In the early days of computing the cyber-security perimeter and the physical security perimeter were one and the same. Access to data implied access to the actual computer or storage media. From there we graduated to closed networks where computers only talked to each other within a building or private network but quickly modems started to allow access by people outside those controlled spaces. The age of the hacker had begun.
The internet and the web blew things wide open with PCs talking to servers, servers to servers, and PCs to PCs in an exponential web of complexity. The walls are full of gates, holes, and tunnels resembling swiss cheese more than an impenetrable barrier.
Today we add to that extreme mobility, smart phones, tablets, and the trend towards employees using their own devices for work (BYOD). People may be working on hardwired desktop computers one moment and working on a laptop at starbucks the next. They use VPNs, public WiFi, and open corporate networks in quick succession as they move through the world. The result is our old security model based around a castle like formation with a bastion wall surrounding the crown jewels no longer bears any resemblance to reality. Now the jewels are spread out in people’s pockets all over the countryside. People take these devices in and out of corporate environments and networks all the time passing constantly in and out of the remaining notional perimeter.
A better approach is to consider the perimeter not as a castle wall to be defended but as a description of all of the surfaces exposed to attack. In that view there is a perimeter around the local network but also a perimeter associated with each device, server and application.
Just as an attacker might try to penetrate an organization by hacking in through the firewall, they might instead compromise a browser which is (or will be) inside that network. The perimeter becomes a membrane separating the sphere of valuable data, infrastructure, or capabilities from the realm of the attackers. Examples of insider threats make this kind of architecture and analysis even more important because the attacker may well already be inside the old style perimeter. Mobility has also brought physical threats to cyber-security to the forefront. While it is difficult to break into a data center to steal storage clusters, it is easy and common for laptops and mobile devices to be stolen. Considerations of the new perimeter need to include the physical envelope of the device and what an attacker with it in their possession can do.
To focus our security efforts we need to consider where this new perimeter is weakest and where it is relatively strong. Many vulnerabilities can only be attacked indirectly. For example, a vulnerability in Microsoft word can only be exploited once an infected file has been introduced to a victim’s computer by email or some other path. On most personal computers the browser is the weakest point because it is directly and constantly exposed to potentially hostile content while simultaneously being one of the most complex and vulnerability rich applications. A recent study showed that 5 of the top 6 applications with the most discovered vulnerabilities in 2015 were browser or browser plugins.
Conventionally a security perimeter protects a small vulnerable region from a much larger dangerous one. An old joke got me thinking about how we can invert that situation:
A mathematician, a physicist, and an engineer are told to build the smallest possible fence around a flock of sheep. The engineer puts a loose fence around the sheep, pulls it as tight as possible, crowding them all in, and calls that the answer. The physicist assumes spherical sheep and calculates the ideal circular fence. The mathematician takes a completely different strategy. She builds a tiny fence around herself and defines that as “outside.”
Similarly we can look at something like a browser and define it as “outside” then build a security perimeter around just that one application. This enables perimeters within perimeters where we might be defending the whole PC against one set of threats while simultaneously defending it against attacks vectoring through vulnerabilities in applications running on that very PC.
The perimeter also needs to extend beyond company owned equipment and resources. Employees and contractors routinely access highly sensitive information from their personal devices. They read company email, access company websites, and often VPN into the corporate network from these non-company endpoints. They can be a rich target for attackers even if they can’t access the corporate network; providing access to corporate credentials, business intelligence, and social engineering data which can be used in follow-on attacks.
The security of employees’ personal devices really needs to be made the company’s business – but unfortunately existing device management practices will not be accepted or tolerated. People are not going to allow companies to monitor all of their activities on their personal devices and home computers, but it is in the best interests of businesses to make sure that those computers are as well protected as possible.
Extending the perimeter to personal computers and equipment means providing the security tools, support, and incentives to make it easy and automatic for employees to secure their devices for their own safety while also protecting their employers.
The old castle wall model of perimeter security is almost worthless and often leads to poorly designed architectures and strategies. The idea of the perimeter as a kind of surface which needs to be considered for security controls and analyzed for vulnerabilities at all levels can lead to greater insight and more effective solutions. By discovering the most important kinds of vulnerabilities and protecting them with appropriate countermeasures at both broad and granular levels we can make great strides in our overall level of security.