It

It's All About the Network

Continued increase in data breaches reinforces need for holistic security approach

The daily increase in the number of cyber attacks launched and the success hackers are having against heavily guarded businesses are a wake-up call for all companies to be more proactive and vigilant in their security efforts. The retail industry in particular has been a recent target of attacks with a new breed of point-of-sale malware, known as GamaPoS, impacting numerous organizations across North America. This epitomizes the need for companies to properly segment network traffic and prohibit general access to the Internet. This is especially true if access is via a single or common LAN segment.

Protecting the network in general and not just a point of sale (PoS) system, a patient record database or other data sources is critically important for all companies to consider. Unfortunately, proper LAN segmentation and restricted network access is often overlooked, particularly when a company is focused primarily on meeting regulatory compliance and then goes back to normal operating procedures after the audit or required network scan has been completed. Most compliance guidelines are just that, guidelines. They do not offer tailored configurations for a business. By far the most specific compliance mandate is the PCI DSS which has evolved over a number of years and does offer a solid foundation for security.

SECURE THE NETWORKS

I frequently encounter businesses that neglect to properly segment and secure their networks for a host of reasons. Many will state that their PoS provider set up their “computers” and that they have no idea how their system operates. Others have very inexpensive and largely inexperienced IT people install, configure and maintain their systems. The problem is, I rarely see evidence of a highly skilled security engineer ever having setup and tested the network.

In the GamaPoS case, malware was introduced because someone likely gained unrestricted access to the Internet to inadvertently compromise the PoS system and critical data. Many companies balk at compliance regulations such as PCI for a number of reasons, but LAN segmentation and restricted Internet access, especially on a segment that leads to critical data, is not secure and in fact breaks security best practices and PCI rules. As an example of how critical network segmentation is, under PCI 3.1, companies must declare how they are segmenting payment card data from all other IP traffic and further, provide proof of segmentation. Having an Internet estuary is bad for any company, as it opens them up to malicious attacks. The reality: hackers use any and all routes over the Internet to infiltrate a company and find the valuables they’re looking to steal.

Network segmentation is one of the most effective controls a company can implement to mitigate the risk of a network intrusion. If implemented correctly, it makes it significantly more difficult for a cyber-criminal to locate and gain access to your most sensitive information. The goal of implementing network segmentation is to minimize access to sensitive data and more importantly deny access to people who don’t need it. The methodologies being used by hackers continues to evolve and become more sophisticated, but one common element hasn’t changed, they must have a route to the critical data.

DESCRIBE YOUR NETWORK

Scary as it may seem, a recent study IT professionals were asked to describe their network segmentation - “Only 30 percent of respondents said they had implemented a segmented network. A third stated they ‘set and forget’ their segmentation and an equal number reported they occasionally revisit it, typically around audit time. A brutally honest 6 percent said, ‘My network what?’”

Among the biggest problems businesses face is finding balance between security needs and costs. Ask any highly trained security auditor or consultant and they’ll likely suggest that you need as much as you can buy. Deploying, maintaining and managing such technologies come with a high cost and I don’t know of any consumers willing to pay $15 for a hamburger and fries. The key is finding a solution set that addresses general network segmentation and security while also providing more stringent security levels around your most critical assets/data.

It all starts with understanding what you have to protect! In order for a network segmentation strategy to work, you have to understand what your cyber assets are and where they reside. Many companies still struggle with this concept, but it’s critical that every stake holder know what hackers are after and why. The obvious choices are credit and debit information, followed closely by Personally Identifiable Information (PII) and Personal Health Information (PHI). On the rise is business theft. Criminals are stealing corporate trade secrets and financial data, and using it to blackmail the company into paying a ransom.

An alarming number of business stake holders think they are too small for a hacker to target. The reality is nothing could be further from the truth. Hackers don’t care about a business size, they look for holes in a network via scanning tools. They don’t discriminate between a luxury car or a clunker. If there’s something of value in the front seat it’s theirs for the taking. So, take the time to inventory your business and make a priority list of what’s the highest value asset that could be on your network and that is connected to the Internet. From there it’s much easier to isolate and defend and protect the business and its patrons.

TESTING SECURITY POSTURE

Focus on security first and not regulatory compliance. This may seem counterintuitive, but compliance mandates such as PCI DSS, HIPAA and others are simply a way of testing a company’s security posture. Take a top down approach, meaning secure your sensitive information and the remaining items to meet compliance standards are minimized. These standards are based on security best practices, so by implementing them you are effectively addressing your compliance requirements by default.

Understand the technical proficiency of your existing IT and/or security staff. If you have any. This can be a little bit of a sore subject, but the reality is that not all IT personnel are really good at security. In fact, not all certified security personnel are really good at it. Often they do not “practice” security on a daily basis because they double as the IT person and are busy keeping desktops, printers and wireless devices operational. In contrast, hackers do practice their craft every day.

Every company is limited by their resources and IT/security is no exception. Make a plan to discuss your security with your staff realizing that it’s a touchy subject and one that can invoke feelings of job insecurity. It’s rare to find technical personnel that are willing to openly state they need help (beyond financing security tools) in there are of expertise. But a word to the wise, take a look at recent breaches that have made the headlines. Every one of those companies had very good security technologies and resources in place and they still got hacked. Everyone needs to be willing to accept help from other professionals.

Look to outsourcing some or all of your critical security functions to managed security providers. MSSP’s are a great way to extend your security resources without the capital outlay that accompanies doing it yourself. Let’s be real for a moment. Beyond just investing in the hardware and software, it’s going to cost roughly $500,000 per year just to staff a security team because vigilance must be around the clock, every day of the year. And by the way, there is a critical shortage of trained security experts available to the market! By focusing on the steps above and realizing what cyber assets need to be protected, what compliance mandates are required and what are your existing IT/Security limitations, you can effectively come up with a list of “must have’s” when you look for an MSSP.

This article originally appeared in the February 2016 issue of Security Today.

Featured

  • Freedom of Choice

    In today's security landscape, we are witnessing a fundamental transformation in how organizations manage digital evidence. Law enforcement agencies, campus security teams, and large facility operators face increasingly complex challenges with expanding video data, tightening budget constraints and inflexible systems that limit innovation. Read Now

  • Accelerating a Pathway

    There is a new trend touting the transformational qualities of AI’s ability to deliver actionable data and predictive analysis that in many instances, seems to be a bit of an overpromise. The reality is that very few solutions in the cyber-physical security (CPS) space live up to this high expectation with the one exception being the new generation of Physical Identity and Access Management (PIAM) software – herein recategorized as PIAM+. Read Now

  • Protecting Your Zones

    It is game day. You can feel the crowd’s energy. In the parking lot. At the gate. In the stadium. On the concourse. Fans are eager to party. Food and merchandise vendors ready themselves for the rush. Read Now

  • Street Smarts

    The ongoing acceptance of AI and advanced data analytics has allowed surveillance camera technology to shift from being a tactical tool to a strategic business solution. Combining traditional surveillance technology with AI-based data-driven insights can streamline transportation systems, enhance traffic management, improve situational awareness, optimize resource allocation and streamline emergency response procedures. Read Now

  • Midtown Manhattan Shooting Kills 4, Including NYPD Officer

    Four people were killed, including a NYPD officer, in a midtown Manhattan shooting on Monday. That’s according to CNN. Read Now

New Products

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.”

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame.

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge.