The Security Interviews: Why You Need to Protect Abandoned Digital Assets – ComputerWeekly.com

After Russia invaded Ukraine, governments around the world imposed economic sanctions on Russia. As a result, it became clear that private organizations had to act, leading to many companies boycotting Russia by closing their local premises, evacuating employees and refusing to do business in the country. Although this article focuses on sanctions against Russia, it is equally applicable to related sanctions against Russia’s close ally Belarus.

The need to boycott Russia was driven by both pragmatism and ethics. Organizations needed to do more than send “thoughts and prayers,” and continuing to trade in or with Russia carried the potential for significant reputational damage. However, in the rush to boycott Russia, there is a significant risk that organizations have left themselves open to attack by improperly shutting down their regional assets.

“Multinational organizations have faced numerous challenges moving out of Russia, from evacuating their staff to evacuating their buildings,” said Ran Nahmias, co-founder and chief business officer of attack surface management specialist Cyberpion.

“They also had to shut down their local IT operations, shut down digital assets and sever digital supply chain connections. This requires attention and a detailed plan of action.”

To understand the scale of the problem, Cyberpion conducted research earlier this year showing that an organization’s external attack surface is often many times larger than its internal enterprise environment.

The report revealed the risk involved: 60% of Fortune 500 companies had a known vulnerability that attackers could exploit to access sensitive employee or customer data, and a significant number of those vulnerabilities had already been exploited. The rapid withdrawal from Russia has only exacerbated the problem.

“We checked the Fortune Global 1,000 and 60% still had active connections to Russian infrastructure,” says Nahmias.

One of the main problems facing both private companies and government organizations is that they have become massively distributed entities. Some of the larger multinational organizations often have multiple cloud platforms and multiple online domains, as well as regionalized assets for the different theaters in which they operate.

The distributed nature of online infrastructure means that organizations have essentially abandoned digital assets within Russia’s borders, which can pose significant risk to organizations if those assets are not properly shut down.

“Domain Name System [DNS] forms the basis of Internet interactions and is often overlooked by security teams,” says Nahmias. “Like plumbers, security teams take DNS for granted, at least until something breaks or is hijacked — then it becomes a major security concern.”

Abandoned Property

Rather than decommissioning or deleting these regional assets, they were often simply put into hibernation. It is assumed that at some point the situation will calm down and trade with Russia will become profitable again. Therefore, it makes economic sense to plan for the reactivation of existing regional assets rather than the creation of new ones.

However, in the disruption caused by their quick departure from the country, the question arises as to whether companies were able to adequately shut down and secure all of their localized digital assets.

The dangers posed by these abandoned assets are manifold. Local digital assets can be hijacked and used for malicious purposes such as identity theft and credit card fraud. Not only can this result in companies being heavily fined for violating data protection laws, but there is also the reputational damage that accompanies such incidents.

“The risk depends on what the connection is pointing at and what authentication or security measures were in place,” says Nahmias. “Security teams tend to be more forgiving of connections to internal resources than connections to external ones.”

The distributed nature of the modern enterprise means that networks are no longer simple webs radiating from a central hub but complex meshes. While this is a far more robust form of network connectivity, it also has far more connections to manage. There is therefore a real risk that network connections from abandoned assets are still active and effectively allow access to the rest of the corporate network. In many ways this poses a far greater risk to the organization, since malicious actors could obtain sensitive information through these unsecured connections.

“Companies run many domains—millions in some cases—so manual monitoring just isn’t an option,” says Nahmias. “It’s very complex – it’s DNS spaghetti. Although we believe that most companies have tried to clean up their Russian IT connections, in most cases they have not succeeded.”

There is also a risk that abandoned regional assets could be accessed and hacked in anticipation of when they will eventually be reactivated. This would essentially act as a backdoor, allowing malicious actors to bypass network security to deploy malicious software within a corporate network. These tactics could be exploited by local criminals as well as nation-state sponsored hackers.

“If a US-based global consumer brand leaves Russia and shuts down its Russian website, but didn’t do it right, a malicious actor could revive it and potentially abuse innocent customers, damaging the global brand’s reputation,” says Nahmias.

What needs to be done?

Organizations must ensure that all of their discontinued local assets have been rendered fully inactive and that they continue to retain ownership of their digital domains.

Likewise, organizations need to review the connections between these abandoned on-premises resources and the broader corporate network to ensure they have been properly tied off, either by removing those connections entirely or by sinkholing them so that they lead nowhere. However, the number of connections that now exist is so large that it can no longer be managed by conventional means.
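One way to make that review mechanical, as an added example that is not code from the article or from Cyberpion: take the address space that belonged to the hibernated regional estate, walk the firewall rule set, and flag every allow rule that still lets those sources reach the corporate core, then generate the explicit deny that ties it off. The region names, CIDRs, rule IDs and the rule set below are constructed for illustration; the `Rule` class and `tie_off` helper are this example's own, not any vendor's API.

```python
"""Audit firewall rules for connections that still admit traffic from hibernated regional assets.

Added example, not code from the original article or from Cyberpion. The address ranges,
rule IDs and rule set below are constructed for illustration only.
"""
import ipaddress
from dataclasses import dataclass, replace

# Constructed: address space that belonged to the now-hibernated Russian regional estate.
DECOMMISSIONED_REGIONS = {
    "ru-moscow-dc": [ipaddress.ip_network("10.77.0.0/16"), ipaddress.ip_network("192.0.2.0/24")],
    "ru-branch-vpn": [ipaddress.ip_network("10.78.0.0/16")],
}

# Constructed: core corporate ranges that abandoned assets must no longer be able to reach.
CORPORATE_CORE = [ipaddress.ip_network("10.0.0.0/12"), ipaddress.ip_network("10.100.0.0/16")]


@dataclass(frozen=True)
class Rule:
    rule_id: str
    src: str      # source CIDR
    dst: str      # destination CIDR
    action: str   # "allow" or "deny"
    note: str = ""


def overlaps(cidr, networks):
    """True if the CIDR shares any address with one of the given networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.overlaps(n) for n in networks)


def find_live_links(rules):
    """Return (rule, region) pairs for allow rules whose source lies in decommissioned
    space and whose destination reaches the corporate core. Deny rules and rules that
    only touch non-core destinations are ignored."""
    findings = []
    for rule in rules:
        if rule.action != "allow" or not overlaps(rule.dst, CORPORATE_CORE):
            continue
        for region, nets in DECOMMISSIONED_REGIONS.items():
            if overlaps(rule.src, nets):
                findings.append((rule, region))
                break
    return findings


def tie_off(rule, region):
    """Build the replacement rule: same match, explicit deny, annotated so that any later
    hit (a revived asset trying to reach the core) shows up in firewall logs."""
    return replace(rule, rule_id=rule.rule_id + "-tieoff", action="deny",
                   note=f"{region} hibernated; log every hit")


# Constructed sample rule set.
SAMPLE_RULES = [
    Rule("fw-101", "10.77.4.0/24", "10.100.20.0/24", "allow", "RU DC to HQ directory replication"),
    Rule("fw-102", "10.78.0.0/16", "10.0.5.0/24", "allow", "RU branch VPN to ERP"),
    Rule("fw-103", "10.77.0.0/16", "10.100.0.0/16", "deny", "already tied off"),
    Rule("fw-104", "10.50.1.0/24", "10.100.20.0/24", "allow", "EMEA DC, still in service"),
    Rule("fw-105", "192.0.2.10/32", "203.0.113.0/24", "allow", "RU web host to public CDN (not core)"),
]


if __name__ == "__main__":
    for rule, region in find_live_links(SAMPLE_RULES):
        fixed = tie_off(rule, region)
        print(f"{rule.rule_id}: {rule.src} -> {rule.dst} still allowed from {region}; "
              f"replace with {fixed.rule_id} ({fixed.action})")
```

Two points a practitioner would check before applying the output: the generated deny has to be inserted ahead of any broader allow in a first-match rule base, or it never fires; and logging hits on the tie-off rule is what turns a silent, abandoned link into a signal that something in the hibernated estate has woken up.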

“When you have a million domains or IDs or 100,000 PCs, that’s no longer a human task. AI [artificial intelligence] has got to come in,” says Nahmias. “Somebody has to find a way to understand when something breaks. Taking the time to recognize and react will be the key to success.”

From a broader perspective, especially for multinational organizations with a massively distributed network, this situation has highlighted the need for a single oversight role. Rather than a set of network managers and their teams each focused on their own area of expertise with limited coordination between them, the events of the last few months call for one role that can coordinate and control the entire digital infrastructure.

“PKI, cloud, DNS and web are typically managed by different teams, sometimes only connected at the CIO level. This means that four people in one organization examine relations with Russia and then work on the results together,” says Nahmias.

Some may wonder whether, as organizations abandon regional assets and reduce the number of regions in which they operate, centralized network models will become prevalent again. While this would minimize the threat surface, it would not completely negate the risk, and businesses would lose the advantages of a resilient distributed hybrid network. Therefore, instead of simply minimizing the attack surface, organizations need to focus on securing their connections.

“I don’t think the closure is the right way to address the problem,” says Nahmias. “They may have a smaller attack surface, but it’s still there. They might as well try to stop the bad actors from abusing the attack surface, big or small.”

Conclusion

Rather than destroying their assets when boycotting Russia and Belarus, organizations have taken the long-term view and simply shut them down. When the situation has de-escalated and companies are ready to resume trading, they will want to reactivate their previously abandoned assets to allow for a quick return to the market.

“The relationship between DNS and security is something that’s evolving in many areas of business today,” says Nahmias. “I would like to think that most companies have made their best efforts, but I don’t think they all will necessarily be able to pay full attention to the potential risks. Some of the risk is immediate and present, but there is another big piece that is a Pandora’s box in Russia that will one day open.”

A proper review of an organization’s discontinued domains will reveal potential weaknesses in its security posture. For example, this could be an automated process that flags any discrepancies, along with the associated network connections, for human review. The situation has also highlighted the need for a network oversight role, rather than relying on collaboration between a number of specialized network teams to ensure that overarching business goals are met.
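The review described above, as an added example that is not the article's or Cyberpion's code: compare each record in a zone against an inventory of what was hibernated and which third-party tenancies were released, and flag records that still point at that infrastructure. Delegations to hibernated nameservers and aliases to released third-party names are ranked highest, because those are the records a third party could revive, which is the scenario Nahmias describes. Every hostname, address and provider name below is constructed for illustration, and the `Record`/`Finding` types and `review_zone` function are this example's own.

```python
"""Review a DNS zone against an asset inventory and flag records that still point at
hibernated regional infrastructure or at released third-party hosting.

Added example, not code from the original article or from Cyberpion. The zone, the
inventory and every hostname, address and provider below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    target: str


@dataclass(frozen=True)
class Finding:
    record: Record
    severity: str   # "high" or "medium"
    issue: str
    action: str


# Constructed inventory of the hibernated Russian estate.
HIBERNATED_HOSTS = {"web-ru.example.com.", "mail-ru.example.com.", "ns1.example.ru.", "ns2.example.ru."}
HIBERNATED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Constructed: third-party hosting names whose tenancy was cancelled during the pull-out,
# so whoever next signs up for that name at the provider inherits the alias.
RELEASED_THIRD_PARTY = {"ru-store.shops.example-saas.net."}


def _host(target):
    """Strip the MX priority so MX and CNAME targets compare the same way."""
    return target.split()[-1].lower()


def review_record(rec):
    """Return a Finding for one record, or None if it points at live, owned infrastructure."""
    if rec.rtype in ("A", "AAAA"):
        addr = ipaddress.ip_address(rec.target)
        if any(addr in net for net in HIBERNATED_NETS):
            return Finding(rec, "medium", "address in hibernated range",
                           "remove the record or repoint it at a sinkhole you control")
    elif rec.rtype == "CNAME":
        if _host(rec.target) in RELEASED_THIRD_PARTY:
            return Finding(rec, "high", "dangling alias to released third-party tenancy (takeover risk)",
                           "delete the CNAME before anyone else can claim the tenancy")
        if _host(rec.target) in HIBERNATED_HOSTS:
            return Finding(rec, "medium", "alias to hibernated host",
                           "remove the alias or park it on an owned placeholder")
    elif rec.rtype == "NS":
        if _host(rec.target) in HIBERNATED_HOSTS:
            return Finding(rec, "high", "delegation to hibernated nameserver (whoever runs it answers for the subtree)",
                           "withdraw the delegation and serve the subtree from retained nameservers")
    elif rec.rtype == "MX":
        if _host(rec.target) in HIBERNATED_HOSTS:
            return Finding(rec, "medium", "mail routed to hibernated host",
                           "drop the MX so mail cannot be captured by a revived host")
    return None


def review_zone(zone):
    """Review every record; high severity first so a human sees takeover paths before clean-up items."""
    findings = [f for f in (review_record(r) for r in zone) if f is not None]
    return sorted(findings, key=lambda f: (f.severity != "high", f.record.name))


# Constructed zone for example.com after the regional shutdown.
ZONE = [
    Record("www.example.com.", "A", "198.51.100.10"),
    Record("ru.example.com.", "CNAME", "web-ru.example.com."),
    Record("web-ru.example.com.", "A", "192.0.2.20"),
    Record("shop-ru.example.com.", "CNAME", "ru-store.shops.example-saas.net."),
    Record("ru-apps.example.com.", "NS", "ns1.example.ru."),
    Record("example.com.", "MX", "10 mail-ru.example.com."),
    Record("example.com.", "MX", "20 mail.example.com."),
]


if __name__ == "__main__":
    for f in review_zone(ZONE):
        print(f"[{f.severity}] {f.record.name} {f.record.rtype} {f.record.target}: {f.issue} -> {f.action}")
```

In practice the inventory sets would be fed from the decommissioning plan and the registrar and provider account records, and the zone from a live export; the logic stays the same. The ordering matters: an NS delegation to a nameserver someone else now controls, or a CNAME to a released provider tenancy, hands the attacker a name under the corporate brand, which is a worse outcome than a stale A record that simply stops resolving.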

“Security needs to identify the anomalies on a much broader spectrum,” concludes Nahmias. “Security must evolve to accept some risk and detect breaches as they happen to minimize impact.”
