In last week’s article, I spent some time discussing the disadvantages of penetration testing. The main limiting factor for every red team is the client’s engagement policy. Usually, it is not comparable to a real-life attack. However, at the same time, some of the latest developments in the field are pretty disturbing and could be used by hackers for malicious activities.
One such gadget manufactured by Hak5 looks like an ordinary USB charging/data cable, but it comes equipped with the latest keylogging capabilities. Additionally, the cable supports the following features – Keystroke Injection with DuckyScript™, Keylogging (650,000 key storage), USB-C Smartphone & Tablet Keystroke Injection, Remote Access by WiFi, Customizable Self-Destruct, Multiple storage slots for large payloads, On-Boot payloads, Remote Trigger by WiFi (Geofencing), Long Range WiFi Trigger (2 KM+), Control from any Web Browser and Scriptable WebSocket. In short, that cable is a fully working micro-computer with remote access capabilities for loading payloads and executing them without the victim’s knowledge. As a bonus, it looks exactly like the standard USB to USB-C cable. They either offer versions for Macs.
A creative attacker can think of many uses of these cables. For example, they could ask you to lend them your cable and switch it with the malicious one. They can break into your home/office and swap the cables. They can load the whole supply of a computer shop with these cables and sell you one. The options are almost limitless. With that gadget, you virtually can not trust any cable or flash drive you buy from your hardware equipment supplier, neither your friends nor your family’s equipment.
On the diagram, you can see a sample diagram of how the cable works. It simply cheats the computer using it that it is an ordinary cable. Meanwhile, the hacker sends the payload using Wi-Fi and activates it
We could imagine that the next step for companies such as Hak5 is to embed a fully blown ADB build into the cable and enable remote penetration attacks versus smartphone devices. Such cable will be quite an exciting gadget and could encourage even more attack scenarios.
I have wondered why such equipment is not treated the same way as weapons for a long time. The relative easiness of manufacture and use of such gadgets make them more and more dangerous. Without regulations or even government-based permissions, more and more people will have access to them. What is the guarantee that they will not end in the hands of black hat hackers or criminals? Not to mention that every white or gray hat hacker could potentially go rogue and become a black one. What is the guarantee that such gadgets will not be used for malicious purposes even by licensed professionals?
In conclusion, penetration testing’s land space has become more and more concerning. Without a good set of regulations, we could soon see many people using military-grade hacking gadgets, turning the defensive part of cybersecurity into a terrible nightmare. In any case, many defenders will not be fascinated by the idea of wrapping their USB cables and flash drives with aluminum tape[1] every time they buy new hardware. Sure, it is a cheap way of blocking radio waves, but the aesthetics will not be on a high level.
Red team exercises and penetration testing became our new reality. Especially with COVID-19 and the additional boost to digital transformation, we are more and more digitally dependant. Many countries have started legally enforcing business and governmental organizations to ensure better their cyber security defenses. And the best way to do that is to have regular penetration testing drills once or twice per year.
However, we should ask ourselves how effective is this practice and whether it provides a good level of security for our data and assets. To do that, let’s analyze what the usual workflow of doing a penetration test is. Every engagement in cybersecurity starts with a legal contract, which defines the rules of engagement. In this legal contract, the defending side, the client, negotiates the regulations with the attacking side, aka the penetration testing company. In the case of 3rd party requirements such as governmental and corporation integrations, the rules are defined by the 3rd party. They can even give you a list of “trusted” penetration testing companies from which you have to choose. For example, when we had to do a security audit for Google and Microsoft to allow our integrations, they provided the list of auditing partners we had to use.
On the diagram, you can see a standard Red Team drill workflow. The rules are usually not set by the attacking team
And here is one of the main problems with penetration testing – there are rules of engagement. In the Real Word scenario, there is no such thing as a set of rules. The dedicated attacker can do whatever is necessary to penetrate your defenses, and he/she will not abide by the law. Comparison to conventional military drills is not practical but could even be harmful to your team’s attitude. It is much better to compare the attacker modus operandi to what guerilla fighters do, such as asymmetric warfare, without rules, requirements, etc. Attackers will do what is necessary to penetrate you no more or less.
