Securing the Network Edge Requires an Edge Perspective

When it comes to exploiting vulnerabilities at the network edge, cybercriminals clearly have a competitive advantage against vendors, MSPs and MSSPs alike. When all is said and done, 2024 will be remembered as another year that’s been marred by successful edge-related exploits. For example, just 10 days into the year, Ivanti fell victim to a nation-state attack that exploited two vulnerabilities in its Connect Secure solutions. In February, the U.S. Government shut down the KV-botnet that targeted SOHO edge devices. Then in April, hackers exploited vulnerabilities in both Palo Alto Networks' and Cisco’s firewall solutions. And the list goes on and on.

At a macro level, research has found that large-scale attacks exploiting vulnerabilities in network edge devices represented 36% of all cyberattacks from mid-2023 to 2024. This finding is supported by data from the Common Vulnerabilities and Exposures list of publicly disclosed cybersecurity vulnerabilities, which shows that CVEs discovered in edge devices more than doubled year-over-year, swelling to an average of 4.75 network edge exploits per month. This year, we’re on pace for that figure to increase by upwards of 20%.

But things get worse. That same report also notes that among the 36% of successful attacks, 60% exploited vulnerabilities that were categorized as a “zero-day.” And CVSS ratings for edge-related CVEs are also becoming increasingly higher with the median score for edge CVEs reaching 9.8 on the 10-point scale, while vulnerabilities outside the network edge average a full point lower at 8.8.

Related:Sophos CEO Joe Levy on Lessons Learned from CrowdStrike-Microsoft Outage

The proliferation − and exploitation − of edge devices has raised a red flag for organizations and MSPs/MSSPs to bolster security at the network edge. Edge infrastructure including IoT, OT and other unmanaged devices are now considered the go-to target for attackers because they typically function as the ‘weakest link’ in the last 100 meters of the network, meaning their activity is not easily examined or monitored.

These devices are also infamous for lacking native security controls that organizations often leverage to secure traditional endpoints, like laptops. Not only does this inhibit administrators and MSPs/MSSPs from accurately assessing the security posture of the edge, it also provides cover for attackers once they have compromised a device, allowing them to move laterally throughout the network undetected. Additionally, many older edge devices are supported by operating systems and software components that are beyond end-of-life and are no longer supported by the vendor.

Related:Cynomi vCISO Platform: 'Proof Is in the Pudding'

How can MSPs/MSSPs address the increasing risk to edge devices for customers?

Despite all the resources being deployed to build a security stack, there are still critical gaps in network visibility at the edge. Modern edge networks, alongside the explosion of new endpoints and increasingly complex wireless use cases, are often beyond the sight of centralized monitoring platforms or agent-based solutions.

While there is no single silver bullet for safeguarding the entire edge, MSPs/MSSPs have a unique opportunity to supplement organizations’ wider network security tactics by conducting regular on-site network assessments utilizing modern handheld security vulnerability scanners that connect directly at the network perimeter. These tools give comprehensive visibility of edge assets, scanning for vulnerabilities in the last 100 meters of the network — where most users connect.

3 Edge Network Vulnerability Assessments

There are three primary areas where MSPs/MSSPs can help customers identify issues by conducting edge network vulnerability assessments.

1.. Edge Network Inventory. Securing the edge starts with knowing what there is to protect. Conducting a network inventory reveals the network infrastructure and topology in detail, exposing all endpoints and devices − whether connected via wired, Wi-Fi or Bluetooth − and maps how they are connected. This is where teams typically discover rogue devices (one that is not authorized to be connected to the network).

Related:Fortinet Engage Partner Program Evolves to Services Model

Exploiting rogue devices to gain entry and move laterally within a network is at the core of a hacker’s playbook. However, rogue devices can be difficult for traditional, agent-based security solutions to detect. Most IoT devices and endpoints can only be scanned via agentless tools, like handheld vulnerability scanners. In this scenario, a handheld vulnerability scanner can be used to augment platform-based discovery tools and enable extensive custom probing on a per-service or device basis. Additionally, these scanners feature configurable and extended discovery ranges that allow teams to discover non-local subnets covering the entire organization.  

As an added value, service providers can leverage these devices to help customers’ track the ownership and life-cycle management of all endpoints and devices, so those that reach end-of-life can be replaced before they get exploited.

2. Ensuring Access Segmentation Validation. Proper network segmentation and provisioning are essential for network edge security because it isolates different network functions, making it more difficult for malicious actors to move laterally and gain access to sensitive data. Validating that centralized infrastructure configurations and segmentations are correctly deployed is quite difficult to achieve without the ability to emulate the actual endpoints at the point of access. This helps to validate not only reachability, but more importantly non-reachability of critical IT assets for those not authorized to access these resources. 

Being portable and testing from the point of presence, these handheld vulnerability scanners make it easy to conduct thorough physical site assessments to ensure proper segmentation. They also give visibility into every connected device on the network (in ways centralized monitoring solutions cannot).  

Armed with these insights, MSPs/MSSPs can also make more strategic recommendations to customers. For example, if a site assessment reveals substantial risk exposure due to improper network segmentation, service providers can advise them to consider which type of edge devices need to be connected to the main network and how to segment devices that do not need a direct connection.

3. Wireless and Radio Frequency Mapping. Wireless represents a unique and often critical threat because it transcends wires and bricks — meaning it can extend the network outside a facility. With numerous possible Wi-Fi exploits, it is critical to understand the nature, location and reach of every Wi-Fi device —access points, clients and BT/BLE devices.

There are multiple ways to pinpoint RF devices with handheld vulnerability scanners that can utilize either an internal omni or an external directional antenna. If connected to the network, a leading handheld vulnerability scanner can perform a path analysis detailing the infrastructure and the exact connection path between you and the device.

Apart from the tactical methods above, service providers should look for handheld vulnerability scanners that can also generate a map of device locations via floorplan heatmaps or topology diagrams.

In today’s volatile and dynamic digital threat landscape, it’s not a matter of if, but when an edge network vulnerability is going to create a breach.

This gap in security is often because organizations and the MSPs/MSSPs serving them don’t have the tools to properly and quickly assess vulnerabilities at the edge. But with handheld edge network vulnerability scanners now on the market, it is easy to add this service to their portfolio and conduct regular site-level assessments for customers.