Another question to consider: Do you allow anything in your network to talk directly to the Internet?
The Driver Behind This
Systems that can communicate directly with the Internet in 2020 are just asking for problems. This means that those systems can bypass all the safeguards and countermeasures (you know, the controls management has invested in to prevent attacks?) that would otherwise provide and enforce proper monitoring, in addition to the ability to effectively identify and respond should a system be compromised. This also opens the organization to additional liability if it fails to screen out harassing content.
So, in addition to the added liability, what else? Well, as it turns out, adversaries LOVE this type of setup. It’s like finding that $100 bill in your winter coat that you forgot about, or finding that the scratch-off ticket you thought was for $100 was really for $10K. Why do they like it, you ask? Well, remember when we said, “this means that those systems can bypass all the safeguards and countermeasures”? We’ll wait for you to finish processing that thought, because while you’re thinking about all those systems that may be able to connect directly to the Internet, just keep in mind the adversary isn’t having to deal with all those pesky defenses.
Processes, Practices, and Activities That Address This Question
Proxy those systems, boys and girls. Don’t let a user or system talk directly with the Internet! Using proxies creates a choke point that ensures a few things. First, it provides a monitor – you can now see what’s going on within your network. Call it transparency or visibility: you now have the capability to analyze traffic and identify those elements which you don’t want on your network, be they rogue applications or threat actors. Second, it affords you a way to enforce your policies – you know, the “No surfing anything related to Dolphins while at work” policy? This means you can speak to governing the systems in line with management’s intent.
Common pitfalls:
- “Trusting security to the end user.”
- “Falling victim to believing that proxies are too expensive (or complex) to install.”
- “Believing that specific systems or applications need direct access.” (To be fair, this may in fact apply to networks which were architected in a sub-par manner and applications which were poorly written.)
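One way to answer the opening question from firewall logs, as an added example that is not part of the original article: it lists internal hosts that reached, or tried to reach, external addresses without going through the proxy. The proxy address, internal ranges, log layout and sample lines are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumptions for this example: proxy address, internal ranges, log layout.
PROXIES = {ipaddress.ip_address("10.0.0.10")}
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample firewall log: "<timestamp> <action> <src> <dst> <dport>"
SAMPLE_LOG = """\
2020-03-01T09:00:01 ALLOW 10.0.0.10 203.0.113.5 443
2020-03-01T09:00:02 ALLOW 10.1.2.3 10.0.0.10 3128
2020-03-01T09:00:03 ALLOW 10.1.2.44 198.51.100.7 443
2020-03-01T09:00:04 DENY 10.1.2.50 198.51.100.7 6667
2020-03-01T09:00:05 ALLOW 10.1.2.44 198.51.100.9 53
2020-03-01T09:00:06 ALLOW 192.168.5.9 192.168.5.1 445
garbage line
"""

def is_internal(ip):
    return any(ip in net for net in INTERNAL)

def direct_egress(log_text, proxies=PROXIES):
    """Return ({src: {"ALLOW": [...], "DENY": [...]}}, malformed_line_count)."""
    findings = defaultdict(lambda: {"ALLOW": [], "DENY": []})
    malformed = 0
    for line in log_text.splitlines():
        try:
            _, action, src, dst, port = line.split()
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
            if action not in ("ALLOW", "DENY"):
                raise ValueError(action)
        except ValueError:
            malformed += 1  # count, don't silently drop, unparsable lines
            continue
        # Only internal, non-proxy sources reaching external destinations matter.
        if src in proxies or not is_internal(src) or is_internal(dst):
            continue
        findings[str(src)][action].append((str(dst), port))
    return dict(findings), malformed

if __name__ == "__main__":
    hosts, bad = direct_egress(SAMPLE_LOG)
    for src, hits in sorted(hosts.items()):
        # ALLOW = bypassing the proxy today; DENY = tried to and was blocked.
        print(src, "allowed:", hits["ALLOW"], "denied:", hits["DENY"])
    print("malformed lines:", bad)
```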
Continued Reading