Dispelling the Myth of the Internal Network

Legacy Security Model (circa 1997)

Expanding the Attack Surface Area with Modern Security Threats

A Hard Exterior with a Soft Core

This legacy model assumes that attacks will be front facing and will originate on the Internet, aimed at the most public-facing servers. The primary protection is provided by firewall restrictions and user authentication on external services.

Security incidents throughout the industry have demonstrated the effectiveness of attacks aimed at users (phishing, reused and weak passwords) rather than at the perimeter.

As a company grows, so does the attack surface for internal threats. As a rough heuristic:

    Risk = Number of External Facing Services
         + (Number of Users * Workstation Vulnerabilities + Internet Usage)
         - Internal Mitigation

Organizations that continue to rely on the security models of the past face serious business risks from modern threats:

The myth of the Internal Network: in short, what is considered internal, trusted space or data can quickly become an externally accessible Internet asset if controls are not in place to protect internal-facing, business-critical systems.

Defense in Depth: Defensible Network Architecture

- by Richard Bejtlich, Chief Security Officer, Mandiant

Security Breach Examples

HBGary - Technology Security Company

Sells: Security Consulting, Security Software, Purchasable Malware

    * Secondary site + SQL injection = password database
    * CEO Aaron Barr and COO Ted Vera used weak passwords for
      multiple services: SSH, email, Twitter, LinkedIn
    * Those accounts provided access to systems vulnerable to
      local attacks and privilege escalation
    * Email accessible through the compromised accounts contained
      clear-text root passwords for rootkit.com
    * Email sent from a compromised HBGary account was used to
      trick an administrator into confirming the root password,
      opening firewall rules, and changing the account password
      used to SSH in remotely
    * Most, if not all, internal / sensitive data was then
      leaked onto the Internet, including intellectual property
      and employee emails

    * Financial losses from the list above
    * Loss of reputation as a competent security company
    * All personal emails aired publicly, including emails
      between Aaron and his wife threatening divorce
    * Aaron Barr resigns from the company

RSA - Technology Security Company

Sells: Cryptographic Authentication Technology and Cryptographic libraries

    * Spear Phishing emails were sent to select groups of
    * A curious employee opened the attached Excel document,
      which exploited a vulnerability in Adobe Flash
    * A trojan (Poison Ivy) providing remote control was
      installed and created an outbound network connection from
      the internal network to an Internet-based system
    * The trojan was used to steal employee credentials and
      gain further trusted access to internal systems, exploiting
      privilege escalation where needed
    * Once access had been gained to staging servers, source
      code / intellectual property was collected, compressed,
      encrypted, and sent over FTP to an external Internet system

    * Loss of reputation as a major security vendor
    * Unknown financial loss from stolen intellectual property
    * Unknown impact on customers of the products whose code was stolen

Gawker Media - Large Blogging / Technology and Entertainment News Hub

Sells: Advertising-based revenue - news/blog site

    * Undisclosed vulnerability in dynamic web code permitted
      attackers access to internal systems
    * Weak password practices allowed additional unauthorized
      access using the accounts of the CEO and other employees
      (the same password was also used for Gmail, Twitter, and Campfire)
    * Access to the internal chat/discussion system provided
      conversation logs that included additional usernames and
      passwords for external companies' FTP servers
    * The hacking group released a torrent on The Pirate Bay
      containing source code, internal company conversations,
      and over 1.3 million user email addresses and accounts
      with weakly hashed passwords

    * Financial loss from the list above
    * Lost trust from its user base for not adequately
      protecting user information
    * Loss of source code / intellectual property