How security sensitive is information about your network architecture?

December 5, 2014

One of the breathless things that I've seen said about the recent Sony Pictures intrusion is that having their network layout and infrastructure setup disclosed publicly is really terrible and will force Sony Pictures to change it. This doesn't entirely make sense to me; I'm hard pressed to see how network layout information and so on is terribly security sensitive in a sensibly run environment. Switch and router and database passwords, certainly; but just the network architecture?

(This information is clearly business sensitive, but that's a different thing.)

There is clearly one case where this is terrible for security, namely if you've left holes and back doors in your infrastructure. But this is badly designed infrastructure in the first place that you just tried to protect with security through obscurity (call this the ostrich approach: if people don't see it, it's still secure). It's not that disclosure has made your infrastructure insecure; the disclosure has just revealed that it already was.

Beyond that, having full information on your network architecture will certainly make an attacker's work easier. Rather than having to fumble around exploring the networks and risking discovery through mistakes, they can just go straight to whatever they're interested in. But making an attacker's job somewhat easier is a far cry from total disaster. If things are secure to start with, this doesn't by itself enable the attacker to compromise systems or get credentials (although it'll probably make the job easier).

Or in short: if your network architecture isn't fundamentally insecure to start with, I don't see how disclosing it is a fatal weakness. I suppose there are situations where you're simply forced to run your systems in a way that is fundamentally insecure, because the software and protocols you're using don't allow any better and you have to allow enough access to the systems that people could exploit this if they knew about it and wanted to.

(I may well be missing things here. I'm aware that I work in an unusually open environment, which is that way partly because this is the culture of academia and partly due to pragmatics. As I've put it before, part of our threat model has to be inside the building.)

(Also, probably I should be remembering my old comments on the trade press here.)

Comments on this page:

By liam at unc edu at 2014-12-05 09:23:08:

If you have an application that resides on a number of hosts that need to communicate in an insecure manner (e.g. I worked on a distributed application that depended on rsh for root to run the workflow, and that wasn't changeable), then you need to encapsulate that environment in its entirety and secure it from the rest of the world. Sometimes that's the best you can do.

By Colin at 2014-12-14 12:29:02:

They don't need to change it. They just need to set up their new network and migrate all their systems there...

Meanwhile you get the world's largest honeypot!

Written on 05 December 2014.

Last modified: Fri Dec 5 02:00:31 2014