Check Point Research's new data cites a 38% surge in global cyberattack trends from 2021 to 2022, leaving many organisations struggling to cope with the escalating threats. Specifically, ransomware attacks are rising (71% of organizations were compromised by ransomware in 2022). Of course, it is not possible to describe a defence strategy against these cyberattacks in a very short article, but some general rules of thumb may help a lot.
Suppose you don't know the user who will connect to your systems, e.g., you run a webshop. In that case, there is no way around hardening these systems properly, monitoring them continuously and making sure that patches and updates are always applied.
For example, you could place a dedicated access solution like G/On in front of the applications that need to be accessed. G/On has many advantages:
You reduce the attack surface by reducing the number of entrance points to your network. Instead of hardening each server, there are only the G/On Gateway Servers to monitor.
The G/On Gateways only talk to known clients and automatically disconnect all other sessions. Attackers scanning for connections are blocked and logged automatically, which effectively means that there is no service disruption, there is a log of the connection attempt and, most importantly, no vulnerabilities of the internal systems are exposed. The internal network is not exposed because G/On is a zero trust solution.
Additionally, G/On uses a communication protocol that is slightly offset from regular TLS communication, making it harder for attackers to understand what is going on. This may not be seen as a security feature per se (no security through obscurity). Still, it certainly helps against automated attacks by so-called initial access brokers (the people who scan the internet to find weak spots in computer networks, like the Log4j vulnerability).
Because of the above, G/On remains secure even if the Gateways are listening on the normal TCP ports that are under permanent attack. But because G/On controls both the Gateway servers and the (mobile) client used on the endpoint, it can redirect all traffic over proprietary ports, usually high ports. This way, the G/On Gateway servers will probably never be found by an automated attack; only the activity of targeted attacks will be seen, and that activity is blocked and logged. Although this may not be seen as a security feature either, it helps reduce automated attacks to almost zero, which is an extremely good thing when protecting against cyber attacks.
Being a zero trust solution, G/On can use different authentication methods to provide access to different applications simultaneously. It is, for instance, possible to use username/password login for a specific application, to use username/password plus the one-time passcode of an authenticator app for another user group and/or application, and to require a smart card for the highest security level. Finally, if required, it is possible to ask the user to boot the computer in a known state, using the G/On OS, for even more security.
But even with a zero trust remote access solution like G/On, the network remains behind the Gateway server. It is no longer best practice to have multiple clients and servers residing in the same network, because attackers will always attempt to find a weak spot and misuse it to reach other systems. It is best to apply network segmentation behind the G/On Gateway Servers to reduce risks further.
If some users access networks directly (i.e. not through G/On but by wire, wireless, or VPN), it is probably wise to implement Network Access Control (NAC). In its simplest form, NAC can already be implemented by placing client systems in network segments based on MAC address recognition. Still, the power of the solution only becomes visible when certificates are used: not only to protect the network from unauthorised access, but also to make it easier to segment the network into smaller pieces, limiting the consequences of a possible attack.
Like to know more? Take a look at Next-Generation Access Control: Leveraging ZTNA and Flexible Authentication for Enhanced Security.
Originally published 16th December 2021, updated 3rd February 2023 for relevancy