The Internet has allowed businesses to communicate in new and strategic ways with various types of people and organizations. Thus, system administrators do not have to argue for an Internet connection anymore. Instead, we have to fight for the resources to secure it. Auditing your Internet security is a responsibility that should be frequently revisited and improved, and you should not hesitate in dedicating resources to security when you find shortcomings.
The Internet octopus
Over the years, we have added feature upon feature to our Internet connections. As the needs have changed, we have found ourselves needing more robust services, faster connections, and more flexibility in what can be done. In the beginning, services like simple POP3-style e-mail and Web access were the extent of an Internet connection. Today, we have site-to-site VPNs, client-side and home-user VPNs, streaming media, Web-based training, company Web sites, Internet applications, e-commerce, and business-to-business extranets. During all of these changes in the last few years, we have all probably changed IT personnel, Internet platforms, and connections at least once in our organizations. This scenario makes it easy to have some unforeseen, yet preventable, exposures.
Any connection to the Internet is vulnerable to exploitation. The most basic vulnerability that all connections face is that they could be made unavailable and bring down mission-critical services with them. Today, we are finding more intelligent defenses against attacks, such as denial of service attacks, as routers and other devices can be set to verify source addresses and ignore packets if they are bogus or carry a suspicious pattern. However, beyond the DoS category of vulnerabilities, there are always the standard concerns of open ports, easy passwords, unsecured routers, and unknown “features” that any Internet device may have.
Many organizations have grown their Internet set of features across multiple devices or possibly multiple connections—a firewall for Web and mail traffic, a VPN appliance for remote connections, a different firewall for a business-to-business relationship that may exist, or other possible combinations of lines and devices that can push Internet vulnerabilities beyond control. These services can even be distributed across multiple Internet connections or across multiple Internet service providers. Regardless of the number of devices that are on the Internet, each has different services that can be potentially exploited. You can see how an enterprise environment such as this could quickly become difficult to manage from a security standpoint.
What you can do
There are a number of things you can do to keep your connections secure and to keep business running as usual. One of the easiest measures you can take is to clean things up:
- Verify that there are no accounts for terminated employees.
- Check for any manufacturer or service provider default passwords that may be easily known or guessed.
- Verify that any “temporary” services or open ports are disabled.
- Beware of potential internal threats.
- Have the mindset of “deny all except that which is explicitly stated in the rule set.”
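The housekeeping items above can be turned into a repeatable check that is run before every audit. The following is an added example, not code from the article or from any vendor: it assumes a constructed account list exported from a firewall or VPN appliance, a constructed list of terminated staff from HR, and a simple ordered rule-set format (first match wins). It flags accounts that belong to terminated employees, accounts with vendor default names, idle accounts, "temporary" allow rules whose remove-after date has passed, ports open to any source, and whether the rule set ends in an explicit deny-all.

```python
"""Housekeeping checks for an Internet access point.

Added example, not code from the article or any vendor. It runs the
housekeeping items against constructed sample data: user accounts on a
VPN appliance or firewall, and an ordered firewall rule set. The account
and rule formats are assumptions made for this example; a real audit
would export them from the device.
"""
import re
from datetime import date

AUDIT_DATE = date(2001, 5, 1)   # constructed audit date

# Constructed sample accounts. Real ones come from the device's user list.
ACCOUNTS = [
    {"user": "jsmith", "last_login": date(2001, 3, 2)},
    {"user": "admin", "last_login": date(2001, 4, 10)},      # vendor default name
    {"user": "bwong", "last_login": date(2000, 11, 30)},     # terminated, see below
    {"user": "tmp-vendor", "last_login": date(2000, 6, 1)},  # never cleaned up
]
TERMINATED = {"bwong"}                       # from HR, constructed here
VENDOR_DEFAULT_NAMES = {"admin", "root", "guest"}

# Constructed rule set, first match wins: (action, proto, dst_port, source, comment)
RULES = [
    ("allow", "tcp", 25,   "any", "inbound SMTP to mail relay"),
    ("allow", "tcp", 80,   "any", "company web site"),
    ("allow", "tcp", 8080, "any", "TEMP for demo, remove after 2000-09-01"),
    ("allow", "tcp", 23,   "any", "telnet to router"),
    ("deny",  "any", None, "any", "default deny"),
]


def stale_accounts(accounts, terminated, today, max_idle_days=90):
    """Accounts to remove or review: terminated staff, vendor default
    account names, and accounts idle for more than max_idle_days."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        idle = (today - acct["last_login"]).days
        if user in terminated:
            findings.append((user, "terminated employee"))
        elif user in VENDOR_DEFAULT_NAMES:
            findings.append((user, "vendor default account name"))
        elif idle > max_idle_days:
            findings.append((user, f"idle {idle} days"))
    return findings


def expired_temporary_rules(rules, today):
    """Ports of allow rules marked TEMP whose remove-after date has passed."""
    expired = []
    for action, _proto, port, _src, comment in rules:
        if action != "allow" or "TEMP" not in comment.upper():
            continue
        m = re.search(r"(\d{4})-(\d{2})-(\d{2})", comment)
        if m and date(*map(int, m.groups())) < today:
            expired.append(port)
    return expired


def ports_open_to_anyone(rules):
    """Destination ports allowed from any source; compare this against the
    list of services the business actually publishes."""
    return sorted(p for a, _, p, src, _ in rules
                  if a == "allow" and src == "any" and p is not None)


def ends_with_default_deny(rules):
    """True when the last rule denies all traffic, i.e. the rule set
    follows "deny all except that which is explicitly stated"."""
    action, proto, port, src, _ = rules[-1]
    return action == "deny" and proto == "any" and port is None and src == "any"


def run_audit(today=AUDIT_DATE):
    """Collect all findings in one report dict."""
    return {
        "stale_accounts": stale_accounts(ACCOUNTS, TERMINATED, today),
        "expired_temp_rules": expired_temporary_rules(RULES, today),
        "open_to_anyone": ports_open_to_anyone(RULES),
        "default_deny": ends_with_default_deny(RULES),
    }


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(f"{key}: {value}")
```

On the constructed data the report lists three accounts to review, one expired TEMP rule on port 8080, and telnet (23) open to the world alongside the published mail and Web ports, while confirming that the rule set does end in a default deny. Each finding is exactly one of the checklist items above, so the report doubles as the audit's evidence.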
After this basic housekeeping is completed, it’s important to perform a “Vulnerability Chain Assessment” on your own. This will allow you to gauge the entire scope of an Internet security policy. A Vulnerability Chain Assessment tells administrators what is affected by what and who potential perpetrators could be. Examine the simple Internet connection shown in Figure A.
All the items listed have vulnerabilities—some of which are beyond your control. For each item, consider the potential vulnerabilities that could cause an interruption of service:
- Internet (outside of your router): Internet being unavailable from your carrier or region, phone line cut, denial of service.
- Internet line: physical disconnection—via a perpetrator or the carrier.
- Internet router: the ISP-supplied configuration may still carry well-known default passwords; anyone who knows them could reroute all incoming mail, shut down an interface, or degrade performance by some other means.
- Internet/external network: if this segment runs through a managed device (hub, switch, or other), an unauthorized party with management access could disable ports, or the device itself could fail.
- VPN appliance and firewall: security compromise, stale VPN accounts or vendor default account, unwanted services, failure of device.
- Internal network: failure of any internal device, internal security threats on interior devices to the Internet.
Obtain peace of mind
One thing you can do to bring some validity to your efforts is to get an external opinion of your Internet security. You can obtain this opinion via:
- A formal Internet security audit from a person or organization with CISA certification.
- A third-party piece of software or OEM-provided tool to examine security issues.
- A professional hacker trying to compromise an Internet presence.
I personally like the professional hacker approach, but you have to be careful. These types of companies need to be true DEF CON followers and really know their stuff. You want a professional hacker to do more than call vendors asking for passwords and back-door methods.
Many general IT vendors offer intrusion detection or an Internet exposure analysis. These third-party examinations can yield beneficial information to solidify a security strategy. I particularly like it when they attempt to exploit vulnerabilities (although they will not actually destroy data or compromise systems) and demonstrate how much damage they could do by how far they’re able to get in. It’s a wonderful feeling to present management with a report saying that this external group is impressed with the security of your Internet presence.
Continued monitoring and risk distribution
You can solidify your security strategy by constantly monitoring it and by keeping up with the latest hacking tools and methodologies. You can also find Web sites that host information on how to exploit specific products. These are usually based on out-of-the-box configurations, so keep current with vendors on new features, versions, or newly exposed risks.
I also enjoy trying to get through my Internet connection by downloading hacker tools. There are countless free or time-trial pieces of software you can use to peek at your connection. But be careful. These tools may be dangerous to your operating environment, so a test computer is ideal for such investigations.
One of the things I have learned over the years is to distribute risk. That’s rather easy, actually. However, the better you distribute risk, the more expensive things become. Here are some risk distribution tips:
- If you need firewall and VPN services, consider having those on two different devices—from different vendors.
- Have an alternate Internet connection. If another ISDN or T1 line is not possible, consider testing the alternate serial out interface of a router that may be configurable to dial a modem.
- Put up a honeypot to attract or distract would-be hackers. Give it a registered DNS name like lotusnotes.company.com but don’t host anything on it.
- Proactively renew or cancel your Internet service provider agreement before it expires or before the carrier contacts you. Do not assume that they will continue to bill you at the current rate or that someone will call you to discuss options.
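The Vulnerability Chain Assessment items listed earlier and the risk distribution tips above are two views of the same model: every published service depends on a chain of components, and redundancy shortens the list of things whose failure takes a service down. The following is an added example, not code from the article. It assumes constructed component and service names chosen to match the article's list, models the single chain of Figure A (one line, one router, one combined firewall/VPN appliance) next to a distributed design that follows the tips above (firewall and VPN on separate devices, an alternate path over the router's dial-up modem), and reports which services each single failure would take with it.

```python
"""Vulnerability chain model for an Internet connection.

Added example, not code from the article. Each published service has one
or more paths, and a path works only while every component on it is up.
blast_radius() lists the services one failure takes with it,
failure_impact() scores every component, and single_points_of_failure()
names the components whose lone failure takes everything down.
Component and service names are assumptions chosen for this example.
"""

# Single chain as in Figure A: one line, one router, one combined
# firewall/VPN appliance. Every service rides the same path.
SINGLE_CHAIN = {
    "web":  [["internet", "line", "router", "ext_net", "fw_vpn", "int_net"]],
    "mail": [["internet", "line", "router", "ext_net", "fw_vpn", "int_net"]],
    "vpn":  [["internet", "line", "router", "ext_net", "fw_vpn", "int_net"]],
}


def _paths(device):
    """Two paths through the given edge device: the primary line and the
    router's alternate dial-up modem line."""
    return [["internet", "line", "router", "ext_net", device, "int_net"],
            ["internet", "modem_line", "router", "ext_net", device, "int_net"]]


# Risk-distributed design: firewall and VPN appliance on separate boxes,
# plus an alternate path over the modem line.
DISTRIBUTED = {
    "web":  _paths("firewall"),
    "mail": _paths("firewall"),
    "vpn":  _paths("vpn_appliance"),
}


def service_up(paths, failed):
    """A service is up while at least one of its paths has no failed component."""
    return any(not (set(path) & failed) for path in paths)


def blast_radius(topology, failed):
    """Services that become unavailable when the components in `failed` go down."""
    return sorted(svc for svc, paths in topology.items()
                  if not service_up(paths, failed))


def components(topology):
    """Every component that appears on any path, sorted for stable output."""
    return sorted({c for paths in topology.values() for path in paths for c in path})


def failure_impact(topology):
    """Map each component to the services lost if it alone fails; an empty
    list means redundancy covers that component."""
    return {c: blast_radius(topology, {c}) for c in components(topology)}


def single_points_of_failure(topology):
    """Components whose lone failure takes every service down."""
    all_services = sorted(topology)
    return [c for c, lost in failure_impact(topology).items() if lost == all_services]


if __name__ == "__main__":
    for name, topo in (("single chain", SINGLE_CHAIN), ("distributed", DISTRIBUTED)):
        print(name)
        for comp, lost in failure_impact(topo).items():
            print(f"  {comp:14s} -> {lost or 'nothing lost'}")
        print("  single points of failure:", single_points_of_failure(topo))
    # Redundancy only helps while the alternate path is not down as well.
    print("both lines cut:", blast_radius(DISTRIBUTED, {"line", "modem_line"}))
```

In the single chain every one of the six components is a single point of failure. In the distributed design a cut line loses nothing, a failed firewall loses Web and mail but leaves the VPN up, and a failed VPN appliance loses only the VPN; what remains on the single-point list (the carrier, the router, and the two network segments) is exactly what the next round of spending, or an acknowledged residual risk, has to address. Extending the model is a matter of adding a path: a second router or a second carrier shortens that list further, at the cost the article warns about.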
With a bit of diligence, you can keep your Internet security at peak, which will protect the business goals of the organization. Hopefully, this article has provided some fresh ideas on keeping security first.
What procedures do you have in place for auditing your security?
We look forward to getting your input and hearing your experiences regarding this important topic. Join the discussion below or send the editor an e-mail.