Sure. Just to clarify, don't quote Cardinal's name. I said the quote while I worked there but it wasn't because Cardinal Health had insecure networks. In fact, they have a robust security program. I think this is true of any firm. Wherever you have users clicking on links in email & browsers, you have an attack surface. Most organizations have flat networks, and you have an (N)^2 problem with that attack profile.
Your typical Starbucks public WiFi network has maybe 30 nodes, with hugely variant security, but most are likely not terrible, and auto-patch is quite common now on consumer desktops. It's a low-utility network that really only does a few things - legal opt-in to T&Cs, metering, DHCP, DNS resolution, IP gateway services, content filtering, and some traffic isolation. That's about it. It's not uber high-security, but it's low-utility and low-volume, so small attack surface. (N)^2 where nodes are 30 = 900.
Compare this small, relatively secure network with 50,000 or 100,000 endpoints on a typical large corporate network grown organically over 20+ years. (N)^2 where nodes are 50,000 = 2,500,000,000
Worse, you'll typically find one or more of these to be true:
- 500 consultants using Goodness-only-knows-what as their compute platform
- 10 vendors a day connecting in
- rogue switches & access points
- VPN accounts that got handed out from time-to-time to non-employees
- test/dev/QA parked in production network (yes, the _CODE_ is Dev, but the server & network are prod)
- Shadow IT
- IoT that walks in the door
- Modems for fax support
- a huge stack of firewall "open" requests, with an empty box of "close" requests
- likely no tracking of ownership of firewall rules, or governance
- rules that folks are afraid to turn off/ turn on
- that one firewall where the last command is PERMIT ANY ANY
- (I've found 2 in my career. Yup, they tried to blacklist the Internet)
- BYOC - Bring Your Own Computer
- (likely unsecured) printers
- those guys that installed a hypervisor and are running a few rogue operating systems on their desktop
- the secret wink-wink-nudge-nudge proxy server that bypasses content controls
- remote satellite offices where Jimmy has installed an extra connection on the network to (local ISP / hotel where they like to have meetings / shared conference room down the hall)
- other remote satellite offices where the wiring closet is also used to store mops, lightbulbs, holiday decorations and cleaning supplies, and 18 people access it a month
- pockets of desktop admin use
- pockets of resistance to upgrade, using old crap
- that one mission critical app that runs on Windows 2000/ RedHat 6.2/ Oracle 8i-Rel 3/ Microsoft Bob
- patching exclusion lists
- endpoint compliance reporting exclusion lists/errors in reporting
- that special laptop/server/switch/router/tablet for the CFO or COO that isn't really locked down
- PCs that 40 executives have installed in their homes that remote VPN from their home network
- likely huge holes in firewalls internally
- facilities & physical security devices
- you know, the ones where they periodically install DHCP services and start handing out addresses?
- SCADA milling machines, robots, conveyors, pumps, actuators, valves, etc.
- ATMs & POS vending machines
- cafeteria point-of-sale
- third party devices hosted on your network
- hundreds of third parties that connect into your infrastructure to perform support & maintenance
- DevOps teams likely able to download & install as needed
- broad use of collaboration sharing technologies where the user clicks "Share my Desktop"
- likely pockets of internet-facing test
That creates quite a mosh pit. While much of it is armored, in the aggregate, it's like a flotilla of mixed battleships, destroyers, tankers, cruise ships, bass boats and leaky sailboats. LOTS of surface area, lots of targets.
-ddh
-ddh__________
Dan Houser, CISSP-ISSAP-ISSMP CSSLP CCSP
#20889
Thank you for the Google's BeyondCorp link! The portal is a treasure trove of great research information. Have a great weekend!
