Part 3 of 5: Lack of Network Segregation
Among the range of services we provide at Perspective Risk, penetration testing is a popular choice with our clients, from blue chips to SMEs. Regardless of their security posture, our testers regularly record the same issues.
In this five-part blog series, we share what those issues are, alongside straightforward guidance on avoiding them.
In this third part we highlight the importance of network segregation on the internal network. Suggestions for further reading are at the foot of this post.
Flat networks – what can go wrong?
On many engagements, we observe clients who have invested thousands of pounds in external firewalls and intrusion detection software, but have left their internal network almost completely flat. In one instance, computers in the demilitarised zone (DMZ) could reach every other system on the network, and vice versa, completely defeating the purpose of the isolated segment.
Another example was a poorly protected guest Wi-Fi network: a missing firewall rule allowed traffic from it into an internal range. Although nothing advertised this, an attacker on the guest network could have scanned that range and fingerprinted the services running on it.
Your security is only as strong as your weakest link
Depending on how well exposed servers are hardened, it is entirely plausible that one of their services will be exploited, giving an attacker a foothold on the internal network.
When it comes to security, the overall stance is only as good as the weakest link. Top-of-the-range firewalls are no use if someone can sit in a café across from your office, connect to your guest Wi-Fi and enumerate your internal assets.
The tale of a stolen password
Even if external attacks are mitigated, there is always the possibility of an internal threat actor attempting to access information they are not authorised to see.
Consider the following scenario: an employee wants to access bid information for an upcoming project. They can browse to the bid management portal, but don’t have valid credentials. However, they know that one of the account managers keeps passwords in a notebook and usually takes a walk during lunch.
Armed with the password, the internal attacker logs on to the bid portal and copies sensitive information to a USB stick. Although detailed audit logs are available, it will take some time to piece everything together.
The situation may have been prevented if the financial servers were not directly accessible from the main office network. In addition, security awareness training would stop employees from writing down their passwords. This topic will be explored in future blog posts.
Conclusions and network segregation advice
It is recommended to have specific network segments for different purposes, and to keep interconnectivity between them on a ‘need-to-access’ basis. If the servers used for financial reporting are reachable from your reception’s guest Wi-Fi, or even from the general office network, it will be difficult to contain a data exfiltration incident. The consequences for your business could be significant.
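One way to put the ‘need-to-access’ principle into a repeatable check is to write down the inter-segment flows the business actually requires and compare them with what the firewall rule set permits. The following example is added here and is not Perspective Risk’s tooling: it models four segments on assumed private ranges, a first-match rule set with a default action, and a small need-to-access matrix, then flags the flat network, the guest Wi-Fi missing-rule gap and the corrected rule set described above.

```python
from ipaddress import ip_network

# Constructed example: four segments on private ranges (assumed addressing, not from the post).
SEGMENTS = {
    "dmz": ip_network("172.16.0.0/24"),
    "guest": ip_network("10.50.0.0/16"),
    "office": ip_network("10.10.0.0/16"),
    "finance": ip_network("10.20.0.0/24"),
}
ANY = ip_network("0.0.0.0/0")
# Need-to-access matrix: the only inter-segment flows the business requires.
# Any other flow between two segments should be blocked.
NEED_TO_ACCESS = {("office", "dmz")}


def decision(rules, src, dst, default):
    """First-match firewall evaluation; rules are (src_cidr, dst_cidr, action) tuples."""
    for rule_src, rule_dst, action in rules:
        if src.subnet_of(rule_src) and dst.subnet_of(rule_dst):
            return action
    return default


def audit(rules, default="deny", segments=SEGMENTS, required=NEED_TO_ACCESS):
    """Return sorted (src, dst, problem) tuples where the rule set deviates from the matrix."""
    findings = []
    for s_name, s_net in segments.items():
        for d_name, d_net in segments.items():
            if s_name == d_name:
                continue  # intra-segment traffic is not a segregation question
            allowed = decision(rules, s_net, d_net, default) == "allow"
            needed = (s_name, d_name) in required
            if allowed and not needed:
                findings.append((s_name, d_name, "allowed but not required"))
            elif needed and not allowed:
                findings.append((s_name, d_name, "required but blocked"))
    return sorted(findings)


# Flat network: no internal rules, everything permitted by default.
FLAT = ([], "allow")
# Guest Wi-Fi given 'allow to any' for internet access; nothing stops it reaching internal ranges.
GUEST_GAP = ([(SEGMENTS["office"], SEGMENTS["dmz"], "allow"),
              (SEGMENTS["guest"], ANY, "allow")], "deny")
# Corrected: explicit denies for the private ranges are matched before the guest 'allow to any'.
FIXED = ([(SEGMENTS["office"], SEGMENTS["dmz"], "allow"),
          (SEGMENTS["guest"], ip_network("10.0.0.0/8"), "deny"),
          (SEGMENTS["guest"], ip_network("172.16.0.0/12"), "deny"),
          (SEGMENTS["guest"], ANY, "allow")], "deny")
```

Running `audit(*FLAT)` lists eleven unrequired flows, `audit(*GUEST_GAP)` lists the three internal segments the guest network can reach, and `audit(*FIXED)` returns no findings.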