I got an innocent question last week. We’d been scanning an AIX server with Nexpose, a vulnerability scanner made by Rapid7, and ran into some issues. The system owner then asked a question: The server is behind a firewall and has no direct connection to the Internet and no data itself, it’s just a front-end to two other servers. Is there any reason to scan a server like that?
In my sysadmin days, I asked a similar question. Nobody could give me an answer that was any better than “because reasons.” So I’ll answer the question and give the reasons.
The firewall gives good protection against direct attacks. If the system never talks directly to the Internet, a hostile Internet-based attack will never reach it. That’s good.
The thing is, that’s not how modern corporate breaches happen. Modern breaches start at the workstation. They get a hapless user to open an e-mail attachment or visit a malicious web page that plants malware on their workstation, or, in a particularly (ahem) sophisticated attack, they coax the user into giving up some credentials.
At that point, the person is on the network, marooned on what’s probably a very uninteresting workstation. So they go look for a server. Better yet, several servers. The dusty old Windows NT or Windows 2000 server that can’t go away because the vendor is out of business and someone lost the installation media for the software running on it–no, I’m not making that scenario up, and yes, I’ve heard it several times in real life–is a great place to hide. It has plenty of unpatched vulnerabilities and they’ll never find you there because those old versions of Windows don’t share logs nicely with modern SIEM gear. The attacker will also want a Unix server of some kind because Unix has lots of nifty tools for parsing and manipulating data that Windows doesn’t.
Once the attacker has a couple of useful machines staked out, it’s time to go get some juicy data, probably lurking in a database somewhere, then get it out of the network.
All of this jumping around is likely to require throwing around some exploits. If your systems are reasonably up to date, some of those exploits will fail, causing the attacker to try more things, and increase the chances of getting caught. Or the attacker might give up and move on to a company that doesn’t take security quite as seriously.
That’s why we conduct vulnerability scans inside the network, with full administrative (or root or sudo) privileges. That allows us to accurately assess the health of the systems on our network, quickly make corrections to any security issues we find, and stave off attacks.
A network that’s hardened and well-patched isn’t impervious to attack either, but it’s far more difficult to attack, and since these are two things many companies struggle to do in a timely fashion, the better you are at it, the more likely an attacker will move on to something else. If everyone in the neighborhood has $10 locks on their doors and you have a $30 lock, chances are the cat burglar is going to rob one of the houses with the cheap lock instead.