
If an application is intended to work only on a machine which is NOT connected to the internet BUT stores extremely confidential information, should we implement the same security policy as if it were intended to be exposed to the internet? I'm about to conduct a pentest / audit and am thinking about what recommendations should be written for such an application and how strict they should be. What (if this is relevant) can be ignored in terms of security for an intranet application?

user228062
  • Does this answer your question? [Does an application purely for intranet use by employees need secure software design or to follow OWASP guidelines?](https://security.stackexchange.com/questions/225001/does-an-application-purely-for-intranet-use-by-employees-need-secure-software-de) – TripeHound Feb 28 '20 at 14:42

1 Answer


A computer "NOT connected to the internet" is somewhat of an oxymoron nowadays. It may not be exposed directly on the Internet, but it is very likely part of a LAN, and in that same LAN there are other computers with access to the Internet...

So, if a computer in that same LAN is compromised, it can be used as a stepping stone to the machine holding the sensitive data. Put differently, it is indirectly reachable from the Internet.

Even if you can isolate it from the network completely (which is rarely practical), you still have to factor in access controls, physical security, internal actors, etc.

Kate
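The "indirectly reachable" argument in the answer above is easy to test against a real inventory: list which hosts can reach which (network segments, firewall rules, stored credentials) and ask whether there is any chain from the Internet to the sensitive machine. The script below is an added example, not part of the original answer or of any product; the hosts, links and the names `web-proxy`, `office-lan`, `admin-workstation` and `vault-server` are a constructed sample topology, and `attack_path` is a hypothetical helper that finds the shortest stepping-stone chain with a breadth-first search.

```python
"""Attack-path reachability check for a supposedly isolated host.

Added example (not from the original Q&A). A directed edge (src, dst, how)
means: an attacker who controls `src` can reach `dst` by `how`. The question
the script answers is the one the answer raises: even with no direct Internet
exposure, is the sensitive host reachable through intermediate machines?
"""
from collections import deque

# Constructed sample topology, assumed for illustration only.
EDGES = [
    ("internet", "web-proxy", "inbound HTTPS"),
    ("web-proxy", "office-lan", "same L2 segment"),
    ("office-lan", "admin-workstation", "SMB/RDP allowed by firewall"),
    ("admin-workstation", "vault-server", "SSH with a saved key"),
    ("office-lan", "printer", "same L2 segment"),
]


def build_graph(edges):
    """Adjacency list: node -> [(neighbour, how)], every node present."""
    graph = {}
    for src, dst, how in edges:
        graph.setdefault(src, []).append((dst, how))
        graph.setdefault(dst, [])
    return graph


def attack_path(edges, start, target):
    """Shortest chain of hops from start to target as [(src, dst, how)],
    or None when the target is unreachable (or unknown)."""
    graph = build_graph(edges)
    if start not in graph or target not in graph:
        return None
    parent = {start: None}          # node -> (previous node, how we got here)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for nxt, how in graph[node]:
            if nxt not in parent:
                parent[nxt] = (node, how)
                queue.append(nxt)
    if target not in parent:
        return None
    path, node = [], target
    while parent[node] is not None:
        prev, how = parent[node]
        path.append((prev, node, how))
        node = prev
    path.reverse()
    return path


def is_isolated(edges, target, start="internet"):
    """True only if no stepping-stone chain from `start` reaches `target`."""
    return attack_path(edges, start, target) is None


def without_edge(edges, src, dst):
    """Model removing one link (e.g. a firewall rule or stored credential)
    so the check can be re-run against a proposed hardening change."""
    return [e for e in edges if not (e[0] == src and e[1] == dst)]


if __name__ == "__main__":
    path = attack_path(EDGES, "internet", "vault-server")
    if path is None:
        print("vault-server is not reachable from the Internet")
    else:
        print("vault-server is reachable from the Internet via:")
        for src, dst, how in path:
            print(f"  {src} -> {dst}  ({how})")
    hardened = without_edge(EDGES, "admin-workstation", "vault-server")
    print("after removing the saved SSH key:",
          "isolated" if is_isolated(hardened, "vault-server") else "still reachable")
```

Feeding this a real export (segments, allow rules, credential stores) turns the answer's "very likely" into a concrete list of hops to cut, and re-running it with `without_edge` shows whether a single hardening change actually breaks the chain or merely lengthens it.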