User Desktops: Leaping the Great Wall

20 09 2011

Security measures in an enterprise environment are often focused on securing the borders of a network. This is sound logic given that border security of valuable entities has worked so effectively dating back to ancient civilizations; remember the Great Wall of China? While ensuring that the borders of a network are securely protected is sound network security practice, it is ineffective on its own. Attackers are not looking for the hardest target when a soft target will get the job done. Would a bank robber spend the time to drill through the vault if the door is already open? In networked environments, attackers will look for the path that provides them the easiest access into their target network. The softest target, as is evident in the recent RSA security breach, is often a user desktop system inside the perimeter. As computer usage increases in all aspects of a corporate network and networks continue to expand, a greater focus should be placed on end-user security.

As many of you know, the security company RSA was compromised earlier this year. Through the compromise, attackers were able to gain access to seed data associated with RSA SecurID® tokens. This was a well-publicized network compromise given that RSA is a large company focused on information security, and many of RSA’s biggest customers, such as Lockheed Martin and Northrop Grumman, handle highly sensitive information. Security company F-Secure recently identified the initial point of compromise for the RSA breach as a phishing email containing a malicious Microsoft Excel document.[1] While the ultimate exploit identified was a zero-day vulnerability in Adobe Flash, the initial attack vector, a phishing email relying on social engineering, is quite unsophisticated. By exploiting a weakness in end-user security, the attackers were able to infiltrate the network.[2]

The RSA breach is important for two reasons. One, it shows the importance of security in depth to protect network infrastructure. And two, it shows that even at a company dedicated to information security, there are still weak links. The user who eventually opened the email attachment that led to the attackers’ access to the system may not have been the CEO or a network administrator. The user could have been in human resources, the shipping department or another business segment we would typically not consider a prime attack target.[3] These business segments may not be handling the sensitive SecurID® data, but they reside on the same network as those that do. While the point of this post is not to discuss network segregation, it is for reasons like this that end-user security should get greater focus than it does in many network environments.

A recent Secunia security report found that there was a substantial increase in vulnerabilities on end-user systems in their customers’ networks.[4] End-users are not typically information security professionals, even at RSA. The end-user may be an administrative assistant or accountant, whose understanding of secure computing and information security may be quite limited. It is these individuals who may provide an attack vector for intruders into the company network. In fact, they will often raise fewer red flags to network administrators, as their internal traffic is often less scrutinized. There will always be a balance between usability and security in networked systems; however, it is likely that many of the vulnerabilities in the end-user environment can be remedied through user education and enforcing secure desktop-configuration management.

Shooting cannonballs at the walls of a fort seems like a lot of work when you can just ask someone inside to open the gate for you. Attackers are looking for the soft target when attacking systems. Sometimes the most effective attack vector is from the inside out. Network administrators often spend a great deal of time, effort and money protecting their network exterior with firewalls, Intrusion Detection Systems and Intrusion Prevention Systems (IDS and IPS), while end-user security remains an afterthought.[5] Less focus is often placed on monitoring what legitimate users are doing inside the network and educating those users on how to properly use the network. Firewalls, IDS and IPS cannot prevent every attack on a company’s network, because with enough time and effort an attacker will find a way in. It is for this reason that network administrators, corporations and governments should put a greater focus on educating end-users about recognizing the indicators of “badness”, as all layers of an enterprise are responsible for its security. Education about sound information and network security practices can help to patch one of the most vulnerable network segments: the users of the network themselves.

[1] “How We Found the File That Was Used to Hack RSA.” News from the Lab. F-Secure. 26 Aug 2011. Web. 18 Sept 2011.

[2] Higgins, Kelly J. “RSA SecurID® Attack Began with Excel File Rigged With Flash Zero-Day.” Tech Center: Advanced Threats. Dark Reading. 1 Apr 2011. Web. 18 Sept 2011.

[3] Rivner, Uri. “Anatomy of an Attack.” Speaking of Security: The Official RSA Blog and Podcast. RSA. 1 Apr 2011. Web. 18 Sept 2011.

[4] Secunia. Secunia Half Year Report 2010. Copenhagen: Secunia, 2010.

[5] “At RSA: Napera Will Demonstrate New Approach to Solve Today’s Network Security Crisis for Small and Medium Enterprises.” Napera. 31 Mar 2008. Web. 19 Sept 2011.

One response

2 11 2012
Detecting Browser Vulnerabilities Prior to Client Exploitation « cmu95752

[…] [1] Michael Cooney. “IBM cyber security watchdogs see increase in browser exploits and encryption abuse”. 21 Sept 2012. 7 Oct 2012. […]
