Cybersecurity 411: Tech Myths
A firewall is absolutely necessary for network protection, but it often provides little more than a false sense of security. In this third part of his cybersecurity series, Jeremy Rasmussen advises on additional precautions you should take.
This is the third in a series of articles to inform multifamily professionals of the current cybersecurity threat-scape and recommend best practices for dealing with these issues. Read part one and part two.
Busting Myths About Cybersecurity Technologies
“We’re secure. We have a good firewall,” is like saying: “My home is secure, I have a good lock on the front door.”
Certainly, that front door lock is a requisite part of home security, but it provides no protection against someone coming in through the back door, a window, or driving a truck through the wall. It also doesn’t work very well if you open the front door and let someone in. In the same way, a firewall is absolutely necessary for network protection, but it often provides little more than a false sense of security.
Firewall Precautions
A firewall is a device that enforces an access control policy between two networks. Typically, the first network is your own corporate network and the second is the internet. All devices on your corporate network and the internet have an I.P. address so that data can be routed to them. Think of it like your home address that allows the post office to deliver mail to you. A firewall is configured either to allow or block data from going from one I.P. address to another.
For example, you might like to have a rule that says: Block all I.P. addresses coming from North Korea from connecting into my network. Firewalls also generally block all external connections that were not initiated from inside your network. That is, someone trying to probe your corporate network from the internet will be blocked, but someone trying to connect to Google or your property management software cloud service from inside your network will be allowed.
While a properly configured firewall is absolutely critical to keeping out bot-nets (autonomous networks of malware) and script kiddies (unskilled individuals who use freely available hacker tools), the reality is that most hackers will try to go around the firewall.
When we perform penetration testing for organizations, a typical first step is to send a phishing email to an employee, harvest credentials, use these to login to the system, attempt to escalate privileges and pivot to other systems, and leave a backdoor for later. As you can see, a firewall does very little to stop us in this scenario.
Antivirus Protection
A question we often get is: “What antivirus do you recommend?”
This is almost a religious choice. There are so many options out there already, and many more coming on the horizon daily. In fact, if you look at the list of cybersecurity firms that are considered “unicorns” (start-up companies valued at over $1 billion), four of the top 10 provide endpoint protection. But again, I can tell you that our pen-test team rarely cares what antivirus a company has, because we are going to go around it with phishing, passive network surveillance and other techniques that won’t trigger host-based alerts.
Let me explain how most antivirus products work. Malware (short for “malicious software”) tries to modify your system to steal data, record keystrokes, or allow a hacker remote control over your system. Antivirus (aka “endpoint protection”) attempts to stop malware by looking for a program “signature” that indicates the program’s binary structure appears similar to known malware in the antivirus’ database. While some endpoint protection can “sandbox” (create a virtual machine around) malware to try to contain it, it must first be detected. If there is no known signature for the malware (aka a ”zero day” attack), then it can’t easily be stopped. In addition, some malware is polymorphic – that means it changes its “signature” each time it infects a system. Even modern antivirus that uses patternless detection or techniques to try to block bad behavior, has a tough time stopping malware it has never seen before.
Worse yet, I recently presented a talk at a security conference on JavaScript-based ransomware. Such malware is not a binary executable; instead, it runs using a computer operating system’s own trusted components that antivirus can’t block – or else it would break the computer. I have painted a bleak picture – firewalls that can’t stop anything and antivirus that can’t stop anything. Unfortunately, this is the new normal, and we must deal with it. But how?
The reality is that effective cybersecurity can’t come from a single product such as a firewall or antivirus software. It comes from a comprehensive framework that encompasses:
- Prevention
- Detection
- Reaction
- Continuous feedback/improvement
Even if you can’t prevent something that circumvents your protections, you must have visibility into your enterprise via continuous monitoring and effective incident response protocols if you hope to contain the threat.
Jeremy Rasmussen is chief technology officer & cybersecurity director of Abacode, a company based in Tampa, Fla., that provides all aspects of cybersecurity for growing organizations and employs global thought leaders and industry experts in ethical hacking, digital forensics and corporate governance.