The adage to 'trust but verify' has morphed into a more ominous refrain for IT professionals and network administrators—'distrust until thoroughly proven.' The days when a firewall was your impenetrable bastion and an antivirus, your digital prophylaxis, are long behind us. In the present, standing resolute on the digital frontier means endless vigilance, scepticism towards unknown threats, and a relentless pursuit of security that matches the innovation of would-be attackers.
However, as organisations shifted online, defenders improved perimeter security, conducted vulnerability scans, and patched systems. Attackers discovered that targeting user devices directly granted instant access to files and resources.
Consequently, many attackers bypassed the perimeter and focused on exploiting client software and phishing emails. Browsers and other endpoint software were vulnerable. It was assumed that Office Macros were present in most targets.
According to the UK's National Cyber Security Centre (NCSC), this resulted in many compromises.
In recent years, security advancements have made it harder for attackers to compromise endpoints via phishing. Software vendors now use defence-in-depth strategies, removing risky features and using sandboxes.
Changes in Microsoft's macro settings have also deterred traditional phishing. Attackers now target vulnerabilities in network perimeter products like firewalls and VPNs, which lack sufficient security measures. By exploiting known vulnerabilities, attackers find it easier to breach these products than popular client software.
Sadly, attackers continue to exploit vulnerabilities in internet-reachable products to infiltrate networks. But the UK government recommends network defenders take several actions, such as:
- Demand security evidence: Insist on proof of secure product design from vendors. It's a crucial part of procurement and network perimeter product assessment.
- Avoid unverified products: Don't allow products onto the network perimeter without proof of secure design. Consider using cloud-hosted products (SaaS) for easier maintenance, but ensure vendors show evidence of secure design.
- Reduce risk in self-hosted solutions: For self-hosted services that are not ready for SaaS migration, lower risks can be achieved by turning off unnecessary interfaces or services in internet-facing software.
- Ensure developer accountability: Make sure in-house services meet secure design standards. Use cloud hosting and serverless tech to minimise potential damage from compromises.
The NCSC has also recommended having a cloud-first approach to security, emphasising monitoring and quickly responding to potential threats. This includes regularly updating software, implementing strong authentication measures, and conducting regular vulnerability assessments.
Additionally, network defenders can implement intrusion detection and prevention systems (IDPS) to monitor network traffic for suspicious activity. IDPS can also block potentially harmful traffic in real time, helping to prevent a breach before it occurs.