The second problem with penetration tests is that the attacking team usually has limited time to penetrate your organization. The whole economy around red teaming is based on projects between two weeks and two months long. After that, the attacking team must go to the next assignment. In comparison, real-world hacker teams are usually part of criminal syndicates, and these criminal syndicates have other sources of income such as human trafficking, prostitution, drugs, and weapons. They can happily try to hack one organization for a year or more, especially if it is a big enough target.
And last, but not least – different motivation. In the red team case, the motivation is to abide by a requirement or by law. It means that the penetration team will ensure that the system passes the requirements and rarely will do more. When we speak about real hacker groups, usually we have a pretty limited set of motivation types – money and personal vendetta. Both of these are much higher on the motivation scale than a simple requirement fulfillment.
In conclusion, penetration testing is a helpful activity; however, it is not a panacea. The results coming from it gives a piece of information for your organization’s current cybersecurity state. Unfortunately, the limited scope of every penetration test will not give you a 100% guarantee that attackers can not destroy your defenses. It is much better to treat the red teaming as part of our cybersecurity strategy and valuable security tools.
So, let me go back to cybersecurity. Sorry for the long, boring mathematical-based explanation in the last part, but if one wants to use a given tool, he/she must understand how it works and, more essentially, its limits. And I shall give you my list of concerns why believing in the current cybersecurity hype can be dangerous for you and your organization:
We must not compare a Machine Learning model to the human brain: We have no idea how the human brain works, and more especially how ideas creation and generalization work. Additionally, the pure power consumption of a machine learning model is times bigger than a human brain. Sure it is faster but much more expensive. The average power consumption of a typical adult is 100 Watts, and the brain consumes 20% of this, making the brain’s power consumption around 20 W. For comparison, Google’s DeepMind project uses a whole data center to achieve the same result, which a two-year-old kid does with 20 W.
On the diagram, you can see what kind of problems Machine Learning algorithms can solve in the cybersecurity field. All of the activities listed in the last row are some form of categorization used for detection. No prevention is mentioned.
Machine learning is weak in generalization: The primary purpose of polynomial generation is to solve the so-named categorization problem. We have a set of objects with characteristics, and we want to put them in different categories. Machine learning is good at that. However, if we add a new category or dramatically change the set of objects, it fails miserably. In comparison, the human brain is excellent in generalization or, in social words – improvisation. If we transfer this to cybersecurity – ML is good in detection, but weak in prevention.
Machine Learning offers nothing new in Cybersecurity: For a long time, antivirus and anti-spam software have used rule engines to categorize whether the incoming file or email is malicious or not. Essentially, this method is just a simple categorization, where we mark the incoming data as harmful or not. All of the currently advertised AI-based cybersecurity platforms do that – instead of making the rule engine manually, they use Machine Learning to train their detection abilities.
In conclusion, cybersecurity Machine Learning models are good in detection but not in prevention. Marketing them as the panacea for all your cybersecurity problems could be harmful for organizations. A much better presentation of these methods is to call them another tool in the cybersecurity suite and use them appropriately. A good cybersecurity awareness course will undoubtedly increase your chances of prevention rather than the current level of Artificial Intelligence systems.
Lately, we see a trend in cybersecurity solutions advertising themselves as Artificial Intelligence systems, and they claim to detect and prevent your organization from cyber threats. Many people do not understand what stands behind modern Machine Learning methods and problems they can solve. And more importantly, that these methods do not provide a full range of tools to achieve the wet dream of every Machine Learning specialist – aka general Artificial Intelligence or, in other words – a perfect copy of the human brain.
