Black Hat recently organised a webinar titled ‘enterprise defence and why you’re most likely doing it all wrong’, in which Mariano Nunez (CEO and co-founder of Onapsis) and Tom Parker (Chief Technology Officer and Vice President of Security Services at Fusion) set out to “critically examine enterprise level issues which remain prevalent in many large corporations and provide unnecessary opportunity to the adversary for gaining initial beach heads and moving laterally to achieve end goal proximity”.
In this webinar Mariano Nunez argued for a “power triangle” approach, pointing to a consistent rise in business-critical vulnerabilities within SAP, some of which took more than 18 months to get a patch. The main security concern he raised is that SAP is often deployed in an insecure manner without anyone intending it.
Businesses have been known to bolt a web portal onto SAP so that anyone with a web browser can reach it, sparing sales and field representatives from logging into the VPN to access it via the company’s domain. However, that portal is just as reachable by people outside the company, so it amounts to a publicly exposed hole into the corporate network.
Mariano and Tom stressed the importance of assessing public-facing content, and of weighing decisions like this one about access to the company’s network against a model they called “the Power Triangle”.
The Power Triangle is based on the three points of a triangle and the unified strength they give it. It focuses on the following sectors:
- Ease of use / usability
- Security
The Power Triangle’s strength comes from the fact that each point works with and depends on the others: moving towards any one of them requires a noticeable sacrifice from another.
In the scenario above, the company sacrificed security in favour of easier access. Since they did not want to roll out software VPN clients, a better option would have been a browser-based SSL VPN portal through which staff reach the application from within their web browser. Such services are available from Fortinet and other security suppliers and need no locally installed VPN client. That gives staff a secure way to reach the application from any machine while removing a public-facing web application that customers never needed. The caveat is that the SSL VPN portal is itself internet-facing, so it has to be kept patched and protected with strong, preferably multi-factor, authentication: it shrinks the exposed surface to one hardened gateway rather than removing it altogether.