How Boundary Devices Present Both Protection and Risk

Scott Walsh

|

August 20, 2024

boundary device cybersecurity tips

Year-over-year, cyber insurance claims frequency increased by 13% in 2023, and overall claims severity increased by 10%, resulting in an average loss of $100,000, according to Coalition's 2024 Cyber Claims Report. The escalating frequency and severity of cyber insurance claims underscore the imperative for businesses of all sizes and industries to take steps to safeguard their critical information from opportunistic threat actors. A good place to start is ensuring the security of any boundary devices, which businesses often rely on to protect their networks and data against cyberthreats.

Boundary devices like VPNs, firewalls and routers are vital gatekeepers of business networks, sitting between the business and the public internet and monitoring traffic flow. These devices provide organizations with several benefits, including remote work connectivity, data security, regulatory compliance and affordable security controls. For example, VPNs enable secure remote access, allowing employees to work from anywhere while ensuring data is encrypted and protected from interception. VPNs also encrypt data in transit, making it unreadable to unauthorized users. Meanwhile, firewalls act as a barrier between secure internal networks and untrusted external networks by monitoring and controlling both inbound and outbound traffic.

These devices are also usually more cost-effective than physical security measures because they leverage existing internet infrastructure to create secure private networks, optimize network performance and provide administrators with tools to manage traffic and bandwidth effectively.

Additionally, businesses in select industries may be subject to strict regulatory requirements regarding data protection and privacy, and boundary devices can help ensure compliance with these regulations by securing data and mitigating the risk of breaches. 

Boundary Device Risks

Unfortunately, the technologies that help mitigate the risk of cyberthreats are also prime targets for attacks. While boundary devices have many benefits, they come at a cost. The vulnerabilities within the devices can create gateways for threat actors to bypass authentication checks, run arbitrary code or commands, trigger denial-of-service (DoS) attacks, carry out cyber extortion or use the client network to perpetrate more attacks.

In the first quarter of 2024, new critical vulnerabilities emerged impacting VPN devices from Ivanti and Fortinet, along with previously disclosed vulnerabilities impacting SonicWall firewall devices. Zero-day vulnerabilities in boundary devices are particularly concerning because they can be exploited before developers can release a fix. These exposures could lead to unauthorized access, data breaches and service disruptions.

Meanwhile, cybercriminals are utilizing strategies such as attacking remote desktop protocol (RDP), which can be exposed through the firewall. Phishing is another challenge for firewalls. As these attacks involve tricking users into opening an email or clicking a link seemingly from a trusted source, the firewall does not reduce risk because the user is already inside the trusted network when they make the connection to the malware payload. Once this malware enters the network, the end user may be unaware.

Firewalls are only one piece of the security puzzle, but they still underscore the importance of limiting what is exposed beyond your network perimeter, as it gives adversaries more opportunity to attack the inside of your network.

Key Steps to Mitigate Boundary Device Risks

While boundary devices may ultimately get phased out and eventually move to the cloud, they remain indispensable in this remote-first world. In the meantime, the following steps can help protect your organization:

  1. Be vigilant when selecting a boundary device. As seen this year, cybercriminals target certain technologies more frequently than others. When evaluating devices, consider their vulnerability history and the vendors’ responses to previous exposures.
  2. Sign up for vendor advisories. Vendors typically publish advisories and share important information, so businesses must pay attention when they receive an alert. Ideally, businesses should sign up for these alerts at the time of device implementation, but it is never too late.
  3. Establish a regular patch cadence and be responsive. Staying informed about new vulnerabilities is only half the battle—businesses must also act quickly. Prompt patching of all software and firmware can help businesses significantly reduce the likelihood of an attack. Establishing a regular cadence is a smart risk management strategy, but businesses must also be comfortable deviating from that cadence if a critical patch is released before a scheduled update.
  4. Confirm that all boundary devices are configured properly. In addition to promptly patching technologies with known vulnerabilities, businesses can configure their boundary devices to reduce the chances of a cyberattack. This includes enabling multi-factor authentication, limiting access privileges, avoiding shared accounts, enforcing lockout policies, and providing administrators with their own accounts with privileges based on their individual responsibilities. Regularly reviewing these settings is a good practice, especially if your business has undergone a significant change.

Response Planning for a Recovery-in-Depth Approach

With bad actors leveraging organizations’ boundary devices to access internal systems, every organization needs a plan that includes reporting obligations and ensures a recovery-in-depth approach.

As part of this plan, businesses should periodically review and assess their reporting obligations to ensure all key stakeholders understand the requirements. Assigning clear responsibilities for keeping current on these obligations—such as who in the business is responsible for monitoring and maintaining the list of reporting obligations—is key to ensuring the organization is truly prepared to respond. Doing so can also empower teams during a crisis and help avoid confusion later.

There are no silver bullets in cybersecurity. When an organization’s cybersecurity measures cannot prevent threat actors from infiltrating its network, incorporating a thorough recovery approach alongside insurance coverage can help the organization return to normal business operations with minimal losses.

To implement a strong recovery-in-depth approach, organizations should take the following steps:

  1. Create an incident response plan specific to your business—and test it. It is never a bad idea to prepare for the worst. A good incident response plan will outline how your organization will respond to a breach in four key event stages: detection, analysis, recovery and post-incident. Use this opportunity to test the restoration of your backups as if you have had to rebuild a system from scratch.
  2. Collect security data to detect and respond to threats quickly. Reliable logging systems must be in place to perform proper analysis, get to the root cause of what allowed the breach, and identify what was compromised. It is impossible to retroactively collect this data, and without it, you cannot truly understand what happened.
  3. Analyze the data and build an accurate timeline of what happened. This analysis will help determine the extent of the breach, highlighting which machines host sensitive data and which need to be analyzed first to minimize loss.
  4. Take steps to recover data to resume business as normal. Everything learned through the analysis stage will enable execution of the recovery process. This often includes restoring from backups, notifying customers or stakeholders, and working with incident response firms.
  5. Reflect on lessons learned after an incident. An incident response plan should be a living document. After a cyber event, update it to better address the challenges faced during recovery.

While boundary devices provide important protections, if left unchecked, threat actors can exploit them. As an alternative approach to remote access and network security, businesses can consider the secure access service edge (SASE) model. This emerging cloud-based architecture integrates security into applications and networking functions to help businesses avoid critical vulnerabilities, especially those affecting boundary devices. SASE requires an upfront investment in time and resources, however, which not every business can afford. Organizations can also employ a more modern security solution, such as a zero-trust architecture, which has more fine-grained access controls and a better security track record.

Critical vulnerabilities and evolving cyberthreats demand businesses take a proactive approach to mitigation strategies, including vigilant device selection, timely patching and proper configuration. By prioritizing cybersecurity preparedness and resilience, organizations can navigate the complex landscape of cyberthreats with greater confidence and effectiveness.
Scott Walsh is a principal security researcher at cyber insurance firm Coalition.