
While I do not claim to be an expert in all things security based, I'd think that I have a good grounded knowledge of what is acceptable and what is not in regards to digital security.

After giving some general advice on internal network security, I was advised by a company that physical access based attacks (i.e. attacker has access to internal network) are unrealistic and are considered out of scope.

I was informed that due to the company having a guest wifi system which is in a DMZ, it's not a problem for them. The main oversight that they don't seem to understand or accept is that from outside the office, you can see in plain sight the private wifi password stuck to the walls around the office, as so many people constantly forget them.

Without lighting fires, I am really struggling to get them to accept that this is horrible practice and they are really opening themselves up if an attacked or compromised system was connected to their private wifi.

For example, customer brings device into office for a meeting, sees a publicly advertised wifi password in the meeting room and continues to connect to the wifi. Customer's machine is compromised and now has full access to the private internal network containing business critical data, and a ton of personal data due to bad domain policies.

Any suggestions on the best way to approach this situation?

nhahtdh
Aaron Dobbing

  • It's not limited to geographical local access. Can they guarantee that 100% percent of staff will avoid getting phished 100% of the time, never plug in a usb stick that has been plugged into a non-corporate machine or never get malware on their pc from browsing a popular website that was compromised, i.e. the recent Forbes breach? Perhaps if you frame the problem in a different light you can come back to the wifi issues when they are more on board. – wireghoul Apr 01 '15 at 07:14
  • To clarify: I'm assuming you're asking this to construct a business case for implementing a more secure (i.e. account based) access scheme for the internal WiFi? – Lilienthal Apr 01 '15 at 09:43
  • @MichaelKjörling He's not saying that the **guest** network has full access. He's saying that the password for the **private** network is posted in plain sight. The customer sees this and thinks that it's the password for the guest network... –  Apr 01 '15 at 12:40
  • @ChrisF Good point, although if the password to the internal network is posted in plain sight *especially* in an area where customers have relatively ready access, then the internal network effectively and for all intents and purposes *becomes* a guest network and needs to be treated that way. There is always the possibility of VPNs to access anything sensitive, with pre-shared secrets stored on the computers that need such access, for example. (But yes, that is a little more effort.) – user Apr 01 '15 at 12:42
  • Why do your employees even need to know the password of the internal Wifi, why not pre-configure their devices with it (via some sort of policy), or have it be their own personal password (such that each individual has a unique password) – user2813274 Apr 01 '15 at 17:55

3 Answers


Take a passive approach and do a risk assessment. Security management is a form of risk management. You have assets which might have threats and vulnerabilities. A threat exploiting a vulnerability is a risk, which is calculated by calculating (quantitative) or estimating (qualitative) the likelihood and impact (most of the time it's high, medium, low but some organizations have their own).

First you expose the risk. You derive an impact of an attacker having access to the internal network. Then you assess the likelihood and technical complexity. In your case the hard part is getting buy in from your management. So the first thing to do is taking references. Have a look if you find specific requirements for the type of business you are in, the size of your business and what industry best practice guides say you should do (NIST). It's important to structure your risks like this ensuring you have both the technical reasons, but also a clear business impact (what is this going to cost the business?) (in the end the business is what it's all about, IT is just an enabler).

As you are from the UK and you clearly think there is a risk for private data, have a look at the Data Protection Act. It's always interesting to show what can happen by referring to cases which bear a similarity to your current environment. Make sure that they understand that the upper management can be held personally accountable if it's deemed they made wrong decisions (e.g. not fixing this), but do not threaten them as this may have an adverse effect.

There's also the EU General Data Protection Regulation, which will be finalized end of this year. It allows the EU to fine companies up to 5% of their global turnover in case severe mismanagement of personal data is found.

After you have made the report, you need to present it to your management, which is someone responsible for the business and someone responsible for IT as well as your internal audit department. That's the easy part. Now comes the hard part: sell security.

You will need to get buy-in from your upper management to fix this, which will most likely cost money as they will need to spend resources. Unfortunately it's quite hard to do so, you need to involve your stakeholders in the security process and explain the benefits to them. It's important to involve all employees in your security process. The security executive cannot sell the necessity and importance of the security function to others if people do not understand it.

Now the best way to get buy-in is to make them first understand. Make sure you think of a solution for each problem you face, you're already half way if you can come up with a good alternative. In your case it could be password managers or using domain credentials (PEAP authentication). I'm not a fan of allowing just any device into the internal network, preferably the only devices allowed should be those issued by the company.

Note that the business may decide to sign off on the risk. This means that they're aware of the risk, but choose not to do anything with it. In the end there's only so much you can do. To be fair, it's not uncommon that a serious incident occurs before people start seeing the importance of security. It's sad, but the hard truth.

Lucas Kauffman
  • Thank you for the informative answer - Have marked as best answer because you have provided plenty of business based risks to propose. Let's hope some change can be actioned! – Aaron Dobbing Apr 02 '15 at 12:41
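The answer above proposes replacing the shared password with domain credentials over PEAP. As an added illustration that is not part of the answer, the following wpa_supplicant.conf excerpt puts the weak configuration beside the corrected one. The SSID, the identity, the certificate path and the RADIUS hostname are placeholders, and the setup assumes a RADIUS server that already authenticates against the domain.

```ini
# Added example, not from the original answer. SSID, identity, CA path and
# RADIUS hostname are placeholders for whatever the site actually uses.

# BEFORE: one pre-shared key for the whole office. Whoever reads it off the
# wall (or any former employee) can join until the PSK is rotated on every
# device, which in practice means it never is.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-PSK
    psk="the-password-on-the-wall"
}

# AFTER: WPA2-Enterprise with PEAP/MSCHAPv2 checked against the domain via
# RADIUS. Each person authenticates with their own account, which can be
# disabled on its own, and there is nothing worth writing on a wall.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@corp.example"
    password="per-user-domain-password"
    phase2="auth=MSCHAPV2"
    # The two lines below are what make PEAP safer than a PSK. Without
    # server certificate validation, a rogue access point presenting any
    # certificate can terminate the TLS tunnel and harvest the MSCHAPv2
    # challenge/response, which is then crackable offline.
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_suffix_match="radius.corp.example"
}
```

When pushing this out by policy rather than by hand, the same two points carry over: supply the CA certificate and the expected server name with the profile, and do not leave "validate server certificate" as a user-skippable prompt, since users click through it.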

There are different ways to deal with this, ranging from questionably ethical but highly effective, down to completely passive.

If you really want to show them that physical attacks work, break in during your next pentest. I don't mean "grab a crowbar", but rather walk into the lobby, walk past reception, and walk straight into their offices. If they require keycards, tailgate while "on the phone" and holding a cup of coffee. Go up to your contact, and tell him what you just did. I only suggest this if you've got a good relationship with the client, as it's pushing the boundaries of ethical conduct.

On the middle-ground, you could explain to him that attacks aren't limited to people outside the organisation. Malicious insiders are one of the biggest security problems in financial organisations, because they're difficult to identify before they do harm, and they tend to be able to get hold of large amounts of sensitive data. Back your points up with real world examples, such as the Morrison's leak a while back, where a completely non-technical member of staff with no special access was able to steal large amounts of personal information about the company's staff. Make the impact clear: PR nightmare, significant financial outlay (IR costs, credit report cover for staff, direct loss of revenue), and weakened staff morale.

If you want to take the pragmatic approach, tell him to look at it from a fiscal risk perspective: ask him how much it'd directly cost the business if data was leaked (tailor the kind of data to the org's crown jewels - customers, code, whatever) and how much it'd cost to do all of the incident response and PR associated. That total figure is likely to be several orders of magnitude greater than the cost of an internal pentest. Now, express it as the gamble: they are betting that amount of money that they won't get popped in the foreseeable future (say, 2-3 years). Then express the alternative: spend several orders of magnitude less for an internal pentest, and your breach likelihood and expected costs go down.

Alternatively, take the passive approach. Note in writing, somewhere, that you've expressed your opinion that they're following bad practices. Let them accept the risk - after all, it's absolutely up to them. If they don't get popped in the future, lucky them. If they do get popped, give them a call. They'll be listening now.

Polynomial
  • Poly - is video of Freaky Clown's Securi-Tay talk up yet? It could also be useful – Rory Alsop Apr 01 '15 at 09:26
  • @RoryAlsop FC's talks are never recorded, unfortunately. Makes sense, as he wants to minimise the number of people who know what he looks like. – Polynomial Apr 01 '15 at 11:28
  • I like your questionably moral example, but why not step it up a notch and walk in with a trolley, and a few new desktop machines, socially engineer your way into physically taking a few machines and replace them with new ones, ask staff members for their passwords as you "setup" said machines for them. If you have 3 or 4 people with you and an "authority letter" then this shouldn't be too difficult. Scrape said machines for data ( or if feeling particularly nefarious use said machines to login to the wifi out of hours and scrape data off their servers). You should go big or go home :P – Damian Nikodem Apr 02 '15 at 08:08

Several good ideas here. Just want to add a couple more and I don't have 'comment' rights yet:

1.) We in IT look at things from a tech standpoint. The people you need to convince likely look at it from a business standpoint. You need to be able to put it in clear $$$$ numbers for them. This is actually relatively easy.

Risk = Cost of Breach * Probability

Where you get these numbers is up to you, but they should be documented in your PRINTED proposal. There are lots of sources out there. For example the Ponemon Institute does a yearly study. They estimate a cost of $201 per record stolen. You'll need to adjust the numbers based on what type of data you have, industry, etc. The point being, you figure out what the worst case scenario is if penetrated via this method. (e.g. all our customer records get stolen) How much would that cost? (We have 1500 customers. At $201 per customer, the cost would be $301,500.)

Now take that number and multiply by the probability that this will happen this year. Again this is going to take a lot of guess work and supposition. Find some sources that apply to your industry and apply to your company. Mitigate this number based on the suggestions others have given above. (e.g. your pentest shows that it's VERY easy for a random person to walk in, get the password, and walk out.) So if 5% of the industry had a security event last year, but you estimate that you are MORE vulnerable because your security is not on par with other similar companies, maybe double that likelihood. In this case your formula becomes:

Risk = $301,500 * 10%

Risk = $30,150

If you can show that to your boss in a WELL-TYPED, single page paper, you should easily be able to get a budget of up to that much to mitigate the risk. It's just about speaking their language.

The second point I wanted to make ties into the reason I emphasized a PRINTED report. If at all possible, insist on getting a physical signature on the report that acknowledges the boss has seen it. He will understand you are taking it seriously (and is more likely to act on it) and you have a BIG CYA when (not if) you are hacked.

Good luck!

Rick Chatham