But how Machine Learning works? Essentially, almost every algorithm in Machine Learning uses the following paradigms. First, we have a set of data, which we call training data. We divide this data into input and output data. The input data is the data our Machine Learning model will use to generate an output. We compare this generated output with the output of the training data and decide whether this result is good. During my learnings in Machine Learning, I was amazed how many training materials could not explain how we create these models. Many authors just started giving the readers mathematical formulas and even highly complex explanations comparing the models to the human brain. In this article, I am trying to provide a simple high-level description of how they work.
On the diagram you can see a standard Deep Learning Machine Learning model. The Conv/Relu and SoftMax parts are actually polynomials sending data from one algebraic space to another
So how do these Machine Learning algorithms do their job? A powerful mathematics branch is learning the properties of algebraic structures (in my university, it was called Abstract Algebra). The whole idea behind this branch is to define algebraic vector spaces, study their properties, and define operations over the created algebraic space. But let’s go back to Machine Learning, essentially our training data represents an algebraic space, and our input and output data is a set of vectors in that space. Luckily, some algebraic spaces can perform the standard polynomial operations, and we even can generate a polynomial rendering the input and output data. And voila, a Machine Learning model is, in many cases, a generated polynomial, which by given input data produces an output data similar to what we expect.
The modern Deep Learning approach is using a heavily modified version of this idea. In addition, it tries to train its models using mathematical analysis over the generated polynomial and, more essentially, its first derivative. And this method is not new. The only reason it has raised its usage lately is that NVidia managed to expose its GPU API to the host system via CUDA and make matrices calculation way faster than on the standard CPUs. And yeah, the definition of a matrix is a set of vectors. Surprisingly, the list of operations supported by a modern GPU is the same set used in Abstract Algebra.
In the next part, we shall discuss how these methods are used in Cybersecurity.
Now, as we can see, attackers can penetrate all of the hardware network devices we reviewed. How easily it depends on how do you set up your cybersecurity and patch policy.
It is clear that despite your best effort, you must not blindly trust your routers and switches. Lack of trust is precisely the paradigm behind the zero trust model. At the same time, to make attackers’ life harder, it is important to mention three types of defensive cybersecurity tools, which can help you increase your defenses and trust in your local network.
Until the end of this article, I shall describe them. As a final, I shall give a sample budget for both router and switch devices. Both of them will use open-source software. Usually, they receive software updates quite often and can offer your a good level of security.
Firewalls
A firewall is a network security service that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.
Firewalls have been the first line of defense in network security for over 25 years. They establish a barrier between secured and controlled internal networks that you can trust and untrusted outside networks, such as the Internet.
Usually, in the case of home networks, this service is deployed in your hardware router. The last sentence means that the attacker will expose your entire local network to the Internet in case of router penetration.
Intrusion Detection/Prevention
An intrusion prevention system (IPS) is a form of network security that detects and prevents identified threats. Intrusion prevention systems continuously monitor your network, looking for possible malicious incidents and capturing information about them. The IPS reports these events to system administrators and takes preventative action, such as closing access points and configuring firewalls to prevent future attacks.
An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or breach is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources and uses alarm filtering techniques to distinguish malicious activity from false alarms.
At home routers, intrusion prevention systems can be deployed on the router device and inspect all the incoming network packets from the Internet. On the other hand, an intrusion detection system is deployed on all the hardware devices connected to your local network. In simpler words, prevention systems monitor your incoming traffic, and detection systems monitor your local network for anomalies.
On the diagram, you can see a standard SIEM system. The idea of the system is to aggregate all of your logs and data and offer analytics to your security engineers
Group Policy
Group Policies, in part, control what users can and cannot do on a computer system. For example, a Group Policy can enforce a password complexity policy that prevents users from choosing an overly simple password. Other examples include allowing or preventing unidentified users from remote computers to connect to a network share or block/restrict specific folders. A set of such configurations is called a Group Policy Object (GPO).
