We deploy network security devices in an attempt to secure our network. We place firewalls at the Internet edge and datacenter edge. We have intrusion detection and intrusion prevention hardware or software components running alongside these firewalls to inspect for malicious traffic patterns. We filter our users’ web content to try to prevent access to malicious web sites or code. We run endpoint security software that does anything from scanning for viruses to sandboxing applications. We implement multi-factor authentication. Some of us are finally inspecting application traffic and identifying the malicious traffic running over allowed ports. Fewer still are taking the application whitelisting approach and defining what CAN run on a device and blocking everything else. All of this is done with the best of intentions, namely to create the most secure network environment that we can to protect against attacks and attempts to access the data or systems we hold sacred.
And yet, we’re all failing. We’re failing because we’re addressing areas of perceived strength and ignoring the weakest link. “Our latest vulnerability assessment shows that we’re at risk because we have several unpatched servers and one of our web servers is vulnerable to a cross-site scripting attack.” Because of this vulnerability assessment, we now have approval to spend time and money to resolve these vulnerabilities. Unfortunately, this vulnerability assessment doesn’t show that Pat in our finance department has no idea what a phishing email looks like and has just clicked on the link in the “reset your password” email, logging into the company’s online banking portal for a 5th time to reset the password for the account that we use to process payroll each week… unsuccessfully, I might add. Pat’s phone call to the help desk goes something like this:
“Hey, are we having Internet problems? I can’t seem to get our online banking page to load.”
Help desk guru responds with “I can’t see any issues with our Internet. Seems to be working fine for me, so try it again in a few minutes. Maybe reboot your computer.”
By now, the fraudulent wire transfer of this week’s payroll has already been started using Pat’s credentials that were typed into the fake password reset form from the emailed link. Pat is able to log into the account, post reboot, because Pat uses the favorite that was created in Firefox rather than clicking on the link in the email.
This story illustrates one of the many ways that an attacker can get what they want by exploiting the weakest link. At present, we view our network security systems, our firewalls, our IPS, our WAF, and our AV systems as our strongest links because they are configurable and do what we want them to do. People are the variables and are, inherently, our weakest links. But they don’t have to be.
Some of the most secure networks, and ones that are the biggest targets of attackers, I might add, do not appear to have those perceived weak links. The people are still there, as are the weak links, but they are being educated constantly on the ever-changing threat landscape. Their employers perform routine Security Awareness Training. They perform in-house testing to reinforce that training and then do more training. Rinse and repeat.
They create policies that lock down the network and only allow those things which are necessary to perform core business functions. At the end of the day, your business exists to make widgets or provide a service to consumers. Unless your business IS Facebook or Twitter, what reason could you possibly have for being on those pages during the course of normal business? Obviously, there are exceptions to every rule, but it seems that we, as entitled members of society, have decided that we are all the exception and should have the right to access what we want, when we want, from wherever we want, even if it’s technically not relevant to the task or job function which we are employed to perform.
If you truly want to protect your network, investing in the technology used to do so is only half of the battle. Education, policy creation and enforcement, and regular testing for new and emerging threat types are the weak links that need to be addressed. Let’s face facts: we’re behind the curve when it comes to protecting ourselves from attackers simply because we are always in a reactive mode. If we can effectively educate our users and reinforce the fact that our business network is used to conduct BUSINESS, that’s going to shorten the curve exponentially. As a business owner, network manager, CIO, or whatever your title might happen to be, you may not be able to implement the necessary changes to make this happen in your organization, but I’ll bet you can exert some sort of influence over them. You wouldn’t be reading this if you couldn’t.
*The thoughts and opinions in this blog post are my own and do not reflect the thoughts and opinions of Great Lakes Computer or any of its vendors, clients, or partners.
Chris C has over 15 years of experience designing, implementing, documenting, and supporting networks and infrastructure from SMB through Enterprise level in a multitude of verticals. Currently Sr. Network Engineer at Great Lakes Computer focused on designing and implementing secure network solutions in the datacenter and service provider space.