Server Security: A Reality Check

Server security is paramount to any organization. All too often, network defenses focus entirely on the perimeter, leaving networks looking like pieces of candy—having a hard outer shell and a soft gooey inside. In today's threat landscape, defenders must operate under the presumption of compromise. Attacks involving spearphishing, social engineering, weak bring your own device (BYOD) security, poor physical security of end user equipment (for example, traveling laptops) and user carelessness contribute to the initial compromise of user endpoints. Once user endpoints are compromised, attackers typically use these as stepping off points to compromise other network assets. The ultimate goal of most attacks on corporate infrastructure is theft of intellectual property (IP) and confidential customer data, such as personally identifiable information (PII), payment card information (PCI) and personal health information (PHI). Throughout this paper, the term IP will be used to represent all classes of sensitive data that organizations are required to keep confidential. However, IP is not normally stored on end user machines (and even when it is, it isn't concentrated there). Attackers know that IP is stored on the organization's servers. These servers are typically well protected from external threats, but once an attacker compromises a single endpoint, perimeter defenses are rendered moot. The attack can now proceed from the vantage point of an insider. Because of the sheer number of user endpoints, with various configurations (and vulnerabilities), a wise network defender must architect server defenses assuming that one or more of the endpoints in the environment has been already been compromised.