Our CSO, Robert Huber, discusses the facts and fiction behind air-gapped networks.
SC Magazine – A good myth, like good marketing, plays up the positives. But buyer beware. Air gapped networks—where there is no connection to the Internet or other networks—are like single-use kitchen gadgets. While an air gapped network can work to prevent Internet-based attacks, true cybersecurity requires more versatility and adaptability.
Yet air gapping holds a particular logic: no connections equals no threats. But believing this assumption is only the tip of the security iceberg. The tradeoffs with air gapping often prove costly, with efficiency being the most prominent victim. It’s time to expose the myth around air gapping once and for all.
Facts and Fiction
The belief that digital threats come through an Internet connection is, of course, based in fact. From phishing and ransomware schemes to infiltration through a vendor’s network, it is easy to observe that hacks happen via network connections. From this perspective, it is reasonable to deduce that keeping a network offline would keep it safe. But air gapped networks are no longer the safe haven they once seemed to be.
Human error is one of the main culprits in reduced network security. Air gapped networks, in particular, present the illusion of safety. When things feel safe, people relax and let their guard down. In the cybersecurity realm, if a security administrator relaxes, so too does their vigilance in monitoring network traffic. This is where breaches in safety protocols—like transferring files on USB drives—can worm their way into networks and introduce threats.
Aside from human error, air gapped networks are no longer the bastions of security. History shows there is always a way in. For example, in Iran at a well-guarded facility, the Stuxnet virus infiltrated an air gapped network through a USB drive. In the same attack, equipment was infected at the manufacturer before it even shipped to the facility. In another comparable scenario, a team at an Israeli university found a way to use malware on a cell phone to extract data from a computer by sensing electromagnetic waves. Furthermore, Agent.btz is a prime example of how USB-based malware infected air gapped classified U.S. military networks years ago. Now, vendor networks or even laptops, which often maintain connectivity to air gapped networks for support purposes, have become a vector of attack.
The Evolving Standards of Security
Networks and equipment that have traditionally been offline are coming online at an unprecedented rate. Many things that once had an air gap are now accessible. High profile failures, especially with the Internet of Things, from hacking a Jeep Cherokee to taking down essential internet service providers like Dyn, demonstrate the dangers of simply adding connectivity to previously offline items.
While this digital transformation affords many benefits to organizations, managing this newly introduced digital risk is key to moving forward safely. As with any security program, residual risk remains even after adding preventative measures. Continuous monitoring is a must and companies need a detailed plan to cover all contingencies.
Staying competitive means implementing the right solutions. Luckily, recent advances in security allow companies to monitor all of their cyber terrain. From solutions that offer traditional network protection to technology that moves past the basics to provide complete visibility for cloud, hybrid and a mobile workforce, being able to identify—in real time—any activity that doesn’t belong is the only way to ensure the level of safety and attention that threats require. In short, a comprehensive breach analytics solution, regardless of the avenue of attack, provides continuous monitoring of your cyber terrain.
Monitoring, Not Myths
Air gapping a network is a single-use solution to a complex problem. The benefits gained are outweighed by the costs to productivity, ease of use and the assumption of safety that can lead to critical cybersecurity oversights. In the end, smart companies know that they have to rely on monitoring, not myths, to ensure cybersecurity success.