Do internal servers really need to be monitored, maintained and updated like a public facing Internet server?
There are two aspects to this question, the first being maintenance and monitoring, and the second being internal server security (which is closely related to maintenance in that updates fix security issues).
Internal Server Maintenance
An internal (or Intranet) server performs its tasks just like a publicly facing server, except that only people connected to the LAN or VPN can access it.
This does not diminish the critical role it likely plays for your organization, be it a file server or serving up Intranet web content such as a wiki, knowledge base, collaboration and so forth. Losing these services and access to this information for a day (or more) while a server is rebuilt will be disruptive to any organization.
For this reason we recommend our monitoring and maintenance plans for internal servers just as we do for Internet web servers. Making sure everything is updated and running smoothly is key to heading off emergency downtime and lost work.
Internal Server Security
Keeping a server updated is, today, largely a function of security due to the rapid nature of exploits and attacks. These attacks, while common and easily launched over the Internet to other Internet servers, can still happen on private networks.
It is a pervasive myth that internal servers don’t need to be secured very well (though it may not be stated as such, it is the general sentiment) and people know this. This makes these internal servers more of a target simply because, by and large, they are going to be more vulnerable. Not only that, they likely contain highly sensitive or proprietary data.
This creates an extremely attractive combination: the perceived low effort of compromising a server and a high chance of a significant “reward” in terms of disruption or stolen data.
An Inside Job
Organizations cannot function without trusting their people. However, security best practices center on the idea that nobody gets any more access than they need.
If accounting has a file share that has a password on it, it’s locked from the rest of the company for many reasons. To use a metaphor: If it’s worth putting a lock on it, it’s worth making sure the lock works.
As a continuation of the above, employees are also much more likely to know where sensitive data is located or what systems would most impact the business if they were taken offline.
Before I started A-Team Systems I was routinely called on at previous employers to assist with securing outgoing employees’ access when they were let go unexpectedly. On several occasions I prevented former employees from deleting massive amounts of data which would have taken days to recover or recreate.
In another particularly poignant incident I witnessed an employee use their workstation to launch a brute force attack on the central servers of the company and successfully crack administration (root) and other high level access passwords. This was possible via a combination of poor password practices and lack of network security and encryption, which I personally had pointed out on a number of occasions.
The good news was that this employee did nothing with this information except bring the issues to the attention of the administration team (which I was not part of). This was not well received and they were fired for the attack.
A few months later I ended up hiring this person at my new job, partly because of their behavior during that incident.
But this story could have gone very differently if that person decided to capitalize on the information they discovered instead of reporting it. It easily could have gone completely undetected if they chose to only steal information and not destroy it.
Sometimes a private network can become not so private, whether through compromised wireless access points, visitors or even children visiting at work. Absolute physical security is extremely difficult to ensure, especially for workstations and network connections. Would you notice if someone hid a small device behind your workstation? Or if a visitor left a laptop that was infected with a virus plugged into a network port in a conference room?
It doesn’t even have to be malicious (or known in the case of a virus), though those attacks tend to be worse. But sensitive information is sensitive information.
Better, Unmonitored Access
Unlike an attack over the Internet, any attack on a LAN is going to be run at 10s or 100s of times the speed, simply due to the fact that the attacker (or infected device) is connected via Ethernet and not a DSL line.
Ethernet ports are also not subject to the kind of close continuous monitoring and scrutiny that Internet connections generally receive because they don’t involve a monthly fee and they’re much bigger.
This means that an attacker can, for example, run through many exploits or login attempts in an extremely short amount of time. This drastically increases the chance of success and lowers the chance of detection.
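A defensive check for the scenario above, as an added example that is not part of the original article: it scans sshd authentication log lines for bursts of failed logins coming from RFC 1918 (LAN) addresses. The log lines, host names, addresses, threshold and window are constructed for illustration, and the syslog year is an assumed parameter.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH syslog format (not from a real system).
SAMPLE_LOG = """\
Mar 14 09:15:01 files01 sshd[2101]: Failed password for root from 10.20.4.57 port 50112 ssh2
Mar 14 09:15:01 files01 sshd[2102]: Failed password for root from 10.20.4.57 port 50114 ssh2
Mar 14 09:15:02 files01 sshd[2103]: Failed password for invalid user admin from 10.20.4.57 port 50116 ssh2
Mar 14 09:15:02 files01 sshd[2104]: Failed password for root from 10.20.4.57 port 50118 ssh2
Mar 14 09:15:03 files01 sshd[2105]: Failed password for root from 10.20.4.57 port 50120 ssh2
Mar 14 09:15:03 files01 sshd[2106]: Failed password for root from 10.20.4.57 port 50122 ssh2
Mar 14 09:16:10 files01 sshd[2130]: Failed password for alice from 10.20.4.80 port 51870 ssh2
Mar 14 09:17:30 files01 sshd[2138]: Failed password for alice from 10.20.4.80 port 51874 ssh2
Mar 14 09:17:41 files01 sshd[2140]: Accepted password for alice from 10.20.4.80 port 51877 ssh2
"""

# Only LAN ranges: the point is that internal sources are watched too.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FAILED = re.compile(
    r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\S+) port")

def internal_bruteforce(log_text, threshold=5, window=timedelta(seconds=10), year=2024):
    """Return {lan_ip: peak failures inside one window} for sources at or above threshold."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    peaks = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        stamp, src = m.groups()
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue              # sshd logged a hostname; skipped in this sketch
        if not any(addr in net for net in RFC1918):
            continue
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        q = recent[src]
        q.append(when)
        while when - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks

if __name__ == "__main__":
    print(internal_bruteforce(SAMPLE_LOG))
```

The workstation that fails six logins in three seconds is reported, while the user who mistypes a password twice over a minute is not.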
Servers need to be maintained, updated and monitored regardless of whether they are located on the Internet or a private network. This ensures your infrastructure is available to your team, and your data is protected.