By David Eisenhower
Your network is your castle; it just hasn’t been in use for as long as castles have. A castle protects the crown jewels the same as a network protects information, and people have always had their part to play. Computers and networks were joined to create the first versions of the Internet more than fifty years ago. With the first networks, the best way to keep the bad people out was to have a strong boundary or perimeter. We relied on firewalls and other devices protecting the boundary, as a moat and high walls once did. Demilitarized zones (DMZs), a term borrowed from warfare, created areas for web servers that didn’t belong on the interior network but still needed some protection. Other devices were configured to raise the alarm when adversaries were approaching, as would a guard keeping a watchful eye. Security experts used to deploy what they called bastion routers on the outer edge of the DMZ to protect the network during major attacks.
When it came to people, the rules were simple: those on the inside were deemed ‘trusted’ while those on the outside were ‘untrusted.’ Given how difficult it was for a stranger to get access, the only good way to get into a network was through attacking the boundary. People didn’t always answer the phone, but electronic devices were always running (we hoped). Some folks used precision attacks to go after open ports or protocols and find a way inside, like someone chipping away at the mortar between the stones. Others brought trebuchets in the shape of brute force password attacks to try and take control of the entire firewall. Back then, security experts had a chance to see their adversary coming; they just needed to know where to look so they could plug the gap.
Then, as they often do, the adversary changed. At some point someone came to realize that maybe they didn’t need to break down the castle walls to get inside; instead, they just needed to convince someone who worked inside to let them in. This method doesn’t require any tools or any knowledge about the network, just a little charm to get a trusted person to give up enough information. By taking advantage of a person’s willingness to help, the stranger can now get access without the trebuchet. This is how people became integrated with the network boundary. Trusted users are now additional guards on the castle wall (I have my shield around here somewhere, give me a minute).
Enter the age of IoT
Soon, the idea of a network’s perimeter would also change. While the castle is strong, it’s usually not self-sustaining. Eventually the drawbridge must open to allow supplies and connections with the outside. Modern networks include things like digital sensors, cellular telephones, smart watches, and other Internet-capable devices not designed to be kept within the boundary. The proliferation of these devices, now known as the Internet of Things (IoT), exponentially multiplies the number of endpoints associated with the network. People use cell phones to browse work-related email and files, and often wear their smart devices while they’re working. IoT device manufacturers expect the people who buy them to make sure they are configured correctly, so not all IoT devices have strong security by default.
While these devices provide access to networks and information, weak security gives adversaries a new way to attack the network. People will deploy and use wired or wireless devices with their default passwords in place. All it takes is for an adversary to scan for the right signal, figure out what’s in use, and search the Internet for the username and password. You may get a laugh out of that, but you’d be surprised how often it happens! Even with a thorough bring your own device (BYOD) policy in place, information security experts may not have full control over these devices, so they can’t always see the adversary coming anymore. IoT devices can lead to compromise of networks an adversary would not otherwise have access to.
This new era of the Internet magnifies the role that users have, whether they want to believe it or not. We still need great defense for the perimeter, and trusted users must stay vigilant to help keep the adversary away from the crown jewels. Luckily the weapons have changed; we’re not swinging swords or firing arrows anymore:
- Complete your annual security training and take it seriously. Know what to look for and when to raise the alarm!
- Use multifactor authentication for all devices you use – whether used at home or at work.
- Change the default passwords on all your devices, especially your wireless fidelity (Wi-Fi) routers at home, so the adversary can’t use them to hitch a ride elsewhere.
- Pay attention to what’s in your personal and your work email inboxes, especially if you check your personal mail while on a work device.
- Ensure you trust the source before you follow any links in emails or text messages; they may take you someplace you don’t want to go.
- Be careful with that connection on LinkedIn; make sure you know what you are being recruited for.
- Ask an Information Security Professional where to find additional information on protecting yourself and your devices. Every little bit counts.