Every [Network] Border Needs a [Fire]wall


Every secure facility depends on one thing to keep it guarded while still allowing passage in and out: a gate. Every secure network relies on the equivalent, something that lets the good traffic in and keeps the bad traffic out: a firewall.

Cool. What does that mean?

As you browse the internet, send email, or communicate with business partners, you are sending and receiving traffic, all of which passes through one (or a few) network devices whose job is to decide what is allowed through and what is not.

On the surface, that sounds straightforward, and a lot of people accept it at that level. In reality it is substantially more involved, with a variety of network devices that each do different things: firewalls, network intrusion detection and prevention systems, host intrusion detection and prevention systems, demilitarized zones (DMZ), and several others I plan to cover in the future. This article focuses solely on firewalls, and specifically on the difference between the two primary types: stateless and stateful firewalls.

Stateless Firewalls

I’ll start with stateless firewalls. These are the most basic: each packet is judged on its own, against rules that match fields in its header (typically source and destination IP address, port, and protocol), with no memory of the packets that came before it. That is to say, your security team may have discovered that you get a lot of bad traffic from some IP, 86.75.30.9. So they configure the firewall to drop all traffic from 86.75.30.9. Problem solved. No more bad traffic from this IP. Unfortunately, your security team also finds that a lot of data has been moving from inside your network to 86.75.30.9. They take a look, and that data turns out to be sensitive and not supposed to leave your internal network. So the firewall is then configured to drop all traffic going to 86.75.30.9. Now the firewall has a pair of rules that block traffic to and from that IP, which addresses this one source of bad traffic and this one exfiltration path. Note what a stateless filter cannot do, though: it has no way of knowing whether an inbound packet is the reply to a connection one of your users started, so every kind of inbound traffic you want to allow has to be permitted explicitly, by address and port.

To get a better understanding of this, consider the TSA (Transportation Security Administration). The TSA is responsible for securing U.S. “transportation systems to ensure freedom of movement for people and commerce,”^1 which most people observe through the security personnel who work in airports, screening travelers and their luggage. One component of their job is ensuring that a dangerous individual doesn’t get on a plane with other travelers. Such an individual may be blacklisted^2 and not allowed to fly, so the TSA bars their passage through the checkpoint (like the firewall blocking incoming traffic). On the other end, if you’ve ever traveled internationally, there are some locations where you may not be able to leave the terminal for one reason or another^3, and so you are barred from entering the country (like the firewall blocking outgoing traffic).

Stateful Firewalls

Stateful firewalls take a different approach. Rather than judging each packet alone, they keep a connection table. When a host inside the network starts a connection (for example, the TCP handshake to a web server), the firewall records it, and the packets that belong to that established connection, including the replies coming back in, are allowed even though no rule would permit them as unsolicited inbound traffic. Entries are removed when the connection closes or after a timeout.

To get a better understanding of this, consider a theme park or club that charges a cover fee. To get in, you pay the fee and they give you something (a stamp, a bracelet: a token) to indicate that you are permitted to come and go for some period of time. If you’re visiting a fair, realize you forgot something in your car, leave, and come back, whoever is working the entrance will see your token and let you through without any hassle. Similarly, the stateful firewall permits the inbound data of a file download, which it would drop as unsolicited inbound traffic, because the connection carrying it was started from inside: you clicked the link, your computer opened the connection, and the firewall recorded it. The flip side is worth knowing: a stateful firewall trusts connections started from inside, so malware that calls out to its command and control server looks, to the firewall, exactly like a user browsing the web. That is why explicit outbound rules (like the block on 86.75.30.9 above) and the intrusion detection systems mentioned earlier still matter.
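The difference between the two approaches is easiest to see side by side. The following is an added example, not code from the original post: a toy stateless filter and a toy stateful filter run over the same constructed packet stream. The blocked address 86.75.30.9 comes from the text; the client, web server and probing addresses, and the port numbers, are made up for illustration. Only the stateful filter lets the web server’s reply back in, and both drop the unsolicited probe and everything involving the blocked address.

```python
# Toy stateless vs stateful packet filter (added example, not from the original
# post). The blocked address 86.75.30.9 comes from the text; the client, web
# server and probing addresses below are constructed for illustration.
from dataclasses import dataclass
from typing import List, Set, Tuple

BAD_IP = "86.75.30.9"


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = leaving the LAN, "in" = arriving from the internet
    src: str
    sport: int
    dst: str
    dport: int


def stateless_decide(pkt: Packet) -> str:
    """Judge each packet on its own header fields; no memory of earlier packets."""
    if BAD_IP in (pkt.src, pkt.dst):
        return "DROP"          # the address-based rules from the text
    if pkt.direction == "out":
        return "ALLOW"         # users may reach the internet
    # Inbound: nothing in this packet proves it is a reply to something we
    # started, so without an explicit per-port allow rule it is dropped.
    return "DROP"


class StatefulFirewall:
    """Remembers connections opened from inside and lets their replies back in."""

    def __init__(self) -> None:
        # Connection table keyed by (client, client_port, server, server_port).
        # A real firewall also expires entries on close or after a timeout.
        self.table: Set[Tuple[str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> str:
        if BAD_IP in (pkt.src, pkt.dst):
            return "DROP"      # address rules are checked first, as before
        if pkt.direction == "out":
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        # Inbound is allowed only if it is the reverse of a recorded connection.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return "ALLOW"
        return "DROP"


# Constructed traffic: a user opens an HTTPS connection and gets a reply, an
# outside host probes SSH uninvited, and something inside tries to reach BAD_IP.
SAMPLE_TRAFFIC = [
    Packet("out", "192.168.1.20", 51000, "203.0.113.10", 443),  # user -> web
    Packet("in", "203.0.113.10", 443, "192.168.1.20", 51000),   # web -> user (reply)
    Packet("in", "198.51.100.7", 4444, "192.168.1.20", 22),     # unsolicited probe
    Packet("out", "192.168.1.20", 51001, BAD_IP, 443),          # attempted exfil
    Packet("in", BAD_IP, 443, "192.168.1.20", 51001),           # and its reply
]


def run(traffic: List[Packet]) -> List[Tuple[str, str]]:
    """Return (stateless verdict, stateful verdict) for each packet, in order."""
    fw = StatefulFirewall()
    return [(stateless_decide(p), fw.decide(p)) for p in traffic]


if __name__ == "__main__":
    for pkt, (sl, sf) in zip(SAMPLE_TRAFFIC, run(SAMPLE_TRAFFIC)):
        print(f"{pkt.direction:3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
              f"  stateless={sl}  stateful={sf}")
```

The second packet is the whole story: the stateless filter drops the web server’s reply because nothing in that packet says it was asked for, while the stateful filter finds the matching outbound entry and allows it. On a Linux host the same idea is the familiar connection-tracking rule, `iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` (or `ct state established,related accept` in nftables), placed ahead of the rules that drop unsolicited inbound traffic.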

You Need a Wall…

Firewalls are an important part of your network, whether at home or in the office. They serve as a virtual gatekeeper, preventing the bad from coming in (or leaving) your network, while allowing the good traffic freedom of movement. I hope that this article has helped provide some clarity on the general concept of network firewalls, distilling yet another security-related topic for your consumption.

Until next time, cheers!

References:

[1] TSA Mission: https://www.tsa.gov/about/tsa-mission
[2] Disclaimer: I do not know all the details behind who gets blacklisted by the TSA, and why. I don’t mean to start political debate — merely utilize this example to explain a technical security concept. Don’t dig into it any deeper than that.
[3] This is probably more common in a present-day environment where restrictions due to COVID-19 significantly limit any sort of travel.

Author’s Note
Original securitydistilled.com post, December 7, 2020

Do Some Analytics on That…


What are analytics?

If you’re like me, you may have heard the term “analytics” thrown around a few times. Or many times. I find myself slipping deeper and deeper into the latter population. And I always had an idea for what it meant, but nobody had ever defined it. Worse, when I looked it up, it was always a vague concept that I couldn’t get a straight answer on (see Merriam-Webster’s definition of analytic, as a starting point for why this term as it’s commonly applied today can get confusing).

Let me start with this: it’s not overly complex.

Let me clarify: it doesn’t have to be overly complex.

An analytic, singular, is a tool or line(s) of code that enable the discovery of “something.” That’s pretty much it. So if that’s the case, analytics, plural, would be a series of these tools or line(s) of code that enable you to find one or more “somethings.”

To distill this a little bit, let’s say I go to google.com to find a restaurant for my wife and I to go to. We’re going on a date, so I’d like it to be fancy. We would also like to try something close by our zip code, 12345. Lastly, we’re both in the mood for Italian food. Given each of these requirements, I could separate each like they are individual analytics:

  1. Fancy restaurants
  2. Italian restaurants
  3. Restaurants near 12345

So there are my analytics. Strung together, they read “fancy Italian restaurants near 12345,” which will (hopefully) find one or more options that fit the desired type of restaurant for our date night. If I want to narrow it down further, I can run a few more analytics (e.g. restaurants that require formal attire, restaurants that only serve in the evening, restaurants requiring a reservation).

Let’s Find Evil!

In the world of cyber security, each of these analytics is a tool that allows us to find some form of vulnerability or malicious activity. Simply put, I may want to find a malicious program running on my computer. One way to do this is to write a script that looks for whatever that malicious program might be (perhaps a .exe file, which is simply an executable: it starts, it runs, it does something). So my analytic looks for meaningoflife.exe, and if it finds meaningoflife.exe then it has served its purpose and (unfortunately) I have found something malicious on my computer.

Altering this slightly as we head deeper into the concept, maybe I know what meaningoflife.exe is, and it’s a perfectly good program that my computer needs to perform some important function. So that original analytic is a dud, then, right? Not exactly. Let’s say a vulnerability in meaningoflife.exe is discovered, and exploiting it launches a process that does something like call out to a command and control server, enabling Mr. Adams (arbitrary name selection) to do something malicious on your system. If I know that meaningoflife.exe has this vulnerability and that some process (we’ll call it process 42) appears when the exploit fires, I need an additional analytic that looks for meaningoflife.exe running in conjunction with process 42 being started. If I find the two together, I have not found the vulnerability itself (that is a vulnerability scanner’s job); I have found evidence that it is being exploited, which is exactly what a detection analytic is for.
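Both analytics from the two paragraphs above, written out as code. This is an added example and not code from the original post: it runs over a constructed, in-memory log of process-creation events (timestamp, host, pid, parent pid, image path), a field set that is assumed here rather than taken from any particular product. The program name meaningoflife.exe and “process 42” follow the text; the host names, PIDs, and the child image name process42.exe are made up. The second analytic walks each child’s parent chain rather than checking only the immediate parent, so an intermediate shell (as in the sample) does not hide the relationship.

```python
# Two small process-creation analytics (added example, not from the original
# post). meaningoflife.exe and "process 42" follow the text; the host names,
# PIDs and the child image name process42.exe are constructed for illustration.
from typing import Dict, List, NamedTuple, Optional, Tuple


class ProcEvent(NamedTuple):
    ts: str
    host: str
    pid: int
    ppid: int
    image: str


# Constructed sample log, one process-creation event per line:
# timestamp host pid ppid image-path   (the image path may contain spaces)
SAMPLE_LOG = """\
2020-11-18T09:00:01 ws01 1201 800 C:\\Windows\\explorer.exe
2020-11-18T09:00:05 ws01 1340 1201 C:\\Program Files\\MOL\\meaningoflife.exe
2020-11-18T09:00:06 ws01 1355 1340 C:\\Windows\\System32\\cmd.exe
2020-11-18T09:00:07 ws01 1360 1355 C:\\Windows\\System32\\process42.exe
2020-11-18T09:10:00 ws02 2201 900 C:\\Program Files\\MOL\\meaningoflife.exe
2020-11-18T09:10:03 ws02 2210 2201 C:\\Windows\\System32\\notepad.exe
"""


def parse_log(text: str) -> List[ProcEvent]:
    """Parse the sample format; maxsplit keeps spaces inside the image path."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, pid, ppid, image = line.split(maxsplit=4)
        events.append(ProcEvent(ts, host, int(pid), int(ppid), image))
    return events


def basename(path: str) -> str:
    """Lower-cased file name, whichever path separator the source used."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analytic_one(events: List[ProcEvent],
                 target: str = "meaningoflife.exe") -> List[Tuple[str, int]]:
    """Analytic 1: every start of the named program, as (host, pid)."""
    return sorted((e.host, e.pid) for e in events if basename(e.image) == target)


def analytic_two(events: List[ProcEvent], parent: str = "meaningoflife.exe",
                 child: str = "process42.exe",
                 max_depth: int = 8) -> List[Tuple[str, int, int]]:
    """Analytic 2: the child program running *under* the named program.

    For each child process, walk its parent chain (at most max_depth hops, on
    the same host) looking for the parent program. Returns
    (host, child_pid, ancestor_pid) for each hit.
    """
    by_key: Dict[Tuple[str, int], ProcEvent] = {(e.host, e.pid): e for e in events}
    hits = []
    for e in events:
        if basename(e.image) != child:
            continue
        cur: Optional[ProcEvent] = e
        for _ in range(max_depth):
            cur = by_key.get((cur.host, cur.ppid))
            if cur is None:          # reached a process we have no event for
                break
            if basename(cur.image) == parent:
                hits.append((e.host, e.pid, cur.pid))
                break
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("analytic 1 (program seen):          ", analytic_one(evs))
    print("analytic 2 (process 42 under it):   ", analytic_two(evs))
```

On the sample, the first analytic fires on both workstations, because meaningoflife.exe is a legitimate program that runs everywhere, while the second fires only on ws01, where process42.exe was started underneath it by way of a command shell. That is the difference between an analytic that finds a thing and one that finds a thing in context.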

Semantics

Jumping back to the specific use of these words, where I’ve most often been confused is when people say things like, “we do analytics.” Why? Because we don’t do lines of code. We run lines of code. We create lines of code. And usually our analytics are enabled by some sort of tool, like PowerShell (Windows scripting) or Bash (Linux scripting), through which they are able to detect something. We “run analytics,” perhaps. But saying things like “we do analytics” just muddies the concept for semantic reasons. Unless you’re trying to say that you specialize in building analytics. But even then, that’s not how I think most people are using it. So, to be clear, it can be confusing. But it doesn’t have to be.

Further Reading

A great resource for looking at some real analytics is the MITRE Cyber Analytics Repository (CAR), which has a name that describes exactly what it is: a collection of analytics, each written against a data model and mapped to the adversary techniques it detects. If you’re not familiar with MITRE, it is a not-for-profit organization focused heavily on research and development related to technical problem sets. As it relates to cyber security, MITRE is the organization responsible for developing the Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) Matrix, which is a great resource for digging deeper into a variety of adversary tactics and techniques. If you’re even remotely interested in the world of cyber security, this is a great place to start looking at the massive variety of techniques that adversaries employ.

Until next time, cheers!

References:

  1. “Analytic” defined: https://www.merriam-webster.com/dictionary/analytic
  2. MITRE ATT&CK Matrix: https://attack.mitre.org/

Author’s Note
Original securitydistilled.com post, November 18, 2020

Distilling “Cyber”


If you have your eye on the broad landscape of technology, you will find that the term “cyber” continues to grow in popularity, much like the buzzwords “data,” “analytics,” “AI,” “ML,” and others. This is significant, because cyberspace is the digital landscape that connects all our data, enables us to employ analytics, and drives the other two (AI and ML), to take that list as an example.

What is important, I believe, is that we understand and use these terms correctly. In this case, I’ll narrow my discussion down to “cyber” and its related terms, because these technical words have particular meanings, and in some cases those meanings have specific implications. What I would like to do here is create a baseline as I continue to research and develop a body of knowledge related to security (be it cyber, information, or other) in an effort to educate and create awareness among others. If I’m helping you learn, encouraging discussion, and getting people thinking, then I will consider my efforts a success.

To begin, I would like to reference two separate resources: the National Institute of Standards and Technology (NIST) and the Merriam-Webster dictionary. The first is an organization committed to, as the name implies, standards and technology. It publishes many documents that tie into the “cyber” discipline and serves as a standardized library of references related to cyber (and information) security. The second is an American dictionary publisher responsible for standardized definitions of English words. I will note that both of these are based in the United States, so whatever biases come with that will naturally be present in this writing. That said, let me begin by taking a look at some definitions.

Cyber

First, NIST defines “cyber” as “refer[ring] to both information and communications networks.”[1] Merriam-Webster defines it as “relating to, or involving computer networks.”[2] This is good. Both sources agree and so we have one less thing to worry about.

Cyberspace

Regarding “cyberspace,” the two differ somewhat, with NIST defining the term as “A global domain within the information environment consisting of the interdependent network of information systems infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers”[3] and Merriam-Webster defining it as “the online world of computer networks and especially the internet.”[4] In any case, I will assume that we can agree: cyberspace is the space (or domain) through which all of our networks and associated devices are connected. This is a simplification.

Cyber Security

Finally, “cyber security” is defined by NIST as “the ability to protect or defend the use of cyberspace from cyber attacks,”[5] while Merriam-Webster defines it as “measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack.”[6] The former defines it as something you have, the latter as something you do, leaving some disparity between the two. Otherwise, the definitions are similar enough to communicate the bottom line: cyber security involves the defense of systems operating in cyberspace against cyber-based attacks.

Now that I’ve laid out some definitions, I would like to provide some conceptualization. Please note my approach here is very simplified, but my intent is to provide a good point of reference particularly for those who are not as familiar with the concepts.

It’s like the suburbs…

Many Americans live in the suburbs, which I’ll define as a cluster (or clusters) of houses that generally sit on the outskirts of a large city. These clusters house people, allowing them to live nearby urban centers without having to necessarily deal with the sounds, sights, smells of inner-city living. For this example, your computer is represented by a house in the suburbs. This house is surrounded by a handful of other houses (your TV, game console, and other IoT devices) that sit on a street. That street is your home network (local area network, or LAN). Your LAN is connected to other networks outside of it, and to simplify it I will say that your LAN is connected to a variety of other LANs just like your street may be connected to several other streets (whether directly or indirectly).

Collectively, your LAN (or street) and the other LANs (streets) it connects to across a wider geographic area make up a wide area network (WAN). The city you live on the outskirts of is the internet, where websites are hosted, data is stored and accessed, cat pictures and videos multiply, and you go every day (for work or play). In a sense, all of this is cyber: networks connected to networks, LANs connected to LANs. Correspondingly, cyberspace would be the roads through which each of these networks is connected, enabling us to travel from our home PC to somebody’s website (like this one).

Now we can circle back around to cyber security. Cyber security is the capabilities, or the actions (depending on your definition), that can be implemented to protect each of these houses, apartments, and inner-city sites. “Wow, that’s really vague,” you might say. And you would be right to say so. But that is how broad the term “cyber security” can be, and why 1) we can’t just throw it out loosely as a catchall, and 2) why we need to work on understanding it a little bit more.

Why do I say this? Because you do not secure a house the same way you secure a street, a neighborhood, an apartment complex, a parking garage, a shopping center, a government building, and so on. It is like saying, “we need security” and leaving it at that. You might be right, but unless you’re high enough up the chain in an organization to have a staff figuring out all of the details for you, you risk sounding ignorant. What’s more, if you don’t actually know what you’re asking for, you invite many different perspectives on what “right” looks like. This can lead to embellishment or gold plating, resulting in too many dollars spent (or not enough) to satisfy whatever requirements support your desired end state (previously defined as “security”). At that point, if you are not educated enough, the idea that somebody is going to secure each of the houses using laser-guided missiles sounds great. That should do the trick.

To be clear — I am oversimplifying. What I want to highlight, however, is the fact that we need to move towards a better understanding of these technical terms and their related concepts if we are going to be effective in their employment. There should be no argument that cyber, cyberspace, and cyber security are all important — so if that’s the case, why wouldn’t we give them a little bit more time and attention so that we can make more informed decisions?

References
[1]: https://csrc.nist.gov/glossary/term/Cyber
[2]: https://www.merriam-webster.com/dictionary/cyber
[3]: https://csrc.nist.gov/glossary/term/cyberspace
[4]: https://www.merriam-webster.com/dictionary/cyberspace
[5]: https://csrc.nist.gov/glossary/term/Cyber_Security
[6]: https://www.merriam-webster.com/dictionary/cybersecurity

Author’s Note
Original securitydistilled.com post, November 11, 2020