Isolated subnets seem secure

Does isolating a network segment really guarantee its invulnerability?

Some infosec specialists believe isolated networks do not need additional protection; if threats have no way to get in, why bother? But isolation is not a guarantee of invulnerability. To show why, our experts describe several scenarios based on real cases.

Our hypothetical enterprise has a subnet isolated with an air gap, meaning not only that there is no access to it from the Internet, but that even other segments of the same enterprise’s network can’t reach it. Moreover, in line with the company’s information security policy, the following rules apply:

  • All machines in the segment must use antivirus protection and undergo manual updates once a week (that’s frequent enough for an isolated segment);
  • Every machine’s device control system must prohibit the connection of flash drives except those in the list of trusted devices;
  • Cell phone use on site is prohibited.

Nothing out of the ordinary there. What could go wrong?

Scenario one: DIY-style Internet connection

When a facility loses Internet access, bored employees adopt workarounds. Some get themselves an extra phone, hand in one at the front desk, and connect the second as a modem to get a work computer online.

The threat model for this segment does not anticipate network attacks, Internet malware, or other, similar security issues. In reality, not every administrator updates antivirus protection every week, and as a result, cybercriminals can infect one computer with a spyware Trojan, gain network access, and spread the malware over the entire subnet, leaking information until the next antivirus update shuts them out.
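A defender can catch the "DIY Internet connection" early by checking that hosts in the isolated segment still look isolated: no default route, and no interface holding an address outside the segment's prefix. The script below is an added example, not code from the original post; it parses constructed `ip -4 route` and `ip -4 -o addr` style snapshots (the hostnames, the 10.50.0.0/24 segment and the `usb0` tethering interface are all assumed sample data) and reports any host that has acquired a path out of the segment.

```python
import ipaddress
import re

# Assumption for this example: the isolated segment is 10.50.0.0/24 and,
# by policy, hosts in it have no default route at all.
ISOLATED_SEGMENT = ipaddress.ip_network("10.50.0.0/24")

# Constructed snapshots in the style of `ip -4 route` / `ip -4 -o addr`,
# keyed by hostname. Sample data, not real captures.
HOST_SNAPSHOTS = {
    "plc-eng-01": {
        "routes": [
            "10.50.0.0/24 dev eth0 proto kernel scope link src 10.50.0.17",
        ],
        "addrs": [
            "1: lo    inet 127.0.0.1/8 scope host lo",
            "2: eth0    inet 10.50.0.17/24 brd 10.50.0.255 scope global eth0",
        ],
    },
    "plc-eng-02": {
        # A phone tethered over USB shows up as a new interface plus a default route.
        "routes": [
            "default via 192.168.43.1 dev usb0 proto dhcp metric 100",
            "10.50.0.0/24 dev eth0 proto kernel scope link src 10.50.0.18",
            "192.168.43.0/24 dev usb0 proto kernel scope link src 192.168.43.55",
        ],
        "addrs": [
            "1: lo    inet 127.0.0.1/8 scope host lo",
            "2: eth0    inet 10.50.0.18/24 brd 10.50.0.255 scope global eth0",
            "5: usb0    inet 192.168.43.55/24 brd 192.168.43.255 scope global dynamic usb0",
        ],
    },
}

ADDR_RE = re.compile(r"^\d+:\s+(?P<iface>\S+)\s+inet\s+(?P<cidr>\S+)")
DEFAULT_ROUTE_RE = re.compile(r"^default\s+via\s+(?P<gw>\S+)\s+dev\s+(?P<iface>\S+)")


def audit_host(routes, addrs, segment=ISOLATED_SEGMENT):
    """Return a list of findings for one host; an empty list means it looks compliant."""
    findings = []
    # Any default route is a path out of the segment, whatever interface carries it.
    for line in routes:
        m = DEFAULT_ROUTE_RE.match(line)
        if m:
            findings.append(f"default route via {m['gw']} on {m['iface']}")
    # Any non-loopback address outside the segment prefix means a second network is attached.
    for line in addrs:
        m = ADDR_RE.match(line)
        if not m:
            continue
        addr = ipaddress.ip_interface(m["cidr"])
        if addr.ip.is_loopback:
            continue
        if addr.ip not in segment:
            findings.append(f"interface {m['iface']} has out-of-segment address {addr.ip}")
    return findings


def audit_all(snapshots=HOST_SNAPSHOTS):
    """Audit every host snapshot and map hostname -> findings."""
    return {host: audit_host(s["routes"], s["addrs"]) for host, s in snapshots.items()}


if __name__ == "__main__":
    for host, findings in audit_all().items():
        print(f"{host}: {'ALERT' if findings else 'OK'}")
        for f in findings:
            print(f"  - {f}")
```

In practice the snapshots would be collected by whatever endpoint agent or scheduled job already runs in the segment; the point is that a host with a default route in an air-gapped subnet is itself the alert, regardless of what the antivirus signatures say.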

Scenario two: An exception to every rule

Even isolated networks allow for exceptions — trusted flash drives, for example. But with no restrictions on those flash drives’ use, who’s to say a drive won’t be used to copy files to and from the system or for other admin needs in nonisolated parts of the network? What’s more, technical-support staff sometimes connect their laptops to an isolated network, for example to configure network equipment within the segment.

If a trusted flash drive or laptop becomes a delivery vector for zero-day malware, the malware’s presence in the target network should be short-lived — once updated, the organization’s nonisolated antivirus will neutralize the threat there. Looking beyond the damage it can do to the main, nonisolated network even in that short time, however, the malware will remain in the isolated segment until that segment’s next update, which in our scenario won’t happen for at least a week.

The outcome depends on the malware variant. For example, it might write data to those trusted flash drives. After a short while, another zero-day threat in the nonisolated segment might start searching connected devices for the hidden data and sending it outside the company. Alternatively, the malware’s goal could be some form of sabotage such as altering software or industrial controller settings.
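The weakness in scenario two is not the allowlist itself but the fact that nothing notices when a trusted drive moves between zones. If the device-control software on both sides logs connect and write events, a small correlation over those logs shows which allowlisted drives have crossed the air gap, in which direction, and whether any non-allowlisted device ever got through on an isolated host. The script below is an added example, not code from the original post; the serial numbers, hostnames, zone labels and log format are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime

# Allowlisted removable drives, identified by serial number. Constructed values.
TRUSTED_SERIALS = {"SN-4F21A9", "SN-7C03E1"}

# Constructed device-control events gathered from endpoints in both zones.
# Fields: timestamp, hostname, zone, device serial, action
EVENT_LOG = """\
2024-03-04T08:12:41 ws-office-12 nonisolated SN-4F21A9 connect
2024-03-04T08:13:02 ws-office-12 nonisolated SN-4F21A9 write
2024-03-04T09:45:10 plc-eng-01 isolated SN-4F21A9 connect
2024-03-04T09:46:30 plc-eng-01 isolated SN-4F21A9 write
2024-03-05T14:02:55 plc-eng-02 isolated SN-7C03E1 connect
2024-03-06T10:20:13 plc-eng-02 isolated SN-99ZZ01 connect
"""


def parse_events(text):
    """Parse the constructed log format into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, zone, serial, action = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "zone": zone,
            "serial": serial,
            "action": action,
        })
    return sorted(events, key=lambda e: e["ts"])


def audit_removable_media(text=EVENT_LOG, trusted=TRUSTED_SERIALS):
    """Report drives seen in both zones (with their ordered timeline) and
    any non-allowlisted device that connected to an isolated host."""
    events = parse_events(text)
    zones_by_serial = defaultdict(set)
    timeline = defaultdict(list)
    untrusted_on_isolated = []
    for e in events:
        zones_by_serial[e["serial"]].add(e["zone"])
        timeline[e["serial"]].append(
            (e["ts"].isoformat(), e["zone"], e["host"], e["action"])
        )
        # Device control should have blocked this; a connect event here means
        # the allowlist was bypassed or misconfigured on that host.
        if e["zone"] == "isolated" and e["serial"] not in trusted and e["action"] == "connect":
            untrusted_on_isolated.append((e["serial"], e["host"]))
    # A drive that appears in both zones is a bridge across the air gap;
    # the timeline shows which side wrote to it before it crossed.
    crossing = {
        s: timeline[s]
        for s, zones in zones_by_serial.items()
        if {"isolated", "nonisolated"} <= zones
    }
    return {"crossing_drives": crossing, "untrusted_on_isolated": untrusted_on_isolated}


if __name__ == "__main__":
    report = audit_removable_media()
    for serial, steps in report["crossing_drives"].items():
        print(f"drive {serial} crossed zones:")
        for ts, zone, host, action in steps:
            print(f"  {ts} {zone:<12} {host:<14} {action}")
    for serial, host in report["untrusted_on_isolated"]:
        print(f"non-allowlisted device {serial} connected on isolated host {host}")
```

A drive that was written to in the nonisolated zone and connected to an isolated host less than a signature-update interval later is exactly the case the text describes; the timeline makes that gap visible even before the isolated segment's antivirus learns about the threat.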

Scenario three: Insiders

A compromised employee with access to the premises where the isolated network segment is located can deliberately compromise the perimeter. For example, they might connect a miniature Raspberry-Pi-based malicious device to the network, having fitted it with a SIM card and mobile Internet access. The case of DarkVishnya is one such example.
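An implanted single-board computer has to plug into something, so the cheapest control against scenario three is a strict asset inventory for the segment that is compared against the switch's MAC address table on every poll. The script below is an added example, not code from the original post or from any vendor: the inventory, the switch snapshot (modelled on Cisco IOS `show mac address-table` output) and the hostnames are constructed, and the single OUI-to-vendor entry is an illustrative lookup that should be checked against the IEEE registry rather than trusted as a complete table.

```python
# Constructed asset inventory for the isolated segment:
# normalized MAC -> (hostname, switch port it is expected on).
INVENTORY = {
    "00:1b:21:3a:4c:5d": ("plc-eng-01", "Gi1/0/3"),
    "00:1b:21:3a:4c:5e": ("plc-eng-02", "Gi1/0/4"),
    "00:0c:29:71:aa:10": ("hmi-01", "Gi1/0/7"),
}

# Constructed snapshot in the style of Cisco IOS `show mac address-table`.
# Fields: VLAN, MAC, type, port
MAC_TABLE = """\
 50   001b.213a.4c5d   DYNAMIC   Gi1/0/3
 50   001b.213a.4c5e   DYNAMIC   Gi1/0/4
 50   000c.2971.aa10   DYNAMIC   Gi1/0/7
 50   b827.eb4f.1c22   DYNAMIC   Gi1/0/9
"""

# Illustrative OUI hint only; verify entries against the IEEE OUI registry.
ILLUSTRATIVE_OUIS = {"b8:27:eb": "Raspberry Pi Foundation"}


def normalize_mac(raw):
    """Accept dotted (Cisco), colon or dash notation and return aa:bb:cc:dd:ee:ff."""
    digits = raw.replace(".", "").replace(":", "").replace("-", "").lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Yield (normalized MAC, port) pairs from the switch snapshot."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip headers, separators and blank lines
        _vlan, mac, _type, port = parts
        entries.append((normalize_mac(mac), port))
    return entries


def audit_switch(text=MAC_TABLE, inventory=INVENTORY):
    """Compare the live MAC table with the inventory and return human-readable findings."""
    findings = []
    seen = set()
    for mac, port in parse_mac_table(text):
        seen.add(mac)
        if mac not in inventory:
            vendor = ILLUSTRATIVE_OUIS.get(mac[:8], "unknown vendor")
            findings.append(f"unknown device {mac} ({vendor}) on port {port}")
            continue
        host, expected_port = inventory[mac]
        if port != expected_port:
            # A known host on the wrong port can mean a cable was moved to make room for an implant.
            findings.append(f"{host} ({mac}) moved from {expected_port} to {port}")
    for mac, (host, port) in inventory.items():
        if mac not in seen:
            findings.append(f"inventoried host {host} ({mac}) absent from {port}")
    return findings


if __name__ == "__main__":
    for finding in audit_switch():
        print(finding)
```

The check is deliberately inventory-driven rather than vendor-driven: a cellular-backhauled implant can be built on any board, so the reliable signal is "a MAC I did not put there", with the OUI used only as a hint for triage. Port security or 802.1X on the segment's switch would turn the same comparison into an enforcement control.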

What to do

In all three cases, a vital detail was missing: an up-to-date security solution. Had Kaspersky Private Security Network been installed in the isolated segment, it would have reacted to and closed down all threats in real time. The solution is essentially an on-premise version of our cloud-based Kaspersky Security Network, but capable of working in a data diode mode.

In other words, although local, Kaspersky Private Security Network receives information about the latest threats from outside and shares it with endpoint solutions inside. At the same time, it prevents every single byte of data from inside the isolated perimeter from leaving it for the global network. You can learn more about the solution on its official page.