What do you do when you need to add compromised data to your network? “Airlock” is our solution.
There are many parallels to be drawn between computer viruses like ransomware and biological viruses like COVID-19. For instance, a medical center in Oakland, California, was recently in the news for its failure to separate COVID-19 patients from the general population. A Kaiser Health News investigation summarized the situation this way:
Dozens of nursing homes and hospitals ignored official guidelines to separate COVID-19 patients from those not infected with the coronavirus, in some places fueling its spread and leaving staff unprepared and infected or, in some cases, dead.
Although those of us who live in the world of servers and data centers aren’t facing life-and-death situations like those in hospitals, we do face conceptually similar problems regularly. Recently, for example, Oasis received a hard drive containing about 8 TB of data from a client involved in time-sensitive litigation; the data had to be processed for attorney review ASAP even though it was known to contain malware, malware that had already bypassed our client’s security system and wreaked havoc on their network. This type of project carries a higher level of risk for obvious reasons.
Just as health care providers must check incoming patients at the door to stop the spread of a virus throughout a hospital, IT managers are expected to stop threats at the firewall before they infect the entire network. So, what should you do if you have data that you’re afraid of? What is the best way to disinfect it?
Create an airlock. We’ll run you through what an airlock is and how to create one in order to successfully quarantine and disinfect compromised data; this is the process we went through with the aforementioned 8 TB to cleanse it and put it back in the hands of our client.
Airlock, A Data Quarantine System
Creating an airlock is the key to effectively quarantining your data. To understand “airlock,” you must first understand “air gapped.” The term “air gapped” means there is a physical separation between hardware, and therefore between networks. This type of configuration exists to eliminate access points (entry points vulnerable to being hacked). To put this into our hospital analogy, think of an airlock like an ICU: an entirely separate wing that keeps highly contagious and severely ill patients in one contained area with no through traffic.
The airlock is a special triage area built on air-gapped hardware, used to examine data before it’s added to the main network. With infected data in an airlock’s isolation, you have the advantage of being able to further examine it and disinfect it with zero risk to other data or networks.
How To Build An Airlock:
- Create an isolated subnet on the
- Configure your subnet to disallow all outbound connections.
- Connect an isolated physical server to the isolated subnet.
- The isolated server accommodates
- Create a virtual file server on the isolated subnet.
- The virtual file server is on the internal subnet to receive the sanitized data.
- Configure the servers in the isolated subnet with special administrative accounts.
- Internal administrators are denied access so that personnel never use internally valid accounts in the airlock.
- The airlock groups should be locked down to Senior Administrators only.
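As an added illustration (not part of the original post, and not Oasis’s configuration), here is what the “disallow all outbound connections” rule can look like as an nftables ruleset on the gateway between the airlock subnet and the internal network. The addresses, interface names and the choice of RDP/SSH and SMB ports are assumed example values; the ruleset also assumes the later copy of sanitized data is pulled by the internal file server rather than pushed from the airlock, so that nothing inside the airlock ever initiates a connection.

```nft
#!/usr/sbin/nft -f
# Assumed layout (example values only, not from the original post):
#   airlock subnet        10.99.0.0/24   (isolated VLAN)
#   airlock file server   10.99.0.20
#   internal file server  10.10.0.50
#   admin jump host       10.10.0.5      (logged in with airlock-only accounts)
define airlock_net = 10.99.0.0/24
define airlock_fs  = 10.99.0.20
define internal_fs = 10.10.0.50
define admin_jump  = 10.10.0.5

table inet airlock {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Return traffic for connections that were explicitly allowed below
        ct state established,related accept
        ct state invalid drop

        # Nothing that originates inside the airlock may leave it:
        # no internet, no DNS, no NTP, no updates, no internal hosts.
        ip saddr $airlock_net ct state new counter drop

        # Administrators reach the airlock from the jump host only (SSH / RDP)
        ip saddr $admin_jump ip daddr $airlock_net tcp dport { 22, 3389 } ct state new accept

        # The internal file server pulls sanitized data over SMB once scanning
        # is finished; the airlock side never initiates the copy.
        ip saddr $internal_fs ip daddr $airlock_fs tcp dport 445 ct state new accept

        # Everything else is dropped by policy; log it so the SOC sees attempts
        log prefix "airlock-drop: " counter drop
    }
}
```

Because the chain policy is drop and the airlock-originated rule sits before the accepts, a mistake in a later rule cannot accidentally open an outbound path; the counters on the drop rules give the SOC a cheap signal that something in the airlock is trying to call out.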
Scanning for Malware
- Configure all related servers with next-generation antivirus applications like Carbon Black Response, Carbon Black Defense, and CrowdStrike Falcon.
- These will use AI and machine learning to identify known and unknown threats.
- Engage a third-party SOC (Security Operations Center) to monitor your system 24/7.
- This can significantly reduce the time it takes to identify and contain a threat (we’re talking seconds vs. months).
- Connect data to the physical server.
- Copy data from the physical server to the isolated file server and begin thorough scanning.
- When scanning is complete, copy data from the isolated file server to the internal file server.
- Continually monitor the data from that point forward using your suite of security tools and SOC team (as you would for all client data).
Setting up an airlock is the safest and most secure way to deal with infected data. And, once it’s set up, your airlock system is ready to be reused time and time again whenever potential malware comes your way. Malware crisis averted.