Management consoles can be a security nightmare, but they still lack good protection
One of the biggest threats to enterprise networks is the ability of hackers to manipulate management consoles, the web applications used to administer a variety of network-based systems, such as virtual private networks, routers, firewalls, switches and other devices.
For many years, bad actors have targeted consoles that are reachable over the public internet. They look for systems that weren’t properly configured, run outdated software or firmware, or still use default passwords, and use them as an entry point into a corporate network.
It doesn’t take much to discover these misconfigured public-facing consoles, as the recent attacks on MOVEit demonstrated. Victims in those attacks included many state and federal government sites. A number of tools, including Shodan, GreyNoise Inc. and Censys Inc., can quickly provide a variety of information on all sorts of internet-exposed devices with just a few mouse clicks. Like many security tools, they’re useful both for finding vulnerabilities and for launching attacks based on that information.
Two recent efforts are trying to close these doors by adding extra security to console interfaces, one by Amazon Web Services Inc. and one from the U.S. government’s Cybersecurity and Infrastructure Security Agency or CISA. AWS’ announcement, issued during its re:Inforce conference this week, is for a service called Management Console Private Access. It allows customers to limit access to a specified set of known AWS accounts when the traffic originates from within a customer’s network.
It became generally available in five of AWS’ regional data centers this week. It’s built on two AWS services called VPC Endpoints and PrivateLink to establish a secure connection.
Out of the hundreds of AWS component service offerings, most have a web-based management console to configure and control them. That makes it easier for network administrators to set things up, but it also makes it easier for bad actors to obtain unauthorized access and inject malware into the infrastructure.
This initial private-access service is not universally available but is focused on the major AWS products, such as EC2, CloudFront, Lambda, S3 and several dozen others. Network infrastructure in the US East region needs to be provisioned and Domain Name System (DNS) records must be set up according to AWS specifications so that console traffic is routed through the private endpoints rather than the public internet.
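To make the mechanism concrete, here is an added illustration (not AWS’s own code, nor code from this article) of the kind of endpoint policy such a private-access setup relies on. The policy allow-lists the AWS accounts that may be reached through the endpoint using the IAM global condition key aws:PrincipalAccount, so a user on the corporate network cannot sign in to an unlisted (for example, personal or attacker-controlled) account through that path. The account IDs are constructed placeholders, and the evaluator is a deliberate simplification of IAM policy evaluation that models only this one condition.

```python
"""Added illustration of console private access: a VPC endpoint policy that
allow-lists the AWS accounts reachable through the endpoint, plus a
simplified evaluator showing why a sign-in to an unlisted account from
inside the network is refused. Not AWS's code; the account IDs are
constructed placeholders and the evaluator approximates IAM semantics."""
import json

# Constructed placeholder account IDs (assumption: replace with real ones).
ALLOWED_ACCOUNTS = ["111111111111", "222222222222"]


def build_endpoint_policy(allowed_accounts):
    """Endpoint policy permitting console actions only when the calling
    principal belongs to an allow-listed account (aws:PrincipalAccount is
    a real IAM global condition key)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowConsoleOnlyFromKnownAccounts",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "*",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "aws:PrincipalAccount": sorted(allowed_accounts)
                    }
                },
            }
        ],
    }


def policy_json(allowed_accounts):
    """Serialised form suitable for writing to a policy-document file."""
    return json.dumps(build_endpoint_policy(allowed_accounts), indent=2)


def is_request_allowed(policy, principal_account):
    """Simplified evaluation: an endpoint policy is checked in addition to
    IAM, and a request with no matching Allow statement is denied. Only
    the StringEquals / aws:PrincipalAccount condition is modelled here."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        accounts = cond.get("aws:PrincipalAccount")
        if accounts is None or principal_account in accounts:
            return True
    return False


if __name__ == "__main__":
    pol = build_endpoint_policy(ALLOWED_ACCOUNTS)
    print(policy_json(ALLOWED_ACCOUNTS))
    for acct in ("111111111111", "999999999999"):
        print(acct, "allowed" if is_request_allowed(pol, acct) else "denied")
```

The serialised policy is what you would attach to the endpoint with the AWS CLI (aws ec2 modify-vpc-endpoint with --policy-document file://policy.json). The DNS setup the article mentions is the other half: the console and sign-in hostnames must resolve, from inside the network, to the private endpoint so that the policy is actually on the path.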
Complementing the news from AWS, CISA this week issued a ruling on how to mitigate risks from internet-connected management interfaces, called a Binding Operational Directive. The directive forces all federal civilian executive branch agencies to adjust their computer systems to eliminate these interfaces from public access and enforce limited access controls on these interfaces.
CISA announced it will be scanning networks for public-facing interfaces and will notify agencies when it finds devices that aren’t compliant, providing both reports and remediation plans. Agencies then have two weeks to make changes and secure them.
“Requiring appropriate controls and mitigations outlined in this directive is an important step in reducing risk to the federal civilian enterprise,” CISA Director Jen Easterly was quoted as saying in a blog post on the cybersecurity news site The Record. Hackers “are able to use network devices to gain unrestricted access to organizational networks, in turn leading to full-scale compromise.”
The directive has three important points. First, it is one of the more obvious efforts to satisfy President Biden’s Executive Order on Improving the Nation’s Cybersecurity, crafted two years ago to encourage zero-trust security initiatives. The directive raises the question of why executive agencies, or anyone for that matter, aren’t already being proactive in finding these open network sores and shutting them down.
Second, the directive still leaves a lot to be desired, because these management interfaces can remain wide open on internal networks. CISA does recommend that any management device be segregated onto an isolated and, ideally, protected subnetwork. Again, this has been part of best network security practice since the turn of the century, if not before.
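The directive’s core requirement (no management interface reachable from the public internet) and the segmentation recommendation above both reduce to a check an administrator can run against their own firewall or security-group rules. The following is an added example, not from CISA or this article, that audits a set of rules for management ports exposed to non-internal sources and shows the corrected rule restricted to a dedicated management subnet. The rule records, the management subnet, the list of trusted internal ranges and the management-port table are all constructed sample data and assumptions to be tuned for a real environment.

```python
"""Added example (not from CISA or the article): audit firewall or security
group rules for management interfaces reachable from outside trusted
internal ranges, the condition the directive asks agencies to eliminate,
and show the rule rewritten to allow only a dedicated management subnet.
All rule data and address ranges below are constructed sample values."""
import ipaddress

# Assumption: ports commonly used by device management interfaces.
MANAGEMENT_PORTS = {
    22: "SSH",
    23: "Telnet",
    80: "HTTP admin",
    443: "HTTPS admin",
    3389: "RDP",
    8443: "HTTPS admin (alt)",
}

# Assumption: the organisation's internal address space (RFC 1918).
TRUSTED_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed: the isolated subnet that management stations sit on.
MANAGEMENT_SUBNET = "10.20.0.0/24"

# Constructed sample rules: (rule_id, source_cidr, destination_port).
SAMPLE_RULES = [
    ("sg-0001", "0.0.0.0/0", 443),          # admin UI open to the world
    ("sg-0002", "10.20.0.0/24", 22),        # SSH only from management subnet
    ("sg-0003", "0.0.0.0/0", 22),           # SSH open to the world
    ("sg-0004", "203.0.113.0/24", 8443),    # TEST-NET-3 range standing in for a public source
    ("sg-0005", "0.0.0.0/0", 8080),         # not a management port in our table
    ("sg-0006", "::/0", 3389),              # RDP open to all of IPv6
]


def is_trusted_source(cidr):
    """True only if the source range lies entirely inside a trusted internal
    range. 0.0.0.0/0, ::/0 and any public prefix therefore fail this test."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(
        net.version == trusted.version and net.subnet_of(trusted)
        for trusted in TRUSTED_SOURCES
    )


def audit_rules(rules):
    """Return a finding for each rule exposing a management port to an
    untrusted source, with the remediation the directive calls for."""
    findings = []
    for rule_id, source, port in rules:
        if port not in MANAGEMENT_PORTS or is_trusted_source(source):
            continue
        findings.append({
            "rule_id": rule_id,
            "port": port,
            "service": MANAGEMENT_PORTS[port],
            "source": source,
            "remediation": (
                f"remove public exposure: restrict source to {MANAGEMENT_SUBNET} "
                "or reach the interface only through VPN / zero-trust access"
            ),
        })
    return findings


def restrict_to_management_subnet(rule):
    """The corrected form of a rule: same port, source narrowed to the
    isolated management subnet."""
    rule_id, _source, port = rule
    return (rule_id, MANAGEMENT_SUBNET, port)


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"{f['rule_id']}: {f['service']} (tcp/{f['port']}) open to {f['source']} -> {f['remediation']}")
    fixed = [restrict_to_management_subnet(r) for r in SAMPLE_RULES]
    print("findings after remediation:", len(audit_rules(fixed)))
```

On the sample data the audit flags four rules (443, 22, 8443 and IPv6 RDP) and ignores the 8080 rule because it is not a management port in the table, which is the sort of false negative a real deployment closes by extending the table from its own device inventory. After every flagged rule is narrowed to the management subnet the audit returns no findings.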
Finally, the directive doesn’t apply to securing the web applications and interfaces used for managing clouds. This is a major omission, and one of the reasons why the AWS news is so timely: AWS is concerned about this issue and has begun to offer ways to close those back doors.
Clearly, there are still plenty of ways that networks can be compromised. And although the proliferation of web-based management consoles has made remote configuration of millions of devices easier since the web first became popular in the mid-1990s, it has also made it easier for hackers to subvert those devices and take control of them for malicious purposes.
Image: geralt/Pixabay