{"id":23027,"date":"2021-07-02T04:59:11","date_gmt":"2021-07-01T23:29:11","guid":{"rendered":"https:\/\/www.kaspersky.co.in\/blog\/cyberthreats-in-isolated-subnet\/23027\/"},"modified":"2021-07-02T04:59:11","modified_gmt":"2021-07-01T23:29:11","slug":"cyberthreats-in-isolated-subnet","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.in\/blog\/cyberthreats-in-isolated-subnet\/23027\/","title":{"rendered":"Isolated subnets seem secure"},"content":{"rendered":"<p>Some infosec specialists believe isolated networks do not need additional protection; if threats have no way to get in, why bother? But isolation is not a guarantee of invulnerability. Our experts share several scenarios based on real cases to demonstrate.<\/p>\n<p>Our hypothetical enterprise has a subnet isolated with an air gap, meaning not only that there is no access to it from the Internet, but that even other segments of the same enterprise\u2019s network can\u2019t reach it. Moreover, in line with the company\u2019s information security policy, the following rules apply:<\/p>\n<ul>\n<li>All machines in the segment must use antivirus protection and undergo manual updates once a week (that\u2019s frequent enough for an isolated segment);<\/li>\n<li>Every machine\u2019s device control system must prohibit the connection of flash drives except those in the list of trusted devices;<\/li>\n<li>Cell phone use on site is prohibited.<\/li>\n<\/ul>\n<p>Nothing out of the ordinary there. What could go wrong?<\/p>\n<h2>Scenario one: DIY-style Internet connection<\/h2>\n<p>When a facility loses Internet access, bored employees adopt workarounds. Some get themselves an extra phone, hand in one at the front desk, and connect the second as a modem to get a work computer online.<\/p>\n<p>The threat model for this segment does not anticipate network attacks, Internet malware, or other, similar security issues. 
In reality, not every administrator updates antivirus protection every week, and as a result, cybercriminals can infect one computer with a spyware Trojan, gain network access, and spread the malware over the entire subnet, leaking information until the next antivirus update shuts them out.<\/p>\n<h2>Scenario two: An exception to every rule<\/h2>\n<p>Even isolated networks allow for exceptions \u2014 trusted flash drives, for example. But with no restrictions on those flash drives\u2019 use, who\u2019s to say a drive won\u2019t be used to copy files to and from the system or for other admin needs in nonisolated parts of the network? What\u2019s more, technical-support staff sometimes connect their laptops to an isolated network, for example to configure network equipment within the segment.<\/p>\n<p>If a trusted flash drive or laptop becomes a delivery vector for zero-day malware, the malware\u2019s presence in the target network should be short-lived \u2014 once updated, the organization\u2019s nonisolated antivirus will neutralize the threat there. Looking beyond the damage it can do to the main, nonisolated network even in that short time, however, the malware will remain in the isolated segment until that segment\u2019s next update, which in our scenario won\u2019t happen for at least a week.<\/p>\n<p>The outcome depends on the malware variant. For example, it might write data to those trusted flash drives. After a short while, another zero-day threat in the nonisolated segment might start searching connected devices for the hidden data and sending it outside the company. Alternatively, the malware\u2019s goal could be some form of sabotage such as altering software or industrial controller settings.<\/p>\n<h2>Scenario three: Insiders<\/h2>\n<p>A compromised employee with access to the premises where the isolated network segment is located can deliberately compromise the perimeter. 
For example, they might connect a miniature Raspberry-Pi-based malicious device to the network, having fitted it with a SIM card and mobile Internet access. The case of <a href=\"https:\/\/www.kaspersky.com\/blog\/dark-vishnya-attack\/24867\/\" target=\"_blank\" rel=\"noopener nofollow\">DarkVishnya<\/a> is one such example.<\/p>\n<h2>What to do<\/h2>\n<p>In all three cases, a vital detail was missing: an up-to-date security solution. Had Kaspersky Private Security Network been installed in the isolated segment, it would have reacted to and closed down all threats in real time. The solution is essentially an on-premise version of our cloud-based Kaspersky Security Network, but capable of working in a data diode mode.<\/p>\n<p>In other words, although local, Kaspersky Private Security Network receives information about the latest threats from outside and shares it with endpoint solutions inside. At the same time, it keeps every single byte of data from beyond the isolated perimeter from getting into the global network. You can learn more about the solution on its <a href=\"https:\/\/www.kaspersky.co.in\/enterprise-security\/private-security-network?icid=in_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">official page<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Does isolating a network segment really guarantee its invulnerability? 
<\/p>\n","protected":false},"author":2581,"featured_media":23028,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2036,2609],"tags":[2950,2661,2689,3101,81,3028],"class_list":{"0":"post-23027","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-air-gap","10":"tag-darkvishnya","11":"tag-insiders","12":"tag-isolated-network","13":"tag-targeted-attacks","14":"tag-unauthorized-access"},"hreflang":[{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/cyberthreats-in-isolated-subnet\/23027\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/cyberthreats-in-isolated-subnet\/18509\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/cyberthreats-in-isolated-subnet\/24977\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/cyberthreats-in-isolated-subnet\/22985\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/cyberthreats-in-isolated-subnet\/22243\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/cyberthreats-in-isolated-subnet\/25583\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/cyberthreats-in-isolated-subnet\/25055\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/cyberthreats-in-isolated-subnet\/31002\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/cyberthreats-in-isolated-subnet\/9801\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/cyberthreats-in-isolated-subnet\/40438\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/cyberthreats-in-isolated-subnet\/17284\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/cyberthreats-in-isolated-subnet\/17732\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/cyberthreats-in-isolated-subnet\/14995\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/cyberthreats-in-isolated-subnet\/27021\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/cyberthreats-in-isolated-subnet\/31179\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/cyberthreats-in-isolated-subnet\/27249\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/cyberthreats-in-isolated-subnet\/24069\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/cyberthreats-in-isolated-subnet\/29403\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/cyberthreats-in-isolated-subnet\/29195\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.in\/blog\/tag\/air-gap\/","name":"air gap"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/23027","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/users\/2581"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/comments?post=23027"}],"version-history":[{"count":0,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/23027\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/media\/23028"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/media?parent=23027"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/categories?post=23027"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/tags?post=23027"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}