Securing the network perimeter in a COVID-19 world

During the COVID-19 pandemic, companies stayed operational while keeping staff safe by enabling their employees to work from home. While this kept businesses running, it introduced another risk: security problems at the network perimeter.

Our Security Navigator 2021 report notes that the rush to remote working, combined with a marked rise in discovered vulnerabilities, has led to an increase in exploits effecting remote access and perimeter security technologies.  It highlights the need to invest some thought into a tenable patch management strategy, not limited to but especially focused on perimeter security.

Press reports of pandemic-related social engineering attacks rose substantially during the lockdown period. Still, we saw no evidence that people were fundamentally more susceptible to attacks using these themes, possibly because the warnings about them were so rife. However, we did see a sharp rise in reported vulnerabilities surrounding perimeter security technology.

Companies rely on firewalls, routers, and remote access to protect their corporate networks, which is why it’s so concerning that vulnerabilities in security products like these rose dramatically during the past few months. Our World Watch data showed the number of vulnerabilities in a selection of common perimeter security products jumping from between 10 and 15 at the beginning of March to peak at around 60 in May. This is despite, vulnerabilities for general technology products dropping during the same period, more than halving from a yearly high of 2,200 in April to around 1,000 in May.

An increase in reported vulnerabilities

While perimeter security flaws have been documented for years, we have seen a flurry of discoveries since mid-2019. They began with CVE-2019-11510, a flaw discovered in the Pulse Connect Secure VPN that allowed arbitrary file reads. This flaw, which Pulse announced in April 2019 along with a patch, posed a potential weakness to thousands of the company’s VPN servers.

More vulnerabilities surfaced in other devices, including F5’s BIG-IP products. The same researchers who discovered the Pulse bug also highlighted another, CVE-2019-1579, in Palo Alto’s PAN-OS. This flaw was used to compromise a system at a major ride-sharing company before being revealing. Another, CVE-2019-1580, also allowed for remote code execution via the Palo Alto SSH device management interface.

Another bug allowing remote code execution (CVE-2019-19781) surfaced in Citrix’s Application Delivery Controller and Gateway servers at the end of December 2019. A flurry of new flaws emerged this year, targeting equipment from Juniper, Cisco, and once again, Pulse Connect Secure.

These security flaws are more than academic exercises. Threat actors have repeatedly used them to target companies. The NSA warned in October 2019 that nation states had used the original Pulse Connect Secure Bug in attacks. They had also used Palo Alto’s CVE-2019-1579 and a June 2019 bug in Fortinet’s FortiOS system (CVE-2018-13379) that allowed an unauthenticated attacker to download system files.

Exploits involving perimeter security products escalated during the pandemic. The UK’s National Cyber Security Centre (NCSC) and US Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory detailing attacks against security infrastructure, in April 2019, citing the mass move to remote working during COVID-19 as a key factor.

Patching is still a problem

Companies facing these issues are also taking too long to patch. We analyzed 168 security product vulnerabilities over a year and found fewer than one in five were patched in seven days. Over half of them took between one and six months to patch, while 14% took even longer than that. That gives attackers plenty of time to compromise and exploit systems undetected. This is partly due to the complexity of the security product ecosystem, and the newly critical role remote access plays in enterprise IT architecture, which makes the risks associated with patching or upgrading perimeter systems much harder to contemplate.

No wonder, then, that patching is among the most common recommendations that we make in our Signals advisories, featuring along with vulnerability management and software inventory in 36% of them.

Despite the early warning and patch availability for the April 2019 Pulse Connect Secure bug, CISA warned again three months later that it continued to see wide exploitation. It was forced to do so again in April as the problem continued.

Nation-state actors continue to exploit the original Pulse Connect Secure bug a year after the NSA’s original warning. In October 2020, it featured in the NSA’s list of top vulnerabilities exploited by Chinese state-sponsored hackers. On that list were the Citrix ADC/Gateway bugs published in December 2019 and remote access/proxy bugs discovered this year.

The danger of exploits increases over time

Leaving these bugs unpatched even for a few days is dangerous, as attackers have been reported exploiting bugs in the wild just days after they are published. Over time the risk of leaving a system unpatched increases exponentially. That’s because other, complementary vulnerabilities may appear, enabling attackers to combine them with older flaws in a process known as exploit chaining.

For example, almost a year and a half after the publication of the Fortinet CVE-2018-13379 bug and a year after the NSA’s advisory about exploits in the wild, CISA was forced to issue another advisory about it. In October 2020, it reported that threat actors were now chaining the vulnerability with another – the infamous Windows Netlogon elevation of privilege flaw. Together, these exploits allowed attackers to compromise all Active Directory services, enabling them to grant themselves access through legitimate remote access tools. What was already a critical Fortinet bug with a 9.8 severity score had become even more toxic.

What can companies do to mitigate these problems, especially in a pandemic situation where remote working has become a part of everyday life? The obvious answer is to patch early and often.

This requires an inventory of your internet-facing remote access technologies and their configuration. It also calls for a vulnerability management program to notice vulnerabilities and apply patches quickly. These are not core competencies for many companies, especially in times of hasty migration to home-office and extended demand for remote access. A feasible alternative is to let an external provider handle the patch management as a service, either in general or specific to security products.

One of the advantages is that required configuration changes in said tools can be taken care of as part of the service. Adding the benefit of experts testing the new setup and its consequences beforehand this is a very attractive approach. The radical solution is to outsource perimeter security in parts or completely. Managed Security Service Providers (MSSP) offer an effective and secure way to do this. In this case patch management may be left entirely up to the service provider.

Like everything else in your IT infrastructure, network perimeter security requires maintenance to be fully effective. Diligent and methodical management now will help avoid catastrophe later. Find out more about the dangers facing your network perimeter during the pandemic, and how to resolve them, by downloading our Security Navigator 2021 report.