My job over the last thirteen years as a penetration tester has given me a unique understanding of security from an attacker's point of view. I have conducted hundreds of penetration tests on organizations ranging from Federal government nuclear weapons labs, to banks, city governments, and practically everything in between. I know what makes an attacker's job easy, and what makes it difficult or practically impossible. I am oftentimes surprised that, in 2014, I can gain access to one server or workstation and use it to traverse the entire network, unhindered at the network layer.
I'm shocked that closed-circuit television (CCTV) systems, alarm systems, building access control systems, and manufacturing process control systems are just "hanging out" on the corporate network for all to see. I recently conducted an assessment on a very large city. They had a flat and permissive internal network, meaning there were virtually no barriers between their different systems.
I ended up compromising literally everything. I could disable the proximity card reader on any door in the city, including the police narcotics vault, gun vault, holding cell, and many others, all because the workstation that managed the access control system was identifiable and accessible to all internal network users.
What is network segmentation for security?
Simply put, it is classifying and categorizing IT assets, data, and personnel into specific groups, and then restricting traffic between those groups using ingress and egress filtering at the group boundaries, so that a host in one group can reach only the services in another group that it has a stated need for. We all understand this at some level. We know that we need to put our Internet-accessible servers into a DMZ, and that those DMZ assets should have little or no access to the internal network. This way, if a DMZ server is compromised, the attacker can't leverage that access to "touch" internal systems. We know that SCADA/EMS/DCS and other process control systems should be isolated from the corporate network. Why is it that we don't do it throughout our entire enterprise?
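To make the definition concrete, here is an added example (my own, not code from the original article) of a zone-based policy model: assets are grouped into zones, every flow between zones is dropped unless an explicit allow entry exists, and the same model emits an nftables ruleset for the choke-point firewall. The zone names, address ranges, and allowed ports are hypothetical and constructed for the example; the point is the shape of the policy, not the specific addresses. The DMZ can reach exactly one database port in the corporate zone, and the process control (ICS) zone is reachable only over SSH from a management jump zone.

```python
"""Zone-based segmentation policy: default deny, explicit allow, nftables output.

Added example; zones, address ranges and ports below are hypothetical.
"""
import ipaddress

# Hypothetical zones and their address ranges (constructed for this example).
ZONES = {
    "dmz":  ["192.0.2.0/24"],    # Internet-facing servers
    "corp": ["10.10.0.0/16"],    # workstations and internal servers
    "mgmt": ["10.99.0.0/24"],    # administrative jump hosts
    "ics":  ["10.200.0.0/24"],   # SCADA/EMS/DCS and other process control
}
# Any address that falls in no defined zone is treated as "internet".

# Explicit allow list: (src_zone, dst_zone, proto, dport).
# Everything not listed here is dropped: default deny in both directions.
ALLOW = [
    ("internet", "dmz",      "tcp", 443),   # public web front end
    ("corp",     "dmz",      "tcp", 443),   # staff reach the same front end
    ("dmz",      "corp",     "tcp", 5432),  # web tier to one database port only
    ("corp",     "internet", "tcp", 443),   # outbound browsing through the firewall
    ("mgmt",     "dmz",      "tcp", 22),    # administration only from the jump zone
    ("mgmt",     "corp",     "tcp", 22),
    ("mgmt",     "ics",      "tcp", 22),    # the only path into process control
]

_NETS = [(name, ipaddress.ip_network(cidr))
         for name, cidrs in ZONES.items() for cidr in cidrs]


def zone_of(ip):
    """Return the zone containing ip; the most specific prefix wins, else 'internet'."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, name) for name, net in _NETS if addr in net]
    return max(matches)[1] if matches else "internet"


def allowed(src_ip, dst_ip, proto, dport):
    """Decide one new flow the way a default-deny zone firewall would."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        # Intra-zone traffic never crosses this firewall; host firewalls handle it.
        return True
    return (src, dst, proto, dport) in ALLOW


def _match(side, zone):
    """nftables address match for one side of a rule ('saddr' or 'daddr')."""
    if zone == "internet":
        return f"ip {side} != @internal"   # anything outside every defined zone
    return f"ip {side} @{zone}"


def nft_ruleset():
    """Render the same policy as an nftables ruleset with a drop-by-default forward chain."""
    lines = ["table inet segmentation {"]
    for name, cidrs in ZONES.items():
        lines.append(f"  set {name} {{ type ipv4_addr; flags interval; "
                     f"elements = {{ {', '.join(cidrs)} }} }}")
    internal = ", ".join(c for cidrs in ZONES.values() for c in cidrs)
    lines.append(f"  set internal {{ type ipv4_addr; flags interval; "
                 f"elements = {{ {internal} }} }}")
    lines.append("  chain forward {")
    lines.append("    type filter hook forward priority 0; policy drop;")
    lines.append("    ct state established,related accept")
    for src, dst, proto, dport in ALLOW:
        lines.append(f"    {_match('saddr', src)} {_match('daddr', dst)} "
                     f"{proto} dport {dport} ct state new accept")
    lines.append("  }")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    # A few flows an attacker on a compromised DMZ host or corporate workstation would try.
    for flow in [("192.0.2.10", "10.10.3.4", "tcp", 445),    # DMZ -> corp SMB
                 ("192.0.2.10", "10.10.3.4", "tcp", 5432),   # DMZ -> corp database
                 ("10.10.3.4", "10.200.0.7", "tcp", 502),    # corp -> ICS Modbus
                 ("10.99.0.2", "10.200.0.7", "tcp", 22)]:    # jump host -> ICS SSH
        print(flow, "ALLOW" if allowed(*flow) else "DROP")
    print(nft_ruleset())
```

The `allowed` function and the generated ruleset come from one table, so the policy you review on paper is the policy the firewall enforces; the `policy drop;` on the forward chain is what turns the allow list into real segmentation rather than a list of suggestions.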