Enterprise Security

5 Network Security Principles for the Enterprise

05/03/2019 By Andrew Roderos Leave a Comment

Security incidents are a fact of life in this day and age. U.S. CEOs recognize this fact, and they consider cybersecurity their number one overall external concern [1]. It is no longer a matter of whether a cybersecurity incident will happen to their organization but a matter of when. The sooner an organization accepts the inevitability of a cyberattack, the better prepared it is to prevent, detect, and remediate the effects of an attack.

Introduction

Network security hardware and software solutions are the first layers of protection between your organization and the outside world. They are an essential part of any defense and countermeasure strategy that organizations must have.

Everyone knows that firewalls and anti-malware solutions are vital parts of network security. However, network security is much more than installing and configuring firewalls and anti-malware software. A highly effective network security architecture requires a well-thought-out design based on the risk analysis and security posture you want to achieve.

Network Security Principles

Security is crucial in every organization. If no proper security principles are followed, it will lead to a lot of risks and unwanted public relations. When designing network security architecture, designers should follow the five network security principles discussed below. Following these security principles in small and medium-sized business (SMB), and enterprise environments will help improve your security posture.

1. Zero Trust

Zero Trust is a security model introduced by John Kindervag in 2010 that moves away from the old mentality of perimeter security. Fundamentally, organizations should not automatically trust anything inside their perimeter and instead must always verify everything trying to connect to their systems before granting access.

A lot of organizations use the perimeter security concept. With the perimeter security concept, the organization is heavily invested in protecting the network from outside attacks but trusts everyone inside the network. With this approach, when attackers compromise a machine inside the organization’s network, they can move laterally without much difficulty.

A recent example of perimeter security’s weakness is the Arizona Beverage Company’s ransomware attack [2]. The ransomware attack has some similarities with WannaCry, briefly mentioned in our how to improve your cybersecurity post earlier this year. Both cyberattacks highlighted the organizations’ security weaknesses.

2. Segmentation

Network segmentation has been around for many decades, and a lot of organizations employ this network defense strategy. While many organizations use this strategy, it’s often not as restrictive as most security professionals would like it to be.

Additionally, there are some misconceptions that if you implement different virtual LANs (VLANs) and subnets, you’ve achieved network segmentation. While there’s some level of segmentation, it is still considered a flat network. Flat in the sense that hosts are still able to communicate with each other freely. Real network segmentation requires additional steps that ensure the traffic flows are restricted as much as possible.

With the Internet of Things (IoT) explosion, organizations that lack effective network segmentation will suffer from cyberattacks, such as what happened to the Arizona Beverage Company and an unnamed casino [3].

While network segmentation reduces the attack surface, it doesn’t always reduce it enough. Fortunately, technology companies introduced an emerging technology called micro-segmentation that enhances the existing network segmentation techniques. Micro-segmentation allows for a more granular approach in preventing lateral movement between hosts.
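To make the point above concrete, here is an added example (not code from the original post) that models three policies over a constructed set of hosts: VLANs with free routing between them, a VLAN-level default-deny access list, and host-level (micro-segmentation) rules. The hosts, segment names, and rules are all constructed; the check counts how many host-to-host paths remain on TCP port 445, the port WannaCry spread over.

```python
from dataclasses import dataclass, field
from itertools import permutations


@dataclass(frozen=True)
class Host:
    name: str
    segment: str  # the VLAN/subnet the host sits in


@dataclass
class Policy:
    default_allow: bool                  # True models "VLANs only": anything routes
    intra_segment_policed: bool = False  # True models host-level (micro) segmentation
    allows: list = field(default_factory=list)  # (src_selector, dst_selector, port)

    @staticmethod
    def _match(selector: str, host: Host) -> bool:
        # A selector is "*", a host name, or a segment name.
        return selector in ("*", host.name, host.segment)

    def permits(self, src: Host, dst: Host, port: int) -> bool:
        # A VLAN ACL only sees traffic that crosses the router, so same-segment
        # traffic passes untouched unless policy is enforced per host.
        if src.segment == dst.segment and not self.intra_segment_policed:
            return True
        for s_sel, d_sel, p in self.allows:
            if p == port and self._match(s_sel, src) and self._match(d_sel, dst):
                return True
        return self.default_allow


def reachable_pairs(hosts, policy, port):
    """Ordered (src, dst) host-name pairs that the policy lets talk on `port`."""
    return {(s.name, d.name) for s, d in permutations(hosts, 2)
            if policy.permits(s, d, port)}


# Constructed inventory: three VLANs, five hosts.
HOSTS = [
    Host("finance-pc", "corp"),
    Host("eng-pc", "corp"),
    Host("thermostat", "iot"),
    Host("file-server", "servers"),
    Host("db", "servers"),
]

POLICIES = {
    # VLANs exist, but nothing restricts traffic between them: still flat.
    "flat": Policy(default_allow=True),
    # Default deny between VLANs; corp may reach the file server on 445.
    "vlan_acl": Policy(default_allow=False,
                       allows=[("corp", "file-server", 445)]),
    # Same intent, enforced per host: peers in the same VLAN are also blocked.
    "micro": Policy(default_allow=False, intra_segment_policed=True,
                    allows=[("finance-pc", "file-server", 445),
                            ("eng-pc", "file-server", 445)]),
}


def lateral_paths(policy_name: str, port: int = 445) -> int:
    """Number of host-to-host paths left open on `port` under a policy."""
    return len(reachable_pairs(HOSTS, POLICIES[policy_name], port))


if __name__ == "__main__":
    for name in POLICIES:
        print(f"{name:9s} open paths on 445: {lateral_paths(name)}")
```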

3. Defense in Depth

The concept of defense in depth originated in the military and dates back to Roman times. It is intended to slow down attackers rather than stop them at a single, strong layer of defense. It also relies on the tendency of an attack to lose momentum over time.

In computing, defense in depth refers to having multiple layers of protection in physical, technical, and administrative controls of your network. It is designed in a way that defenses are not dependent on any single layer of protection. Since the strategy originated from the military, it similarly seeks to delay an attacker to allow time for detection and response.

A lot of people mistakenly believe that layered security (or layered defense) is the same as defense in depth. While the two overlap in many ways, they are different concepts. To put this in perspective, let’s revisit the Arizona Beverage Company’s security incident. From a layered security perspective, the minimum reasonable technical controls would be firewalls, endpoint security software, and operating systems with security patches applied. From a defense in depth perspective, the layered security controls are included, plus additional controls such as data backup, verifying backup integrity and accessibility, monitoring, and so on.

4. Principle of Least Privilege

The principle of least privilege is an essential concept in security. The idea of least privilege is that any user, application, etc. should have only the minimum rights and privileges necessary to perform its function. For example, finance users should not have the same level of access as users in the engineering department.

Least privilege helps reduce the attack surface by eliminating unnecessary rights and privileges that can result in security incidents, such as a major data breach. For example, the National Security Agency (NSA) had to reduce the number of people who had access to secret information after Edward Snowden leaked classified data [4].

Organizations should also implement periodic checks, possibly yearly, for privilege creep. The idea is to prevent a gradual accumulation of rights and privileges beyond what the subject needs to perform its function. For example, when an IP address is reused for a different function in the enterprise, the new host gains a set of firewall rules that serve its new purpose. However, it also keeps the same network access the previous owner had unless those old rules are removed.
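The IP-reuse case above is the kind of thing a periodic privilege-creep check should catch. Below is an added example (not the post’s own code) that cross-references a constructed asset inventory (IP, current role, date the IP was assigned to that role) against a constructed firewall rule list and flags rules whose source IP now serves a different role, predates the current assignment, or is no longer in inventory at all. The role names, IPs, rule IDs, and dates are all made up for the example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    ip: str
    role: str          # function the host currently serves
    assigned_on: date  # when this IP was (re)assigned to that role


@dataclass(frozen=True)
class Rule:
    rule_id: str
    src_ip: str
    dst: str
    port: int
    created_for: str   # role the rule was written to serve
    created_on: date


def stale_rules(assets, rules):
    """Return (rule_id, reason) for rules that no longer match the host using
    the source IP: role changed, rule predates the current assignment, or the
    IP is not in inventory. Rules whose IP/role/date line up are left alone."""
    by_ip = {a.ip: a for a in assets}
    findings = []
    for r in rules:
        asset = by_ip.get(r.src_ip)
        if asset is None:
            findings.append((r.rule_id, "source IP not in inventory"))
        elif r.created_for != asset.role:
            findings.append((r.rule_id,
                             f"written for {r.created_for}, IP now serves {asset.role}"))
        elif r.created_on < asset.assigned_on:
            findings.append((r.rule_id, "rule predates current assignment of the IP"))
    return findings


# Constructed inventory: 10.1.20.15 used to be a print server and was
# reassigned to an HR kiosk in January 2019.
ASSETS = [
    Asset("10.1.10.5", "eng-pc", date(2016, 6, 1)),
    Asset("10.1.20.15", "hr-kiosk", date(2019, 1, 10)),
]

# Constructed rule base: FW-042 is the leftover from the print-server days.
RULES = [
    Rule("FW-042", "10.1.20.15", "file-server", 445, "print-server", date(2017, 3, 2)),
    Rule("FW-057", "10.1.20.15", "hr-app", 443, "hr-kiosk", date(2018, 5, 1)),
    Rule("FW-101", "10.1.20.15", "hr-app", 443, "hr-kiosk", date(2019, 1, 12)),
    Rule("FW-120", "10.1.10.5", "git-server", 22, "eng-pc", date(2016, 6, 3)),
    Rule("FW-200", "10.1.30.7", "db", 5432, "web-app", date(2015, 9, 9)),
]


def audit():
    """Run the privilege-creep check over the constructed data."""
    return stale_rules(ASSETS, RULES)


if __name__ == "__main__":
    for rule_id, reason in audit():
        print(f"{rule_id}: {reason}")
```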

5. Monitoring

With the ever-evolving threat landscape, you should not make network security monitoring an afterthought. It should be one of the first defense strategies on your list. Why? Because it gives you the ability to watch your network for security threats, vulnerabilities, suspicious behavior, and so on, and to respond appropriately.

68% of breaches took months or longer to be discovered. In many cases, a third party, such as law enforcement or a partner, discovers the breach. The worst-case scenario is when your customers spot the breach [5].

Fortunately, organizations are getting better at reducing dwell time compared to previous years. Dwell time is the number of days an attacker is present on a victim’s network. It is measured from the first evidence of a compromise to detection. Currently, the median dwell time is 78 days [6].

Conclusion

In this day and age, managing network security is getting to be a lot more complicated and requires thoughtful planning. The threat landscape will continue to evolve, and organizations must continuously adapt in order to protect their infrastructure and data. Implementing these five network security principles into your organization will immensely improve your security posture.

Achieving these principles will require cooperation from all employees and not just the IT teams. More importantly, IT teams should have supportive executives who are fully committed to improving your organization’s network security.

Remember the saying “prevention is better than the cure”? This saying is very much applicable to cybersecurity. Applying a prevention mindset will harden the organization’s security posture. It doesn’t guarantee that an attack will be prevented, since cybercriminals are sophisticated and determined. However, implementing these network security principles will help make your organization a less attractive and less easy target for cybercriminals.

Are you in need of network security consulting in the San Francisco Bay Area?

We specialize in helping enterprises improve their network security.
Get in touch with us today!

NetworkJutsu provides networking and network security consulting services for startups, a more established small and medium-sized business (SMB), or large business throughout the San Francisco Bay Area.

References

[1] C-Suite Challenge 2019
[2] Arizona Beverages knocked offline by ransomware attack
[3] Casino Gets Hacked Through Its Internet-Connected Fish Tank Thermometer
[4] NSA to cut system administrators by 90 percent to limit data access
[5] 2018 Verizon Data Breach Investigations Report
[6] M-Trends 2019

How to improve your cybersecurity

01/28/2019 By Andrew Roderos Leave a Comment

A lot of businesses are still not focusing on their cybersecurity posture. Unfortunately, today’s threat landscape is continuously evolving, and companies shouldn’t make it an afterthought. Long gone are the days when installing and configuring a firewall was enough to protect the company’s data and network. Today, the Information Technology (IT) and Information Security (IS) departments need to worry about application security, vulnerability management, human error, and more.

Who are the victims

One possible reason why businesses, especially small businesses, are not focusing on cybersecurity is that they believe they’re not the target of cybercriminals. This assumption is far from the truth. Cybercriminals are casting a wide net for whom they target. Small and medium-sized businesses (SMB) are not immune to cyberattacks. In fact, out of the 53,000 incidents and 2,216 confirmed data breaches, 58% of the victims are categorized as small businesses [1].

Cost of an attack

Another possible reason why small businesses aren’t focusing on improving their cybersecurity is the lack of budget. Allocating limited resources to cybersecurity is a challenge, but it’s vital to keep in mind the cost to the business of a cyberattack. According to Hiscox, an insurance provider, small businesses’ estimated average cost for security incidents in the last 12 months was $34,604. For companies with more than 1,000 employees, the average was $1.05 million annually [2]. Keep in mind that these numbers are only direct costs. There are indirect costs as well, such as lost customers, damage to brand reputation, and so on.

Improving your cybersecurity

While the data presented is frightening, luckily, there are ways for businesses to improve their cybersecurity. Here are some of the things that companies should do to strengthen their cybersecurity.

Identify and classify your data

Identifying the types of data that your company processes, stores, and transmits is the key to knowing what to protect. These types of data could be one or more of the following: Personally Identifiable Information (PII), Protected Health Information (PHI), intellectual property (IP), and so on.

The next step after data identification is data classification. It is the process of categorizing types of data based on their level of sensitivity, value, and criticality to your company. This step determines how many resources the business should invest in protecting each type.

The military’s data classification scheme is a good example. It has five levels: top secret, secret, confidential, sensitive but unclassified, and unclassified. Depending on the level, disclosure may or may not pose a threat to national security. Applying a similar concept to your company will help in prioritizing what to protect.

Manage hardware and software assets

Doing an inventory of authorized hardware and software assets is another necessary step in improving your company’s cybersecurity. Having a complete list of both enables IT or IS to track unauthorized hardware and software and prevent it from connecting to or executing on the network.

Actively managing assets also makes it easier to plan for replacing aging hardware. It also makes it easier to track which software needs an update or upgrade, which is crucial in thwarting cyberattacks.

Security awareness training

There is a saying that a chain is only as strong as its weakest link. In cybersecurity, when security controls are strong, then oftentimes the weakest link in the chain is human.

There were 1,712 security incidents and confirmed data breaches that resulted from phishing and pretexting [1]. While this is a small percentage, it is still a problem that companies must address. Social engineering attacks, such as phishing and pretexting, could be lessened with proper security awareness training.

The training program must also cover other types of social engineering attacks, as well as physical security, passwords, computer security, malware, and so on. All employees must take the training, and it should be part of your onboarding process. A well-designed program must be interactive and should be relevant to employees’ day-to-day functions and personal lives.

Protect your data and IT infrastructure

There are a lot of ways of protecting your data and IT infrastructure. This topic could be a series of blog posts, so we’re only going to touch on a few of them.

Endpoint security

Cybercriminals used malware in 30% of the incidents and confirmed breaches [1]. That said, companies must invest in endpoint security. Gartner splits endpoint security into two markets: Endpoint Protection Platform (EPP) and Endpoint Detection and Response (EDR). To quickly summarize the difference between the two, EPP is preventive and mostly signature-based, while EDR is preventive and forensic.

The current buzzwords in endpoint security (technically, in other industries as well) are machine learning (ML) and artificial intelligence (AI). While machine learning in the endpoint security space can help, it is only as good as what it knows. It requires a massive amount of data to be able to distinguish if a specific behavior is malicious or not. That said, don’t just pick a vendor that has machine learning baked into their product. Machine learning alone doesn’t catch malware.

Network security

There are still a lot of networks out there that only protect the perimeter. Unfortunately, perimeter defense is an old way of doing things. This type of network protection is often called hard outside, soft inside. Think of the Trojan Horse story from the Trojan War: once the enemies were inside, they were able to wreak havoc because security was focused on protecting the perimeter. Today’s approach is Zero Trust Architecture, where you take the never trust, always verify approach.

Related: 5 Network Security Principles for the Enterprise

The WannaCry ransomware, which affected over 200,000 computers, is a perfect example of malware that exposed the network security weaknesses of companies. Once the malware was inside, it was able to infect other computers on the network. The malware also exposed the companies’ vulnerability management practices.

Data backup

Businesses need to protect their data. One of the ways they can do this is by backing up their valuable data. Without data backup, companies could suffer data loss because of hardware failure, file deletion, malware, and so on.

Some of the businesses that were infected by WannaCry paid ransom money to get their data back. If they had a good data backup strategy, then they wouldn’t have had to pay for the ransom and could’ve recovered quickly.

Multi-factor authentication (MFA)

Out of 55,216 incidents and breaches, there were a total of 823 where cybercriminals used stolen credentials [1]. While it is a small percentage, it is still happening and must be addressed.

Related: What is multi-factor authentication?

Cybercriminals use multiple methods to acquire credentials, one of which is phishing campaigns. While security awareness training will help, some people will still fall for them. To mitigate stolen credentials, enabling multi-factor authentication (MFA) on all applications and systems is the key.

Vulnerability management

Every week, if not every day, software vulnerabilities are discovered. Some discoveries are responsibly reported to the vendor, but some are used for zero-day attacks. Periodically scanning for vulnerabilities will reveal security risks, and these should be addressed promptly before they result in an actual compromise.

Keeping software up to date is another vital piece in improving your cybersecurity. Not applying the latest updates to the software that runs on your network is essentially inviting cybercriminals to breach your company. Cybercriminals are still successfully exploiting known software vulnerabilities. In fact, the Equifax hack that happened in May 2017 was due to unpatched software running on their public-facing server [3].

Monitoring

Having preventive controls is great, but we have to keep in mind that nothing is 100% secure. That said, your company’s cybersecurity solutions should include monitoring to detect and respond to security threats, incidents, and breaches.

Oftentimes, it only takes minutes (or less) for cybercriminals to compromise a system. Unfortunately, 68% of breaches took months or longer to discover. In many cases, it’s not even the company itself that discovered the breach [1]. Don’t let your company be one of them.

Conclusion

There’s no silver bullet in cybersecurity, and no products and solutions are going to give you 100% protection. The only things that companies can do are to reduce the attack surface, mitigate security risks, educate employees about cybersecurity, and be able to detect and respond quickly to security threats, incidents, and breaches.

Are you ready to improve your network security?

Let us answer more questions by contacting us. We’re here to listen and provide solutions that are right for you.

NetworkJutsu provides networking and network security consulting services for startups, a more established small and medium-sized business (SMB), or large business throughout the San Francisco Bay Area.

References

[1] Verizon 2018 Data Breach Investigations Report
[2] Hiscox Small Business Cyber Risk Report
[3] Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach
