Why internal security really matters
I have been a part of numerous conversations that have led me to believe that there is a common misperception regarding network security. This false notion is that perimeter security alone is enough to protect a network. Organizations are quick to configure a firewall at the edge of their network, a Demilitarized Zone (DMZ) for certain public servers, and even an Intrusion Prevention System (IPS) - all of which they religiously patch and update - thinking these measures alone will protect their organization's information and resources from outsiders. Apparently the metaphor of a network as a house with doors, locks, and an alarm system, though antiquated in security circles, has been slow to leave the public mindset.
The reality is that this mindset puts your organization in a dangerous position where your adversaries only need one hole, weakness, or oversight - one vulnerability - before they have access to everything. One step is all they have to take before they have access to the information and resources you are so heavily invested in protecting, and this step doesn't even have to involve writing or running malicious code (remember our previous discussion of social engineering?).
I have scoured the news and put together a little collection - a little song and dance - that I have entitled the "One Step," to help illustrate the danger of focusing on external security while neglecting internal security. Before I teach you this dance, however, I should let you know that it gets a little technical. That's just the nature of vulnerabilities and exploits. I will do my best to minimize the painful reading while still making my point. Let's begin, shall we?
Step one - Earlier this year hackers broke into the web site of motherboard maker ASUS and added a hidden iframe (a structural element used in some sites) that used another site the user never really visited to attempt to infect their machine. This method of using hacked (though not obviously so) web sites of reputable organizations to infect users is becoming much more common.
So this is how this step looks - a user on your network visits a legitimate web site to accomplish her job, a trojan is placed on her machine, and an outsider steps into your internal network.
Step one, again - An exploit released earlier this summer demonstrated how vulnerabilities in installed programs are serious no matter what, even if they are never used and even if there are newer non-vulnerable versions of the program installed. The root of the problem is how programs install handlers in the Windows registry, which allows other programs to call them. This means one of your users surfing the Internet using Internet Explorer could get hacked because of a Firefox vulnerability.
So, once more, let's see how this step looks. Step one, right into your internal network... I guess it's the same.
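If you want to see which handlers are registered on one of your own workstations, here is an inventory script (an added example, not taken from the exploit or from any vendor). It assumes the standard Windows layout, where a scheme's key under HKEY_CLASSES_ROOT carries a value named "URL Protocol" and its command line sits under shell\open\command; the column names are my own.

```powershell
# Added example: list every URL protocol handler another program can invoke,
# together with the executable it launches and that executable's file version.
$root = 'Registry::HKEY_CLASSES_ROOT'

$handlers = Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
    # A key is a URL protocol handler when it has a value named "URL Protocol".
    Where-Object { $_.GetValueNames() -contains 'URL Protocol' } |
    ForEach-Object {
        $scheme  = $_.PSChildName
        $cmdKey  = $_.OpenSubKey('shell\open\command')
        $command = if ($cmdKey) { [string]$cmdKey.GetValue('') } else { '' }

        # Pull the executable out of the command line. An unquoted path that
        # contains spaces is cut at the first space and will show ExeFound = False.
        $exe = $null
        if ($command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        elseif ($command -match '^\s*(\S+)') { $exe = $Matches[1] }
        if ($exe) { $exe = [Environment]::ExpandEnvironmentVariables($exe) }

        $found   = [bool]($exe -and (Test-Path -LiteralPath $exe -PathType Leaf))
        $version = if ($found) { (Get-Item -LiteralPath $exe).VersionInfo.FileVersion } else { $null }

        [pscustomobject]@{
            Scheme      = $scheme
            Executable  = $exe
            FileVersion = $version
            ExeFound    = $found
            Command     = $command
        }
    }

# Group by executable so old or forgotten installs stand out.
$handlers | Sort-Object Executable, Scheme | Format-Table -AutoSize -Wrap
```

Any row whose executable belongs to a program nobody uses anymore, or whose file version is behind your patch baseline, is a candidate for uninstalling or updating.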
Step one... do I really need to go on? These are just two of the many examples I could have used to show you what you may already know. People can get into your network. Hackers, criminals - whatever you want to call them - they're motivated by money and they're good at what they do.
Force them to learn a dance more difficult than the "One Step." Layer your defenses and give your internal network the attention it deserves.
Good luck and go to work!