Read more
EN
Home Blog Eliminate cyber risks once and for all
Home Blog Eliminate cyber risks once and for all
1 AUGUST 2023
Blog

Eliminate cyber risks once and for all

Our thin client architecture as an example of a Cyber Immune system
Alexander Vinyavsky
Technology Evangelist

Cyber Immunity isn’t just about mitigating specific cyber risks. It’s about making sure that a solution’s architecture doesn’t let cybercriminals violate security goals at all. The idea is that individual vulnerabilities aren’t so important because new exploits appear after every release anyway.

So when designing a system that’s Secure by Design, you need to take a critical look at its architecture and ask yourself a few questions. What are its vulnerabilities? What can go wrong if a component gets hacked? What needs to be changed in the architecture so that hacking one component doesn’t compromise the entire device?

Eliminating cyber risks: a real example

A key aspect of building Cyber Immune systems is that we don’t try to analyze and protect against all existing threats and vulnerabilities. Instead, we’re governed by Murphy’s Law: Anything that can go wrong, will go wrong. We take as a given that we’ll never know all the vulnerabilities and possible attack scenarios. So we try to design the system to eliminate unsafe states altogether.

I’ll tell you about how we developed our Cyber Immune thin client (a mini-computer for interacting with virtual desktop infrastructure, etc.) using this approach. Here’s what we did to ensure that the primary security goal of the thin client was met.

  1. We formulated the main security goal: to ensure the confidentiality and integrity of data transmitted between the thin client and remote server.
  2. We noticed that in typical “functional” architecture, it’s hard to achieve this goal because of a large attack surface in the part of the system responsible for interacting with the remote server. In our case, it was the RDP client, which is usually built on the basis of the fairly large (about 400,000 lines of code) FreeRDP library. With such a huge code base, there’s bound to be errors and vulnerabilities.
  3. This led us to change the architecture of the system by adding a small TLS Terminator component “in front” of the RDP client to check certificates.
  4. Thanks to the TLS Terminator’s compact size, we were able to thoroughly test it and ascertain its reliability.
  5. The result is a reliable “crossing point,” and data security is no longer dependent on vulnerabilities in the RDP client. That’s how we partially accomplished our original task: achieve the №1 security goal.
Code size of our TLS Terminator component compared to the FreeRDP library (thousands of source lines of code)

Security for the future and a cool bonus

In the example above, we weren’t protecting against specific vulnerabilities in the RDP client. Instead, we made it almost impossible to exploit any vulnerability and violate thin client security goals. In short, we made the device secure from known threats and exploits that don’t even exist yet.

Doing this also has another great bonus. When in the future we have a project ready and start full-fledged threat modeling, all the security gaps (or most of them) that affect security goals are already closed. This makes it much less expensive to design responses to threats.

Cyber Immunity isn’t just about mitigating specific cyber risks. It’s about making sure that a solution’s architecture doesn’t let cybercriminals violate security goals at all. The idea is that individual vulnerabilities aren’t so important because new exploits appear after every release anyway.

So when designing a system that’s Secure by Design, you need to take a critical look at its architecture and ask yourself a few questions. What are its vulnerabilities? What can go wrong if a component gets hacked? What needs to be changed in the architecture so that hacking one component doesn’t compromise the entire device?

Eliminating cyber risks: a real example

A key aspect of building Cyber Immune systems is that we don’t try to analyze and protect against all existing threats and vulnerabilities. Instead, we’re governed by Murphy’s Law: Anything that can go wrong, will go wrong. We take as a given that we’ll never know all the vulnerabilities and possible attack scenarios. So we try to design the system to eliminate unsafe states altogether.

I’ll tell you about how we developed our Cyber Immune thin client (a mini-computer for interacting with virtual desktop infrastructure, etc.) using this approach. Here’s what we did to ensure that the primary security goal of the thin client was met.

  1. We formulated the main security goal: to ensure the confidentiality and integrity of data transmitted between the thin client and remote server.
  2. We noticed that in typical “functional” architecture, it’s hard to achieve this goal because of a large attack surface in the part of the system responsible for interacting with the remote server. In our case, it was the RDP client, which is usually built on the basis of the fairly large (about 400,000 lines of code) FreeRDP library. With such a huge code base, there’s bound to be errors and vulnerabilities.
  3. This led us to change the architecture of the system by adding a small TLS Terminator component “in front” of the RDP client to check certificates.
  4. Thanks to the TLS Terminator’s compact size, we were able to thoroughly test it and ascertain its reliability.
  5. The result is a reliable “crossing point,” and data security is no longer dependent on vulnerabilities in the RDP client. That’s how we partially accomplished our original task: achieve the №1 security goal.
Code size of our TLS Terminator component compared to the FreeRDP library (thousands of source lines of code)

Security for the future and a cool bonus

In the example above, we weren’t protecting against specific vulnerabilities in the RDP client. Instead, we made it almost impossible to exploit any vulnerability and violate thin client security goals. In short, we made the device secure from known threats and exploits that don’t even exist yet.

Doing this also has another great bonus. When in the future we have a project ready and start full-fledged threat modeling, all the security gaps (or most of them) that affect security goals are already closed. This makes it much less expensive to design responses to threats.

Other posts

Blog
The starting point for creating Secure by Design systems
8 FEBRUARY 2023 Blog
The starting point for creating Secure by Design systems
Read more
How do you create a system that’s resistant to aggressive environments without any additional protection?
20 FEBRUARY 2023 Blog
How do you create a system that’s resistant to aggressive environments without any additional protection?
Read more
How do you create a Secure by Design system without trying to make every component invulnerable?
10 MARCH 2023 Blog
How do you create a Secure by Design system without trying to make every component invulnerable?
Read more
KasperskyOS: classes, instances and executables
23 AUGUST 2023 Blog
KasperskyOS: classes, instances and executables
Read more
More
© 2020-2024 AO Kaspersky Lab
design by Kaspersky