Nearly every day I’m asked whether an impressive firewall configuration is enough to keep malware out of a company’s environment, or I overhear someone’s overconfidence in their own security architecture. Unfortunately, no matter how many rules you write or ports you close, relying on firewalls as your “go to” defense against your organization’s cyber adversaries is a recipe for ransomware!
To answer this question, first consider the purpose of these security elements in your security architecture and environment. A firewall serves a necessary and valuable purpose for your organization, and it should be managed properly and frequently. However, really understanding the firewall’s purpose will help you understand your weaknesses. Whether it protects the network or a single host, a firewall has one job: allow only “safe” traffic in and out, with “safe” defined by your IT team.
This opens up a few problems for an organization and a few opportunities for the bad guys. If your organization doesn’t have a dedicated IT security team, it is difficult for the network admin alone to keep up with current threats and organizational vulnerabilities. Without that constant intelligence gathering, bad guys take advantage of new access techniques and neglected vulnerabilities, which grant them access through the firewall and onto the host system. In addition, you can write as many firewall rules as you want, but any security professional will tell you that your company’s biggest vulnerability is your users: users who are ignorant of cyber-hygiene best practices frequently and unknowingly invite the bad guys in, bypassing the firewall entirely.
This gets the bad guy to your host, where the antivirus or host-based IPS is supposed to kick in. Unfortunately, again, unless the exploit is old enough that the antivirus vendors have had time to write a patch against the threat, and your team then follows good patch management practices by applying that patch to each of your systems, your hosts will not recognize the infection. (Think Equifax breach!) This puts your entire enterprise at risk. Furthermore, the infection can spread across your entire network, because you have no other security measures in place to protect against the most critical exploit: zero-day malware.
A decently talented hacker can find his way through your firewalls and avoid antivirus detection with little effort. Once on the system, however, the activity is still detectable, but catching it requires a much more advanced detection and mitigation system. To catch malicious activity in its infancy, as it happens on the network, every host and operating system in the environment needs active memory sensors looking for activity such as PowerShell commands launched from a Word document, sensors that can cut the transmission and report the activity to a qualified team of engineers who can then diagnose the infection and eradicate the exploit. Unfortunately, a team with this skill set is difficult to find and, more importantly, often cost-prohibitive.
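The kind of host-level sensor logic the paragraph describes, as an added example that is not from the original post: it scans constructed Sysmon-style process-creation records (the field names Image, ParentImage and CommandLine are Sysmon's; the key=value layout, host names and sample command lines are assumptions) and flags an Office application spawning a shell or script host, raising the severity when the command line carries hidden or encoded switches.

```python
from typing import Dict, List

# Office applications that should not normally spawn a shell or script host
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Shells and script hosts commonly launched as the first stage after a malicious macro runs
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe"}
# PowerShell switches that indicate an attempt to hide or obfuscate the command
EVASION_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden", "-nop")

# Constructed sample events in a Sysmon-like key=value layout (not real telemetry)
SAMPLE_EVENTS = [
    "Host=WS01|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|CommandLine=powershell.exe -nop -w hidden -enc <constructed-base64>",
    "Host=WS02|Image=C:\\Windows\\System32\\notepad.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|CommandLine=notepad.exe report.txt",
    "Host=WS03|Image=C:\\Windows\\System32\\cmd.exe"
    "|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
    "|CommandLine=cmd.exe /c start invoice.vbs",
    "Host=WS04|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|CommandLine=powershell.exe Get-Process",
]

def parse_event(line: str) -> Dict[str, str]:
    """Split one 'key=value|key=value' record into a dict (values may contain '=')."""
    return dict(field.split("=", 1) for field in line.split("|"))

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, e.g. '...\\WINWORD.EXE' -> 'winword.exe'."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per process-creation event where an Office app spawned a shell."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        parent, child = basename(ev.get("ParentImage", "")), basename(ev.get("Image", ""))
        if parent not in OFFICE_PARENTS or child not in SUSPICIOUS_CHILDREN:
            continue
        cmd = ev.get("CommandLine", "").lower()
        # Hidden/encoded switches raise the severity: a document has no benign reason for them
        severity = "high" if any(flag in cmd for flag in EVASION_FLAGS) else "medium"
        alerts.append({"host": ev.get("Host", "?"), "parent": parent,
                       "child": child, "severity": severity})
    return alerts
```

Running detect(SAMPLE_EVENTS) flags WS01 (high) and WS03 (medium); the explorer-launched notepad and PowerShell events pass untouched, which is the parent-child distinction a sensor needs to avoid drowning the team in false positives.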
If your organization has or hosts client and/or employee personally identifiable information (PII), or falls under one of the many heavily governed compliance standards such as HIPAA or Sarbanes-Oxley, you are a constant target. Consequently, keeping your information secure is imperative to the success of your company. I encourage my Information Officer friends to ask their teams, “What is our plan for zero-day risks such as new ransomware, and what is our incident response plan for such an event?” If you get back the same blank stare or shoulder shrug I normally see when I ask teams that question, you’re at risk, and I’d be happy to help!