Defending Against Unknown Vulnerabilities… You Gotta Keep’em Separated!
Another day, another rash of news about Ransomware, COVID-19 and someone getting phished for tens of thousands of dollars. Sometimes it’s enough to make a person wish they were in another line of work. Is there a job opening for a person to put lines on paper, maybe? Folding cardboard boxes, JUST SO?
Today, however, I ran into something interesting: a new vulnerability called “Ripple20.” The interesting thing about it is that the vulnerability exists in a library of code. This code library has only one job, which is to handle network traffic. That means it gets used by all sorts of different organizations, since it saves them the time and effort of writing this part themselves. Because of where that code sits, network devices that use the affected library could be instructed to execute arbitrary commands, simply by sending a packet or two to them (or through them).
There were two things that I noticed about this:
First: The researchers who discovered this disclosed it to the impacted establishments responsibly, but were surprised that many of the outfits seemed to be more concerned with how the disclosure would impact “their brand.” Many of the organizations listed were not small; Rockwell Automation and Schneider Electric are two that are listed. They show up in a lot of different devices in northern Alberta, like HVACs and the equipment in water treatment plants. Certainly not fly-by-night organizations that might abandon a line of products just because it was Tuesday.
Second: The scope of the vulnerability. All you need to do is send a properly prepared packet or two to a vulnerable device, and you can get it to do anything you want. No form of User Authentication is needed. The vulnerabilities lie in how the device looks at and handles packets, so that once they get to the device, it’s all over. The only defense is to upgrade the firmware on your device, assuming the vendor released a patch. In this situation I’m certain most of the vendors have released patches for the affected appliances.
The thing is, a lot of these gadgets are things that you don’t generally want to mess around with. Upgrading the operating system on your computer is easy. The worst thing that can happen is that all your data is lost and you need to reinstall. When you’re talking about upgrading something like an HVAC or a water filtration system, the worst thing that can happen is that the upgrade fails terribly, your device no longer works, and there’s no way to recover it. Blow up your HVAC at -30 out, and your building will get cold real fast…
All this trouble caused by a simple library of code intended to do nothing more than send and receive network traffic! The thing is, this happens all the time. Organizations make use of other people’s code to handle portions of what their device does, because it saves them time and resources; they don’t have to build that component themselves. That creates a situation like this one, where a device is vulnerable to an attack due to an error in a component the organization did not build and does not maintain. This can lead to problems if the actual component developers can’t or won’t repair the issue.
Since the nature of this attack is simply to send some special network traffic, how could you go about protecting yourself from this sort of thing? You do it the same way that you protect yourself from IoT infection, by using Network Segregation.
Splitting up your network, so that only certain devices can talk to each other, is an uncomplicated and highly effective method of increasing your Security. Think of it like an organization in an office building:
IoT gets its own floor
Servers get their own floor
Workstations get their own floor (with limited access to the servers’ floor)
Honestly, if your institution is growing so big that this sort of separation is making things crowded, then you should start splitting based on departmental distribution:
HR gets a floor
Accounting gets a floor
IT gets a floor (with access to other floors)
Even if you simply detach your network based on which devices are “High Risk”, this will give you a degree of separation that can help contain (or prevent) a cyber attack. Having a secure design and layout for your network helps limit the scope of an attack and protects your valuable information. To make a simple analogy, it’s just the same as how bars on your windows help prevent people from breaking in.
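To make the “floors” concrete, here is an added example (not from the original post or from TRINUS) that models the layout above as a default-deny policy between segments and audits a few constructed flow records against it. The address ranges, the port numbers and the flow lines are all assumptions made up for the example; the rules mirror the text: workstations get limited access to the servers’ floor, IT has access to the other floors, and IoT talks to nobody else.

```python
import ipaddress

# Hypothetical segment layout (constructed for this example, not real addressing).
SEGMENTS = {
    "iot":          ipaddress.ip_network("10.10.0.0/24"),   # HVAC, water plant gear, etc.
    "servers":      ipaddress.ip_network("10.20.0.0/24"),
    "workstations": ipaddress.ip_network("10.30.0.0/24"),
    "it":           ipaddress.ip_network("10.40.0.0/24"),
}

# Allowed inter-segment flows as (source, destination, tcp port); a port of None
# means any port. Anything not listed is denied; a segment may talk to itself.
ALLOWED = {
    ("workstations", "servers", 443),   # limited access to the servers' floor
    ("it", "iot", None),                # IT gets access to the other floors
    ("it", "servers", None),
    ("it", "workstations", None),
}

def segment_of(addr):
    """Name of the segment an address belongs to, or None if it is unplaced."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None

def is_allowed(src, dst, port):
    """Default-deny decision for a single flow between two addresses."""
    s, d = segment_of(src), segment_of(dst)
    if s is None or d is None:
        return False                     # unknown devices get no access at all
    if s == d:
        return True                      # same floor
    return (s, d, None) in ALLOWED or (s, d, port) in ALLOWED

def audit(flow_lines):
    """Return the flow records ("src dst port") that the policy should have blocked."""
    return [line for line in flow_lines
            if not is_allowed(*line.split()[:2], int(line.split()[2]))]

# Constructed flow log: the two crossings into the IoT and server floors are
# exactly the kind of "a packet or two" that segregation is meant to stop.
SAMPLE_FLOWS = [
    "10.30.0.15 10.20.0.5 443",   # workstation -> server web, allowed
    "10.30.0.15 10.10.0.7 80",    # workstation -> HVAC controller, blocked
    "10.40.0.2 10.10.0.7 22",     # IT -> HVAC controller, allowed
    "10.10.0.7 10.20.0.5 445",    # compromised IoT device -> file server, blocked
    "10.10.0.7 10.10.0.8 80",     # IoT -> IoT on the same floor, allowed
]
```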
If you have any questions about Network Segregation, please reach out to your TRINUS Account Manager for some stress-free IT.
By Kind Courtesy of Your Friendly Neighbourhood Cyber-Man.