Security's Everyman


Tuesday, September 11, 2007

Security boundaries

A constant struggle many of us face is getting users to understand that security does not stop at the firewall. That mindset is so ingrained in users that they just can't grasp why something that is not directly exposed to the internet still needs to be worried about. Then, when we finally convince them that we still need to worry about the security of internal systems, they tell us that their systems aren't vulnerable because users can't get to them without going through 2 or 3 different authentications or levels of security. What they fail to realize is that even though we have defense in depth, we still have to protect everything.

This came up this week during a change control meeting. At the last few meetings there have been lots of requests for new reports that have to be created and put out for the users to access. I asked them whether these reports were viewed via a locally installed app or a web browser. That's when they started on about how it didn't matter because the database can't be directly accessed. They just couldn't grasp the concept that if the web server being used as the front end was compromised, it was just a matter of time until the back end was compromised too. Even though I explained it 6 ways to Sunday, they had a mental block that kept them from grasping it.

That got me to thinking about how important internal controls are to an organization. Even if you don't have malicious users who will hack you from the inside, you still have users who don't understand the dangers and may get you through ignorance. If we don't have sufficient internal controls in place to prevent "accidents", then we might as well take down our firewalls. Security needs to be implemented at every level and not just at the "high" points. In a perfect world we would all have the money and support to protect everything with the best technology possible. We don't live in a perfect world, so we have to be pragmatic about how we decide where to spend our money and energies. We have to focus our resources on what is important and not just what is sexy, cool, or the hot topic of the day.

Sure we need to protect our perimeter. We need to have firewalls, IDS, IPS, DMZ, etc... but we can't let our focus be lost there. We can't limit our internal controls to AV and OS patches. We have to take a good hard look at what we are doing inside our perimeter and how we are ensuring that the good guys don't hurt us unintentionally and that the bad guys have a harder time getting to the company jewels if they get in.

Scanning, monitoring, ACLs, VLANs, HIDS, etc... All of these are key to an overall security program that will help keep your data, systems and users safe. Knowing what is going on in your network will help you to know how to best protect your assets. Ensuring that new systems and technologies (hardware or software) are secure prior to being introduced on the network will go a long way toward preventing accidents.

We often focus on scanning the perimeter to ensure that attackers can't get in, but we neglect to scan the interior to ensure that the same vulnerabilities aren't present on the inside. An XSS or SQL injection vulnerability that can cause problems on the outside is just as much a problem on an internal application. Just because we have multiple layers of defense doesn't mean that we can ignore some areas because we feel that the rest is secure enough. Once someone gets a foothold in the ignored area, it's just a matter of time until they are able to move to the next.
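To make the internal SQL injection point concrete, here is an added example (not code from the original post) of the kind of "report lookup" query an internal web front end might run against a back-end database. The table, rows, group names and the function names are all constructed for this illustration; the point is that the string-built query and the parameterized query behave identically for normal input and differently for hostile input, whether the front end faces the internet or only the LAN.

```python
import re
import sqlite3

# Constructed sample data: an internal "reports" table sitting behind a web front end.
SAMPLE_ROWS = [
    ("sales-q1", "finance", "Q1 sales summary"),
    ("sales-q2", "finance", "Q2 sales summary"),
    ("payroll", "hr", "Payroll run"),
]

# Hypothetical allow-list for the group-name parameter (defense in depth, not a substitute
# for parameterized queries).
GROUP_NAME_RE = re.compile(r"^[a-z0-9_-]{1,32}$")


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reports (name TEXT, owner_group TEXT, title TEXT)")
    conn.executemany("INSERT INTO reports VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_reports_vulnerable(conn, group):
    """Vulnerable form: the user-supplied group name is spliced into the SQL text."""
    sql = "SELECT name, title FROM reports WHERE owner_group = '%s'" % group
    return conn.execute(sql).fetchall()


def find_reports_hardened(conn, group):
    """Hardened form: allow-list the input, then bind it as a parameter.

    The driver passes the value separately from the statement, so it can never
    be interpreted as SQL no matter what characters it contains.
    """
    if not GROUP_NAME_RE.match(group):
        return []
    sql = "SELECT name, title FROM reports WHERE owner_group = ?"
    return conn.execute(sql, (group,)).fetchall()


def demo():
    """Run both forms against a normal value and a classic injection string."""
    conn = make_db()
    normal = "hr"
    injected = "x' OR '1'='1"
    return {
        "vulnerable_normal": find_reports_vulnerable(conn, normal),
        "vulnerable_injected": find_reports_vulnerable(conn, injected),
        "hardened_normal": find_reports_hardened(conn, normal),
        "hardened_injected": find_reports_hardened(conn, injected),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The vulnerable query returns every report in the table for the injected value, while the hardened query returns nothing for it and the same single row as before for the legitimate value. The allow-list check is there so that a rejected value never even reaches the database; the parameter binding is what actually closes the injection hole.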

Remember, security is a 360 degree process. It doesn't focus on just one area or even just a few. It looks at the whole environment and starts at the key areas and grows out and in from there. It encompasses technology, policy, process, procedures, education and maintenance. Don't forget maintenance. Without that even the most secure environment will eventually fall prey to decay and advancement in hacker skills and newer technologies.

1 comment:

kurt wismer said...

one of the things i like to tell people is that although a firewall provides a boundary, no boundary is impenetrable, and a boundary is not going to do anything about agents already on the inside (ie. insiders)...

the implication of this is that the idea that the internal network can be treated as a 'trusted' network isn't entirely true (at least not in the naive sense)...

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.