Cybersecurity BLOG:

Network edge security, the weakest link

Network edge security, the weakest link

What damage can hackers do to a business network?

The network edge is the point of contact with external devices; this is the network Internet connection and also the point of network connection for user computers that are required for staff. Hackers attempt to penetrate the network edge in order to attack the business network.

The data stored in a computer network is a target for hackers who can exploit that access for one of two reasons.

  • Steal information and sell to third parties. Common thefts are credit card information that is then sold on the dark web, or product information such as a military weapon that can be sold to competitors or to foreign countries. Any entity, a business or government department that holds personal information is a target for data theft.
  • Encrypt business information so that it cannot be accessed then demand a ransom to release the data. This is a method of extortion called a ransomware attack. An additional threat is that if the ransom is not paid the data will be deleted or sold to a third party. Typical ransom extortion demands are between $500,000 and $1M, paid using Bitcoin.

In the first case the data theft might be occurring over a long period without knowledge of the business staff that the data is being stolen. The hacker will try to cover his tracks and remain invisible so that data can continue to be stolen over a long period of time. In the second case a ransomware attack is developed over a period of weeks and then when the data is encrypted the element of surprise and lack of preparedness forces the business to pay the ransom quickly.

Any type of data attack should always be reported to the FBI as they have access to information, such as encryption keys, that will permit the business to escape a ransom payment and recover the data. Only about 20% of ransomware attacks are reported to the FBI and so businesses that made payments may have been able to recover without payments. Healthcare entities are a favorite target for hackers and they have a legal obligation to report any data breach to the U.S. Department of Health & Human Services (HHS). Healthcare entities will have to pay a fine in addition to the hackers cost; this includes for both data theft and ransomware.

A hacker will attack the computer network through the network edge to access the data; the network edge is the weakest link in the security of the computer network. Each part of the network edge has weak points that the hacker can exploit. The sections that follow identify weaknesses at specific points on the network edge and the actions that can be taken to improve the security at those points.

Hacker attack via the network connection to the Internet

The network connection to the Internet is the primary point of a hackers attack plan. An attack at this point can be successful if no firewall is installed or if the firewall is not configured correctly. However many businesses install firewalls that block any external attempt to access the network. This type of attack is successful in about 25% of all ransomware attacks when the business does not have a firewall or the firewall is miss-configured.

With a firewall installed any attempted remote access to the network from the Internet will be blocked. However there is one weak point when staffs are working remotely and must connect to the network through the firewall. The remote network connection requires that one or more ports be opened in the firewall, which may also be a point of entry for the hacker. A remote access configuration should require an encrypted connection using a virtual private network (VPN) plus 2-factor authentication to verify the user who is accessing the network. 2-factor authentication means that the user will provide a username and password to login to the network and then the network security device will send a one-time password (OTP) in a text message to a mobile phone that the user owns. The OTP can be a 6-character numeric value. The OTP is then entered to complete the login and authentication process. 2-factor authentication improves security and is used as the standard login procedure by many banks. The firewall can have additional safeguards for remote access, such as specifying the IP addresses that the remote user can call in from if working at home and blocking any other IP address. This method will not be appropriate when users are traveling and connecting from different locations.

Hacker attack made via a user wired or WiFi computer

About 85% of hacker attacks to a business computer network are made through a user computer that has had a virus installed. The virus is installed by tricking the computer user; impersonating a legitimate message of some type with a link that when clicked installs a virus. This type of virus is called a Trojan virus after the Greek Trojan horse story. The virus gives the hacker access to the user computer without the users knowledge, bypassing the firewall, and from there the hacker can attack data servers. A hacker attack that is made using a staff computer is considered to come from within the network, from a device connected to the network edge.

Most businesses install a firewall between the network and the Internet to block a hacker’s access to the network, but small to medium businesses fail to install end-point security systems to protect the network edge. End-point security systems are standard practice for the IT departments in most large companies.

