Seriously?! Can You Not Do That? Chapter III - External Internet Access

By Sean Martin, CISSP

Chapter III | External Internet Access

There’s so much information flowing through a company—much of it crossing a multitude of channels, systems, and services—that it’s nearly impossible for organizations to hold all their data internally. In addition to the data, it’s equally challenging for organizations to manage all their IT systems and services internally, meaning that many of them may reside outside the firewall as well.

Both points hold all the more given the uptake of cloud services: large organizations constantly look for dramatic improvements in effectiveness and efficiency with a continuously improving return on investment (ROI), while small and medium-sized businesses often look to expand their operations without costly investments in hardware and staff.

What does all this mean? Well…it means that the organization is using cloud-based email services, externally hosted and managed customer relationship management (CRM) solutions, cloud-based employee communication and collaboration products, and a variety of web-based partner portals and omni-channel systems to run their business. It also certainly means that organizations are relying on data synchronization, sharing, and backup services to manage the massive amounts of data pumping through the business.

While one might expect companies to explicitly select a formal set of tools to run the business, this may not always be the case. Sometimes the business grows and technologies get selected haphazardly. Other times, it may be a case of “Shadow IT” where the employees make a conscious decision to use a particular tool or service just so they can get their work done. Sometimes it’s a case of a merger or acquisition.

“Unfortunately, such scenarios are typical—we see it all the time—especially in organizations that have grown over time, either organically or through M&A,” says Greg Hoffer, VP of Engineering at Globalscape. “New tech is added to old and sometimes the old tech is forgotten—lurking in the shadows as a threat to data integrity.”

Regardless of the method, means, and madness behind the introduction of new technologies and services, the use of these inward-out systems is inevitable and can put the company at risk if not managed properly. And sometimes the old, abandoned tech still has inward-out access while no longer being monitored for malicious, or at least suspicious, activity.

According to Hoffer, last year a security researcher scanned IPv4 addresses across the web and found nearly 800,000 FTP servers that could be accessed without any authentication. This is just one example of an inward-out service, but it is a staggering number nonetheless. Subsequently, the FBI issued a warning that hackers were targeting unsecured FTP servers of exactly this kind in operation at a number of small and mid-sized healthcare organizations.

This means that a weakness publicly exposed well over a year earlier was still in place, and was being exploited by hackers to steal sensitive information.
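The check the researcher's scan performed, and the one an organization should run against its own address space before someone else does, is a plain anonymous-login attempt. The following is an added example, not code from the article or from any vendor quoted in it: a checker built on Python's standard ftplib, exercised against two constructed in-process FTP responders (one that accepts anonymous logins, one that refuses them) so it runs offline. The responders, host list and address 127.0.0.1 are assumptions for the demo; in practice the same check_anonymous_ftp function would be pointed at your own inventory of externally reachable hosts.

```python
"""Anonymous-FTP exposure check (added example; the fake server is constructed for the demo)."""
import ftplib
import socket
import socketserver
import threading


def check_anonymous_ftp(host, port=21, timeout=5.0):
    """Classify an FTP endpoint: 'anonymous' if USER anonymous/PASS succeeds,
    'auth_required' if the server rejects the login, 'unreachable' otherwise."""
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
    except (OSError, ftplib.Error):
        return "unreachable"
    try:
        # Real anonymous servers accept any e-mail-like password; use a harmless one.
        ftp.login("anonymous", "scan@example.invalid")
        return "anonymous"
    except ftplib.error_perm:          # 5xx reply to USER or PASS: login refused
        return "auth_required"
    except (OSError, ftplib.Error):
        return "unreachable"
    finally:
        try:
            ftp.quit()
        except (OSError, ftplib.Error):
            ftp.close()


class _FakeFTPHandler(socketserver.StreamRequestHandler):
    """Minimal banner/USER/PASS/QUIT responder standing in for a real FTP daemon.
    Constructed for the demo; it only implements what the login check needs."""

    def handle(self):
        user = ""
        self.wfile.write(b"220 demo FTP ready\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd, _, arg = line.decode("latin-1").strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user = arg
                self.wfile.write(b"331 Password required\r\n")
            elif cmd == "PASS":
                if self.server.allow_anonymous and user.lower() in ("anonymous", "ftp"):
                    self.wfile.write(b"230 Login successful\r\n")
                else:
                    self.wfile.write(b"530 Login incorrect\r\n")
            elif cmd == "QUIT":
                self.wfile.write(b"221 Goodbye\r\n")
                return
            else:
                self.wfile.write(b"502 Command not implemented\r\n")


class FakeFTPServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, allow_anonymous):
        super().__init__(("127.0.0.1", 0), _FakeFTPHandler)  # port 0: OS picks a free port
        self.allow_anonymous = allow_anonymous


def _closed_loopback_port():
    """Reserve and release a port so a connection to it is refused (assumed unreachable host)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def run_demo():
    """Run the check against an open, a locked and an unreachable endpoint; return the findings."""
    results = {}
    for name, allow in (("open-ftp", True), ("locked-ftp", False)):
        srv = FakeFTPServer(allow)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            results[name] = check_anonymous_ftp("127.0.0.1", srv.server_address[1])
        finally:
            srv.shutdown()
            srv.server_close()
    results["unreachable"] = check_anonymous_ftp("127.0.0.1", _closed_loopback_port())
    return results


if __name__ == "__main__":
    for endpoint, verdict in run_demo().items():
        print(f"{endpoint}: {verdict}")
```

Anything that comes back "anonymous" is the condition the FBI warning described; anything "auth_required" still deserves a look, since an FTP server that accepts credentials in cleartext over the Internet is only marginally better.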

The issue here is that it’s often a case of companies not being aware that they need to change; it’s just the way they’ve always done things.

“A breach of this kind would be a potentially costly violation of the Health Insurance Portability and Accountability Act (HIPAA), putting patient health and financial data at risk of fraud and misuse,” says Hoffer.

The risk here isn’t limited to data leaving the organization in an unmanaged fashion; it’s also an issue of employee machines being used to connect to systems and services operating outside of IT security’s purview, putting the machines at risk as well.

“Users accessing the Internet can expose their machines to malicious code, resulting in compromise,” says Alex Horan, Director of Product Management, Onapsis. “Those machines can then be leveraged by an attacker to launch attacks from that compromised internal machine to hop over to other internal targets.”

Any business process executed by that compromised employee (or machine, rather) is at risk. Plus, any systems that the compromised employee has access to are also at risk.

“The organization could be exposed to information loss, disruption of business processes and potential financial losses, all dependent on the role of the user—think of a finance department user whose system is compromised,” says Horan. “The user doesn’t have to visit a suspicious website for this attack to be possible; a banner advertisement hosted on a legitimate website or an attachment in a webmail (Gmail, etc.) account could be enough to compromise the user.”

It would be easy to disallow access to external resources, but this could dishearten the employees, or worse, actually cripple the business.

“Internet access is seen more as a right than a privilege for most employees and trying to take that away would be incredibly painful,” says Horan. “One option to address this risk is to use proxies to inspect all the code coming from the Internet before it gets to users’ machines.”

It’s not just about blocking and tackling, however. Early warning that an incident may have occurred is just as important.

“Organizations should also operate on the assumption that something bad will happen with this inside-out connectivity,” says Horan. “Attackers can often write exploits for browsers and browser plug-ins much quicker than enterprises can push out the security patches for the associated vulnerabilities. Detection capabilities around those systems that run critical business processes or that handle critical business data is required in order to alarm at the earliest possible moment when these actions are seen to take place.”
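One concrete form the detection Horan describes can take is a rule run over the egress proxy logs that the inspection proxy already produces. The following is an added example, not code from the article or from Onapsis: it parses log lines in Squid's native access.log layout, treats an assumed inventory of critical hosts (a finance workstation and an ERP server) and an assumed per-role allowlist of destinations as the baseline, and raises an alert when a critical host reaches anything off that list or when any host fetches executable content. The five log lines are constructed for the demo.

```python
"""Egress-proxy detection rule for critical hosts (added example; log lines and inventory are constructed)."""
import urllib.parse
from dataclasses import dataclass

# Assumed inventory: which internal clients run critical business processes.
CRITICAL_HOSTS = {"10.0.5.20": "finance-ws", "10.0.1.5": "erp-app"}
# Assumed baseline: the only Internet destinations those hosts have a business reason to reach.
CRITICAL_ALLOWLIST = {"erp.example.com", "bank.example.com", "updates.example.com"}
EXECUTABLE_TYPES = {
    "application/x-msdownload",
    "application/x-dosexec",
    "application/vnd.microsoft.portable-executable",
}
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".scr", ".msi", ".hta")

# Constructed sample in Squid native format:
# time elapsed client code/status bytes method URL user hierarchy/peer content-type
SAMPLE_LOG = """\
1500000000.101    120 10.0.5.20 TCP_TUNNEL/200 8192 CONNECT erp.example.com:443 jdoe HIER_DIRECT/198.51.100.5 -
1500000000.233    245 10.0.5.20 TCP_MISS/200 51234 GET http://cdn.example.net/ad/banner.js jdoe HIER_DIRECT/203.0.113.10 application/javascript
1500000000.377     88 10.0.9.31 TCP_MISS/200 734208 GET http://files.example.org/tools/update.exe asmith HIER_DIRECT/203.0.113.22 application/x-msdownload
1500000000.401     30 10.0.9.31 TCP_MISS/200 4211 GET http://www.example.org/ asmith HIER_DIRECT/203.0.113.30 text/html
1500000000.512     12 10.0.5.20 TCP_DENIED/403 3500 GET http://dl.example.net/setup.exe jdoe HIER_NONE/- text/html
"""


@dataclass
class Alert:
    client: str
    host: str
    reason: str


def parse_line(line):
    """Split one Squid native log line into (client, status, host, path, mime); None if malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    client, status, method, url, mime = fields[2], fields[3], fields[5], fields[6], fields[9]
    if method == "CONNECT":                 # HTTPS tunnels log "host:port", not a URL
        host, path = url.rsplit(":", 1)[0], ""
    else:
        parsed = urllib.parse.urlsplit(url)
        host, path = parsed.hostname or "", parsed.path
    return client, status, host.lower(), path.lower(), mime.lower()


def detect(lines):
    """Return the alerts raised by the rule over the given log lines, in log order."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client, status, host, path, mime = rec
        if status.startswith("TCP_DENIED"):
            continue                        # the proxy already blocked it; no outbound contact happened
        if client in CRITICAL_HOSTS and host not in CRITICAL_ALLOWLIST:
            role = CRITICAL_HOSTS[client]
            alerts.append(Alert(client, host, f"{role} contacted a host outside its allowlist"))
        if mime in EXECUTABLE_TYPES or path.endswith(EXECUTABLE_EXTENSIONS):
            alerts.append(Alert(client, host, "executable content fetched from the Internet"))
    return alerts


def run_demo():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_demo():
        print(f"ALERT {a.client} -> {a.host}: {a.reason}")
```

The first rule fires on the finance workstation loading an advertising script from a CDN that is not on its allowlist, which is exactly the banner-advertisement path Horan describes; the second fires on any host pulling down an executable. The denied request is skipped because nothing left the network, though a critical host repeatedly hitting blocked destinations is itself worth a separate, lower-severity rule.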

Not only can using inward-out systems put your company’s data at risk, but employees who access the Internet can expose their computers, and thus the organization, to malicious code. Good cyber hygiene includes using proxies to inspect all incoming code, paying attention to early warnings, monitoring your abandoned tech that may still have inward-out access, and securing your FTP servers.

Organizations can keep sensitive data safe with a competent cybersecurity team, but what about individuals accessing personal devices using public Wi-Fi? How do we keep our info private and safe from malicious attacks when surfing the ‘net in a coffeeshop? Stay tuned for the next chapter to find out.

Interested in more topics from this series?