Data networks are not secure. If the breach statistics from the past decade don’t tell the story itself, the all-too frequent news items concerning network and other device vulnerabilities should be enough to give IT and cybersecurity professionals sleepless nights.
Data networks are the lifeblood of modern communications. Businesses depend upon them to access business-critical data, services and applications; retailers depend upon them for eCommerce and consumers depend on them to post their latest selfie or status update.
Given the sensitive or confidential nature of much of the business data using public and private networks, you might think these systems are secure by design. Unfortunately, the truth is more troubling.
Network device security vulnerabilities
The reality is, any network connected device is subject to a degree of risk that could expose it to security vulnerabilities. It’s why vendors openly publish vulnerability announcements and security patches. However, best practice and the adoption of a “secure by design” approach ensures that vulnerabilities (even amongst security products) are rare.
There is a notable difference between the performance of purpose-built, dedicated security devices and those that feature “embedded security”. The latter do not always reflect the secure by design ethos; resulting in more frequent vulnerability notifications.
We’ve been syndicating news stories about network device vulnerabilities for years now. Back in 2015 we were commenting on the security vulnerabilities found in routers, modems, IP cameras, VoIP phones and a variety of other networked devices. A year later and Cisco was announcing a known vulnerability that affected over 840,000 devices worldwide.
Fast-forward to 2019 and the world is a different place. OK, it’s not. In fact, it seems like we’ve learned very little over the past five years. We have continued to hear about vulnerabilities, including devices with embedded encryption. In April 2019 the US Department of Homeland Security’s cybersecurity division published an alert highlighting a flaw found in several enterprise VPN products.
The vulnerability affects products from Cisco, F5 Networks, Paolo Alto Networks and Pulse Secure. The affected devices store authentication and/or session cookies insecurely as plain text; giving hackers access to network applications without having to log in.
May was no better, it kicked off with Cisco announcing 41 security alerts on a single day. One of the alerts concerned a potential critical threat to the SSH key management for the Nexus 9000 series Application Centric Infrastructure mode switch software.
A matter of days later and Cisco was hit again with news of two new security flaws in its enterprise routers, switches and firewalls. One of the flaws, known as Thangrycat, allows hackers to bypass Cisco’s Trust Anchor module – a hardware security module that is the root of trust for tens of millions of devices.
The Sisyphus analogy
Organisations that rely solely on embedded devices, devices with “embedded encryption”, or even just security patches to protect their network data are condemning themselves to a future of onerous and futile labour. Constant patching causes unnecessary cost, business disruption and dooms cybersecurity professionals to a never-ending list of monotonous tasks; adding significantly to the total cost of ownership for their core infrastructure.
There must be a better way to securely protect your network data. Wait, there is a better way!
Security without compromise
Cybersecurity solutions can be categorised as one of two types: prevention and protection. Both form part of best-practice security strategies, but the reliance on prevention alone has proven to be ineffective.
In the event of a breach, the only way to ensure the integrity and confidentiality of your data is to protect it with encryption. As data moves across IT networks dominated by mobile workers, borderless infrastructure and billions of connected IoT devices it is exposed to a varied and expanding threat landscape.
Not all encryption solutions are created equal. As we’ve seen from the vendor announcements earlier this year, embedded network/security devices and devices with “embedded encryption” are just not cutting it. If you want to protect your data, you should to be using purpose-built, dedicated encryption solutions; either high-assurance hardware or a virtualized/software alternative.
What constitutes a high-assurance solution? For a hardware module to offer high-assurance encryption it needs to include four key features. First, it needs to be secure, tamper-proof hardware, dedicated to network data encryption. Second, the encryption keys should be stored client-side only, so nobody else can access them. Third, it should offer end-to-end encryption. Finally, it should utilise a standards-based encryption algorithm.
When choosing an encryption solution, we also suggest you look for third party validation. Certification by any of the leading independent testing authorities (FIPS in the US, Common Criteria or NATO) acts as confirmation that the solution offers a proven degree of data protection and is suitable for use with sensitive or confidential information.
For long-term data protection, look for a solution with cryptographic agility. As we enter the world of the quantum computer, organisations need to think about protecting their data in the medium to long term from the threat of “capture now, decrypt later” attacks on data with a long life.
If you’re worried that hardware encryption is beyond your means – either because it seems too expensive, too complicated or simply not suited to your business, check out our companion graphic: Dispelling the myths of Hardware Encryption.