The Juniper issue that Administrative Access (CVE-2015-7755) allows unauthorized remote administrative access to the device. Péter Gyöngyösi, product manager of blindspotter at Balabit have the following comments on it.
[su_note note_color=”#ffffcc” text_color=”#00000″]Péter Gyöngyösi, Product Manager of Blindspotter, Balabit :
The recent news of the backdoor inserted into the authentication methods of certain Juniper devices once again highlights the importance of a multi-layered, defense-in-depth approach to security. Software running on hundreds of thousands of appliances will always be an attractive target to attackers: if you manage to insert a backdoor unnoticed, you are gaining access to a large number of devices worldwide. Even though we rarely hear of such large scale, high-profile cases like this one, it’d be foolish to think no adversary ever tried a similar approach or that none of them succeeded. This simple thruth is that to truly protect your infrastructure, you must not rely on a single line of defense.
The most important building block of a multi-layered security infrastructure is reliable log management. One of the easiest way to detect logins using this particular Juniper backdoor is to take a look at the logs: when the attacker logs in, the log message is different from a normal login and says that the “system” user logged in. The attacker, gaining top-level access to the system, could remove their traces from the logs, however, if proper log management is set up, those log messages are immediately sent to an independently controlled, central log management infrastructure, making it impossible for the attacker to hide their doings. Building a tamper-proof, zero-message-loss log repository can really help the real-time analysis and forensics work done in any security team.
Having an independent layer of authentication in the form of Identity & Access Management (IAM) tools in front of these devices is not only useful for operational reasons, to make granting and revoking access easier. In most configurations, users working in an environment where IAM tools are deployed no longer authenticate on the target systems directly, making it much more difficult for the attacker to exploit such vulnerabilities. Privileged users’ activities can be monitored through the administrative protocols such as SSH, RDP, VNC, Citrix ICA, Telnet and others. In case of detecting a suspicious user activity (for example entering a destuctive command, such as the “delete”), Privileged User Management tools can send an alert or immediately terminate the connection.
Of course, basic log analysis only helps if we know what to look for and there are attacks and potential backdoors that an independent authentication layer won’t protect against. A good security system also finds the “unknown unknowns”, things that noone expects: and that’s exactly what makes them interesting. By analyzing the normal, business-as-usual behavior of administrators working with these devices it becomes possible to identify malicious access as those will most certainly be anomalies. An attacker comes from different network segments, works differently, acts differently from the legitimate users. The power of big data analytics, for instance, User Behavior Analytics tools, can help companies find such outliers and find attackers even if they manage to infiltrate their perimeters through a backdoor or a 0-day vulnerability.[/su_note]
[su_box title=”About BalaBit” style=”noise” box_color=”#336588″]Balabit – headquartered in Luxembourg – is a leading provider of contextual security technologies with the mission of preventing data breaches without constraining business. Balabit operates globally through a network of local offices across the United States and Europe together with partners.
Balabit’s Contextual Security Intelligence™ Suite protects organizations in real-time from threats posed by the misuse of high risk and privileged accounts. Solutions include reliable system and application Log Management with context enriched data ingestion, Privileged User Monitoring and User Behaviour Analytics. Together they can identify unusual user activities and provide deep visibility into potential threats. Working in conjunction with existing control-based strategies Balabit enables a flexible and people-centric approach to improve security without adding additional barriers to business practices.
Founded in 2000 Balabit has a proven track record including 23 Fortune 100 customers amongst over 1,000,000 corporate users worldwide.[/su_box]
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.