Internal threats and the interest of multi-perimeter assessment
More and more companies are equipped with perimeter protections that form the main line of defense against attackers.
These defenses combine dedicated hardware (firewalls, web application firewalls, IPS probes, etc.), sound architecture practices such as network segregation (dedicated VLANs, DMZs, air gaps, etc.), and intelligent monitoring through a SIEM and a SOC.
These protections are deployed primarily to detect and block attackers from outside the company. We speak of “external” attackers because this is the scenario generally considered the most common.
This first layer, usually effective, blocks a large number of opportunistic attacks. As external exploitation becomes harder, attackers spend less effort on the outer perimeter and turn to other channels to infiltrate the company. We therefore see a rise in attacks that rely on social engineering and on physical access to internal resources.
Suboptimal use of security resources on the internal perimeter
Despite significant investment in perimeter protections, we often find that internal users are not subject to the same security rules as external users when accessing externally exposed applications. For example, from the internal network these applications are reached without going through the Web Application Firewall or the web gateway.
Yet a common architecture for internal and external access has several benefits:
- Improved efficiency of the development cycle (e.g. internal users encounter problems caused by the WAF before external users report them)
- Protection against malicious internal users
- Protection of internal users against attacks from the outside.
This last point is critical because an attacker will primarily try to trigger a vulnerability in the context of a privileged user. A vulnerability that cannot be triggered from the outside because of the WAF can thus lie dormant until it is triggered in a more favorable context, likely causing greater damage.
In addition, limited segregation of the internal network increases the risk that a vulnerability is exploited.
Failure to protect IT resources
The absence of protections on workstations (antivirus, local firewall, etc.) or on laptops (disk encryption, restriction of USB ports, etc.) is sometimes an identified and accepted risk. However, even when these protections are in place, they can turn out to be ineffective (poorly configured or limited products). The risk assessment is then skewed by a false sense of security. Here again, only an internal audit can reveal the real effectiveness of the protections deployed.
Employees seek to circumvent the protections
Protections in place, seen as constraints by users, are circumvented (through VPN or SSH tunnels, for example) and are sometimes difficult to detect. Users may attempt to reach restricted sites or to exfiltrate information. These users expose the company to risks that can only be identified by internal penetration tests, which exercise the actions a malicious person could take to circumvent the protections in place.
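The tunnels mentioned above usually leave a trace on the outbound web proxy even when they succeed. As an added example that is not part of the original article, the following Python script applies a few simple heuristics to constructed Squid-style access-log lines and flags sessions that look like VPN or SSH tunnels rather than ordinary browsing: CONNECT requests to ports other than 443, CONNECT requests to a bare IP address rather than a hostname, very long-lived sessions, and sessions carrying an unusually large volume of data. The log layout, the sample lines, the thresholds and the function names are all assumptions made for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the Squid native access.log layout (assumption for this example):
# timestamp elapsed_ms client code/status bytes method url user hierarchy/peer type
SAMPLE_LOG = """\
1700000001.123    210 10.1.2.10 TCP_TUNNEL/200 8421 CONNECT mail.example.com:443 jdoe HIER_DIRECT/203.0.113.5 -
1700000002.456 7200000 10.1.2.11 TCP_TUNNEL/200 524288000 CONNECT 198.51.100.7:443 asmith HIER_DIRECT/198.51.100.7 -
1700000003.789    150 10.1.2.12 TCP_TUNNEL/200 3011 CONNECT vpn.example.net:22 bjones HIER_DIRECT/198.51.100.8 -
1700000004.012     95 10.1.2.10 TCP_MISS/200 1412 GET http://intranet.example.com/index.html jdoe HIER_DIRECT/10.0.0.5 text/html
1700000005.345    300 10.1.2.13 TCP_TUNNEL/200 90211 CONNECT 203.0.113.9:1194 cwhite HIER_DIRECT/203.0.113.9 -
"""

# Matches a dotted-quad IPv4 literal used as the CONNECT target.
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass
class Finding:
    client: str
    user: str
    destination: str
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[dict]:
    """Split one native-format line into the fields the heuristics need."""
    fields = line.split()
    if len(fields) != 10:
        return None  # skip malformed or truncated lines
    _ts, elapsed, client, _status, nbytes, method, url, user, _hier, _ctype = fields
    return {
        "elapsed_ms": int(elapsed),
        "client": client,
        "bytes": int(nbytes),
        "method": method,
        "url": url,
        "user": user,
    }


def classify(rec: dict,
             long_ms: int = 3_600_000,            # one hour (assumed threshold)
             big_bytes: int = 100 * 1024 * 1024,  # 100 MiB (assumed threshold)
             allowed_ports=(443,)) -> List[str]:
    """Return the list of heuristics a record trips; empty means it looks benign."""
    reasons: List[str] = []
    if rec["method"] == "CONNECT":
        host, _, port_str = rec["url"].rpartition(":")
        port = int(port_str) if port_str.isdigit() else None
        if port not in allowed_ports:
            reasons.append(f"CONNECT to non-standard port {port}")
        if IP_RE.match(host):
            reasons.append("CONNECT to a bare IP address")
    if rec["elapsed_ms"] > long_ms:
        reasons.append(f"long-lived session ({rec['elapsed_ms'] // 60000} min)")
    if rec["bytes"] > big_bytes:
        reasons.append(f"high volume ({rec['bytes'] // (1024 * 1024)} MiB)")
    return reasons


def find_suspect_tunnels(log_text: str) -> List[Finding]:
    """Run the heuristics over a whole log and collect the records worth reviewing."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append(Finding(rec["client"], rec["user"], rec["url"], reasons))
    return findings


if __name__ == "__main__":
    for f in find_suspect_tunnels(SAMPLE_LOG):
        print(f"{f.client} ({f.user}) -> {f.destination}: {'; '.join(f.reasons)}")
```

On the sample, the ordinary HTTPS CONNECT and the plain GET pass, while the three other sessions are flagged. The thresholds are deliberately coarse; in practice they are tuned against a baseline of normal traffic, and the hits are correlated with the user's role and the destination's reputation before anyone is contacted.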
Deficient physical protection of new types of devices
Physical security audits are often omitted, or delegated to companies that do not cover aspects related to new technologies. Badge access can rely on poorly configured systems (default keys) or on a deprecated implementation, allowing badges to be cloned or their stored data to be modified. The arrival of the Internet of Things (IoT) in companies comes with the need to connect many new devices to the network (presence sensors, interactive kiosks, tablets in front of meeting rooms, vending machines, etc.).
These devices do not always implement network-level security features (for example, 802.1X). Combined with unprotected access to Ethernet ports, this gives an attacker a possible entry point onto the network, sometimes even from outside the building (e.g. the Ethernet port of a VoIP camera).
Attackers are better prepared and strike where protections are weakest
Attackers no longer hide behind a VPN. Attacks are better prepared and are not limited to logical channels (phone calls, Wi-Fi networks, physical access to buildings, etc.). Risk analysis and auditing should be carried out on all perimeters simultaneously, and not be limited to isolated perimeters. This exercise, known as a “Red Team” engagement, provides a realistic view of the company’s exposure to IT risks.
In conclusion, while the external perimeter is covered and its security has been tested, as auditors we often see that the attention given to the internal perimeter remains too low. The risk is all the greater in this context and does not necessarily come from external attackers, but also from employees and external staff within the company’s premises.
We recommend auditing the internal perimeter at least once a year, from the point of view of an anonymous user on the network and from that of an internal employee. Finally, to validate the company’s overall risk posture with protections in place, a “Red Team” exercise combining multiple perimeters is advised.