A recent article on databreachtoday.com detailed how Chinese hackers were targeting security and network appliances.
Specifically, it references research conducted by Mandiant that takes a deep dive into how threat actors are targeting technologies that do not support endpoint detection and response, enabling access to critical network assets and data.
In the original Mandiant article the authors identify the exploitation of zero-day vulnerabilities, combined with custom malware, as a common initial access vector. The article outlines two specific scenarios in which vulnerabilities in Fortinet solutions were leveraged to gain network access: one where the device was exposed to the Internet and another where it was not.
Security is not just a tick box exercise
Network security is not something that should be trusted to a device that has “built-in” security features, or to a device that serves multiple roles, such as a router or a switch. If you are really looking to develop a zero-trust architecture, your security devices should be dedicated to that one function: high-assurance hardware that offers authenticated, end-to-end encryption of network data. Nothing less will do.
There are a lot of dual- or multi-function devices out there that use MACsec or IPsec to provide data security. However, these solutions have a number of drawbacks. MACsec (IEEE 802.1AE) was designed to protect individual Ethernet links hop by hop; it was not originally designed for WAN or MAN security. IPsec, which is often implemented in software, imposes considerable per-packet bandwidth overhead and management complexity. Neither meets high-assurance encryption requirements, e.g. secure key management and end-to-end, authenticated encryption. For more on this, check out our technical paper: Ethernet WAN Encryption Solutions Compared.
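To put a number on the bandwidth overhead mentioned above, the following Go program is an added worked example (it is not code from the original article or from any vendor). It computes the framing bytes that IPsec ESP in tunnel mode with AES-GCM (RFC 4303/4106: outer IPv4 header, ESP header, 8-byte IV, 4-octet padding, trailer and 16-byte ICV) adds to an inner IPv4 packet, and compares them with the fixed per-frame cost of MACsec (8- or 16-byte SecTAG plus 16-byte ICV). The packet sizes in main are constructed sample inputs; the 16-byte ICV and the absence of any other headers are stated assumptions.

```go
package main

import "fmt"

// Field sizes taken from RFC 4303 (ESP), RFC 4106 (AES-GCM in ESP) and
// IEEE 802.1AE (MACsec). A 128-bit ICV is assumed for both.
const (
	outerIPv4Header = 20 // new outer IP header added in tunnel mode
	espHeader       = 8  // SPI (4) + sequence number (4)
	espGCMIV        = 8  // explicit IV carried with each AES-GCM packet
	espTrailerFixed = 2  // Pad Length (1) + Next Header (1)
	icv128          = 16 // 128-bit GCM authentication tag
	macsecSecTAG    = 8  // SecTAG without SCI
	sci             = 8  // optional Secure Channel Identifier in the SecTAG
)

// EspPadding returns the padding ESP must add so that Pad Length and Next
// Header are right-aligned on a 4-octet boundary (RFC 4303 s2.4). AES-GCM is a
// counter-based mode, so no further block alignment is required.
func EspPadding(innerLen int) int {
	return (4 - (innerLen+espTrailerFixed)%4) % 4
}

// EspTunnelOverhead returns the bytes ESP tunnel mode with AES-GCM adds to an
// inner IPv4 packet of innerLen bytes (no ESN, no NAT-T UDP encapsulation).
func EspTunnelOverhead(innerLen int) int {
	return outerIPv4Header + espHeader + espGCMIV + EspPadding(innerLen) +
		espTrailerFixed + icv128
}

// MacsecOverhead returns the bytes 802.1AE adds to an Ethernet frame; unlike
// ESP it does not depend on the frame length.
func MacsecOverhead(withSCI bool) int {
	overhead := macsecSecTAG + icv128
	if withSCI {
		overhead += sci
	}
	return overhead
}

// Efficiency is the fraction of bytes on the wire that carry original data.
func Efficiency(payloadLen, overhead int) float64 {
	return float64(payloadLen) / float64(payloadLen+overhead)
}

func main() {
	// Constructed sample sizes: minimum-sized packets through a full MTU.
	fmt.Println("inner bytes  ESP overhead  ESP eff   MACsec overhead  MACsec eff")
	for _, n := range []int{64, 128, 512, 1400, 1500} {
		e, m := EspTunnelOverhead(n), MacsecOverhead(false)
		fmt.Printf("%11d  %12d  %6.1f%%  %15d  %9.1f%%\n",
			n, e, 100*Efficiency(n, e), m, 100*Efficiency(n, m))
	}
}
```

Two things the table makes visible that the prose does not: the overhead is proportionally worst for small packets (a 64-byte packet carries only about 53% useful data under ESP tunnel mode), and a full 1500-byte packet grows to 1556 bytes, which exceeds a standard 1500-byte MTU and so also forces fragmentation or MSS clamping on top of the raw byte count.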
Authenticity, integrity, and confidentiality
The role of encryption is not just to provide long-term protection of data in the event of a breach. GCM (Galois/Counter Mode), a mode of operation for symmetric-key block ciphers, delivers both confidentiality and authenticity of data in motion: every protected unit carries an authentication tag, so a receiver rejects anything that has been modified or injected in transit instead of decrypting it. GCM is the preferred mode of operation for modern network security devices and protects against the injection of malware and rogue data. For example, Senetas CypherNet hardware encryptors leverage GCM mode to deliver authenticated encryption at speeds of up to 100Gbps, with minimal overhead and latency.
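The following Go program is an added example (not code from the original article or from Senetas) of the authenticity property described above, using the standard library's AES-GCM. A constructed ProtectedUnit type stands in for one encrypted frame: a cleartext header that the network still needs is bound to the tag as GCM additional data, and the payload is encrypted. Flipping a single bit in the ciphertext, the tag or the header makes Open fail, so the unit is dropped. For contrast, CTRMalleable shows what happens with plain CTR mode (the keystream construction GCM builds on, minus the tag): the same bit flip silently changes the decrypted plaintext, which is exactly the injection that authenticated encryption prevents. The fixed IV in CTRMalleable and the header and payload strings are illustrative assumptions only.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ProtectedUnit is a constructed stand-in for one encrypted network unit.
type ProtectedUnit struct {
	Header     []byte // authenticated but not encrypted (like a MACsec SecTAG)
	Nonce      []byte // 96-bit; must never repeat under the same key
	Ciphertext []byte // payload ciphertext followed by the 16-byte GCM tag
}

func newAESGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16-, 24- or 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts payload and computes one tag over header and ciphertext.
func Seal(key, header, payload []byte) (*ProtectedUnit, error) {
	aead, err := newAESGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &ProtectedUnit{
		Header:     append([]byte(nil), header...),
		Nonce:      nonce,
		Ciphertext: aead.Seal(nil, nonce, payload, header),
	}, nil
}

// Open verifies the tag before returning any plaintext; it fails closed.
func Open(key []byte, u *ProtectedUnit) ([]byte, error) {
	aead, err := newAESGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, u.Nonce, u.Ciphertext, u.Header)
	if err != nil {
		return nil, errors.New("authentication failed: unit dropped")
	}
	return pt, nil
}

// Tamper returns a copy of u with one bit flipped at pos in either the
// header or the ciphertext/tag, modelling an on-path modification.
func Tamper(u *ProtectedUnit, inHeader bool, pos int) *ProtectedUnit {
	c := &ProtectedUnit{
		Header:     append([]byte(nil), u.Header...),
		Nonce:      append([]byte(nil), u.Nonce...),
		Ciphertext: append([]byte(nil), u.Ciphertext...),
	}
	if inHeader {
		c.Header[pos] ^= 0x01
	} else {
		c.Ciphertext[pos] ^= 0x01
	}
	return c
}

// CTRMalleable encrypts payload with unauthenticated AES-CTR, flips bit 0 of
// the first ciphertext byte, and returns what the receiver decrypts: the
// same flip lands in the plaintext and nothing detects it.
func CTRMalleable(key, payload []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize) // constructed fixed IV, illustration only
	ct := make([]byte, len(payload))
	cipher.NewCTR(block, iv).XORKeyStream(ct, payload)
	ct[0] ^= 0x01 // on-path modification
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, ct)
	return pt, nil
}

func main() {
	key := make([]byte, 32) // AES-256; a real device gets this from key management
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	u, err := Seal(key, []byte("vlan=100"), []byte("constructed payload"))
	if err != nil {
		panic(err)
	}
	_, errCT := Open(key, Tamper(u, false, 0))
	_, errHdr := Open(key, Tamper(u, true, 0))
	fmt.Println("GCM, ciphertext bit flipped:", errCT)
	fmt.Println("GCM, header bit flipped:    ", errHdr)
	pt, _ := CTRMalleable(key, []byte("constructed payload"))
	fmt.Printf("CTR, same flip, accepted as: %q\n", pt)
}
```

The header is passed as additional authenticated data rather than encrypted, which is how a device can keep addressing fields readable to the network while still refusing a frame whose header was rewritten. Nonce uniqueness under a given key is the one property GCM cannot check for itself, which is why key and nonce management sits alongside the cipher mode in any high-assurance design.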
How to separate the best from the rest
The network data security marketplace is a crowded one, with a plethora of vendors competing for a share of the US$20 billion+ market. How can you tell which solution is right for your business and provides the right level of security assurance for your zero-trust architecture? Third-party validation, in the form of independent certification, is an excellent way to assess the security credentials of any device.
Across the world, a number of independent standards organisations and testing authorities have been established. In the US, the FIPS 140-2 standard issued by NIST is a common benchmark. Elsewhere, Common Criteria EAL 4+ has been widely adopted, with additional requirements set by the US Defense Information Systems Agency, the Australian Signals Directorate, the French national cybersecurity agency (ANSSI) and NATO.
Whilst many of these institutions have military-sounding names, the standards they have set are widely adopted throughout industry and commerce. Devices that are recognised as being “suitable for government and defence use” provide businesses with the assurance that they can securely handle sensitive corporate data. For more details on the certifications held by Senetas encryptors, take a look at our Encryptor Certifications Technical Paper.
Making zero trust a reality
The constant litany of breach incidents across the world demonstrates that there is still some way to go before zero-trust becomes a reality for most. Paying mere lip-service to network data security is not a viable approach in a landscape featuring constantly evolving cyberthreats. Zero trust means guaranteeing the confidentiality, integrity and authenticity of data at all times. In short, zero trust architecture demands high assurance protection.