Keeping an Eye on the Weakest Link

4:32 PM -- According to a new report, the U.S. Department of Energy experienced 132 security breaches in fiscal year 2006 that auditors considered serious enough to involve law enforcement. That’s almost two serious security breaches per year for each of the DOE's 69 organizations.

The report is disturbing. Even if most of the DOE organizations aren’t dealing with sensitive research or information that could pose a risk to the national infrastructure, they could provide a jumping point that would allow attackers to delve further into the DOE network, with the potential of causing even more damage.

The article started me thinking about the first stage of a targeted attack: reconnaissance. If you’ve ever read a book about "hacking" or taken a similar class, it probably detailed this phase extensively. One of the things to look for is recent acquisitions or smaller, geographically diverse units that may not fall under the full control of corporate headquarters.

The assumption, which is generally held to be true, is that it takes time for the new acquisition to become fully integrated with the parent organization -- and to be protected by its security umbrella. Until that happens, VPNs (or similar access) will be set up to assist with the integration, and some of these hastily created transitional access infrastructures may not be appropriately secured.

The next assumption is that the acquisition, or smaller unit, will not be nearly as secure, because it doesn't have the money and time to devote to information security. These new acquisitions end up being a perfect jumping point into the headquarters in order to reach the crown jewels.

So, how do you protect yourself from your allies? Obviously, a multi-layered approach is your best bet. You should use an IDS to monitor traffic coming from the remote offices, and do health checks for the VPN to inspect hosts before they are allowed to communicate with the corporate office.

The key: Be paranoid. Don’t trust traffic coming from remote locations, unless you have some means of guaranteeing that the source is not hostile. Take the necessary precautions to limit what resources the remote systems can access, and inspect all the traffic that comes from a remote source.

– John H. Sawyer is a security geek on the IT Security Team at the University of Florida. He enjoys taking long war walks on the beach and riding pwnies. When he's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading