Your Network Is Less Secure Than the Internet!
I frequently have conversations with clients who struggle to understand the need for security controls on internal infrastructure, or why the mandates of certain regulations are important. I get blank looks, and often phrases like “but it’s behind our firewall” or “that’s not reachable from the Internet”.
There is a pervasive, and fallacious, belief that the Internet is some sort of wild, Middle Ages-style kingdom full of marauding Huns and Visigoths, but that once we are behind the fortress walls (the firewall) all is peace and safety. Nothing could be further from the truth. In fact, as I often tell clients, your corporate network is less secure than the Internet.
To understand what I’m talking about it’s important to stop thinking in terms of the castle walls and the barbarians outside (although perhaps it’s not such a bad analogy, in that as many castles fell from treachery and internal attacks as from direct assault). It’s important to stop assuming that anyone connected to our internal network, e.g. our employees and possibly vendors, is trustworthy. Recent studies have shown that a high percentage of IT workers (effectively the holders of the crown jewels in many companies) regularly access data inappropriately, that all types of staff members regularly steal data when they move on to another job, and the news is full of stories of DMV, bank, or hospital workers selling personal information.
Frankly, there isn’t a company in existence that doesn’t have at least one disgruntled employee. A rogue in the user community is bad enough, but when that employee is a system or database administrator it can be fatal. Even if you are that one company where everybody is happy, studies have shown humans are incredibly creative in circumventing security controls they feel are onerous, and that might open the door to real attacks. Then there are browser-based attacks, some of which can provide an external attacker full command and control access to workstations on your internal network. I will leave the issues of VPN and partner/vendor connections to another discussion, but these things can significantly blur the distinction between what is inside your castle walls and what is not. The upshot is that even the devices plugged into your own network must be considered potentially suspect.
Due to the way the Internet is constructed, how traffic is routed, and the vast amount of data flowing, it is practically impossible to just “jack in” midstream somewhere in Internet-land and capture a specific communication, or even communication to or from a particular host or network. Even if the malicious Visigoth is an employee of an ISP or backbone carrier, this task would be monumental. Not so on your typical corporate network. Hubbed networks, which send all traffic to all ports, are obviously bad, although most of these have been replaced. However, most corporate networks have at most two security levels (DMZ and Internal) and a few VLANs on a shared switched fabric. There are plenty of attacks against switches, ranging from the crude (simply turning switches into hubs) to more sophisticated attacks that can pinpoint specific hosts and even connections and use moderately sophisticated (but still point-and-click) tools to intercept, monitor, or even insert commands and data into the communication. These tools and techniques make every RJ45 in the office a potential place to sniff or modify data. Even SSL may not be safe.
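Interception on a switched LAN almost always has to announce itself in the address-resolution traffic, because the attacking port must claim an IP address that legitimately belongs to another port. The following monitor is an added example, not code from the original post: it consumes a stream of ARP observations (the record layout, switch port names, addresses and MACs are all constructed for the example), learns the first MAC seen for each IP, and raises an alert whenever a later observation contradicts that binding. The `known_bindings` argument is an assumed convenience that lets an operator pre-register trusted pairs such as the default gateway.

```python
"""Detect IP-to-MAC binding conflicts in a stream of ARP observations.

Added example, not from the original post. Defender-side monitor: remembers
the first MAC seen for each IP (or a pre-registered trusted MAC) and flags any
later observation that claims a different MAC for the same IP, which is the
footprint a switched-network interception leaves in ARP traffic.
"""
from collections import namedtuple

# Constructed observation layout: (timestamp, switch port, sender IP, sender MAC)
ArpObs = namedtuple("ArpObs", "ts port ip mac")

# Constructed sample: the gateway 10.0.1.1 lives on port Gi1/0/1; partway
# through, a host on port Gi1/0/17 starts answering for the gateway's IP and
# for another host's IP as well.
SAMPLE_OBS = [
    ArpObs("09:00:01", "Gi1/0/1", "10.0.1.1", "aa:bb:cc:00:00:01"),
    ArpObs("09:00:02", "Gi1/0/5", "10.0.1.23", "aa:bb:cc:00:00:23"),
    ArpObs("09:00:03", "Gi1/0/1", "10.0.1.1", "aa:bb:cc:00:00:01"),
    ArpObs("09:00:04", "Gi1/0/17", "10.0.1.1", "de:ad:be:ef:00:17"),
    ArpObs("09:00:05", "Gi1/0/17", "10.0.1.23", "de:ad:be:ef:00:17"),
    ArpObs("09:00:06", "Gi1/0/1", "10.0.1.1", "aa:bb:cc:00:00:01"),
]


def detect_arp_conflicts(observations, known_bindings=None):
    """Return one alert dict per observation that contradicts the IP-to-MAC
    binding first seen (or pre-registered in known_bindings).

    known_bindings (assumed operator-supplied, {ip: mac}) seeds trusted pairs
    such as the default gateway, so a spoof that happens to be observed first
    is still flagged instead of being learned as the truth.
    """
    bindings = dict(known_bindings or {})
    alerts = []
    for obs in observations:
        expected = bindings.get(obs.ip)
        if expected is None:
            bindings[obs.ip] = obs.mac  # learn on first sight
        elif expected != obs.mac:
            alerts.append({
                "ts": obs.ts,
                "ip": obs.ip,
                "expected_mac": expected,
                "seen_mac": obs.mac,
                "port": obs.port,
            })
    return alerts


def suspicious_ports(alerts):
    """Rank switch ports by how many distinct IPs they claimed in alerts.
    A single port answering for several addresses it does not own is the
    pattern worth walking to the patch panel for."""
    per_port = {}
    for alert in alerts:
        per_port.setdefault(alert["port"], set()).add(alert["ip"])
    return sorted(((port, len(ips)) for port, ips in per_port.items()),
                  key=lambda item: -item[1])


if __name__ == "__main__":
    found = detect_arp_conflicts(SAMPLE_OBS)
    for alert in found:
        print(f"{alert['ts']} {alert['ip']} expected {alert['expected_mac']} "
              f"but saw {alert['seen_mac']} on {alert['port']}")
    print("ports to investigate:", suspicious_ports(found))
```

On a real network the observations would come from a span port, a switch's DHCP-snooping or ARP-inspection logs, or an arpwatch-style daemon; the learn-on-first-sight rule is deliberately simple, so the `known_bindings` seed is what keeps it honest for the addresses that matter most.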
Now consider detection of malicious activity and response to it. Most ISPs, and certainly all the major ones, have monitoring in place for large scale malicious traffic. Anomalous traffic is watched carefully, and information is regularly exchanged with other carriers to enable threat updating and management of the bad guys. Wide scale malicious traffic can be blocked, slowed, rerouted or otherwise dealt with based on pre-established protocol and leveraging pre-established relationships with law enforcement, other ISPs, and the security community. These organizations have well developed and tested incident response plans, team members have been trained, and tools are provided.
Many businesses, however, do very little effective monitoring of anomalous traffic on the network. At best there is a poorly placed and implemented umbrella IDS sensor. Following the “barbarian at the gate” mentality, this is typically located at the Internet or DMZ boundary, where it wouldn’t catch any internal issues anyway, and configured so that it becomes ineffective, a noise generator, and is eventually ignored. While many excellent sources of monitoring data exist in the infrastructure, including logs from switches, routers, servers, and applications, they generally aren’t collected centrally or analyzed except possibly for performance and troubleshooting purposes. In many cases they never leave the device that generated them, placing them directly at risk of modification by any attacker. Without detection, incident response becomes almost moot. But many businesses have no Incident Response Plan, or what they have is boilerplate, untested, and out of date. Teams have not been established, or are poorly trained and have no dedicated tools. What I find fascinating is that many of these organizations have solid, well tested and documented disaster recovery plans. When I ask my clients to pull out their DR plan and lay it alongside their Incident Response plan the differences are clear. When was the last time a DR test went perfectly after a major system or network change? So why would you expect an untested Incident Response plan to be effective without testing and training?
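Two of the failures above have a direct technical remedy: logs that stay on the originating device can be altered silently, and logs that are never correlated across devices hide patterns that no single device would flag. The code below is an added example (not from the original post, and not any vendor's tooling) showing both at once. The source hash-chains each line before forwarding, so the collector can prove nothing was altered or removed; the collector then runs a cross-device rule over the verified lines. The device names, message keywords and sample log lines are constructed for the example.

```python
"""Tamper-evident log forwarding plus a cross-device detection rule.

Added example, not from the original post. Each device chains its lines with
SHA-256 before forwarding; the collector re-derives the chain to detect
edits or deletions, then correlates verified lines from several devices.
Device names, message keywords and log lines are constructed.
"""
import hashlib
import re
from collections import Counter

GENESIS = "0" * 64  # fixed starting value, so the very first link is checkable


def _link(prev_hash, line):
    return hashlib.sha256((prev_hash + "\n" + line).encode()).hexdigest()


def chain_lines(lines, prev_hash=GENESIS):
    """Device side: return [(line, link_hash)], each link committing to the
    line and to the previous link. Forward these pairs, not bare lines."""
    out = []
    for line in lines:
        prev_hash = _link(prev_hash, line)
        out.append((line, prev_hash))
    return out


def verify_chain(records, prev_hash=GENESIS, expected_head=None):
    """Collector side: recompute the chain. Returns (ok, first_bad_index);
    first_bad_index is None when the chain verifies.

    expected_head is the last link the collector previously received from this
    device; supplying it turns silent truncation of the tail into a failure.
    """
    for index, (line, link) in enumerate(records):
        if _link(prev_hash, line) != link:
            return False, index
        prev_hash = link
    if expected_head is not None and prev_hash != expected_head:
        return False, len(records)
    return True, None


# Constructed sample: two switches each see a couple of failed logins from the
# same source. Neither device alone would trip a threshold of three.
SW1_LOG = [
    "Mar 3 09:00:01 sw-core1 LOGIN_FAILED user=admin src=10.0.1.23 via=ssh",
    "Mar 3 09:00:03 sw-core1 LOGIN_FAILED user=admin src=10.0.1.23 via=ssh",
    "Mar 3 09:00:09 sw-core1 LOGIN_OK user=netops src=10.0.1.5 via=ssh",
]
SW2_LOG = [
    "Mar 3 09:00:02 sw-edge7 LOGIN_FAILED user=admin src=10.0.1.23 via=ssh",
    "Mar 3 09:00:04 sw-edge7 LOGIN_FAILED user=root src=10.0.1.23 via=ssh",
    "Mar 3 09:00:08 sw-edge7 CONFIG_CHANGED user=netops src=10.0.1.5",
]

_FAILED = re.compile(r"\bLOGIN_FAILED\b.*?\bsrc=(\S+)")


def failed_logins_by_source(lines):
    """Count failed logins per source address over lines from any device."""
    counts = Counter()
    for line in lines:
        match = _FAILED.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts


def sources_over_threshold(lines, threshold):
    """Sources whose failed-login count across all devices meets threshold,
    highest first. This is the correlation a per-device view cannot do."""
    counts = failed_logins_by_source(lines)
    return sorted(((src, n) for src, n in counts.items() if n >= threshold),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    sw1, sw2 = chain_lines(SW1_LOG), chain_lines(SW2_LOG)
    ok1, _ = verify_chain(sw1)
    ok2, _ = verify_chain(sw2)
    if ok1 and ok2:
        merged = [line for line, _ in sw1] + [line for line, _ in sw2]
        print("cross-device alerts:", sources_over_threshold(merged, 3))
    # An edit on the device after the fact breaks the chain at that index.
    tampered = list(sw1)
    tampered[1] = (tampered[1][0].replace("LOGIN_FAILED", "LOGIN_OK"), tampered[1][1])
    print("tampered copy verifies:", verify_chain(tampered))
```

The chain only proves integrity relative to whatever the collector has already seen, which is why the collector keeps the last link per device and passes it as `expected_head`; it does not replace forwarding promptly, since a device that is compromised before it forwards can chain whatever it likes. The detection rule is deliberately plain: the point is that it needs all devices' lines in one place before the pattern is visible at all.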
So next time you hear about the big bad Internet and the swarming masses of attackers, start considering how many of them are on your corporate network.