Most organizations lock down Wi-Fi access but rely on physical security and static segmentation as the primary defensive technique for the wired network. This blog is the first in a three-part series that attempts to uncover why this practice is commonplace today and what alternatives exist.
Let me start by telling you about a scenario that I often present when talking with customers:
“I want to get inside your building. Towards the end of lunchtime, I find a group of employees returning to the office and walk with them. I’m wearing a badge that looks just like your company badge. I’m carrying a package in one hand and talking on a cellphone with my other hand. Will the employees hold the door open for me?”
Most of the time, the answer is yes. Some of the time, I hear a story of turnstiles or other single-person access control methods along with assurances that this scheme would never work. I’ll leave it at this: Sit in the Social Engineering Village at DEFCON sometime, or attend a red team or pen tester conference, and listen to the various ways people have worked their way into even some of the most secure spaces. It’s fascinating.
Why do I bring this up? Because while they’ve spent 15+ years locking down Wi-Fi access, most organizations continue to rely on physical security and static per port segmentation as the primary defensive techniques for the wired network. If you can find a port, you can connect. And if you can find an unused port, it takes a matter of seconds to install a remote-access device connected to that port, letting you get in and get out in minutes. My brother works in physical security for a well-known tech company, and I once asked him, “If you were walking around in a building and came across a small white box plugged into a network port, what would you do about it?” His answer did not surprise me: “I would probably assume that it was supposed to be there, and keep moving.”
With today’s advanced threats spread by phishing emails and malware, the problem is expanded to your own employees or contractors coming into the environment and plugging in for valid reasons. Physical access is granted to these individuals, and they are allowed – in fact encouraged in some cases – to connect to the wired network for their business purposes. Malware can be lingering, undetected on their device waiting for network access to find ways to infiltrate.
Port-based Security is No Longer Enough
In the majority of environments, the current state is that once someone connects to the wired network, access control (if it exists at all) seems to be primarily port-based. The port you plug into dictates your VLAN, which ultimately dictates the upstream firewall policy or ACL through which your traffic passes. Many organizations employ various different tools other than firewalls to help detect and prevent threats that may be on the network, from endpoint detection and response (EDR) to intrusion prevention systems (IPS) to next generation AI/ML-based tools. The problem is that all of this detection/response kicks in after a device or user has already connected and has been granted some level of access for some period of time. Most, if not all, of the security apparatus is multiple hops away from where the users and devices are connected, creating blind spots in visibility and control that are rather significant. Add to this the tremendous operational burden of all the manual moves, adds, and changes of ACLs and VLANs when a user or device gets moved to a different port. Isn’t there a better way?
With today’s advanced threats and adversaries masking their activity as normal user/device behavior, and with the constant threats of social engineering, we have to wonder how much that bad actor can get done before the security apparatus detects and blocks the threat. Keeping in mind that average dwell times of threats are in the 100+ day range (depending on which study you read), that's a LOT of rope to give that adversary and part of the blame falls on the visibility and control gaps that exist on the interior of the network. Security teams need to be provided some level of visibility and control to help combat these threats by detecting and removing them more quickly and in some cases even preventing them before they spread.
Why Do Wired Networks Remain Open?
I am sure many of you already understand this concern. So why is it that wired networks remain this open? Through discussions with many customers it seems the concern is the operational and user related complexities and cost with implementing an access control solution on the wired network. The concern is centered around putting added complexity on the users to navigate a security policy which then leads to added operational burden to troubleshoot those issues. Also, on the operational side are the questions around the unknown: If technologies like RADIUS authentication are not already leveraged or enabled on the wired network, and the wired network is operating just fine, what operational impact would it have by turning on more functionality?
These are all valid concerns, but concerns that have solutions.
In my next blog, I’ll present why organizations must implement stronger pre-connect controls and segmentation on the wired network to mitigate the risk of insider threat, while at the same time doing so in such a way that it is user friendly, and actually reduces the operational burden.
