I’ve often heard folks downplay the importance of securing their internal network, indicating that the real threat is from the outside, from external attackers, so why expend the effort?
When we think of threats we often recall the many stories of internet attackers who gain access through internet-facing systems and wreak havoc by stealing information from an externally-facing account, defacing websites, or causing denial of service. While these are serious threats I think we need to look deeper into the risk aspect of the problem and examine more critical potential for harm to the organization.
Internal systems in a network are by their nature easily accessible to employees to make it easy to conduct daily work and efficiency. Employees are for the most part trusted on the internal side and given free reign within that domain. While some level of trust is required to allow work to be completed, I believe that too much free reign creates unnecessary and unacceptable risk.
An internal attacker given too much free rein on a network can cause serious damage to an organization. Just take a look at the recent case with the city of San Francisco where a rogue system administrator brought the city network to its knees. We all know this threat is real, while somewhat rare, is a possibility and we need to provide some level of protection against it by implementing security measures on the internal side. This is the scenario I believe most people point to for justifying internal network security, but the relative rarity decreases our concern for action.
Despite the threat from a rogue insider, I would like to highlight an even more likely scenario that I believe makes a greater case for internal network security. This scenario involves an external attacker who gains credentials or permissions on the internal network. Many factors have significantly increased this threat in the past several years. The rampant use of remote access from outside the organization (VNC, VPN) and mobile devices opens up a huge array of avenues for these types of attacks. The sophistication of client-side attack tools, weak authentication credentials, social engineering, combined with the dizzying pace of keeping up with vulnerability patches makes our network defenses only a hack away from an internal breach. Once inside the network an attacker may have all the free rein your trusted employees do. If you weren’t attentive to internal security you could be in for serious trouble.
I assert that we should all make the assumption that the attack from the inside WILL happen at some point and you must make preparations for that eventuality. To do that I think you should consider a few broad recommendations: 1. Identify the sensitive information on your network and where it resides. 2. Determine who needs have access to that information to do their job. 3. Compartment the information and restrict access to only those who need to know that information. 4. Consider strategic implementations like anonymizing so that sensitive data is not presented where not necessary. 5. Implement strong and redundant access controls particularly for credentials that have wide-ranging access such as sysadmin accounts. 6. Don’t relax your high standards for access control and auditing on the internal network, don’t assume they are there only to guard against your trusted employees. 7. Independently test your system regularly to keep yourself honest in assessing your risk.
In summary, I suggest folks think differently about their internal networks, not as a completely secured safe zone where we can relax our defenses. Consider establishing point defenses around each sensitive system, not only protecting from the outside, but from within as well. Your inside attacker will likely be an outsider. Assume it WILL happen and you need to be prepared to minimize the damage when it does.