A Case for Lockdown and Isolation (and not the Covid kind)
A reader wrote in expressing concerns over a vendor software management platform that had 3rd party module vulnerabilities [1]. Reasonable risk assessment if you ask me. This comes along with the two "One Liners'' we posted yesterday [2] [3]. This sounds like a case for isolation and or lockdown. Considering 2021's climate, let's be clear here, Digital not Physical :).
The problem space is the attack surface. Good thing, we've known about this for years. Bad thing, human behavior has not changed (that we are aware of) for a very long time [4]. Given that we have something we can affect and something that is HARD to change? How do we approach the risk of vulnerabilities in our management plane? Lets also add into this problem space the idea that we cannot isolate everything (again, only talking digital here).
Now that I've said something that most of us have heard over and over and over and ........ over? What can we do?
The Model: Zero Trust (micro-segmentation, take your pick, but you get the idea)
note: Not all Zero Trust interpretations are equal, I use John's (shameless name drop) [5] [6]
The Use-Case: Critical Asset that is Vulnerable
In this example we will use a device that is still running ‘telnet’ and can’t be patched nor upgraded. And before you ask? YES, in 2021, this still happens! The device type really does not matter, could be an old accounting mainframe that still is in production, or a critical building management system, and or legacy networking hardware that ‘just cannot be pulled yet.’
Risk analysis can help in replacing this asset, but that is a different road and a layer 8+ problem [7].
A Solution:
Put simply? STICK something in front of it. Not all something’s are equal, so let’s get into the details of one way (yes, I’ve done this) to solve it. It is possible, using off the shelf technology, to put an encrypted layer with Multi-Factor Authentication (MFA) and allowing access by user/group.
<user> - <Clientless VPN and or firewall> - <HTML5 to telnet proxy> <legacy client>
The clientless VPN solutions would be configured to use the organization's regular IDaM infrastructure with full group / user restrictions. This would point to an HTML5 proxy that provides a TLS interface to the telnet client. As long as the VPN / Firewall solution supports it, SAML becomes possible, along with MFA [8].
This is not easy, but also not impossible and remember, just because MFA is being “picked on” (probably with good reason) doesn’t stop us from using it [9]. A wise Groot once said ‘It’s better than 11%’...
Conclusion:
Those highly vulnerable critical assets can be protected, and this risk can be mitigated. The best solution would be to replace these devices, however, we know that is not always feasible. Find your most fragile devices and architect a Zero Trust posture around THOSE assets. The question that John Kindervag has told me he gets the most is “Where do I start?” and your most fragile assets seem like a good place as any.
“Perfection is a road, not a destination” Chiun, Remo Williams
If this topic is interesting, please comment and I can dive deeper (what vendors I used, how I deployed it, results (good btw)...
Let us know in the comments.
[1] https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11172&cat=SIRT_1&actp=LIST
[2] SonicWall releases Security Notice: Email Security Zero-Day Vulnerabilities https://bit.ly/3eh1r9n
[3] PluseSecure Out of Cycle Advisory: https://kb.pulsesecure.net/articles/Pulse_Secure_Article/SA44784/
[4] https://www.researchgate.net/profile/Nigel-Nicholson-2/publication/13115707_How_hardwired_is_human_behavior/links/5405e3580cf2bba34c1ddd0e/How-hardwired-is-human-behavior.pdf
[5] http://www.virtualstarmedia.com/downloads/Forrester_zero_trust_DNA.pdf
[6] https://media.paloaltonetworks.com/documents/Forrester-No-More-Chewy-Centers.pdf
[7] https://blog.paessler.com/is-it-possible-to-monitor-osi-model-layer-8
[8] https://krebsonsecurity.com/2020/06/turn-on-mfa-before-crooks-do-it-for-you/
[9] https://krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now/
Comments