

    Zero trust has been on my radar for almost a decade, as it was part of the environment that enabled network virtualization to take off. We’ve told that story briefly in our SDN book – the rise of microsegmentation as a widespread use-case was arguably the critical step that took network virtualization from a niche technology to the mainstream.

    Continue reading

Biting the hand that feeds IT © 1998–2022