Posted by Jim Hartnett on April 28, 2016
Large enterprises in the past relied on perimeter security to ensure their services were protected from the outside world. This idea of a trusted firewall has eroded over the years, and is considered an outdated approach to security. However, it is incorrect to assume that a firewall is useless despite the fact that the definition of the “perimeter” has changed.
Looking back on older networks, there were fewer systems in fewer places. Currently, the average office has a mixture of networked devices ranging from laptops to printers, and even refrigerators. Each of these devices has connectivity, and each is a point of entry. When a user logs into a corporation’s network from their home, that is a clear perimeter action. But what if that user goes to the office and plugs in? Do you consider that a perimeter action?
What would they be able to access?
On SMB networks, likely everything; on most enterprise networks, still far more than they should. Even some of the largest network players in the world still have this very 90s approach to security. There’s too much reliance on firewalls and perimeter boundaries. With the recent Juniper, Fortinet, and Cisco vulnerabilities, we have seen this notion shatter.
Now, we have to adapt as architects.
The new game is defense in depth. Trust no one on your internal network and always challenge them. Use separate internal networks for Internet of Things (IoT) devices, as not only can they talk, but they can listen. Exploits have been developed for many smart devices, and the manufacturers can always push new code with unknown intentions. The digital age brought many unexpected occurrences. The “Lp0 on fire” error has become more than just a joke. It turns out that it’s an actual threat and something that can be willfully triggered. Factories have shut down and enterprise security has crumbled because of reliance on perimeter defense.
Adding internal security is very beneficial, and the cost has dropped dramatically in recent years. Even basic small-office routers can support VLANs, and when the tools are available it is reckless to ignore that they exist. Small businesses without a dedicated IT team may be unaware of this. However, when a large enterprise chooses to leave critical services unencrypted or lacking authentication because they are “internal,” it has ignored the reality that attacks no longer only try to go through the firewall directly.
Ransomware has become a big issue recently, in part because many organizations have a flat network. Once it is loose, the organization cannot stop it from encrypting shares unless they add extra access controls. Currently, many organizations do not put those controls in place because they believe that by virtue of being “internal” they are safe. This assumption is broken, and it is up to organizations to change it. The longer an organization is allowed to expand while relying on its perimeter, the more deeply that reliance becomes ingrained in its architecture and culture.
Organizations such as Synopsys enable businesses to test not only the services the world interacts with daily, but also the back-end systems that lie beyond the firewall. Internal network testing provides a valuable understanding of the threats organizations face from the inside, and how well they are mitigated once the perimeter fails.
The holistic approach of a red team goes even further, demonstrating a tangible goal achieved using approaches that exist in real-world attack scenarios. More knowledge for the organization enables better business decisions; better business decisions lead to successful growth and development of a mature secure development life cycle.