During the course of my penetration testing engagements (where I pretend I'm a malicious user and attempt to do naughty things on the network), I usually find many vulnerabilities that are typically not exposed to the public internet. These vulnerabilities range from a small information disclosure (yawn) to full remote code execution (OH YES!) and of course everything in between. As a good security professional, my recommendation is to fix every single vulnerability found. This excludes vulns that exist due to a specific business need, such as legacy systems or applications, or other legitimate reasons. When I suggest that we fix all of them, I often receive pushback from IT staff and sometimes even the stakeholders.
Defense in Depth
One thing that every CISSP has tattooed on their soul is an idea called "defense in depth." This theory states that even if you make it past one security countermeasure, there are other layers beyond that to ensure that you are not allowed to carry out malicious acts. So, if you have a wall around your facility, even if a truck crashed through the wall (or more likely someone stole or cloned a badge) they would still have to make it into the building structure. Those are layers. Then, once inside the building, they have to find and break into the vault. Each layer introduces complexity for the attacker, takes time to circumvent, and hopefully will exhaust their time, motivation and resources to actually attack the target. The principle is the same for physical and information security.
Now, what does this have to do with the annoying LAN vulnerabilities that no one will ever get to? Well, you have probably guessed by now that they are a layer. Most penetration testers (and attackers) can get into your LAN given enough time, motivation and resources. Most of the time, it is not even very difficult or complex. Social engineering is effective roughly 100% of the time in the hands of a savvy individual. Sometimes there are publicly accessible services that can be utilized or exploited to gain LAN access. Once LAN access is achieved, the walls usually end. Most companies do not take the care necessary to secure their network from either the attacker who social engineered their way into the LAN (through spear phishing or another method) or from an internal threat actor (rogue employee).
What to do?
In the vein of the title of this article, eliminating any vulnerabilities on systems and workstations on your internal LAN is a great place to start. Security industry best practices dictate at least a quarterly internal vulnerability scan (also a PCI requirement). This scan will find most of the known vulnerabilities, which are the ones most often utilized by attackers and usually have point-and-click tools for exploiting them. This may sound expensive and time consuming, so make a plan. Use a prioritized approach to remediation based on the results of the vulnerability scan. This is fairly intuitive, as the vulns are ranked critical, high, medium, etc. The one item I would suggest is to dig into each vuln and check if there are exploits available (listed on the vulnerability detail page). Those should go above the rest, even if they are medium in rating, because these are the vulns that have point-and-click tools written to exploit them. Vulnerability scanners can be expensive, but there are a few that are reasonably priced, like Tenable's Nessus (screenshot is from Nessus). With Nessus you can even schedule scanning to occur whenever you would like: enter your network details and away it goes. There are other options as well that include asset tracking, if that is a feature you think would provide value for your environment. There are free options too, such as OpenVAS. While not quite as user-friendly as Nessus, this tool will provide you with a decent baseline on your LAN.
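To make the prioritization rule above concrete, here is an added example (not code from this post, Nessus or OpenVAS) that sorts a scan export into a remediation queue: documented business exceptions are set aside, findings with a known exploit go first regardless of rating, and the rest follow by rating. The CSV column names and the sample findings are constructed assumptions for the example.

```python
import csv
import io

# Constructed sample export. Column names are an assumption for this example,
# not the format of any particular scanner; "exploit_available" stands in for
# the "exploit available" field shown on a finding's detail page.
SAMPLE_EXPORT = """host,finding,risk,exploit_available
10.0.0.5,SMB signing not required,Medium,yes
10.0.0.5,Outdated OpenSSL,High,no
10.0.0.9,Legacy app remote code execution,Critical,yes
10.0.0.12,HTTP TRACE method enabled,Low,no
10.0.0.7,Weak SSH ciphers,Medium,no
"""

# Documented business exceptions: (host, finding) pairs that are accepted risk
# (legacy systems etc.) and are tracked separately instead of being fixed.
BUSINESS_EXCEPTIONS = {("10.0.0.9", "Legacy app remote code execution")}

# Lower number = fix sooner. Unknown ratings sort last.
RISK_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Info": 4}


def load_findings(export_text):
    """Parse the CSV export into a list of dicts, one per finding."""
    return list(csv.DictReader(io.StringIO(export_text)))


def prioritize(findings, exceptions):
    """Split findings into a remediation queue and an accepted-risk list.

    Queue order: exploitable findings first regardless of rating, then by
    rating (Critical > High > ...), then by host for a stable order.
    """
    queue, accepted = [], []
    for f in findings:
        if (f["host"], f["finding"]) in exceptions:
            accepted.append(f)
        else:
            queue.append(f)
    queue.sort(key=lambda f: (f["exploit_available"].strip().lower() != "yes",
                              RISK_ORDER.get(f["risk"], 99),
                              f["host"]))
    return queue, accepted


if __name__ == "__main__":
    queue, accepted = prioritize(load_findings(SAMPLE_EXPORT), BUSINESS_EXCEPTIONS)
    for i, f in enumerate(queue, 1):
        print(f"{i}. [{f['risk']:8}] exploit={f['exploit_available']:3} {f['host']} {f['finding']}")
    print("accepted risk (needs compensating controls):", [f["finding"] for f in accepted])
```

Note that the medium-rated SMB finding lands at the top of the queue ahead of the high-rated OpenSSL one, which is exactly the ordering the paragraph argues for.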
There are many other ways you can secure your LAN. Such as:
- Internal network segmentation
- Traffic limitation based on expected and allowed traffic
- Traffic egress filtering (network traffic leaving your environment)
- Proper documentation and network diagram (including a list of services needed for business)
- System and application updates (EMET for Windows software is a must)
This is by no means an exhaustive list. I will also be expounding on some of the above items in subsequent blog posts.
The Bottom Line
You need to care what is on your internal LAN. I know you have a firewall that protects you from the evil internet; however, it does not protect against social engineering or internal threat actors, both of which are very effective. Security is a process, not an event. Bake it into your culture and your IT procedures and you'll more than likely stay off the front page (let's reserve that for articles about how incredible your company is, not the fact that it leaked 10 million passwords).