Security incidents are a fact of life in this day and age. U.S. CEOs recognize this fact, and they consider cybersecurity their number one overall external concern1. It is no longer a matter of whether or not a cybersecurity incident will happen to their organization, but a matter of when. The faster an organization accepts the inevitability of a cyberattack, the better they are prepared to prevent, detect, and remediate the effects of an attack.
Network security hardware and software solutions are the first layers of protection between your organization and the outside world. They are an essential part of any defense and countermeasure strategy that organizations must-have.
Everyone knows that firewalls and anti-malware solutions are an important part of network security. However, network security is much more than installing and configuring firewalls and anti-malware software. A highly effective network security architecture requires a well thought out design based on the risk analysis and security posture you want to achieve.
Network Security Principles
Security is crucial in every organization. If no proper security principles are followed, it will lead to a lot of risks and unwanted public relations. When designing network security architecture, designers should follow the five network security principles discussed below. Following these security principles in small and medium-sized business (SMB), and enterprise environments will help improve your security posture.
Zero Trust is a security model introduced by John Kindervag in 2010 that moves away from the old mentality of perimeter security. Fundamentally, organizations should not automatically trust anything inside their perimeter and instead must always verify everything trying to connect to their systems before granting access.
The traditional network security approach of a lot of organizations is based on the castle-and-moat concept, which is called perimeter security. In this approach, organizations are concentrated on protecting their network from outside, but everyone inside is trusted. The flaw in this approach is that once cybercriminals gain access to the network, they are free to wreak havoc.
A recent example of perimeter security’s weakness is the Arizona Beverage Company’s ransomware attack2. The ransomware attack has some similarities with WannaCry briefly mentioned in our how to improve your cybersecurity post earlier this year. Both cyberattacks highlighted the organizations’ security weaknesses.
Network segmentation has been around for many decades, and a lot of organizations employ this network defense strategy. While many organizations use this strategy, it’s often not as restrictive as most security professionals would like it to be.
Additionally, there are some misconceptions that if you implement different virtual LANs (VLANs) and subnets, you’ve achieved network segmentation. While there’s some level of segmentation, it is still considered a flat network. Flat in the sense that hosts are still able to communicate with each other freely. Real network segmentation requires additional steps that ensure the traffic flows are restricted as much as possible.
With the Internet of Things (IoT) explosion, organizations with a lack of an effective network segmentation will suffer from cyberattacks, such as what happened with the Arizona Beverage Company and an unnamed casino3.
While network segmentation reduces the attack surface, it doesn’t always reduce it enough. Fortunately, technology companies introduced an emerging technology called micro-segmentation that enhances the existing network segmentation techniques. Micro-segmentation allows for a more granular approach in preventing lateral movement between hosts.
Defense in Depth
The concept of defense in depth originated from the military since the Roman days. It is intended to slow down the attackers rather than stopping them in a single and strong layer of defense. It also relies on the tendency of an attack to lose momentum over time.
In computing, defense in depth refers to having multiple layers of protection in physical, technical, and administrative controls of your network. It is designed in a way that defenses are not dependent on any single layer of protection. Since the strategy originated from the military, it similarly seeks to delay an attacker to allow time for detection and response.
A lot of people mistakenly believe that layered security (or defense) is the same as the defense in depth. While they have a lot of concepts that overlap, they are two different concepts. To put this in perspective, let’s revisit the Arizona Beverage Company’s security incident. From a layered security perspective, minimum reasonable technical controls will be firewalls, endpoint security software, and operating systems with security patches. From a defense in depth perspective, it encompasses layered security and additional controls. Additional controls include data backup, ensures backup integrity and accessibility, monitoring, etc.
Principle of Least Privilege
The principle of least privilege is an essential concept in security. The idea of least privilege is that any user, application, etc. should have only the minimum rights and privileges necessary to perform its function. For example, finance users should not have the same level of access as users in the engineering department.
The least privilege helps reduce the attack surface by eliminating unnecessary rights and privileges that can result in security incidents, such as a major data breach. For example, the National Security Agency (NSA) had to reduce the number of people who had access to secret information after Edward Snowden had leaked classified data4.
Organizations should also implement periodic checks, possibly yearly, for any privilege creep. The idea is to prevent a gradual accumulation of rights and privileges beyond what the subject needs to perform its function. For example, when an IP address gets reused and serves a different function in the enterprise, they will gain a new set of firewall rules directly serving its new purpose. However, they continue to have the same network access privileges as the previous owner unless it is removed.
With the ever-evolving threat landscape, you should not make network security monitoring an afterthought. It should be one of the first defense strategies on your list. Why? Because it provides an ability for you to monitor your network for security threats, vulnerabilities, suspicious behavior, etc., and respond appropriately.
68% of breaches took months or longer to be discovered. In many cases, a third party, like law enforcement or partner, discovers the breach. The worst-case scenario is when your customers spot the breach5.
Fortunately, organizations are getting better at reducing dwell time compared to previous years. Dwell time is the number of days an attacker is present on a victim’s network. It is measured from the first evidence of a compromise to detection. Currently, the median dwell time is 78 days6.
In this day and age, managing network security is getting to be a lot more complicated and requires thoughtful planning. The threat landscape will continue to evolve, and organizations must continuously adapt in order to protect their infrastructure and data. Implementing these five network security principles into your organization will immensely improve your security posture.
Achieving these principles will require cooperation from all employees and not just the IT teams. More importantly, IT teams should have supportive executives who are fully committed to improving your organization’s network security.
Remember the saying “prevention is better than the cure”? This saying is very much applicable to cybersecurity. Applying a prevention mindset will harden the organization’s security posture. It doesn’t guarantee that it will prevent an attack from happening since cybercriminals are sophisticated and determined. However, implementing these network security principles will help make it less attractive or an easy target for cybercriminals.
Are you in need of network security consulting in the San Francisco Bay Area?
We specialize in helping enterprises improve their network security.
Get in touch with us today!
NetworkJutsu provides network security consulting services for startups, a more established small and medium-sized business (SMB), or large business throughout the San Francisco Bay Area.
You might also like to read
1 C-Suite Challenge 2019
2 Arizona Beverages knocked offline by ransomware attack
3 Casino Gets Hacked Through Its Internet-Connected Fish Tank Thermometer
4 NSA to cut system administrators by 90 percent to limit data access
5 2018 Verizon Data Breach Investigations Report
6 M-Trends 2019