Now, group policies can be a powerful instrument for system administrators to define how the organization computers act to different security threats. Unfortunately, Group Policy settings are enforced voluntarily by the targeted applications. In many cases, this merely consists of disabling the user interface for a particular function of accessing it. Alternatively, a malicious user can modify or interfere with the application to not successfully read its Group Policy settings, thus enforcing potentially lower security defaults or even returning arbitrary values.
For home-based local networks, the usage of group policies is usually limited. Still, I would advise system administrators of small teams to think carefully, how to add group policies to their remote office deployments. In combination with VPN, Group Policies can add much value to your cybersecurity workflow.
Budget
As I promised at the beginning of this series, I shall give a sample security budget for every topic we discuss. Again I will tailor the budget to small teams with an underfunded budget for cybersecurity defenses.
Router (180$): I would go for Pfsense or IPFire based hardware appliances. Both provide reasonable protections, even though the first is based on FreeBSD and the second is a Linux distribution. Both have state-of-the-art firewalls, and both support Snort and Suricata, which are the best intrusion prevention systems. Additionally, they have Syslog support so that the router can become a part of an intrusion detection system.
Switch (150$): SwitchBlox Rugged is a good option here. It is a little bit more expensive than the standard network switches. However, it comes with an open-source networking operating system and can work in harsh environments. Two switches can be stacked together.
SIEM System (0$): MozDef is a SIEM system developed by Mozilla. It is open-source and supports all the necessary features for SIEM systems.
Group Policy Server (150$): We can order PC Engine’s apu4d4 unit and install on top of it Univention Corporate Server. With it, we can create policies for Ubuntu and Windows-based computers.
With a total budget of around 480$, we achieved a pretty good level of security. Still, a determined attacker can penetrate this setup, but it will take him more time and resources. The switch is optional, but it will help if you want improved security and choose to have a WiFi network for guests only.
In conclusion, setting up a network perimeter can be done effectively on a budget. Still, it is essential to note that the budget does not include the human hours needed to set up the equipment and your local network.
One of the biggest cybersecurity threats for companies is internal attacks. To function correctly, companies need trust. You could have the best access control level system in the World, but this will not help you if your system administrator is compromised. Yes, multi-factor authentication and secret key split algorithms can help you mitigate part of these threats. However, they are not widely used. Most SMEs do not have the resources and knowledge to implement a proper access control system and thus are pretty vulnerable to inside attacks.
On the diagram, you can see the different use cases companies can use cryptography. Modern access control frameworks use cryptography heavily to ensure access to data is more restricted than ever.
Following are some of the internal security attack vectors through which attackers can gain access to information;
Information leakage: One of the most common and frequently used methods by cyber attackers is a simple leakage of information. Or, in other words, industrial espionage. Many employees could use this approach to avenge themselves.
Illegal activities: A company must be aware of any illegal activities going in their system. Some organization members could use this approach to frame the company or use it as a proxy when hacking.
Downloading malicious internet content: Most of the time, employees do not intentionally download malicious content; however, this happens. In both cases, a proper access control mechanism will mitigate or at least reduce the damage.
Social engineering: One of the most common ways for attackers to gain access to a network is by exploiting the trusting nature of the company’s employees. An information awareness course could quickly mitigate this attack.
Malicious cyberattacks: Technically proficient employees can use their system access to open back doors into computer systems or leave programs on the network to steal information and wreak havoc. The best protection against this sort of attack is monitoring employees closely and being alert for disgruntled employees who might abuse their positions. In addition, experts advise immediately canceling network access and passwords when employees leave the company to avoid remote access to the network in the future.
In conclusion, unfortunately, because of the enormous rift in the trust between employees and employers, internal attacks can become the new trend. Companies must be aware of that and do their best to implement proper access control systems. Access to resources must be given appropriately and audited for every organization member, no matter whether CEO or a utility person.
Tracking hackers is not a fast and straightforward activity these days. Yes, most governments’ monitoring and data analytics capabilities are indeed becoming better and better. However, the privacy tools are becoming better and better, as well. There is a constant debate whether people must give more of their online privacy for safety. On the other side giving more power to centralized authorities can lead to dystopian states and not functional societies.
