With all of today’s focus on securing for PCI or SOX, we often find ourselves leaving our security risk management priorities behind. As we all know, there are many ways to breach the security of a corporation and many safeguards to select from.
Which brings me to the many internal web applications used inside companies that we sometimes forget about, and that can cause the rest of our security to fail. Good examples of such sites are intranets, bug tracking apps, internal document websites, employee benefit portals, time tracking portals, etc.
It only takes one of these sites using a non-encrypted session (i.e. no SSL) to render an entire corporate PCI or SOX security paradigm useless. A single use of the Cain & Abel sniffer tool along with ARP spoofing can capture the passwords your privileged users type into that site, and give an attacker the access they need to reach your sensitive data.
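One simple check for the weak link described above, added here as an example that is not from the original post: given an internal site's URL and its HTML, flag any login form whose credentials would leave the browser without TLS. The host name and the sample page are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: an intranet login page served over plain HTTP (hypothetical host).
SAMPLE_PAGE_URL = "http://intranet.example.internal/login"
SAMPLE_HTML = """
<html><body>
<form method="post" action="/auth">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
</body></html>
"""

class _FormCollector(HTMLParser):
    """Collects each <form>'s action and whether it contains a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []        # list of (action, has_password)
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None

def cleartext_credential_forms(page_url, html):
    """Return absolute submit URLs of password forms that would send credentials
    without TLS: the resolved form action is not https, or the page itself was
    served over http (its markup could have been rewritten on the wire)."""
    parser = _FormCollector()
    parser.feed(html)
    parser.close()
    page_is_https = urlsplit(page_url).scheme == "https"
    flagged = []
    for action, has_password in parser.forms:
        if not has_password:
            continue
        submit_url = urljoin(page_url, action)   # relative actions resolve against the page
        if not page_is_https or urlsplit(submit_url).scheme != "https":
            flagged.append(submit_url)
    return flagged

if __name__ == "__main__":
    for url in cleartext_credential_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("credentials would be sent in cleartext to:", url)
```

Run it over the login pages of each internal portal in an inventory; any URL it reports is a place where centrally managed (LDAP/AD) passwords are exposed to a sniffer on the same network segment.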
Although most corporations ask employees to use different or more complex passwords on disparate applications, the move to centralized LDAP or AD authenticated environments means passwords are no longer different across these systems: one password captured from an unencrypted internal site is the same password used everywhere else.
The moral of this story is, please don’t ignore your weakest link. Security is end to end.