New hazards appear on the internet every day, as the software and systems we rely on continue to acquire vulnerabilities at an alarming rate. At the same time, businesses crave the functionality and features found in the latest bleeding-edge technology.
It is often said that most attacks originate from within a network. It is true that many of the successful and serious attacks come from inside, but the vast majority of general attacks now come from outside the organisation. One area that is frequently overlooked is the potential for attacks to arrive via trusted partners and third parties; these, along with insider attacks, are certainly the most destructive. In today's era of the virtual private network (VPN), where a few e-mails and 30 minutes of configuration are all it takes to get two businesses exchanging information, such connections are inherently less secure than they used to be.
Security in the VPN
Traditionally, businesses connected to one another via expensive leased lines. This took time and effort to implement, but was usually done securely, sometimes with additional firewalls to control access. More often, a dedicated physical connection terminating very near the end system was thought to be sufficient because, of course, we trusted the other business. VPN encryption is obviously required to prevent eavesdropping on, and manipulation of, the data as it travels over the public internet. However, these VPNs usually terminate on firewalls that are either performing multiple roles or are physically located in the wrong part of the network.
More effort is required to recognise the role of each such VPN (and leased line) and to ensure it is firewalled appropriately - away from the important parts of your network. It is also important to keep third parties separate from one another, so that a compromise at one partner cannot be used as a route into another or into you. Allowing employees from another company to wander freely around your offices for months without being challenged would seem ludicrous, but if VPNs are established without equivalent restrictions we have exactly the same situation.
It is also essential to look at the end hosts the third-party user can reach. They may, for example, be restricted to a single one of your servers, but if from there they can access the entire network then we have achieved nothing. Accountability is crucial: if all the users share the same user ID and password there is no way to determine who is doing what, and any malicious user will instantly take advantage of that.
Finally, monitoring traffic and checking for security threats should be undertaken just as prudently (if not more so) on these VPN systems. Do not simply rely on the third party having its own logs. When reviewing logs and configuring automated alerts, make sure attacks over these links are ranked highly enough. Everyone will notice malicious software hitting the perimeter firewalls from the internet, but the higher risk comes from the unnoticed attacks, often from third parties or from within the business, which easily remain undetected until it is too late.
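The three points above (per-partner allow-lists with partners kept apart, per-user accountability, and alert ranking that puts third-party anomalies above everyday perimeter noise) can be turned into a simple log check. The script below is an added example and is not code from the original article or from Computer Weekly; the partner names, tunnel subnets, internal hosts, usernames and the key=value log format are all assumptions chosen for illustration.

```python
"""Added example (not from the original article): applies the third-party VPN
checks described above to constructed firewall and VPN-gateway log lines.
Partner names, subnets, hostnames and the log format are assumptions."""
import ipaddress
from collections import defaultdict

# Assumed per-partner policy: the tunnel subnet and the only internal
# (destination, port) pairs that tunnel was set up to reach.
PARTNER_POLICY = {
    "partner-a": {"tunnel": "10.200.1.0/24", "allowed": {("192.168.50.10", 443)}},
    "partner-b": {"tunnel": "10.200.2.0/24", "allowed": {("192.168.50.20", 22)}},
}
INTERNAL = ipaddress.ip_network("192.168.0.0/16")
SCAN_THRESHOLD = 3  # distinct internal hosts one tunnel source must touch to be called a scan


def partner_for(ip):
    """Name of the partner whose tunnel subnet contains ip, or None (internet / internal)."""
    addr = ipaddress.ip_address(ip)
    for name, pol in PARTNER_POLICY.items():
        if addr in ipaddress.ip_network(pol["tunnel"]):
            return name
    return None


def parse(line):
    """Parse the constructed key=value log format, e.g.
    'FW action=DENY src=203.0.113.9 dst=198.51.100.1 dport=445'."""
    kind, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["kind"] = kind
    return rec


def check_firewall(lines):
    """Return (severity, message) alerts, ranked so that a partner tunnel
    misbehaving outranks the everyday noise of internet drops at the perimeter."""
    alerts = []
    touched = defaultdict(set)  # tunnel source -> distinct internal destinations seen
    for line in lines:
        rec = parse(line)
        if rec["kind"] != "FW":
            continue
        src, dst, port = rec["src"], rec["dst"], int(rec["dport"])
        p_src, p_dst = partner_for(src), partner_for(dst)
        if p_src is None:
            if rec["action"] == "DENY":  # expected background noise: rank low
                alerts.append(("low", f"perimeter drop from internet {src}->{dst}:{port}"))
            continue
        # From here on the traffic originates inside a partner tunnel.
        if p_dst is not None and p_dst != p_src:  # partners must be kept apart
            alerts.append(("high", f"{p_src} reached {p_dst} tunnel: {src}->{dst}:{port}"))
            continue
        if ipaddress.ip_address(dst) in INTERNAL:
            touched[src].add(dst)
            if (dst, port) not in PARTNER_POLICY[p_src]["allowed"]:
                # Denied or not, a partner probing beyond its allow-list is the signal we want.
                alerts.append(("high", f"{p_src} outside allow-list: {src}->{dst}:{port} ({rec['action']})"))
    for src, dsts in touched.items():
        if len(dsts) >= SCAN_THRESHOLD:  # pivot attempt from the one host they were given
            alerts.append(("critical", f"{partner_for(src)} source {src} touched {len(dsts)} internal hosts"))
    return alerts


def check_logins(lines):
    """Flag VPN usernames seen from more than one source address: a shared
    account, which removes the accountability the article insists on."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec["kind"] == "VPN" and rec.get("event") == "login":
            seen[rec["user"]].add(rec["src"])
    return [("high", f"shared credential? user {u} seen from {len(s)} addresses: {sorted(s)}")
            for u, s in seen.items() if len(s) > 1]


SAMPLE = [  # constructed sample log lines, not real traffic
    "FW action=DENY src=203.0.113.9 dst=198.51.100.1 dport=445",
    "FW action=ALLOW src=10.200.1.5 dst=192.168.50.10 dport=443",
    "FW action=ALLOW src=10.200.1.5 dst=192.168.10.7 dport=445",
    "FW action=DENY src=10.200.1.5 dst=192.168.10.8 dport=445",
    "FW action=DENY src=10.200.1.5 dst=192.168.10.9 dport=445",
    "FW action=ALLOW src=10.200.2.4 dst=10.200.1.5 dport=22",
    "VPN event=login user=vendor-a src=198.51.100.20",
    "VPN event=login user=vendor-a src=203.0.113.44",
    "VPN event=login user=vendor-b src=192.0.2.8",
]

if __name__ == "__main__":
    rank = ["critical", "high", "low"]
    for sev, msg in sorted(check_firewall(SAMPLE) + check_logins(SAMPLE), key=lambda a: rank.index(a[0])):
        print(f"[{sev:8}] {msg}")
```

On the sample data the single internet-side drop is the only "low" alert; partner-a's three probes beyond its allow-list and partner-b reaching into partner-a's tunnel are "high", the four distinct internal hosts touched by one partner-a address are escalated to "critical", and the vendor-a account appearing from two addresses is flagged as a shared credential. In practice the allow-list would be generated from the same change record that authorised the VPN, so that the firewall policy and the alerting policy cannot drift apart.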
Most readers will not have dealt with many attempted or successful security breaches, but studies such as the annual Verizon Data Breach Investigations Report show clearly how common and how damaging such attacks are.
Chris Samuel CISSP is an IT security expert with 15 years' experience of protecting businesses. Recently, he has worked as an architect for a large bank and brokerage.
Security Zone is a regular series in Computer Weekly covering all aspects of IT security management. Each article is written by a member of the International Information Systems Security Certification Consortium (ISC)².