Believe me, the easiest way to compromise the integrity of an organization's data assets is through its desktops. This is because most organizations use a homogenous environment and most fail to secure this against attack. Yes, they usually deploy specialist perimeter defense systems, including securely configured internet-facing services, but unfortunately the individual desktops are left insecure.
Bypassing perimeter defenses
My team is regularly able to show up such holes in internal security. For example, when we have completed a security assessment or ethical hacking exercise, the last step is to deliver the final report. This invariably spotlights a set of problems that tend to lie with the perimeter email defenses and the way they are configured on the desktop.
A typical ethical hacking report will contain a tremendous amount of highly confidential material, including samples of exploit code that were used to successfully compromise key hosts. Not only will the corporate gateway anti-virus or content filtering systems react to the text within the document, but the confidential nature of the material means that it must be encrypted in some manner. Consequently it is often rejected, never reaching the intended recipients. It is at this stage that the fun of trying to bypass these perimeter defenses begins. Fortunately there are often enough holes in the system to allow safe passage of the report. The unfortunate part is just how easy it is for anyone else to do the same thing.
In almost all cases, regardless of the policies for email attachments, someone internally knows how to bypass the organization's configuration. Getting emails to the corporate 'techies' containing executable content (e.g. self-decrypting PGP files) is particularly easy, as they tend to know how to bypass their own systems. These bypass mechanisms can include the simple renaming of file attachment extensions or placing the executable content within a password- protected ZIP file. What I am highlighting here is that it is a trivial exercise to get executable content through to the desktop user, thus providing an opportunity for an attacker to get embedded content past the perimeter defense systems and executed internally.
Regardless of whether malicious content gets executed by users intentionally bypassing the perimeter defense systems; or through various HTML-embedded content attacks conducted through the common web browser (e.g. cross-site scripting); or through security flaws in any of the common desktop applications found within most organizations - the inadequate security mechanisms of the corporate workstation are fast becoming the greatest threat to internal corporate security.
But, I hear you say, in a network of 1,000 workstations only a small percentage are likely to have much confidential material on them. The thing is that it is actually quite easy to find these few. Just look for the newest, fastest and most powerful computers, as they are almost certainly going to belong to managers and power users with extra corporate account permissions. Their users also tend to flout most security policies and consequently make their systems softer targets.
While the client's focus is always on the critical servers, having participated in numerous internal security assessments, I've found the easiest way of gaining access to critical corporate resources is almost always the humble desktop computer. In general, the larger the desktop computer environment, the higher the probability of compromise.
The corporate desktop environment, by necessity, requires that the bulk of systems are configured almost identically and utilizes the same suit of applications. This means that they are also administered together as a unit, including the same local administrator password accounts, the same shares and network mappings, the same patching levels and the same defensive configuration. Thus, the compromise of a single desktop computer can lead to the loss of integrity of the whole environment.
Desktop delivery of attacks
While organizations tend to place the burden on protecting their internal resources at their perimeter defenses, their budgets often don't extend to the increasingly powerful and security-prone desktop. Unfortunately, short of rigorous security enforcement, monitoring and user training, the common desktop will increasingly become the easiest method of conducting a malicious attack. How good is your corporate desktop security?
Gunter Ollmann is manager of X-Force Security Assessment Services EMEA for Internet Security Systems (www.iss.net).
Tips to improve desktop security