By Rodman Ramezanian - Global Cloud Threat Lead, Skyhigh Security
October 22, 2024 3 Minute Read
As a cyber security professional at Skyhigh Security, and as a technologist dedicated to defending our nation’s critical assets, I’ve spent years watching threat actors probe and exploit internet-facing edge devices – those critical gateways that connect our corporate networks to the wider digital world. That’s why I warmly welcome the Australian Cyber Security Centre’s (ACSC) latest edge security guidance on securing these vital infrastructure components.
The timing couldn’t be better. We’re seeing an unprecedented surge in sophisticated attacks targeting edge devices, from next-generation firewalls to load balancers and VPN concentrators. These aren’t just network components anymore – they’re the first line of defense in an increasingly hostile cyber landscape. When compromised, they can provide attackers with a privileged foothold in our networks, potentially exposing sensitive data and critical systems.
The fundamental issue with VPN technologies, for instance, is that they create a public access point: a constant target for attackers probing for weaknesses. Successful authentication (or exploitation) of a VPN lets both legitimate users and attackers onto your network. With such high potential rewards, VPNs remain a prime target. Past, present, and future attacks prove this – lucrative data makes them a relentless bullseye for cybercriminals.
And as the old saying goes – “if you’re reachable, you’re breachable.” What have we learned from recent threats?
- Insider Threats and Social Engineering: Lapsus$ showed us the sheer impact of abusing edge-based remote access technologies by exploiting trusted insiders and social engineering.
- Ransomware: Campaigns like *Qilin*, *Akira*, and *Fog* continue to target organizations worldwide that rely on VPNs and static credentials for access to edge-based technologies.
- Vulnerabilities: Critical flaws and zero-day vulnerabilities in edge devices from Fortinet, Check Point, Ivanti, and others continue to leave organizations exposed.
- Targeted Campaigns: Attackers continuously target edge-based VPN technologies from Cisco, Check Point, and others to breach networks using stolen credentials.
What makes ACSC’s latest guidance particularly valuable is its holistic approach to edge device security. Rather than focusing solely on technical configurations, it emphasizes the importance of comprehensive security architecture, proper access controls, and continuous monitoring. This aligns perfectly with what we’ve observed in the field: successful edge device protection requires a layered strategy that combines robust technical controls with sound operational practices.
Their guidance touches on Multi-Factor Authentication (MFA) as one important mitigation strategy, but I’d add that much more is needed to supplement MFA these days. In many of the aforementioned cyber attacks and threat campaigns, attackers have very easily circumvented MFA with what are known as MFA Fatigue or Bombing techniques: flooding a user with push prompts until one is approved.
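One way a defender can surface MFA fatigue in practice is to watch the authenticator's push log for bursts of denied or unanswered prompts, and to treat an approval that follows such a burst as the event worth paging on. The example below is added here and is not code from the original post, from the ACSC guidance, or from Skyhigh Security; the log format, field names, window and threshold are constructed assumptions and should be mapped to whatever your identity provider actually exports.

```python
"""Detect MFA fatigue (push bombing) from authenticator push logs.

Added example, not from the original post or Skyhigh Security. The log
format, field names and thresholds below are assumptions constructed for
illustration; adapt them to your identity provider's real export.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, user, push result, source IP.
SAMPLE_LOG = """\
2024-10-22T09:00:01Z alice push_approved 203.0.113.10
2024-10-22T09:00:05Z bob push_denied 198.51.100.7
2024-10-22T09:00:20Z bob push_timeout 198.51.100.7
2024-10-22T09:00:35Z bob push_denied 198.51.100.7
2024-10-22T09:00:50Z bob push_denied 198.51.100.7
2024-10-22T09:01:05Z bob push_timeout 198.51.100.7
2024-10-22T09:01:20Z bob push_approved 198.51.100.7
2024-10-22T09:30:00Z carol push_denied 192.0.2.44
2024-10-22T09:45:00Z carol push_approved 192.0.2.44
"""

UNANSWERED = {"push_denied", "push_timeout"}


def parse_line(line):
    """Split one constructed log line into (timestamp, user, result, source IP)."""
    ts, user, result, src = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, src


def detect_push_bombing(log_text, window=timedelta(minutes=5), threshold=3):
    """Return {user: [alerts]} for users showing MFA-fatigue patterns.

    A "push_burst" alert fires once when a user accumulates `threshold`
    denied/timed-out prompts inside `window`. An "approval_after_burst"
    alert fires if that user then approves a prompt while the burst is
    still inside the window: that is the moment an attacker holding valid
    credentials actually gets onto the network, so it is the higher-severity
    event. Each alert is (kind, timestamp, source_ip, unanswered_count).
    """
    recent = defaultdict(deque)   # user -> timestamps of unanswered prompts
    alerts = defaultdict(list)
    bursting = set()              # users currently in a burst
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, result, src = parse_line(raw)
        q = recent[user]
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if result in UNANSWERED:
            q.append(ts)
            if len(q) >= threshold and user not in bursting:
                bursting.add(user)
                alerts[user].append(("push_burst", ts, src, len(q)))
        elif result == "push_approved":
            if user in bursting and q and ts - q[0] <= window:
                alerts[user].append(("approval_after_burst", ts, src, len(q)))
            # An approval ends the episode; start counting afresh for this user.
            bursting.discard(user)
            q.clear()
    return dict(alerts)


if __name__ == "__main__":
    for user, events in detect_push_bombing(SAMPLE_LOG).items():
        for kind, ts, src, n in events:
            print(f"{ts.isoformat()} {user} {kind} unanswered={n} src={src}")
```

On the constructed sample, only `bob` is flagged: a burst after the third unanswered prompt, then an approval a minute later. `carol`'s single denial followed by an approval fifteen minutes on stays quiet, which is the point of the sliding window. Pair this detection with number matching or similar prompt-context controls so that the approval itself becomes harder to obtain.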
So, you might be asking: what else should we be thinking about?
“Zero Trust” may immediately come to mind here. Unfortunately, Zero Trust has been hyped out of all rational proportion. All the buzz seems to side-step a fundamental point: Zero Trust is not a product, and I commend the ACSC for not suggesting so. While a product or service can indeed be part of a Zero Trust security strategy, no single product can satisfy all Zero Trust requirements and transform your organization. Zero Trust architecture requires coordinating multiple systems – from identity and authentication services to data classification engines.
Unlike traditional VPN systems that tend to trust users once they’ve connected to the network, Zero Trust architecture continuously verifies every user and device attempting to access resources, regardless of their location or previous access. This constant verification becomes crucial in today’s world where work happens everywhere – from office networks to home Wi-Fi to coffee shops – making it harder to maintain security by simply trusting everyone inside a corporate network perimeter.
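To make the contrast concrete, the following added example (not code from the original post, the ACSC guidance, or Skyhigh Security) evaluates each request on its own signals, so that a user who was fine for a low-sensitivity resource an hour ago is re-checked for a sensitive one now. The signals, thresholds and sample requests are constructed assumptions; in a real deployment they would come from the identity provider, device management, and the resource's own classification.

```python
"""Per-request access evaluation in the Zero Trust style, beside the
"trust the session once" behaviour of a traditional VPN.

Added example, not from the original post or Skyhigh Security. The
signals, policy thresholds and sample requests are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import timedelta


@dataclass(frozen=True)
class Request:
    user: str
    device_id: str
    device_managed: bool      # enrolled in device management
    device_patched: bool      # meets current patch baseline
    mfa_age: timedelta        # time since the last strong authentication
    network: str              # "corp", "home" or "public"
    resource: str
    sensitivity: str          # "low" or "high"


# Maximum acceptable age of the last strong authentication, by resource
# sensitivity (constructed policy values).
MFA_MAX_AGE = {"low": timedelta(hours=12), "high": timedelta(hours=1)}


def evaluate(req: Request):
    """Return (allowed, reasons) for one request.

    Every request is judged on its current context; nothing carries over
    from an earlier grant. Reasons list every failed check so an operator
    can see why a request was denied rather than just that it was.
    """
    reasons = []
    if not req.device_managed:
        reasons.append("unmanaged device")
    if req.sensitivity == "high" and not req.device_patched:
        reasons.append("device not at patch baseline")
    limit = MFA_MAX_AGE[req.sensitivity]
    if req.mfa_age > limit:
        reasons.append(f"last strong auth older than {limit} for {req.sensitivity} resource")
    if req.sensitivity == "high" and req.network == "public":
        reasons.append("high-sensitivity resource from public network")
    return (not reasons, reasons)


def vpn_style(session_authenticated: bool, req: Request):
    """Perimeter contrast: once the tunnel is up, every resource is reachable."""
    return session_authenticated


# Constructed requests: the same user and session, changing context.
REQUESTS = [
    Request("alice", "lap-01", True, True, timedelta(minutes=10), "corp", "wiki", "low"),
    Request("alice", "lap-01", True, True, timedelta(hours=3), "home", "payroll", "high"),
    Request("alice", "lap-01", True, False, timedelta(minutes=10), "public", "payroll", "high"),
    Request("alice", "byod-tab", False, True, timedelta(minutes=5), "corp", "wiki", "low"),
]


if __name__ == "__main__":
    for r in REQUESTS:
        allowed, why = evaluate(r)
        zt = "allow" if allowed else "deny"
        vpn = "allow" if vpn_style(True, r) else "deny"
        print(f"{r.resource:8} zero-trust={zt:5} vpn={vpn:5} {'; '.join(why)}")
```

Run as written, the VPN column allows all four requests because the session was authenticated once, while the per-request column allows only the first: stale MFA for payroll, an unpatched device on a public network, and an unmanaged tablet are each denied with the specific reason recorded.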
Where I’d expand on ACSC’s guidance is the need for a risk-based transition from traditional edge security. While cloud-delivered security services offer compelling advantages, a hybrid approach often makes more strategic sense. Some critical systems and sensitive data may need to remain on-premises due to regulatory and/or sovereignty requirements, data sensitivity and classification, latency concerns, or business continuity considerations.
The key is to modernize edge security while acknowledging that different parts of your infrastructure may require different approaches. This might mean maintaining some on-premises components and infrastructure that still support Zero Trust principles for specific use cases while adopting cloud-delivered security services for others, ensuring each choice is driven by risk assessment rather than following a universal cloud-first mandate.
These guidelines remind us that edge security extends beyond patching and firewall rules. It’s about building resilient systems that balance security with business needs. As hybrid work and complex digital supply chains become the norm, the new edge security guidance from ACSC offers a solid foundation for protecting our crucial network entry points.
While some may argue that the new edge security guidance from ACSC is not exhaustive or prescriptive enough to “cover all bases” so to speak, it serves as an important reminder and call-to-action to reevaluate the heavy reliance on traditional edge and perimeter-based technologies, which are still prevalent in our government and critical infrastructure sectors, despite so many evolving threats.