How to Safely Take In Bad Data

What do you do when you need to add compromised data to your network? “Airlock” is our solution.

There are many parallels between computer viruses like ransomware and biological viruses like COVID-19. For instance, a medical center in Oakland, California, was recently in the news for its failure to separate COVID-19 patients from the general population. A Kaiser Health News investigation summarized the situation this way:

Dozens of nursing homes and hospitals ignored official guidelines to separate COVID-19 patients from those not infected with the coronavirus, in some places fueling its spread and leaving staff unprepared and infected or, in some cases, dead.

Although those of us who live in the world of servers and data centers aren’t facing life-and-death situations like those in hospitals, we regularly face conceptually similar problems. Recently, for example, Oasis received a hard drive containing about 8 TB of data from a client involved in time-sensitive litigation. The data had to be processed for attorney review as soon as possible, even though it was known to contain malware: malware that had already bypassed the client’s security controls and wreaked havoc on their network. A project like this carries a higher level of risk for obvious reasons.

Just as health care providers must check incoming patients at the door to stop the spread of a virus throughout a hospital, IT managers are expected to stop threats at the firewall before they infect the entire network. So, what should you do if you have data that you’re afraid of? What is the best way to disinfect it?

Our solution: create an airlock. Below we explain what an airlock is and how to build one so that you can quarantine and disinfect compromised data. It is the process we used on the 8 TB described above to cleanse it and put it back in the hands of our client.

Airlock, A Data Quarantine System

Creating an airlock is the key to quarantining data effectively. To understand “airlock,” you first need to understand “air gapped.”

A system is “air gapped” when it has no network connection to any other system: the only way data gets in or out is by physically carrying media to it. This configuration removes the remote entry points an attacker would otherwise use. To put this into our hospital analogy, think of an airlock like an ICU: an entirely separate wing that keeps highly contagious and severely ill patients in one contained area with no through traffic.

The airlock is a triage area built on that isolated hardware, used to examine data before it is allowed onto the main network. With the infected data held in the airlock, you can examine and disinfect it without exposing other data or networks; if something does detonate, the damage is confined to machines you can wipe and rebuild.

How To Build An Airlock:

Setup

  • Create an isolated subnet on the firewall.
  • Configure that subnet to deny all outbound connections.
    • A firewall-segmented subnet is network isolation, not a true air gap; the physical server that receives the media is the only genuinely air-gapped piece. Treat the firewall rules as the next layer and audit them, and log every exception you are forced to add.
  • Connect a dedicated physical server to the isolated subnet. This is the machine that accepts physical connections: the client’s drive plugs in here and nowhere else.
  • Create a virtual file server on the isolated subnet. It receives the raw copy of the data for scanning.
  • Create (or designate) a separate file server on the internal subnet. It receives only sanitized data.
  • Configure the servers in the isolated subnet with dedicated administrative accounts.
    • Internal (domain) administrator accounts are denied access, so personnel never type internally valid credentials into the airlock, where running malware could capture them.
    • The airlock administrator group should be locked down to senior administrators only.

Scanning for Malware

  • Configure all airlock servers with a next-generation antivirus or endpoint detection and response (EDR) product such as Carbon Black Response, Carbon Black Defense, or CrowdStrike Falcon.
    • These combine signatures with behavioral and machine-learning detection, so they can flag activity from samples that have no known signature yet.
    • If the sensor reports to a cloud console, it needs an explicit allow rule to its management endpoints; make that the only exception to the no-outbound policy, and restrict it to the sensor’s destinations.
  • Engage a third-party SOC (Security Operations Center) to monitor the airlock 24/7.
    • This can cut the time to identify and contain a threat from the months an unwatched intrusion can go unnoticed to minutes.

Workflow

  • Connect the client’s media to the physical server, read-only where possible (a hardware write blocker, as in forensic practice), since litigation data must be preserved exactly as received.
  • Copy the data from the physical server to the isolated file server, record a per-file hash manifest there, and begin thorough scanning.
  • When scanning is complete, copy only the files that came back clean from the isolated file server to the internal file server, verifying each copy against the manifest. Because the isolated subnet allows no outbound connections, this transfer must be initiated from the internal side as a pull.
  • A clean scan is the absence of anything the tools recognize, not proof of cleanliness, so continually monitor the data from that point forward using your suite of security tools and SOC team (as you would for all client data).
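The transfer step is where this procedure most often goes wrong in practice: a file that landed after the scan started, or was changed after the scanner looked at it, must not ride along with the clean ones. The script below is an added example, not code from the original post or from Oasis. It assumes a clamscan-style scanner report (lines of the form “path: OK” or “path: Signature FOUND”) and builds its own sample files in a temporary directory; the file names, paths and signature name are constructed. It records a SHA-256 manifest immediately before the scan and lets a file cross the boundary only if it is in that manifest, has an explicit OK verdict, still matches its scan-time hash, and matches again after the copy. Everything else is left behind with the reason recorded, so an unscanned or unlisted file fails closed rather than slipping through.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash in 1 MiB chunks so multi-gigabyte evidence files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _regular_files(root: Path):
    """Yield (relative posix path, Path) for regular files under root. os.walk does not
    descend into symlinked directories, and symlinked files are skipped: a link could
    point anywhere on the host, and the gate must only move bytes it has hashed."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            path = Path(dirpath) / name
            if not path.is_symlink():
                yield path.relative_to(root).as_posix(), path


def build_manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256, recorded immediately before the scan starts."""
    return {rel: sha256_file(path) for rel, path in _regular_files(root)}


def parse_scan_report(report: str, root) -> dict[str, str]:
    """Map clamscan-style per-file lines ("<path>: OK", "<path>: <name> FOUND") to
    relative path -> verdict. Summary lines and any other wording are dropped, so a
    file without an explicit OK or FOUND simply has no verdict and will be rejected.
    Assumes the scanner was run against root, so its paths sit under that directory."""
    verdicts = {}
    for line in report.splitlines():
        if ": " not in line:
            continue
        raw_path, verdict = line.strip().rsplit(": ", 1)
        if verdict == "OK" or verdict.endswith(" FOUND"):
            verdicts[Path(os.path.relpath(raw_path, root)).as_posix()] = verdict
    return verdicts


def gate_transfer(staging: Path, manifest: dict, verdicts: dict, dest: Path) -> dict:
    """Copy staging -> dest file by file, only when every check passes: present in the
    scan-time manifest, explicit OK verdict, hash unchanged since the scan, and hash
    identical after the copy. Missing evidence is treated as failure, never as a pass."""
    result = {"transferred": [], "rejected": {}}
    for rel, path in _regular_files(staging):
        if rel not in manifest:
            result["rejected"][rel] = "not in scan-time manifest"
        elif rel not in verdicts:
            result["rejected"][rel] = "no scanner verdict"
        elif verdicts[rel] != "OK":
            result["rejected"][rel] = f"scanner verdict: {verdicts[rel]}"
        elif sha256_file(path) != manifest[rel]:
            result["rejected"][rel] = "modified after scan"
        else:
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copyfile(path, target)  # bytes only; no ACLs or attributes come across
            if sha256_file(target) != manifest[rel]:
                target.unlink()
                result["rejected"][rel] = "hash mismatch after copy"
            else:
                result["transferred"].append(rel)
    result["transferred"].sort()
    return result


def demo() -> dict:
    """Exercise the gate on a constructed staging tree (sample files, not client data)."""
    with tempfile.TemporaryDirectory() as tmp:
        staging, dest = Path(tmp) / "airlock_staging", Path(tmp) / "internal_share"
        (staging / "docs").mkdir(parents=True)
        dest.mkdir()
        (staging / "docs" / "contract.txt").write_bytes(b"clean document\n")
        (staging / "docs" / "invoice.xlsm").write_bytes(b"stands in for a macro document\n")
        (staging / "notes.txt").write_bytes(b"as scanned\n")
        (staging / "readme.md").write_bytes(b"the scanner never reported on this file\n")
        manifest = build_manifest(staging)
        # Constructed clamscan-style report; readme.md is deliberately absent from it.
        report = "\n".join([
            f"{os.path.join(staging, 'docs', 'contract.txt')}: OK",
            f"{os.path.join(staging, 'docs', 'invoice.xlsm')}: Constructed.Test.Signature FOUND",
            f"{os.path.join(staging, 'notes.txt')}: OK",
            "", "----------- SCAN SUMMARY -----------", "Infected files: 1",
        ])
        verdicts = parse_scan_report(report, staging)
        # Two things that happen between scan and transfer in practice:
        (staging / "notes.txt").write_bytes(b"edited after the scan\n")
        (staging / "late_arrival.txt").write_bytes(b"copied in after the scan\n")
        result = gate_transfer(staging, manifest, verdicts, dest)
        result["dest_files"] = sorted(p.relative_to(dest).as_posix()
                                      for p in dest.rglob("*") if p.is_file())
        return result
```

Run it from the internal side as a pull, with the isolated file server’s staging share mounted read-only, so the transfer does not depend on any outbound rule from the airlock. If your EDR exports verdicts in a different format, replace parse_scan_report but keep its contract: a file with no explicit clean verdict gets no entry and is therefore rejected.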

Summary

Setting up an airlock is a safe, repeatable way to deal with infected data. And, once it’s set up, your airlock system is ready to be reused time and time again whenever potential malware comes your way. Malware crisis averted.