One scientific branch helping the governments to catch cybercriminals is cyber criminology. As a discipline, cyber criminology encompasses a multidisciplinary field of inquiry – criminology, sociology, psychology, victimology, information technology, and computer/internet sciences. But in short, its primary goal is to standardize the way we catch cybercriminals. As we can see, most of these disciplines are coming from the social criminology world, and they are primarily used to make a psychological profile of the attacker. On the other side, the technical aspects are crucial if we want to catch the hacker and how he/she managed to hack the system. Without cyber forensics and, most notably, computer science, we don’t have a proper way to understand what happened and how to catch hackers.
One of the main ways to hit criminal organizations properly is to target and track their infrastructure. Without a decent infrastructure, one can not do much in cyberspace. Sure, a hacker attack can steal a lot of data and create havoc, but they need computers, servers, and other equipment for all of this. The stolen data must be stored somewhere, analyzed, and eventually used for blackmail or released to the public. Like cloud providers, hackers need backup and retention plans for the stolen data, and nothing is for free.
One interesting case for such infrastructure is a former NATO bunker used to host Dark Net websites. The German police stormed the place allegedly used to host websites offering drugs, child pornography, and devices to breach computers. Over 600 police personnel were involved in the raid on what they termed a “cyber bunker data center” in the western German city of Traben-Trarbach. Seven people were arrested, with 13 more sought, although none were taken into custody at the site. The arrests occurred at a local restaurant and in the town of Schwalbach, near Frankfurt. Other raids co-occurred in Poland, the Netherlands, and Luxembourg.
This case is quite interesting because cybercriminals usually do not have so many resources to create a whole data center. Hacking has an asymmetric nature, and most of the time, attackers have fewer resources than the defenders. And these smaller criminal cells are targeting SMEs. In that case, a significant criminal group, most probably part of the mafia, owned a whole data center.
You can see how a standard privacy-oriented user would store their data in the cloud on the diagram. Criminals use the same techniques to ensure everything stored in the cloud is adequately encrypted and hard to track
In conclusion, we should track and hit cybercriminals by finding their data infrastructure and destroy it. Acquiring infrastructure is one of the most expensive parts of a hacker operation. It can take months to years to accumulate it. And here comes the cyber criminology value. We can use this interdisciplinary field to find where the infrastructure is located and destroy it.
In this series of articles, we shall discuss one of my old projects. During that time, I had a consulting company working in IT, and this project was part of my initial steps in cybersecurity. The project started around the middle of 2015 and ceased to exist at the end of 2016. It is in body cameras, and actually, it was a competition to systems such as Axon Body 3 camera. During the lifecycle of this project, Axon cameras did not support LTE-based streaming.
The team around the project and I managed to produce a working prototype of the system, and in this series, I shall present to you how we implemented the prototype. At the end of the articles, I shall show you the actual budget for doing this prototype and analyze why it was unsuccessful.
The topic of this part will be an analysis of the advantages and disadvantages of the current video streaming network protocols. We shall start with the standard video streaming protocols, and at the end of the article, we shall discuss our modified, more secure protocol.
There are multiple different protocols for video streaming. Part of them do not support encryption, and we shall focus ourselves on those which support it.
RTMPe
Real-Time Messaging Protocol or RTMP is used to stream multimedia data – audio and video – between Flash Media Server and Flash Player. The chief utility of the RTMP stream is in the optimization of the audio and video data transfer between the server and player.
Encrypted RTMP (RTMPE) wraps the RTMP stream session in a lightweight encryption layer. Through Encrypted RTMPE, the streaming protocol provides low-level stream encryptions for high-traffic sites. RTMPE uses the Anonymous Diffie-Hellman key exchange method. In this algorithm, two parties – the media server and the flash player – establish a shared secret key over an insecure channel.
