U.S. and U.K. government officials have issued a rare joint alert stating that Russian hackers are targeting routers...
to infiltrate enterprise networks, highlighting the inherent security risks posed by the critical devices.
The U.S. Department of Homeland Security, the FBI and the U.K.'s National Cyber Security Centre issued the warning this week, saying the primary targets of the Russian state-sponsored cyberattackers were government and private sector organizations, network infrastructure providers and internet service providers. The organizations based the alert on malicious activity discovered in compromised networks.
"[The] FBI has high confidence that Russian state-sponsored cyber actors are using compromised routers to conduct man-in-the-middle attacks to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations," the alert said.
Router security options
The government agencies recommended the use of best practices to defend against attackers. The steps included reviewing network device logs for abnormal activity, disabling unencrypted legacy protocols and preventing internet access to the management interface of a network device.
But while all those steps are necessary, security experts said, enterprises also have to take into account the security weaknesses in today's routers and develop a counterstrategy.
"We don't have any host-based security built into these devices like the way we have security built into laptops, servers and desktops today," said Ang Cui, CEO and chief scientist of startup Red Balloon Security. "We can lock down the routers, close down ports and we can change passwords all we want, but the real takeaway here is we should also be thinking about how to improve the security posture of this networking equipment."
Cui advocated that vendors inject security code into the firmware of every router, switch and firewall. The code should be able to detect rootkits, unauthorized code executions or modifications of data packets flowing through the systems. A defensive technology called Symbiote embodies that concept by automatically injecting intrusion detection capabilities within the firmware of any network device.
The Defense Advanced Research Projects Agency, part of the U.S. Defense Department, sponsored the development of Symbiote at Columbia University. Cui's company Red Balloon uses Symbiote in its commercial product.
Security consultancy Bishop Fox advised enterprises to review and monitor router configurations to avoid creating openings for hackers. "Routers used by enterprises likely have a base level of security testing applied during the design process, but the large feature set means it’s easier to misconfigure in a way that is exploitable by attackers," the company said in an email response to questions.
Prepare to pay more for router security options
Enterprises that want better router security options have to be prepared to pay more for the products, Bishop Fox said. Vendors' standard routers typically represent a balance between security and price. A supplier can't have so much of the former that the price tag of the device is too high to compete with similar products.
"The real problem lies in figuring out how to apply security in a manner that is cost-effective to the designer, and the sad truth is that security is often seen as coming with a considerable price tag," Bishop Fox said.
Vendors can reduce costs by making security a priority at the beginning of the design process. "Security in the design phase is much cheaper and more effective than security applied as an add-on after the fact," the company said.
Vendors are more likely to add router security options if customers demand them, Cui said. "Call the vendor and let them know that they need to improve the technology behind security. That needs to happen very quickly now."