Large enterprises in the past relied on perimeter security to protect their services from the outside world. This idea of a trusted firewall has eroded over the years and is considered an outdated approach to security. But it's incorrect to assume that a firewall is useless, despite the fact that the definition of the “perimeter” has changed.
In older networks, there were fewer systems in fewer places. Currently, the average office has a mixture of networked devices ranging from laptops to printers, even refrigerators. Each of these devices has connectivity, and each is a point of entry. When a user logs into a corporation's network from their home, that is a clear perimeter action. But what if that user goes to the office and plugs in? Do you consider that a perimeter action?
If an unknown attacker plugged into your network, what would they be able to access?
When it comes to SMB networks, it's likely that an attacker would be able to access everything. Even on most enterprise networks, an attacker would still be able to access far more than they should. Even some of the largest network players in the world still have a very '90s approach to security, with too much reliance on firewalls and perimeter boundaries. But with the recent Juniper, Fortinet, and Cisco vulnerabilities, we have seen the notion of perimeter security shatter.
Now we have to adapt as architects.
The new game is defense-in-depth. That includes internal network security. Trust no one on your internal network. Always challenge them. Use separate internal networks for Internet of Things (IoT) devices, as not only can they talk, but they can listen. Exploits have been developed for many smart devices, and manufacturers can always push new code with unknown intentions. The digital age brought many unexpected consequences. The “lp0 on fire” error has become more than just a joke. It's an actual threat that can be willfully triggered. Overreliance on perimeter defense has led factories to shut down and enterprise security to crumble.
Adding internal network security is very beneficial, and the cost has dropped dramatically in recent years. Even basic small-office routers can support VLANs, and when the tools are available, it's reckless to ignore them. Small businesses without a dedicated IT team may be unaware of their options. But when a large enterprise chooses to leave critical services unencrypted, or fails to implement authentication measures because the network is “internal,” they're willfully ignoring the reality that attacks are no longer limited to going through the firewall directly.
Ransomware has become a big issue, in part because many organizations have a flat network. Once ransomware is loose in a network, the organization cannot stop it from encrypting shares unless they add extra access controls. Currently, many organizations don't put those controls in place, since they believe that by virtue of the network being “internal,” they are safe. But this is a misguided assumption. It's up to individual organizations to change it.
The longer an organization is allowed to expand while relying on its perimeter, the more deeply that reliance becomes ingrained in its architecture and culture. Security organizations such as Black Duck enable you to test not only the services the world interacts with daily but also the back-end systems that lie beyond the firewall. Internal network testing gives you a valuable understanding of the threats you face from the inside, and how well you could mitigate them if your perimeter fails.
The holistic approach of a red team goes even further, demonstrating a tangible goal achieved with the approaches used in real-world attack scenarios. More knowledge for the organization enables better business decisions. And better business decisions lead to successful growth and development of a mature secure development life cycle.