The standard RMTP protocol uses TCP, and RTPMe uses an encryption model based on a shared secret.
HTTP Live Streaming Encryption Methods
While the HLS supports AES-128 encryption, there are two different ways to implement the standard in practice.
Broadcasters can use one key to encrypt the entire video stream, but that also means the whole stream is unprotected if an unauthorized third party intercepts the secret key.
Alternatively, each segment of a stream can be encrypted with a different key. That way, users can access only a few seconds of video with each specific key. Broadcasters might choose this method if the video content their sharing is highly sensitive.
As it comes from its name, HTTP Streaming uses HTTP to resemble MPEG-DASH. It works by breaking the overall stream into a sequence of small HTTP-based file downloads, each downloading one short chunk of a broad, potentially unbounded transport stream. A list of available streams, encoded at different bit rates, is sent to the client using an extended M3U playlist. HTTP is a TCP-based protocol, as well.
MPEG DASH Encryption
Dynamic Adaptive Streaming over HTTP (DASH), also known as MPEG-DASH, is an adaptive bitrate streaming technique that enables high-quality streaming of media content over the Internet delivered from conventional HTTP web servers. Similar to Apple’s HTTP Live Streaming (HLS) solution, MPEG-DASH works by breaking the content into a sequence of small segments, which are served over HTTP. Each piece contains a short interval of playback time of content that is potentially many hours in duration, such as a movie or the live broadcast of a sports event.
MPEG DASH supports a Common Encryption mode (CENC), which Bento4 implements. Encrypted MPEG DASH presentations should also include the proper signaling in the MPD to inform the player of what DRM(s) can be used to obtain the decryption keys for the streams. An MPD can contain DRM signaling for several DRMs (either just one or multiple entries if the same stream can reach players with different DRM technologies).
Again MPEG Dash is based on HTTP, aka TCP. In that case, DRM encryption is usually based on a public, private key encryption scheme.
On the diagram, you can see a standard AVI container. The video data objects are x264/h264 frames, which most of the streaming protocols encrypt, encode, and stream.
Our Modified Streaming Protocol
As you can see from the upper paragraphs, every standard encryption protocol was designed to stream data from a centralized server to a list of devices. Most of them use the traditional HTTP delivery networks to speed up their streaming. In our case, we had an entirely different problem. We had to stream encrypted content from multiple body cameras to a centralized server and, after that, restream the video from the server to a web browser-based dashboard. LTE networks can be quite fast when you have proper coverage, but when your signal drops, your network speed drops significantly, as well. So we decided to design our video streaming protocol, and I shall list our requirements:
Based on UDP: Sending TCP data through LTE can hurt your performance a lot. That’s the reason we decided to establish our protocol on UDP and to implement packet control.
Based on X264: X264 is an open-source implementation of the H.264 protocol. It is already implemented in most Android devices and is supported natively. The encoding rate is reasonable.
Codec agnostic: In the future, we wanted to support H.265 and its open-source implementation. Thus the protocol had to be code agnostic.
To use hybrid encryption: Most of the listed protocols do not use a hybrid encryption approach. We wanted our protocol to have better authentication and encryption mechanism, and that’s why we decided to use hybrid-based encryption on top of RSA and AES-GCM. We changed the keyphrase and IV for AES on every packet frame sent to implement the encryption correctly.
Binary-based: Keeping in mind that LTE is usually sold using monthly plans. These plans are generally only a couple of gigabytes. So we ended up making a binary-based protocol. Any other protocols, and especially the semantic-based ones, would result in more significant data consumption.
Adaptive Bitrate: The LTE network bandwidth depends on how strong a radio signal your device has. The weaker the signal, the lower the bandwidth. We had to implement an adaptive bitrate strategy, which lowered the resolution in a weaker signal. This way, you could receive frames no matter how strong is your LTE cell signal.
Our proof of concept implementation managed to fulfill these requirements. The finished network protocol was fast enough and binary compatible. It supported adaptive bitrate and was code agnostic.
