I’m always a little frightened when I hear an administrator say “I don’t need to worry about security on that server. It does not host any critical data.” To the hard-core security analyst, this translates into “I didn’t bother locking down the server because I don’t understand the risks I’m exposing my company to.” In this post I’ll identify the top seven reasons why you need to be concerned about server security, even if the server is not hosting any critical or sensitive data.
1) Botnet drone or control server
The fact that your server has Internet connectivity makes it valuable to an attacker, even if it does not host any important data. The server can be leveraged to directly attack other servers, or control members of a bot army. If the server is performing attacks, the higher network utilization can have a direct financial impact.
2) Consumed bandwidth and CPU time
If the server is located in public space, all the CPU time and network bandwidth used by the attacker translates into real monthly dollars, as you are billed based on usage. In a private environment, the cost is equipment wear and tear as well as reduced availability of network bandwidth if attackers decide to start hosting illicit software on your server.
3) Easier access to other servers
Think of a compromised server as a spy on your network. Since most internal servers are granted a higher level of access than hosts on the Internet, owning one of your internal servers may make it easier for an attacker to go after servers that do host critical data. This could be via a direct attack or through some intermediary system that is not normally Internet accessible.
4) Sniff passing traffic
Tools such as Ettercap can be installed by an attacker to analyze traffic passing between other systems on the network. Ettercap supports attacks such as ARP cache poisoning and ICMP redirect attacks, which permit the tool to circumvent the protection against sniffing that most switched networks are assumed to provide.
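ARP cache poisoning leaves a trace on the wire that a defender can watch for: an IP that suddenly advertises a different MAC, or one MAC that starts answering for several IPs. The following is an added example, not code from the original post, of such a check run over constructed ARP replies; the addresses, the baseline table and the parse/build helpers are assumptions for illustration.

```python
import struct
from collections import defaultdict
ARP_REQUEST, ARP_REPLY = 1, 2
ETH_IPV4_HEADER = (1, 0x0800, 6, 4)  # htype, ptype, hlen, plen

def parse_arp(payload: bytes):
    """Parse an Ethernet/IPv4 ARP payload into (opcode, sender_ip, sender_mac)."""
    if len(payload) < 28 or struct.unpack("!HHBB", payload[:6]) != ETH_IPV4_HEADER:
        raise ValueError("not an Ethernet/IPv4 ARP message")
    opcode = struct.unpack("!H", payload[6:8])[0]
    sender_mac = ":".join(f"{b:02x}" for b in payload[8:14])
    sender_ip = ".".join(str(b) for b in payload[14:18])
    return opcode, sender_ip, sender_mac

def detect_arp_poisoning(payloads, baseline=None):
    """Alert on poisoned ARP replies: an IP whose MAC changes mid-capture, or one
    MAC answering for several IPs. baseline: optional known-good {ip: mac} table."""
    mapping = {ip: mac.lower() for ip, mac in (baseline or {}).items()}
    ips_by_mac = defaultdict(set)
    alerts = []
    for raw in payloads:
        opcode, ip, mac = parse_arp(raw)
        if opcode != ARP_REPLY:
            continue  # only replies are examined; a fuller monitor would watch requests too
        prev = mapping.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"{ip} moved from {prev} to {mac}")
        mapping[ip] = mac
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) > 1:
                alerts.append(f"{mac} answers for {', '.join(sorted(ips_by_mac[mac]))}")
    return alerts

def build_arp(opcode, sender_mac, sender_ip, target_ip="0.0.0.0"):
    """Construct a raw ARP payload; used only to build the sample traffic below."""
    mac = bytes(int(x, 16) for x in sender_mac.split(":"))
    ip = lambda s: bytes(map(int, s.split(".")))
    header = struct.pack("!HHBBH", *ETH_IPV4_HEADER, opcode)
    return header + mac + ip(sender_ip) + bytes(6) + ip(target_ip)

# Constructed sample traffic: two hosts answer normally, then a third MAC answers for both.
SAMPLE = [
    build_arp(ARP_REPLY, "00:11:22:33:44:01", "10.0.0.1"),
    build_arp(ARP_REPLY, "00:11:22:33:44:20", "10.0.0.20"),
    build_arp(ARP_REQUEST, "00:11:22:33:44:20", "10.0.0.20", "10.0.0.1"),
    build_arp(ARP_REPLY, "DE:AD:BE:EF:00:99", "10.0.0.1"),
    build_arp(ARP_REPLY, "de:ad:be:ef:00:99", "10.0.0.20"),
]
```

Running `detect_arp_poisoning(SAMPLE)` yields three alerts: both legitimate IPs moving to the new MAC, then that MAC being flagged for answering on behalf of both of them.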
5) Crack common system accounts
When I was contracted to perform my first penetration test 17 years ago, I gained access to my client’s most critical server by first gaining access to a test system that no one cared about. I then cracked the administrative account and used the credentials to come in on the VPN and gain access to their most critical data store. Unfortunately, this trick still works today. If you let an attacker gain a foothold, they will leverage it to go after your other systems.
6) Damage to your Internet reputation
Once a server becomes compromised, it is not uncommon for it to start spewing all sorts of nastiness all over the Internet. If your outbound traffic is passing through a NAT device, you may find all of your systems banned on various blacklists that track this type of activity. In other words, your Internet reputation can suffer from a single rogue system.
Of course your reputation can also suffer with your clients. Being known as a site that launches attacks or distributes malware, spam, etc. is not a great model for bringing in additional business.
7) Legal liability
If your organization brings a server online that performs some form of illegal activity, your organization could potentially be perceived as liable in the eyes of the law. Liability has become an absolute minefield as the laws of one country quite frequently reach into another. The best way to avoid these legal issues is to ensure that an attacker does not cause the system to go rogue in the first place.
So there you have it, seven good reasons to secure your server even if it does not host any critical data. The bottom line is that any server with Internet access can be considered interesting to a potential attacker.