Looking Out and Looking In

As a Security Consultant on the Fortify On Demand Dynamic Test team, I spend a large amount of my time testing Internet-facing applications for our customers. A few of our customers also have our team test applications that live on their internal network. I applaud these customers, because assessing internal applications as well as external ones gives them the greatest level of application security for their assets.

You might ask, “Why test the internal applications?” Recently a customer of ours was asked this same question by executives in their organization, and the customer asked me to explain why. Here is how I responded:

 

The reasons to assess your internal sites are two-fold:

  1. To protect your organization from internal, employee-based threats
  2. To protect your organization from the inevitable external threat that gets into your internal network

Unfortunately, it is a commonly cited industry figure that over half of all security breaches in an organization occur due to some type of internal employee action, where “employee” also covers contractors acting as employees. The internal, employee-based threat has two parts to consider: deliberate actions by employees, and unknowing actions by employees that an attacker takes advantage of.

Deliberate actions by employees
An employee could ‘explore’ the network with a publicly available tool, or with the help of a reference book easily obtained from any bookseller. The ‘exploring’ may stem from simple curiosity or from malicious intent for any of a variety of reasons; corporate espionage and general employee dissatisfaction are two examples. Do you feel secure in the knowledge that all of your employees are happy corporate employees?

Attackers utilize unknowing actions by employees to gain access or information
Your employees may be subject to social engineering, may install malware from the Internet, or may take other actions that leave an opening for an outside party (a computer in a public area that wasn’t locked while the employee took a break, for example). These unknowing or passive actions by your employees can turn into exposure to an external threat.

It should also be considered that external access to your organization’s internal applications and sites is inevitable. We hear examples of this often in the news. These access breaches can occur through deliberate, aggressive attempts to penetrate the organization’s internal network, or through the external exposure produced by the unknowing actions of your internal employees or agents.

Given that exposure of your organization’s internal sites and applications likely already exists, the question then becomes, “How secure are your internal applications and sites?” Whether via a deliberate internal threat, a deliberate external attack, or accidental exposure, the organization’s internal sites and applications are at risk. The question then evolves to, “What consideration is your company giving to lowering the risk to your internal sites and applications?”

The recent breach of AT&T Mobile’s customer database illustrates the point: trusted agents of AT&T with access to internal assets did, in fact, take deliberate action and compromised customers’ personal data. This is only the most recent example of such a data breach. In an era of ever-increasing data exposure, internal network and application security review by a third party should be the norm, not the exception.

Robert Hambrick, CISSP
Security Consultant
HP Fortify on Demand

About HP Fortify on Demand

HP Fortify on Demand is a cloud-based application security solution. We perform multiple types of manual and automated security testing, including web assessments, mobile application assessments, thick client testing, ERP testing, and more, both statically and dynamically, and both in the cloud and on-premise.
