Dial In Access

Can you be certain that you don't have dial-in access to business-critical systems?

At any level, dial-in access is a concern, because it presents yet another route into your systems that can be exploited.

You may be confident that dial-in access is not a problem on your network (perhaps all of your business-critical systems are inaccessible from the network), but can you be certain that there isn't dial-in access directly on some of those business-critical systems?

Before you answer with an emphatic "Yes!", you should consider two likely scenarios.

The first is out-of-hours support. Organisations that require high availability in their business-critical systems often stipulate 24 by 7 cover. If this cover is provided internally, there will be occasions when staff are required to support key systems during the night. Human nature being what it is, there is a temptation to attach a modem to the system so that it can be supported remotely over a dial-in connection. If the cover is provided externally, it may well be a contractual condition that support can be conducted remotely.

The second scenario is that of "hidden" modems. You may not be aware that some of the equipment you own contains a modem, or how widespread this practice is. Again, the reason for the modem is to allow the vendor to support the equipment remotely. Aside from mainstream computer systems, there are some less obvious examples, such as fault-tolerant disk arrays, key elements of network infrastructure, power management and monitoring systems, and even the latest VoIP telephone systems (which are typically built on mainstream computer technology).

Having dial-in access may be unavoidable. What is of key importance is that a proper risk analysis has been performed (balancing the risks against the benefits), that the system has been configured to reduce its vulnerabilities as far as is practical, and that an appropriate level of monitoring is taking place. The danger is that if you are unaware of the existence of a dial-in access point, you cannot take the proper steps to secure the system to which it is attached. It won't even appear in your risk assessment.
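A first step towards finding out whether a dial-in access point exists is to audit each host for the things a modem needs: a serial port the kernel actually found, a USB serial device, and a process that answers the line. The script below is an added example written for this page; it is not Xiscan's assessment tooling. It assumes a Linux host that exposes /proc/tty/driver/serial, that dial-in listeners run as agetty, getty, mgetty or pppd, and that USB modems appear as /dev/ttyUSB* or /dev/ttyACM*. The functions take their input as a parameter so that they can also be run against a saved copy of a host's data.

```shell
#!/bin/sh
# Hidden-modem audit for a Linux host (added example, not Xiscan's tooling).
# Assumed: /proc/tty/driver/serial exists, dial-in listeners are named
# agetty/getty/mgetty/pppd, USB modems show up as /dev/ttyUSB* or /dev/ttyACM*.

# Print the serial-port entries whose UART the kernel actually probed and found.
# "uart:unknown" means the ttyS number is reserved but no hardware sits behind
# it, so only the remaining lines are candidate modem ports.
# $1: path to the serial driver table (normally /proc/tty/driver/serial).
active_uarts() {
    grep -E '^[0-9]+: uart:' "$1" | grep -v 'uart:unknown'
}

# Print command lines that answer a serial line: a getty variant bound to a
# ttyS/ttyUSB/ttyACM device, or mgetty, or pppd. A getty on tty1 (a virtual
# console) is deliberately not reported.
# $1: file with one process command line per line (normally `ps -eo args=`).
dialin_listeners() {
    grep -E '(^|/| )(a?getty|mgetty) .*tty(S|USB|ACM)[0-9]+|(^|/| )pppd( |$)' "$1"
}

# Print USB serial devices that commonly front a USB modem.
# $1: directory to look in (normally /dev).
usb_modem_candidates() {
    for d in "$1"/ttyUSB* "$1"/ttyACM*; do
        [ -e "$d" ] && echo "$d"
    done
    return 0
}

# Run all checks against the live host and print a short report.
audit_host() {
    tmp="${TMPDIR:-/tmp}/dialin-audit.$$"
    echo "== serial ports with a detected UART =="
    [ -r /proc/tty/driver/serial ] && active_uarts /proc/tty/driver/serial || echo "(none)"
    echo "== USB serial devices (possible USB modems) =="
    usb_modem_candidates /dev
    echo "== processes answering a serial line =="
    ps -eo args= > "$tmp" && dialin_listeners "$tmp" || echo "(none)"
    rm -f "$tmp"
    echo "== systemd serial getty units =="
    command -v systemctl >/dev/null 2>&1 && systemctl list-units --all --no-legend 'serial-getty@*' 2>/dev/null || echo "(none)"
    return 0
}

# Only touch the live host when explicitly asked, so the functions above can
# also be sourced or exercised on saved copies of a host's data.
if [ "${1:-}" = "--audit" ]; then
    audit_host
fi
```

Run it as `sh dialin-audit.sh --audit` on each host and treat every hit as a question rather than a verdict: a detected UART proves only that a port exists, and ttyUSB devices also cover plain USB-to-serial adapters, so each finding needs a physical check of what is plugged into that port. Embedded equipment of the kind listed above (disk arrays, PBXs, power monitoring) cannot be audited from a host at all; for those you need the asset inventory, the vendor's own documentation of remote-support features, and a check of your organisation's telephone number ranges for lines that answer with a modem tone.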

Dial-in support to business-critical systems presents something of a conundrum. Because these systems are business-critical, or critical to maintaining availability, dial-in support is often needed to ensure that problems can be resolved quickly, with minimum disruption. Yet an inadequately installed or configured modem can make those same systems more vulnerable to a security breach. There is the paradox: adding a modem to a business-critical system to reduce the risk of an operational disruption can increase the risk of disruption from a malicious act.


Copyright © 2017 Xiscan® Limited. All Rights Reserved.