Jump Out of the Box and Into the Cell
How the Cisco Vulnerability Further Demonstrates the Need for Cell Structure Security.
February 15, 2016 by Pete Kofod
The technology sector was rocked again by what will likely prove to be a catastrophic security headache. Cisco announced on February 10 that a critical vulnerability in their widely deployed Cisco ASA Firewall appliance had been found and recommended system administrators patch their systems immediately. For those interested or affected, the details can be found here.
There is a saying among technology professionals that nobody ever got fired for buying a leading vendor solution. The belief is that selecting industry leaders mitigates both technical and strategic risk. While industry leaders have rightfully earned the leadership mantle in the technology industry, the expression serves as an indictment of organizations' technical leadership on several levels.
As a matter of sheer principle, it suggests a lack of professional rigor by "going with the crowd." It may offer advantages in terms of long-term technology viability, economies of scale as it applies to acquisition and support costs, and the ease of staffing. There is a flip side of course. Security problems are magnified.
Who's Minding the Firewall?
In the case of the Cisco ASA firewall, Cisco claims that over one million of these appliances have been sold. Cisco ASA firewalls, particularly the lower end models, are often used to grant VPN access to remote, sometimes unmanned, facilities. Unmanaged by technical personnel, these firewalls are exclusively used by end users who need remote access. In fact, it is quite conceivable that these systems have no administrator or owner. I expect to see sites including warehouses, utilities facilities, and "closets" getting exploited over the next months. Unlike desktop operating systems in which end users are notified of vulnerabilities via updates, there is no mechanism of notifying end users that they may be using a highly compromised system.
Exploiting "Best Practices"
The second issue is the reflexive acceptance of "best practices" without analyzing whether the spirit of these practices is indeed being met. Continuing with the ASA vulnerability as a case study, two "best practices" include Central Authentication and Defense In Depth. The ASA can reasonably be considered the first line of defense. VPN services delivered by the ASA are often authenticated against a central authentication database such as Microsoft Active Directory. Assuming a catastrophic compromise of an ASA, including the ability to modify code, is it far-fetched to assume that the code could be used to obtain Active Directory credentials from other users logging in via VPN? Once those credentials are compromised, is it then unreasonable to assume that other internal systems, relying on the exact same authentication mechanism, may have been compromised?
Complete compromise of Central Authentication systems is the holy grail of attackers. It affords the ability to "return to the well."
You Must Prepare for Compromise
A missing "best practice" is mitigating loss post-compromise. Organizations may have disaster recovery policies and procedures in place, but there are no industry "best practices" for containment. Defense in Depth speaks to prevention by employing heterogeneous security architectures to provide diversity. As we have seen, however, Central Authentication can make that collapse quickly.
Organizations, already taxed for time and resources, find it difficult to discuss issues that lie beyond standard security practices. In other words, developing a mitigation framework is "outside the box."
Traditional risk analysis centers on evaluating probability and effect, and most mitigating strategies address probability only. Cell Structure Security is a concept that can be used to change that. Cell Structure Security assumes compromise (assigning a probability of 100%), and focuses on mitigating effect. You need to adopt Cell Structure Security.
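To make the "effect" side of that argument concrete, here is a small blast-radius model added as an illustration; it is not code from the original post, and the inventory, user population and directory names in it are constructed. It applies the reasoning from the case study above: a fully controlled system sees the credentials of everyone who logs in to it, and a captured credential is accepted wherever the same directory validates logins, so the attacker can "return to the well" until nothing new is gained.

```python
from collections import defaultdict

# Constructed inventory: system -> directory that validates its logins.
# Under central authentication every system trusts the same directory; under
# cell structure each cell keeps its own, and the VPN appliance validates
# remote users against a directory that nothing else trusts.
CENTRAL = {"vpn-asa": "corp-ad", "file-server": "corp-ad", "hr-db": "corp-ad",
           "mail": "corp-ad", "scada-hmi": "corp-ad"}
CELLS = {"vpn-asa": "remote-access", "file-server": "cell-files",
         "hr-db": "cell-hr", "mail": "cell-mail", "scada-hmi": "cell-ot"}

# Constructed user population: user -> systems that user logs in to.
USERS = {"alice": {"vpn-asa", "file-server", "mail"},
         "bob":   {"vpn-asa", "hr-db", "mail"},
         "carol": {"mail", "scada-hmi"}}       # carol never uses the VPN


def blast_radius(auth_domain: dict[str, str], users: dict[str, set[str]],
                 start: str) -> set[str]:
    """Systems an attacker who fully controls `start` can eventually log in to.

    Modelling assumption (ours, not the post's): a controlled system captures
    the credentials of every user who logs in to it, and a captured credential
    is accepted by every other system that validates logins against the same
    directory. Iterate to a fixpoint so harvested credentials from newly
    reached systems are reused in the next round.
    """
    controlled = {start}
    while True:
        captured = defaultdict(set)            # directory -> users seen logging in
        for user, logins in users.items():
            for system in logins & controlled:
                captured[auth_domain[system]].add(user)
        gained = {s for s, d in auth_domain.items()
                  if s not in controlled
                  and any(s in users[u] for u in captured[d])}
        if not gained:
            return controlled
        controlled |= gained


if __name__ == "__main__":
    print("central auth :", sorted(blast_radius(CENTRAL, USERS, "vpn-asa")))
    print("cell structure:", sorted(blast_radius(CELLS, USERS, "vpn-asa")))
```

Under central authentication the compromised VPN appliance reaches every system, including the SCADA HMI whose user never touched the VPN, because her credentials were harvested from the mail server in the second round; under the cell structure the same compromise stays confined to the appliance itself.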