On the diagram, you can see a sample datagram of this protocol. The MTU was 1500 bytes to support all kinds of equipment, but not only with jumbo frames.
We used an UUIDv4 and RSA signature for authentication purposes. After that, you have multiple fields as a counter in the index, date, packet size, and an array of bytes. The implementation stripped down an h.264 frame to multiple UDP packets and sent them together. The server combined them back to the h.264 packet and appended them to corresponding files.
We saw that it is better to have adaptive logic on the codec level during our tests for the protocol. For example, a simple JPEG stream was much better when the signal was weaker.
In the next part, we shall discuss how we created our body camera device and its software. We shall discuss our streaming server implementation in the final third part, give you a budget, and explain why the whole business model did not work as expected.
After we finished our two pieces for physical cybersecurity in this and the next one, we shall discuss how to defend your computer network. For a long time, I wondered whether to start with computer and mobile phone devices security first or start with the network security perimeter. In the end, I decided to follow the standard technical approach a computer hacker will use to penetrate your defenses – intelligence recon, network penetration, and finally, device exploits. In social engineering, the hacker will skip network penetration and directly exploit your devices.
So network security, here we go.
Computer network protocol design is not with security and privacy in mind. After decades of cybercrimes and research on how to stop them, we finally have a solution for these problems. The zero-trust security model is almost 12 years old, with Google using it since 2009. However, despite the good news, the model has its use mainly in big corporates so far. I firmly believe that small organizations and teams can use this model or parts of it.
But what is the idea of this approach? It is not something new – you have to understand that you can not trust any data in transit, including your own smartphone or laptop apps. Zero trust dictates that the whole network or application path between your application and the server could be malicious, including all the hardware devices along this path – network routers, switches, servers, laptops, and smartphones.
Still, despite the zero-trust paradigm, I think that people must make sure that the hardware devices under their control are as secure and patched as possible. I market this work approach because the more layers of security you have, the harder it will be for an attacker to penetrate you. Or in short, zero trust does not invalidate other security practices. It just adds new tools to your defensive cybersecurity toolset.
So let’s start with the different network devices and their attack vectors:
Routers
So what is a router? A router’s standard definition is a hardware device, which connects different computer networks and forward packets between them. In the case of your home or office router, this is your home/office network and the Internet. Every network packet going to or from the Internet comes and goes through this router.
In terms of network security, routers are your first line of protection versus network penetration attempts. Or, in simple words, they are your cyber gateway to cyberspace. Additionally, they offer a different range of services regarding your protection. Such services are Firewalls, Intrusion detection systems, NAT service, Syslog server, and many more.
It is essential to treat your router as a highly specialized computer system. As a computer system, it inherits some of the security problems your personal computer has. Let me list the different attack vectors, which an attacker can use to penetrate your router.
On the diagram, you can see a standard small office deployment. Both of the firewalls are connected in CARP mode, and they become a virtual router. Usually, every firewall is deployed on a standalone hardware device.
Misconfiguration: Sometimes, routers not come with the best configuration in terms of cybersecurity. For example, enabled remote access functionality can be pretty helpful for system administrators, but at the same time, it exposes your router to attackers.
Outdated software: Usually, home routers run on quite obsolete software. It is rare, a home user to upgrade the software version of their router. Unfortunately, this leads to systems without proper security patches and gives the attackers an excellent opportunity for hacking the router.
Exposed services: Most of the modern routers support additional services such as VPN and IPSec servers. It is essential to understand that every exposed service can be an attack vector for our attacker. In the case of VPN, this is usually not true, but there are exceptions.
Switches
Next in line is the network switch. By definition, a network switch is a network device, which connects different network devices into a local computer network by using packet switching to forward and receive data to the destination device. The network switch learns the identities of connected devices and then only delivers data to the port connected to the device to which it is addressed.
In other words, think about the router device as a controller of the local network and about the switch device as an intelligent extender of a local network segment. Still, every switch is a highly specialized computer system, and it inherits the cybersecurity problems other computer systems have. Let me list them.
