Digital threats may be closer than you realise

Defending a perimeter is a concept that is as old as the first time anyone had something of value. And there is a natural perception that we can better control and keep an eye on something in close proximity to us.

It’s tempting for organisations to see their computer systems in the same way, to hold them physically very close. But in the context of a modern enterprise trying to become digitised as fast as possible to keep up with and beat the competition, the abstract nature of blending on-premises, cloud and partner resources can blur the lines in favour of the bad actors. We have to start thinking of all of our computing resources as being in hostile territory.

“Zero trust” is a term that has been used recently to represent a set of principles that help network defenders see their home networks as hostile territory. A person who walks through a cyber-security vendor hall, or consumes marketing collateral, might come away with a lot of conclusions about exactly what “zero trust” is, but I think that the penny has finally dropped and everyone now understands that this is very important to get right.

Taking advantage of vulnerabilities in on-premises systems is one beachhead that has recently become popular with attackers. Ultimately, systems that are on-premises are there because they are sensitive – well-known examples include the Microsoft Exchange server, SolarWinds and even the holy of holies, Microsoft CA. Many organisations have moved on and started to use cloud versions of their email server, their security management and their public key infrastructure (PKI), but tens of thousands of organisations haven’t, and have suffered.

What all of these trusted on-premises systems have in common is that their vulnerabilities have invited attack, and enabled the attacker to establish a beachhead. In the case of Microsoft CA, recent research shared at the Black Hat conference has introduced tools to attack configuration weaknesses and steal root keys to forge identities in home networks. Thankfully, researchers have also released tools to help mitigate those weaknesses, but it requires work and technical knowledge to do it right. We have to face the fact that these on-premises systems are showing their age. Keeping ageing systems close to the chest, and placing too much trust in what is nearest, is becoming a weakness, not a strength.

Call it zero trust, or whatever you need to justify the effort to change, but the age of overestimating behind-the-perimeter systems is over. The new perimeter is the identity of the nodes connected to you. Using the right credential form factor is important to express that identity. Digital certificates are the right form factor in many cases, and lifecycle management of those identities has evolved to handle the scale. Protecting the integrity of data going across hostile network boundaries starts with authenticated sessions with encrypted communication. The goal is that, in the event of an attacker achieving a beachhead, their next lateral move in your network won’t be as easy as it is now.

Originally published on Business Reporter