Rethinking Cybersecurity | Don't Blindly Trust Silicon Valley
In today's interconnected world, businesses are increasingly reliant on technology to keep their operations running smoothly. However, the more we integrate tech into our daily business processes, the more vulnerable we become to cyber threats. The recent SUNBURST saga, which sent shockwaves through the business world, serves as a stark reminder that blind trust in Silicon Valley cybersecurity vendors may not be enough to safeguard your business.
The Monolithic Security Stack
Many businesses rely on a monolithic security stack, often marketed as a Unified Threat Management (UTM) solution, to protect their networks. These all-in-one solutions promise to be the magic bullet for security. But what happens when one component of this monolith is compromised? Like a house of cards, the rest of the system becomes vulnerable.
A classic example of this is the Virtual Private Network (VPN), an essential component of modern business operations. For true security, the VPN should be a separate entity, residing in a Demilitarized Zone (DMZ) and protected by a robust set of rules. A VPN that lacks a DMZ is inherently insecure, and without Two-Factor Authentication (2FA), it's nothing short of a joke 🤡.
In the case of SUNBURST, many companies and even governments relied upon a dated VPN that was poorly secured and vulnerable and that, once compromised, provided unrestricted access to resources within the perimeter.
Sievewalls & Stale Rules
A firewall can be a formidable defense, but only when it's correctly configured. The most significant weakness in firewall setups is the overabundance of rules, the majority of which are stale, effectively turning your firewall into a "sievewall" full of holes. A cluttered rule set makes it challenging to respond to threats promptly.
Security is not measured by the number of rules in play. It is measured by how far the rules are normalized down to the absolute minimum, with those that remain monitored and tracked. Here, automated anomaly detection is key to picking up irregular patterns.
The Power of Filtered DNS
Among the most overlooked yet critical mitigations is implementing a filtered DNS. The Google resolver, 8.8.8.8, has the dubious distinction of being a leading cause of exploits. It should come with a CVE vulnerability score of 10. Why? Because it will blindly provide access to unsafe sites. An alternative, such as Quad9, is far safer. A best practice is to create a firewall rule that intercepts and redirects all DNS requests to a filtered DNS entity, ensuring a secure DNS resolution process.
Filtered DNS resolvers automatically stop connections to malware or ransomware command and control servers. An additional feature is the blocking of ads, a significant number of which can be malicious. It's a simple and quick way to kill off a huge number of threats with minimal effort.
Harness the Power of Blocklists
Blocklists, available through real-time threat intelligence feeds, play a vital role in threat mitigation. These lists allow you to stay ahead of cyber threats. As soon as a threat is detected anywhere in the world, you have the potential to protect your business by implementing specific blocklists. It's an efficient way to defend against known threats proactively.
A specific business is rarely the first rodeo for an attacker. As in the case of SUNBURST, there were probably a large number of organizations blissfully compromised in ignorance before the attacker circled in on SolarWinds and their customers.
Canary Ports & Secondary Blocks
Canary ports are a gateway for malicious actors looking to compromise businesses. These well-known ports, including telnet, FTP, SMTP, SMB, RDP, and VNC, are continuously scanned for vulnerabilities. An effective strategy is to add IP addresses attempting access to these ports to a blocklist for a set time, typically eight hours. This secondary strategy enhances primary blocklists from threat intelligence feeds.
One packet and the attacker is toast.
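The canary-port strategy above, sketched as an added example (not code from the article or any product): a time-limited blocklist replayed over constructed firewall log lines. The log format, the addresses and the choice to renew the block on a repeat canary hit are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Canary ports named in the article: FTP, telnet, SMTP, SMB, RDP, VNC.
CANARY_PORTS = {21: "ftp", 23: "telnet", 25: "smtp", 445: "smb", 3389: "rdp", 5900: "vnc"}
BLOCK_TTL = timedelta(hours=8)  # "typically eight hours"

# Constructed log format (an assumption): "<ISO time> SRC=<ip> DPT=<port>"
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) SRC=(\d+\.\d+\.\d+\.\d+) DPT=(\d+)$")

SAMPLE_LOG = """\
2024-01-10T08:00:00 SRC=203.0.113.7 DPT=23
2024-01-10T08:00:05 SRC=198.51.100.4 DPT=443
2024-01-10T09:30:00 SRC=203.0.113.7 DPT=443
2024-01-10T15:59:59 SRC=203.0.113.7 DPT=3389
2024-01-11T00:30:00 SRC=203.0.113.7 DPT=443
not a log line
"""

class CanaryBlocklist:
    def __init__(self, ttl=BLOCK_TTL):
        self.ttl = ttl
        self.expires = {}  # source IP -> time at which its block lapses

    def is_blocked(self, ip, now):
        until = self.expires.get(ip)
        if until is not None and now >= until:
            del self.expires[ip]  # block has lapsed, forget the entry
            return False
        return until is not None

    def observe(self, ts, ip, port):
        """Return 'drop' or 'pass' for one connection attempt."""
        if port in CANARY_PORTS:
            self.expires[ip] = ts + self.ttl  # one packet starts (or renews) the block
            return "drop"
        return "drop" if self.is_blocked(ip, ts) else "pass"

def replay(log_text):
    """Feed log lines through the blocklist; return (verdicts, blocklist)."""
    bl, verdicts = CanaryBlocklist(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        ts = datetime.fromisoformat(m.group(1))
        ip, port = m.group(2), int(m.group(3))
        verdicts.append((ip, port, bl.observe(ts, ip, port)))
    return verdicts, bl
```

In the sample, the source that touched telnet is dropped on its later HTTPS attempt, has its block renewed by the RDP probe, and is passed again only after eight quiet hours.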
Access Mining & Notifications
Implementing access mining tools like SSHGuard to block repeated failed access requests to services is essential. It protects against brute-force attacks and unauthorized access attempts.
Lastly, businesses should establish notifications for access to key resources, such as any login to a firewall. Escalation notifications should be triggered if the access doesn't match a predefined whitelist, ensuring that access to critical systems remains secure.
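Both controls in this section, as an added example (not SSHGuard's code and not from the article): repeated failed logins from one source are queued for blocking, and every successful firewall login raises a notification that escalates when the source is off the allowlist (the article's whitelist). The log format, subnet and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# All values below are assumptions made for this example.
ADMIN_ALLOWLIST = [ip_network("10.20.0.0/24")]   # hypothetical management subnet
MAX_FAILURES, WINDOW = 3, timedelta(minutes=10)  # hypothetical brute-force threshold

# Constructed log format: "<ISO time> <host> login <ok|failed> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+) \S+ login (ok|failed) user=(\S+) src=(\S+)$")

SAMPLE_LOG = """\
2024-01-10T02:00:00 fw01 login failed user=admin src=203.0.113.9
2024-01-10T02:00:20 fw01 login failed user=admin src=203.0.113.9
2024-01-10T02:00:41 fw01 login failed user=root src=203.0.113.9
2024-01-10T08:15:00 fw01 login ok user=ops src=10.20.0.15
2024-01-10T08:20:00 fw01 login failed user=ops src=10.20.0.15
2024-01-10T23:40:00 fw01 login ok user=admin src=198.51.100.77
"""

def is_trusted(src):
    try:
        return any(ip_address(src) in net for net in ADMIN_ALLOWLIST)
    except ValueError:
        return False  # an unparsable source never counts as allow-listed

def triage(log_text):
    """Return (ips_to_block, notifications) for a chronological login log."""
    failures = defaultdict(deque)  # src -> timestamps of its recent failures
    to_block, notes = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, result, user, src = datetime.fromisoformat(m[1]), m[2], m[3], m[4]
        if result == "failed":
            recent = failures[src]
            recent.append(ts)
            while ts - recent[0] > WINDOW:  # forget failures outside the window
                recent.popleft()
            if len(recent) >= MAX_FAILURES and src not in to_block:
                to_block.append(src)
            continue
        # Every successful login is notified; off-allowlist sources escalate.
        notes.append(("notify" if is_trusted(src) else "escalate", user, src))
    return to_block, notes
```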
Cybersecurity is not a one-size-fits-all solution. The blind trust in monolithic stacks can be an Achilles' heel. The SUNBURST incident reminds us that proactive, layered security measures are essential to protect your business. To read more about the SUNBURST incident, check out this link.
Ronald Bartels ensures that Internet inhabiting things are connected reliably online at Fusion Broadband South Africa - the leading specialized SD-WAN provider in South Africa.