In the oft-repeated words of Bill Cheswick of Bell Labs, perimeter defenses like firewalls can serve as “a sort of crunchy shell around a soft, chewy center.” Your datacenter may be secured like Fort Knox with multiple layers of RFID and biometric access controls, security guards and anti-tailgating measures but your security posture is only as strong as its weakest component. This is the Defender’s Dilemma: The attacker only needs to find a single way into the network; the defender must defend all points from attack.
Open network ports in common areas such as training, break and conference rooms can provide an end run around the best laid security plans. The tension between the security of corporate data and convenience for users and administrators is most evident at these points. Given the choice between manually provisioning guests throughout the day and more permissive controls, the balance usually tilts towards greater ease of use.
In a recent pen test conducted by Black Hills Information Security for a company with otherwise strong security culture and controls, a Pwn Plug R2 was plugged into an open Ethernet port in a headquarters conference room that was accessible from the lobby without passing through a guard station. The Pwn Plug was also able to access Wi-Fi networks. The device remained undiscovered and operational for two weeks hidden under a conference room table. This device provided a platform to penetrate the headquarters network and the hardened data center beyond.
What can you do to prevent such an opening that bypasses your controls? The following measures can lessen the risk of a breach:
- Disable unused cable drops
- Apply network access control (NAC) where possible
- Regularly inspect common areas for unfamiliar devices
- Segment the corporate network to limit exposure if a compromise occurs in a single area
- Treat networks in common areas as public and require VPN to access corporate resources
- Restrict and monitor outbound protocols, especially from networks with public access