Most modern companies use cloud providers for their services and do not waste their time deploying hardware. However, the bigger your become, the more hardware you have to set up because it becomes cheaper for you. However, the same principles for cybersecurity apply both to your home office and a multi-national corporation.
Network Flood: A malicious actor can try flooding the local network with packets and making it not responsible. Usually, this happens with older switches. Most of the modern ones have protection in place.
VLAN sniffing: Most modern switches support network isolation by tagging the packets. This way, different computers in your local networks can not listen to packets living in other virtual networks. Still, if the switch tagging the packets got penetrated, the attacker can listen to all network packets.
Remote Access: Newer and more expensive network switches have an entire operating system built inside. It supports remote access features for system administrators and many more. Still, the more one device is intelligent, the bigger the attack surface it has.
We have a pretty big problem with our technology power consumption. On average, a server uses between 400 Wh and 900 Wh. By official sources, different vendors sold almost 100 million units for the period between 2010 and 2020. And ten years is the average lifecycle for a server. So, at the moment, we can calculate that to have running just the server part of the Internet, we must generate 50 GWh. And most of this power is coming from traditional power sources, which can be a target of a cyber attack, as we saw from the Colonial Pipe case.
According to another official source, the Internet has around 5 billion daily active users. On average, every user will have at least one personal computer and a smartphone. For every four people, we have one network router. For every twenty users, we will have a network switch provided by their service provider.
An average consumption per hour for a personal computer is around 200 Wh, for a smartphone is 1 Wh, for network switch and routers are 10 Wh. Now, this makes an additional 1000 GWh + 5 GWh + 100 GWh. Servers, network equipment, and smartphones work 24 hours, and users usually browse around for 6 hours on average, making a total of 9720 GWd or 405 GWh.
So the average consumption of the Internet is around 405 GWh. Just for comparison – one nuclear power plant can produce 1 GWh. So we need the equivalent of 405 nuclear power plants to keep everyone online.
On the diagram, you can see a standard solar-powered security system. The solar panel is sending data to the charge controller, which decides whether to charge the battery or not. The inverter chooses whether to use solar power or the standard grid and finally, the security system is powered.
There are two leading solar solutions for commercial use at the moment. The first option is the standard solar panel. The average production of such solar panels is 320 Wh. To cover the needs of the Internet using only solar panels, we shall need 1.3 billion of these solar panels placed around the World. The second option is solar power towers. The main idea of solar power towers is to establish many digitally controlled mirrors, reflecting its rays into a tower full of salt depending on the Sun location. When the salt is molted, it is combined with water, evaporating to a turbine. The most significant such installation is Ivanpah Solar Power Facility, with a production capacity of 392 MWh. To cover the needs of the Internet, we shall need around 1,000 such structures.
However, to build a solar-based solution, we must consider the following problem: there are only around 12 hours of daylight in most locations. There are two mitigations of this problem – the first is to double the number of installations and make sure they cover the 24 hours interval for everyone by strategical placement. The second is to double the number of structures and install batteries to preserve the generated energy for night use.
Our first mitigation creates an interesting geopolitical situation with a large number of dependencies. For the second mitigation, let’s calculate how many batteries we need to preserve the energy for night use. 405 GWh multiplied by 12 hours make around 5000 GWn. A standard Tesla Powerwall unit can store 13.5 kWh. We shall need approximately 370 million units to preserve the energy during the night.
In conclusion, solar power can be an exciting alternative to traditional power sources. In terms of cybersecurity, it could make your network and even alarm system not so dependent on power coming from the grid. The standard way of having a backup is to have a petrol-based generator unit. However, you must fill a generator with petrol, which means that the system is not 100% independent. It is essential to know that the solar power alternative can give an extended backup period, but it will come with a higher price, more complex setup, more expensive support, etc. However, it can offer quite a good way of making your security more robust.
