A false sense of (cyber)security: Geo-blocking

I am continually bombarded on LinkedIn and email by cybersecurity companies touting geo-blocking as a magic bullet. You should be using it, but if it is a key part of your cybersecurity, your defenses may be minimal. Geo-blocking is the ability to block connections from certain locations, or to allow connections only from certain locations. "Stop Russian hackers with geo-blocking!" This sounds like a great solution on the surface, but many times we see it being one of the only controls in place. Geo-blocking is a very small part of a comprehensive cybersecurity program. Let me give you an example of why geo-blocking is a very minimal defense.


In the past few months, we've been engaged by a mid-size law firm and a billion-dollar manufacturer to assist with security incidents. In both cases, the attackers came in from a compromised server that resided in the United States. This is commonly referred to as a jump box. Attackers use a jump box to cover their tracks and to bypass simplistic defenses such as geo-blocking. There are tens of thousands of compromised servers available in the US alone, making it a trivial task for an attacker to acquire a usable jump box. You may have seen commercials for personal VPN services; these are often used to access content in other countries. For the low price of $20/month, an attacker can get a VPN that gives them a US-based network address, which a country-only rule will wave through.
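As an added example (not code from the original post), here is a small policy check over constructed connection records showing why a geo-only rule lets a US-based jump box or VPN egress straight through, and how treating geo-blocking as one layer among several changes the decision. The IP table, ASN categories, log entries and the failed-login threshold are all constructed assumptions, not real data.

```python
# Added example: a geo-only allow rule versus a layered rule, evaluated over
# constructed sample data. The IP/ASN table stands in for a GeoIP + ASN lookup;
# the addresses are documentation ranges, not real hosts.
IP_INFO = {
    "203.0.113.10": {"country": "RU", "asn_type": "isp"},
    "198.51.100.7": {"country": "US", "asn_type": "hosting"},  # rented server / jump box
    "192.0.2.44":   {"country": "US", "asn_type": "vpn"},      # commercial VPN egress
    "192.0.2.9":    {"country": "US", "asn_type": "isp"},      # ordinary home ISP
}

ALLOWED_COUNTRIES = {"US"}
MAX_FAILED_LOGINS = 5  # assumed threshold for treating a source as brute-forcing

# Constructed auth log entries: (source_ip, outcome)
AUTH_LOG = [
    ("203.0.113.10", "fail"),
    ("198.51.100.7", "fail"), ("198.51.100.7", "fail"), ("198.51.100.7", "fail"),
    ("198.51.100.7", "fail"), ("198.51.100.7", "fail"), ("198.51.100.7", "fail"),
    ("198.51.100.7", "success"),
    ("192.0.2.44", "success"),
    ("192.0.2.9", "success"), ("192.0.2.9", "fail"),
]

def geo_only_decision(ip):
    """Geo-blocking as the cornerstone: country is the only signal consulted."""
    return "allow" if IP_INFO[ip]["country"] in ALLOWED_COUNTRIES else "block"

def layered_decision(ip, log=AUTH_LOG):
    """Geo-blocking kept as one layer, combined with source type and behaviour."""
    if geo_only_decision(ip) == "block":
        return "block"
    info = IP_INFO[ip]
    failures = sum(1 for src, outcome in log if src == ip and outcome == "fail")
    # A US address at a hosting provider or VPN egress that also shows
    # brute-force-like behaviour is the jump-box case described in the post.
    if info["asn_type"] in {"hosting", "vpn"} and failures >= MAX_FAILED_LOGINS:
        return "block"
    if info["asn_type"] in {"hosting", "vpn"}:
        return "review"  # still allowed, but routed to MFA / analyst review
    return "allow"

def compare_policies():
    """Return {ip: (geo_only_decision, layered_decision)} for every known source."""
    return {ip: (geo_only_decision(ip), layered_decision(ip)) for ip in IP_INFO}
```

The jump box in the sample passes the geo-only rule as cleanly as a home user does; only the ASN type and the failed-login pattern separate them.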

In conclusion, you should still be using geo-blocking. However, a sign of an immature cybersecurity program is when geo-blocking is a cornerstone of protection.