With little or no cybersecurity investment, the network edge is the weakest link and for this reason is the preferred attack method for hackers.

Computers that are permanently connected to the network can be made very secure through a number of steps.

  • Install anti-virus software and update the security files daily.
  • Ensure that operating system security updates are installed as soon as they are available.
  • Install locks on USB connectors to prevent flash storage drives being plugged into the computer.
  • Ensure that only authorized software is installed on the computer; verify if the operating system has a feature to prevent software being installed.
  • Install all business software applications in the cloud and provide users with browser-only computers such as the Google Chrome operating system.

Mobile computers that staff connect to the business network and use in other locations are the least secure and the probable vectors of most hacker attacks. The business has no control over the use of mobile computers.

It is recommended that the business should provide staff members who prepare work outside the business with two computers; one that is wired into the business network and has the protections listed, and a second mobile computer for work at home and while traveling. The data files that are used by both computers are stored in the cloud and checked for viruses. Viruses can be attached to documents such as Microsoft Word. The mobile computer should never be connected to the business network.

Zero-trust authentication for users and computers

Zero-trust authentication means that each time a computer and user connect to the network the identity of the computer and of the user have to be authenticated. The computer connects to the network via the end point security product and this product implements the authentication process.

The identity of the computer can be verified simply using the computer MAC address, or verified using a combination of parameters, MAC address, operating system type, browser type, etc. Because it is possible that a hacker may substitute a computer unregistered MAC address with a registered one the endpoint security product should check for duplicate MAC addresses.

The identity of the user of the computer can be verified by entering a password, this is called single factor authentication. However the hacker may be able to steal passwords to connect to the network. A method of user authentication that is more secure is 2-factor authentication. A mobile phone number is associated with the users password. When the user logs in with the password a code is sent to the users mobile phone as an SMS message. The code is valid for a short period, for example five minutes. The user enters the code following the password. 2-factor authentication is the standard used by organizations such as banks to minimize the risk of a hacker attack.

Network restrictions for users and computers

Once the user computer has been authenticated onto the network, restrictions can be imposed that protect computer and the network.

When the computer connects to the network the DHCP service will issue an IP address and provide a range of IP addresses that the computer can access, as determined by the Netmask. The edge security product can put additional limits on the range of IP addresses that the computer can access to prevent the computer accessing servers that are not required by the computer or user. The LAN network can also be divided into VLANS that provide a limited range of IP addresses that are specific for a device or for a group of devices. These steps can prevent a device having access to critical infrastructure that a hacker who has control of the computer might wish to attack.

A computer has two types of risks to have a Trojan virus installed when accessing the Internet.

The first risk is from emails that have a malicious link or attachment and when clicked install the Trojan virus onto the computer. The hacker’s message is designed to impersonate an email that might be sent out by an authentic source, such as a bank or an e-commerce site like Amazon. The message will stress the urgency of clicking the link to prevent some type of catastrophe. A business email server can be configured to remove links and attachments from emails, and then the business can provide staff with a safe method to transfer information. The edge security product can be configured to block access to personal email servers like Gmail or Yahoo to eliminate a risk of opening a hacker’s attachment on a business computer. The staff member can access personal emails on a mobile device that is not connected to the business network.

The second risk is from one of the malicious websites that impersonates a legitimate website, and when opened installs a Trojan virus onto the computer. There are services like Cisco Umbrella that catalog malicious websites and the end point security product can be configured to forward website requests (DNS requests) to a Cisco Umbrella subscription account that will then block access to the malicious website.

