In today’s complex IT environment, an abundance of legacy infrastructure combined with a lack of visibility and patching make network edge devices a major security risk. It’s therefore no surprise that compromised network edge devices have rapidly emerged as one of the biggest attack points for small and medium sized businesses.
That’s according to statistics from Sophos’ Annual Threat Report, which shows firewalls, routers, and virtual private networks (VPNs) accounted for initial compromise in nearly 30% of all incidents over the last year. VPNs were cited as the most frequently compromised, accounting for over 25% of all incidents, as well as 25% of ransomware attacks.
The large number of end-of-life (EOL) devices exposed to the internet are adding to the problem. These are often low on a firm’s patching priority list, despite the fact they are a highly effective method for infiltrating networks, according to Sophos.
It’s clear that network edge devices pose a risk, so what practical steps can businesses take to ensure they stay secure?
The major edge risks
Edge devices — including firewalls, VPNs and routers — remain among “the most exploited entry points into business networks”, particularly where firms are relying on large amounts of legacy infrastructure, says Dave McGrail, head of business consultancy at Xalient.
The ease at which network edge devices can be targeted and compromised makes them an attractive proposition for adversaries seeking a quick route into businesses. When they become neglected, they represent “low-hanging fruit” for attackers, McGrail says.
Edge devices are high value targets because they are directly exposed to the internet and easily searchable through tools such as Shodan.io, also known as “the Google for internet connected devices,” says James McQuiggan, security awareness advocate at KnowBe4.
Making things worse, many organizations are still running devices that have reached the end of their life, says McQuiggan. “That means no updates, no patches and no support. They are basically open doors as cybercriminals will store exploits of these devices, especially when they know they're almost at the end of life. Once no more updates are being released, they target those devices and leverage their exposure to gain access.”
Another challenge is, some firms are relying on default configurations or services that aren't being used, but are running in the background. “Attackers know this and they're scanning for it. Once discovered, they can exploit it to gain access without the organization being aware,” McQuiggan warns.
Securing edge devices
Securing edge devices is crucial as remote and hybrid working continues to be the norm. As VPNs and secure gateways continue to enable hybrid work and remote access, they will be targeted as “high value entry points,” says Dray Agha, senior manager of security operations at Huntress.
Taking this into account, the future of edge security will demand “deeper visibility into encrypted traffic, authentication events and access logs, along with faster detection and response to prevent attackers from using these gateways to pivot deeper into environments,” he predicts.
Yet securing network edge devices can be challenging. Even something as simple as downtime to apply patches to edge devices can be difficult, Martin Saunders, CTO of Bluefin Cyber points out. So much so it is often easier to pre-agree a regular outage window for patching, without having to consult the rest of the organization every time, he says.
Even so, there are steps you can take to ensure you are in a better position to manage the edge security risk. Visibility is key. Start by getting a complete inventory of all edge devices in your infrastructure, McQuiggan advises. “Organizations can't protect what they don't know exists.”
Getting the basics right is also important. “Quick wins” include multi-factor authentication (MFA) and patching, says Agha. “Edge devices are notoriously porous when it comes to additional security tools and solutions.”
To boost the security of network edge devices, lock down your configurations, adds McQuiggan. “Disable unused ports and services, change default credentials and use strong authentication through single sign-on, and take advantage of MFA for remote access.”
You can also decommission legacy VPNs, says McGrail. “VPNs are increasingly seen as brittle and vulnerable.”
Meanwhile, monitoring is “critical,” says McQuiggan. “Set up logging on your edge devices and integrate that data into security monitoring tools. Watch for changes in behavior or unexpected connections, as they could be early warning signs.”
Agha agrees. He also recommends “continuous security monitoring” alongside the ability to respond to and contain security threats. “As edge devices contain few security features themselves, being able to forward the logs from edge devices to a centralized, monitored location allows for detection and alerting of anomalous activities.”
Limit damage and reduce risk
There are also ways to limit the damage if you do get hit by a cyber-attack. A robust security architecture will help to reduce the impact of a compromised edge device by making it more difficult for an attacker to move around an organization’s network, Saunders says.
In addition: “Regular and lightweight external vulnerability scanning can identify the vulnerabilities associated with missing patches, misconfiguration and credential weaknesses.”
At the same time, it makes sense to reduce your exposure to risk in the first place. “Disable public-facing admin interfaces,” says McGrail. “Use zero trust network architecture (ZTNA) to enforce secure, identity-aware access, minimizing your attack surface exposure on the internet.”
It’s also a good idea to train staff on the risks network edge devices pose. As part of this, train your teams to test and review incident response plans with scenarios starting at the edge, McQuiggan advises.
Securing network edge devices can be complex, but it is possible to reduce the risk by combining policies with technology to gain visibility and limit the damage if you are hit by an attack. When buying new devices or replacing them, you should also ensure you are managing your vendors. “Select vendors with strong patch management track records, open vulnerability disclosure processes and modern security stack integrations,” says McGrail.
