Understanding the Threat from Within
First Published: SC Magazine 

I regularly work with an assortment of international organisations whose primary business interests are in the Americas or Asia but which have satellite offices based in Europe. Although many of these satellite offices would be considered large by regional standards, they are obviously secondary or even tertiary to the organisation's main offices abroad. Unfortunately, their information security management and the implementation of their security solutions can all too often be classified as similarly secondary or tertiary in effectiveness.

Satellite office security strategy often relies heavily upon the defences located at the foreign head office and upon the remote administration of critical security infrastructure components (e.g. firewalls and intra-site routing) by centralised staff. This typically causes a number of significant problems for the satellite office, particularly slow security response times and the loss of local security ownership and responsibility.

While multi-national organisations prefer to standardise on business applications and host configurations, there is inevitably a lot of regional variation in how the information systems are deployed and used. This variety may be necessitated by local language, local business and working practices, local vendor agreements or even legal requirements.

As an example of local working practices, UK office workers tend to require (and are often granted) greater access to Internet email and web-based resources than their counterparts elsewhere in Europe. The downside for many European organisations is that their UK offices are frequently the most common source of internal email virus propagation.

From a technical security assessment point of view, the most visible sign of poor satellite office security is commonly the patching status of the office's critical hosts. A quick port and vulnerability scan will typically identify dozens of vulnerabilities per host that would not exist if the patching level were even partially close to current.

It is a simple, if mundane, task to list every discovered vulnerability and provide the individual corrective action needed to remove each flaw. But this is not normally what is required; it is often more useful to provide advice at a higher level. For example, it is more appropriate to inform the client that their patching strategy needs to be updated so that service packs and security updates are applied rapidly and in the order of vendor publication (too many organisations still manage to undo their security patches by applying them in the wrong order, for instance by applying a service pack over hotfixes that were released after it), and that they should use their firewall and intrusion prevention system to provide "virtual patching" in the interval between the vendor releasing the notification and the security update being applied. You must of course work with the client to identify clearly the last level of security patching that was actually completed successfully, so that they have an accurate starting point for applying the subsequent patches and security updates.
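The two checks just described, finding the last patch level that was genuinely completed and spotting patches applied out of publication order, are easy to automate once you have the vendor's publication sequence and the host's install history. The following is an added example written for this page, not code from the original article; the patch identifiers, dates and install log are constructed, and a real run would feed it the vendor's bulletin index and the host's installed-update inventory instead.

```python
"""Patch baseline and ordering check (constructed data, illustrative only)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Patch:
    patch_id: str
    published: date


# Constructed vendor sequence: service packs (SP) and hotfixes (HF) in publication order.
VENDOR_ORDER = [
    Patch("SP3", date(2003, 1, 15)),
    Patch("HF-101", date(2003, 3, 2)),
    Patch("HF-102", date(2003, 4, 20)),
    Patch("SP4", date(2003, 8, 1)),
    Patch("HF-201", date(2003, 9, 10)),
    Patch("HF-202", date(2003, 11, 5)),
]

# Constructed install history for one host: (patch_id, date installed).
INSTALL_LOG = [
    ("SP3", date(2003, 2, 1)),
    ("HF-101", date(2003, 3, 10)),
    ("HF-201", date(2003, 9, 20)),
    ("SP4", date(2003, 10, 3)),  # SP4 applied AFTER a post-SP4 hotfix: wrong order
]


def installed_dates(vendor_order, log):
    """Latest install date per known patch id; unknown ids in the log are ignored."""
    known = {p.patch_id for p in vendor_order}
    latest = {}
    for pid, when in log:
        if pid in known and (pid not in latest or when > latest[pid]):
            latest[pid] = when
    return latest


def completed_baseline(vendor_order, log):
    """Id of the last patch such that it and every earlier-published patch are installed.

    This is the 'last level of patching actually completed' the text asks for;
    None means not even the first patch in the sequence is present.
    """
    have = installed_dates(vendor_order, log)
    baseline = None
    for p in vendor_order:
        if p.patch_id not in have:
            break
        baseline = p.patch_id
    return baseline


def missing_in_order(vendor_order, log):
    """Patches not installed at all, in the order the vendor published them."""
    have = installed_dates(vendor_order, log)
    return [p.patch_id for p in vendor_order if p.patch_id not in have]


def possibly_undone(vendor_order, log):
    """Installed patches that an earlier-published patch was applied on top of.

    Applying the older package later may have overwritten files the newer patch
    replaced, so these must be re-verified or re-applied.
    """
    have = installed_dates(vendor_order, log)
    index = {p.patch_id: i for i, p in enumerate(vendor_order)}
    suspect = [
        pid
        for pid, when in have.items()
        if any(index[other] < index[pid] and other_when > when
               for other, other_when in have.items())
    ]
    return sorted(suspect, key=index.get)


def remediation_plan(vendor_order, log):
    """Everything to (re)apply, in vendor publication order: missing plus possibly undone."""
    todo = set(missing_in_order(vendor_order, log)) | set(possibly_undone(vendor_order, log))
    return [p.patch_id for p in vendor_order if p.patch_id in todo]


if __name__ == "__main__":
    print("completed baseline:", completed_baseline(VENDOR_ORDER, INSTALL_LOG))
    print("missing:", missing_in_order(VENDOR_ORDER, INSTALL_LOG))
    print("possibly undone:", possibly_undone(VENDOR_ORDER, INSTALL_LOG))
    print("apply in this order:", remediation_plan(VENDOR_ORDER, INSTALL_LOG))
```

Note that the baseline is "HF-101" rather than "SP4" even though SP4 is installed: HF-102 was skipped, so nothing after it counts as a completed level. HF-201 is also flagged because SP4 was applied after it, and the plan re-applies it in sequence.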

However, such high-level advice can complicate matters for satellite offices. An increasing number of them find that they need security measures applied faster, but centrally dictated processes ensure that their security posture will always lag behind. They are often only too aware that their own security is lacking, but do not fully understand its significance and are frequently unable to make a business case for altering the global processes and procedures. As a result, a report that offers satellite offices only high-level recommendations tends to provide a snapshot of their current poor security practices instead of instigating the necessary local changes.

Reports on the security of satellite offices gain impact when the findings are placed in the context of the organisation as a whole. To do so, the security consultant must understand the general architecture of the network and how the satellite office connects to other remote offices and the head office. Of primary importance are the intermediary devices that segregate the WAN (e.g. routers and firewalls) and how Internet and extranet traffic is routed.

One common “light bulb” moment for these organisations comes when they finally comprehend their exposure to internal threats. In one recent example, all external connections and perimeter security defences were located at the Asia head office, and there were no intermediary security mechanisms between the organisation's sites. Patching levels on critical hosts were poor, several months out of date, and a number of the unpatched vulnerabilities were being targeted by popular viruses and worms. The Internet gateway and perimeter defences in Asia could stop an external attack. But the workstation environment sat on the same network segment as the critical hosts, and the organisation commonly engaged contractors and temporary staff who could connect their own laptops to that environment without any protection. Pointing this out made it possible to show clearly how an internal threat could rapidly propagate through the WAN.
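The propagation argument above can be made concrete with a small reachability model: a worm on a contractor's laptop compromises every host it can reach on the vulnerable port that is unpatched, and the only things that limit its spread are patch status and whatever filtering sits between segments and sites. The following is an added example written for this page, not code from the original article; the hosts, segments, ports and rule sets are constructed, and it goes slightly beyond the article's single case by comparing the flat network described there with a segmented alternative.

```python
"""Worm reach across a flat versus a segmented WAN (constructed model, illustrative only)."""
from collections import deque

# Constructed inventory: host -> (segment, listening ports, patched against the worm?)
# Segment names are "<site>-<role>", so the site is the part before the first hyphen.
HOSTS = {
    "contractor-laptop": ("eu-workstations", {445}, False),  # the initially infected machine
    "eu-ws-01": ("eu-workstations", {445}, False),
    "eu-file-01": ("eu-servers", {445, 139}, False),
    "eu-dc-01": ("eu-servers", {445, 389}, False),
    "asia-erp-01": ("asia-servers", {445, 8080}, False),
    "asia-db-01": ("asia-servers", {445, 1433}, True),  # patched: immune even if reachable
}

WORM_PORT = 445  # constructed: the worm exploits a service listening on this port


def flat_policy(src_seg, dst_seg, port):
    """The article's case: no intermediary filtering between segments or sites."""
    return True


def segmented_policy(src_seg, dst_seg, port):
    """A constructed alternative: traffic within a segment is free, traffic between
    segments is limited to an explicit allow-list, and the worm's port is on none of them."""
    if src_seg == dst_seg:
        return True
    allowed = {
        ("eu-workstations", "eu-servers"): {139, 389},
        ("eu-workstations", "asia-servers"): {8080},
        ("eu-servers", "asia-servers"): {1433},
    }
    return port in allowed.get((src_seg, dst_seg), set())


def infected_hosts(hosts, policy, seed, port):
    """Breadth-first spread: each infected host attacks every host that is unpatched,
    listening on `port`, and reachable from its segment under `policy`."""
    infected = {seed}
    queue = deque([seed])
    while queue:
        src = queue.popleft()
        src_seg = hosts[src][0]
        for dst, (dst_seg, ports, patched) in hosts.items():
            if dst in infected or patched or port not in ports:
                continue
            if policy(src_seg, dst_seg, port):
                infected.add(dst)
                queue.append(dst)
    return infected


def sites_reached(hosts, infected):
    """Which sites the outbreak touched, derived from the segment name prefix."""
    return {hosts[h][0].split("-", 1)[0] for h in infected}


if __name__ == "__main__":
    for name, policy in (("flat", flat_policy), ("segmented", segmented_policy)):
        hit = infected_hosts(HOSTS, policy, "contractor-laptop", WORM_PORT)
        print(f"{name:9s} infected={sorted(hit)} sites={sorted(sites_reached(HOSTS, hit))}")
```

Under the flat policy the only surviving server is the one that happened to be patched, and the outbreak crosses from the European office into the Asian head office without ever touching the perimeter. Under the segmented policy the worm is confined to the workstation segment it started in, regardless of the servers' patch status.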

While to many people this may sound like scaremongering, understanding how an organisation's perimeter defences operate and how to bypass them is vital in explaining the impact of the findings. Any organisation that depends solely upon its perimeter defences and cannot keep up to date with patching is bound to get into a lot of trouble; luckily, they almost always respond positively to their “light bulb” moment.
    Copyright 2001-2007 © Gunter Ollmann