Network connection of IoT devices

Many networks have devices connected to them that are not user computers but part of the universe of the Internet of things (IoT). This category includes a wide range of equipment, from smart building air conditioning controls to manufacturing equipment controllers. Great care must be taken with these devices to ensure that they do not have an alternative path to the Internet that the hacker can use to access the network. An example of this is an industrial controller that has a 4G wireless interface for the manufacturers maintenance access. In general IoT products have no cybersecurity protection and so are unprotected if the hacker is able to access them. Each business must verify what products are connected to the business network. If there are any doubts the business should call in a security expert who can scan the network and identify connected devices and then inspect the devices. Any IoT device should be included in the device authentication process before it is permitted to access the network. The network administrator or IT service provider will probably not be informed if an IoT device is changed during a maintenance procedure. Device authentication will ensure that the administrator or IT service provider is made aware of any changes to the devices connected to the network.

Methods of minimizing the risk of a hacker attack

A mobile device such as a laptop might be connected to the business network and also to the users home network. Even though the mobile device is authenticated to access the business network and the user provides the authentication credentials it is still possible that the device is infected with a Trojan virus that was installed during connection to an unprotected network.

A business should provide staff with two computers, one permanently connected to the business network and a second computer that can be connected to other networks, but never to the business network. The business should provide a secure cloud service where the user can access data files from both computers.

Advanced hacker detection methods

Cybersecurity-monitoring solutions are built using AI that monitor what a user is accessing on the business network while keeping a log of network use. If a hacker gains access to a user computer via a Trojan virus then the hacker will try to access the data servers. The characteristics of the computer network access will change and the change of use will be flagged by the AI system. The administrator can be informed to investigate, or else the user computer can be disconnected from the network and loose the device authentication permission until the device has been investigated. The AI cybersecurity monitor is cloud based with a security appliance installed in the network that is monitoring data traffic and passing information to the cloud AI. The cloud AI will send alerts to the system administrator.

Comprehensive network security plan to minimize a hacker attack

A comprehensive network security plan to minimize the risk of a hacker attack has four components.

  • Upgrade the network design to add end-point security measures.
  • Constantly update all software with security patches as soon as they are released, this includes patches for operating systems and applications programs.
  • Provide continuous training to ensure staffs awareness of the risks posed by hackers and teach how to recognize a potential hacker attack.
  • Prepare and test a recovery plan that can restore the network to normal operation if a hacker attack has occurred, without paying the hackers ransom. This plan will include offsite secure data backup that the hacker cannot access, disk drives prepared ready to install in servers, and IT services to identify the path of access before the network is reconnected to the Internet.

Cybersecurity has a cost but this is the cost of doing business in an environment that requires computers and a connection to the Internet. Furthermore the cost of cybersecurity is much less than the value that hacker will demand after planting ransomware and locking the business data.

Final comments

It is essential to take steps that will protect the network edge from hacker attacks. Hackers have automated the process of data theft and ransomware. There are illegal businesses that provide ransomware-as-a-service where the thief pays a fee to a company to hack into a business network and plant ransomware. These services are available in countries that are not friendly with the USA, and so they are immune from prosecution. Some of these groups are state sponsored criminals while others are criminal gangs.

The ransomware-as-a-service permits groups with no technical skills to exploit ransomware and so terrorist organizations and organized crime groups are extorting money-using ransomware. This is the reason that ransomware attacks are increasing exponentially.

Any business that has been hacked will be hacked again as the weak points and methods of entry to the network will be shared between the thieves.

If each business implements the recommendations listed in this article then the scourge of ransomware can be dramatically reduced, forcing the criminals to move on to the types of theft that require less work.

It is very important that if a business is hacked with ransomware the FBI should be called in immediately for two reasons.

  • The FBI may have the encryption keys that were recovered from hackers and will release the encrypted data.
  • The FBI can track and recover ransomware payments that use Bitcoin.

Law enforcement needs the help of hacking victims in order to identify the hackers and potentially block their activities.

Readers are invited to share this information with others. If any reader has a question regarding this information please contact us via our contact page.

Recent Post

Authonet engineers
June 3, 2023

Protect your business from an expensive ransomware attack. Unfortunately ransomware attacks have become a ...

Authonet engineers
June 4, 2023

Cybercriminals are attacking business IT infrastructure to steal and sell information, and for extortion using ...