Broadband local access provides branch offices with more affordable bandwidth today than many organizations' main offices had when they first became Internet-enabled. Bandwidth is not the only resource that's become abundantly available to branch offices. The cost of server hardware has tumbled over the past five years. Remarkably, a platform suitable for Windows 2003 or Linux server costs less than an extreme gaming computer. Many organizations see these as economic windfalls that allow them to host business-critical applications in branch offices. But while advances in telecom and technology create opportunities to enhance business productivity, they expose organizations to new threats.
Here's a short list of reasons why branch offices have become green fields of opportunity for attackers:
- Poor server maintenance: Experienced security personnel typically have their hands full maintaining security best practices at corporate data centers. Branch offices typically do not have the expertise to implement and maintain security measures needed to reduce the threat of network and system compromises. Although some organizations take time to securely install servers at branch offices, the maintenance of those servers often deteriorates over time, so vulnerabilities that are identified and mitigated at the main office remain exploitable in branch offices.
- Lackluster IDS attention: Network monitoring and intrusion detection may be nonstop
- activities in main offices. Branch offices may limp along with occasional security scans, and critical problems may be remedied on the spot. Some branch offices may actively monitor and run IDS, but local staff may lack the expertise to analyze events. Expert staff at main offices may not see the alarms or event records in time to respond to an attack, if they see them at all. Thus, attackers not only have exploitable systems but ample time to do with them what they please.
- Physical security or business continuity weaknesses: An organization may equip its corporate data center facility with biometric access and Inergen fire suppression systems, and it may have redundant power to sustain operations for 24-72 hours, but many branch office servers that host sensitive corporate data occupy available space in telephone wiring closets, "protected" against intrusion using an interior door lock. A small business UPS may keep the server running for an hour, and someone may have thought to place a fire extinguisher nearby. The likelihood of a service outage from any of these three vulnerabilities is therefore much higher in branch offices than at headquarters.
- Data retention weaknesses: Archive and retention are disciplined activities in headquarters but are often afterthoughts following the unintentional destruction of data or a breach in a branch office, so considerable data are placed in jeopardy in branch offices.
Reduce or mitigate these and related threats by implementing measures such as these:
- Enumerate the applications that branch offices may operate on local servers.
- Document or create a security policy template that branch office staff can use to "harden" local servers running these -- and only these -- services. The Center for Internet Security has sample templates that can be customized by expert staff to meet your organization's needs. These templates can usually be installed by local staff who are familiar with Windows 2003 server and popular Linux builds.
- Harden Windows servers by adding server antivirus and anti-spyware software.
- Make certain that browsers running on servers can visit only trusted sites.
- Especially if you are in a Windows monoculture, establish a patch management and monitoring process to ensure that critical hot fixes and security updates for both server and client hosts are not overlooked by local staff at branch offices. Investigate whether a remote patch management server can work for you.
- Devise a method for routinely performing remote network scans. Create a formal process for prioritizing and mitigating critical vulnerabilities quickly -- and for attending to non-critical vulnerabilities before they are overlooked and forgotten.
- Consider placing at least one network IDS probe at each branch office. Incorporate branch offices in real-time response strategies.
- Assess how logging and auditing are performed at your branch offices. Devise a strategy to monitor security events at branch offices more aggressively. Arrange to securely transmit log records to a central repository where they can be analyzed in the aggregate by the expert staff you are more likely to have at your main office NOC and data centers than at branch offices.
- Hire a locksmith to assess the physical security at your branch offices. We tend to overlook the fact that it's easier to steal equipment than it is to "get root."
- Include branch offices in the archival and retention process you use at your main office. Arrange secure transmission of archived data, or transport archived media to the same secure location you use for your main office.
You can't make branch offices impervious to attack, but by implementing some or all of these measures, you can turn an attacker's green field into a much rockier field to plow.
About the author: David M. Piscitello is president of Core Competence Inc. He has been involved in internetworking technology for 30 years and is an internationally recognized leader in internetworking, security and fast packet technology. Dave is currently serving as a Security and Stability Advisory Committee fellow for ICANN (Internet Corporation for Assigned Names and Numbers).
This was first published in May 2007