Seeing the Forest from the Trees: Don’t Neglect the Fundamentals
When it comes to securing our environments, the controls we have in place work in harmony to keep our kingdoms safe. A layered approach means that there are many different controls that serve the purpose of securing your environment, so that if one fails, another takes over. With layers comes complexity, and it’s important to not lose sight of fundamental controls that are almost “a given” in favour of the more detailed controls on our hosted environments.
We spend a large portion of our time working with companies that are “cloud-first”, in that they first-and-foremost have cloud services that they use. In some cases, this is a result of the pandemic, and in others, this is just the way their business works. In all cases though, there is still a component of the internal office network.
In a cloud-first environment, it’s easy to lose focus on the internal network and instead focus all your time on the cloud environment: making sure AWS has all the checks and balances we need, or that Azure is configured correctly, or that our SSO is working across all platforms. The internal network, however, is still a cause for concern and a critical component that needs to be secured.
Your company will likely have high degrees of security on external connections to the cloud, but when it comes to your internal office network, it is likely seen as trusted. In this case, there may be established tunnels, firewall rules, and possibly fewer hoops to jump through to access your cloud. Therefore, your internal network is both a juicy target for attacks on your cloud and a vital component in your security program.
We see it all too often that the internal network is neglected in terms of security controls, offering a wide-open gap that bypasses many of the layers of security that are put in place. It is vitally important to review your internal network and treat it with the same sense of urgency and importance as the rest of your environment, as you could be giving away the keys to the kingdom without realising it. Some of the components where we see the most internal risk are:
Wireless Networks
Wi-Fi encrypts all communications and relies on the wireless key to do so. This is why you should not be using coffee-shop Wi-Fi without a VPN connection. Everyone in the store has access to the key (password), and so anyone in the coffee shop could effectively decrypt the communications on that wireless network and listen in, much like a wiretap in the movies. Having a strong, long key means that the network is harder to brute force, and ensures that your communications stay encrypted. Brute forcing is where someone pushes thousands (or hundreds of thousands) of known passwords at your network, hoping to join. If you have a weak password, chances are it’s on these lists, and the network will be hacked.
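As an added example (not part of the original article), here is one way to check your own Wi-Fi key against the weaknesses described above before someone else does. The password list, the 16-character minimum, the function names and the sample passphrases are all constructed for illustration, and the 8 to 63 character range assumes a WPA2-Personal passphrase, which the article does not name.

```python
import re

# Constructed stand-in for a "known passwords" list; a real audit loads a large one from a file.
KNOWN_PASSWORDS = {"password", "welcome", "letmein", "coffee", "internet", "qwerty"}
# Character swaps that password-list tooling tries automatically.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
MIN_LENGTH = 16  # assumed policy value, not from the article


def _strip_suffix(text: str) -> str:
    """Drop trailing digits and symbols such as '2024!' or '123'."""
    return re.sub(r"[\d\W_]+$", "", text)


def candidates(passphrase: str) -> set[str]:
    """Dictionary words the passphrase may have been built from."""
    low = passphrase.lower()
    return {_strip_suffix(low), _strip_suffix(low).translate(LEET),
            low.translate(LEET), _strip_suffix(low.translate(LEET))}


def audit(passphrase: str, ssid: str) -> list[str]:
    """Return the reasons a Wi-Fi passphrase is weak (empty list = none found)."""
    findings = []
    if not 8 <= len(passphrase) <= 63:  # WPA2-Personal passphrase limits (assumed protocol)
        findings.append("length outside 8-63 characters")
    elif len(passphrase) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    hits = candidates(passphrase) & KNOWN_PASSWORDS
    if hits:
        findings.append("built on a known password: " + ", ".join(sorted(hits)))
    name = re.sub(r"[^a-z0-9]", "", ssid.lower())
    if name and name in re.sub(r"[^a-z0-9]", "", passphrase.lower()):
        findings.append("contains the network name")
    return findings


if __name__ == "__main__":
    # Constructed passphrases and network names.
    for phrase, ssid in [("P@ssw0rd2024!", "AcmeCorp"), ("c0ff33", "Shop"),
                         ("AcmeCorp-Office-Wifi", "AcmeCorp"),
                         ("quarry tinsel harbor mosaic", "AcmeCorp")]:
        print(repr(phrase), "->", audit(phrase, ssid) or "no findings")
```

A key that looks complex, such as a known password with swapped characters and a year on the end, is still flagged, because those variations are the first thing a password list covers.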
In addition to the decryption of the network, if you have a weak key and someone is able to join your network, it’s akin to someone setting up a laptop inside your office and being able to access your environment as a trusted computer. The same applies to your guest networks, which should be completely segregated from your corporate networks. Having direct access is a very, VERY dangerous situation to be in. Which brings me to my next topic.
Physical Access Points in Public Areas
If there is a network jack available in a public area, it’s very easy for an attacker to simply plug in and join your network. You need to have access controls in place to ensure that computers are authenticated just as you would authenticate a user of the network. We see this frequently in businesses with retail fronts or other similar public traffic areas such as schools and colleges. If you have open points that aren’t in use, it is better to physically disconnect them from your switches to eliminate them from the network.
Social Engineering and Bypassing Policy
Lastly, it’s not unheard of for determined attackers to use social engineering to enter an office. You need to ensure that your policies on visitors are robust and include monitoring visitors and restricting them to designated areas, and that the policies are maintained, communicated, and enforced. Security against social engineering starts at reception and your phone lines, and it’s important that the entire journey that a visitor takes in your environment is considered when it comes to your risks.
Gaining Visibility
This is certainly not an exhaustive list but highlights some of the risks we see in terms of fundamental controls that should still be in place. These kinds of controls are what we cover in our basic checkups of environments, and should you want to get some visibility on your forests, reach out to us!