Information System security: understanding the issue of exposure
One of the weaknesses of TCP/IP is still not solved today: the exposure of services.
If there is a network and security issue as old as the Internet, it is certainly the issue of service exposure. The internet network allows anyone to make services accessible through two pieces of information: an IP address, usually encoded on 4 bytes, and a port encoded on 2 bytes. Most of the time, knowledge of this information is sufficient to establish a connection with the associated application, regardless of the user's profile, whether legitimate or an attacker.
By delving a little deeper, one realizes that it is the cause of the majority of intrusions within information systems.
Let's take a closer look at a mechanism that is ubiquitous on the Internet and within private networks.
The origin of the problem: TCP/IP
When Arpanet, the ancestor of the Internet, was designed in the 1960s, it was a trusted network intended for universities, research and development laboratories, and businesses. The US military also used it.
In 1974, the TCP and IP protocols were invented to standardize the network and are still used today. These protocols were designed in a very different era and context than what we know today: there were no cyber threats yet, and the network was not very extensive.
This is an understatement when you consider that almost an exhaustive map of the Internet could fit on an A4 sheet of paper at the time.
One of the characteristics of TCP/IP is, on the one hand, to provide the possibility of routing packets through the network to a destination machine (the IP protocol takes care of this via the IP address), and on the other hand, to address the appropriate application carried by the machine (TCP takes care of this via the port number).
The basis is established: a network application is addressable through the [IP address and port] combo. Another important characteristic stems from this operation: the application (also known as a service) made accessible through the network is "listening" and accepts connections from clients. Therefore, the server application is in a "passive" state, while the client is "active": it initiates connections to the server, and the server accepts the connection.
Possible authentication methods are essentially carried out by the application and called once the connection is established. In the 1980s, the first firewalls appeared to add segmentation principles within networks based on this model.
Why is this a problem?
While TCP/IP brings indispensable properties for intensive network usage (notably in terms of reliability through the transmission control system or performance with congestion control), some of its characteristics facilitate compromises. One of them is, in fact, widely exploited by attackers and is central in the discovery phase that precedes the majority of attacks.
The network is easy to map
Anyone who has done a bit of pentesting knows how easy the discovery phase is. Whether it's external or internal, the attacker will systematically try to list the services with which they can establish a connection.
When the attack is launched from outside the information system and is targeted, the attacker identifies the IP addresses (or address ranges) of interest and then scans open ports to obtain a list of exposed services. This first step makes it possible to identify part of the attack surface to focus on.
When the attack is external and not targeted, the hacker usually has information about a vulnerability in a given application version and will look for a target that exposes such a service on the internet. In this second case, a scan of the internet network will allow them to find a vulnerable system. Either they perform the scan themselves, or they use online services that map and publish a database of exposed applications. This is the case with the famous Shodan.io.
A clumsy handshake
This ability to scan the attack surface takes advantage of two things:
- Firstly, the number of IP addresses and ports is relatively small. There are 4.3 billion possible IPv4 addresses worldwide, each of which can offer up to 65,535 services. This is a small number because an exhaustive network scan is actually possible, with relatively limited means. The lack of available IPv4 addresses is one of the reasons for the development of IPv6. This characteristic makes it easy for attackers to generate a large number of IP addresses and ports that they can then use as input into their scanning process.
- Secondly, it is easy to determine if a service is listening on a given (IP address, port) pair. The TCP/IP handshake is designed to immediately indicate to the client, which is trying to connect, that the service is available. This is the principle of service passivity.
When the attacker is already inside the company's network, this same ease of mapping applies, but this time to private IP addresses.
Once the attack surface is obtained, the attacker will continue their activities and may:
- Exploit vulnerabilities within the listed services to take control, and possibly bounce within the information system;
- Use credentials that they have collected through phishing or a previous data leak to bypass authentication checks and access sensitive data;
- Attack exposed applications to cause denial of service;
- Obtain technical information that will help them facilitate other compromises.
How to protect yourself?
There are three usual ways to address this problem of exposure, and all of them require prior mapping of one's own network to consider all points. Shadow IT is indeed the main enemy to be tackled when dealing with the problem.
Assuming that the list of exposed services is exhaustive, the following strategies can be employed:
- Protect the points of exposure by adding additional layers and solutions that address external threats;
- Reduce exposure by moving services to private addresses, and exposing only a few entry points to access them;
- Transfer exposure to a third-party actor (and thus transfer the responsibility of securing this exposure).
These strategies will be described in more depth in a future article.