It

It's All About the Network

Continued increase in data breaches reinforces need for holistic security approach

The daily increase in the number of cyber attacks launched and the success hackers are having against heavily guarded businesses are a wake-up call for all companies to be more proactive and vigilant in their security efforts. The retail industry in particular has been a recent target of attacks with a new breed of point-of-sale malware, known as GamaPoS, impacting numerous organizations across North America. This epitomizes the need for companies to properly segment network traffic and prohibit general access to the Internet. This is especially true if access is via a single or common LAN segment.

Protecting the network in general and not just a point of sale (PoS) system, a patient record database or other data sources is critically important for all companies to consider. Unfortunately, proper LAN segmentation and restricted network access is often overlooked, particularly when a company is focused primarily on meeting regulatory compliance and then goes back to normal operating procedures after the audit or required network scan has been completed. Most compliance guidelines are just that, guidelines. They do not offer tailored configurations for a business. By far the most specific compliance mandate is the PCI DSS which has evolved over a number of years and does offer a solid foundation for security.

SECURE THE NETWORKS

I frequently encounter businesses that neglect to properly segment and secure their networks for a host of reasons. Many will state that their PoS provider set up their “computers” and that they have no idea how their system operates. Others have very inexpensive and largely inexperienced IT people install, configure and maintain their systems. The problem is, I rarely see evidence of a highly skilled security engineer ever having setup and tested the network.

In the GamaPoS case, malware was introduced because someone likely gained unrestricted access to the Internet to inadvertently compromise the PoS system and critical data. Many companies balk at compliance regulations such as PCI for a number of reasons, but LAN segmentation and restricted Internet access, especially on a segment that leads to critical data, is not secure and in fact breaks security best practices and PCI rules. As an example of how critical network segmentation is, under PCI 3.1, companies must declare how they are segmenting payment card data from all other IP traffic and further, provide proof of segmentation. Having an Internet estuary is bad for any company, as it opens them up to malicious attacks. The reality: hackers use any and all routes over the Internet to infiltrate a company and find the valuables they’re looking to steal.

Network segmentation is one of the most effective controls a company can implement to mitigate the risk of a network intrusion. If implemented correctly, it makes it significantly more difficult for a cyber-criminal to locate and gain access to your most sensitive information. The goal of implementing network segmentation is to minimize access to sensitive data and more importantly deny access to people who don’t need it. The methodologies being used by hackers continues to evolve and become more sophisticated, but one common element hasn’t changed, they must have a route to the critical data.

DESCRIBE YOUR NETWORK

Scary as it may seem, a recent study IT professionals were asked to describe their network segmentation - “Only 30 percent of respondents said they had implemented a segmented network. A third stated they ‘set and forget’ their segmentation and an equal number reported they occasionally revisit it, typically around audit time. A brutally honest 6 percent said, ‘My network what?’”

Among the biggest problems businesses face is finding balance between security needs and costs. Ask any highly trained security auditor or consultant and they’ll likely suggest that you need as much as you can buy. Deploying, maintaining and managing such technologies come with a high cost and I don’t know of any consumers willing to pay $15 for a hamburger and fries. The key is finding a solution set that addresses general network segmentation and security while also providing more stringent security levels around your most critical assets/data.

It all starts with understanding what you have to protect! In order for a network segmentation strategy to work, you have to understand what your cyber assets are and where they reside. Many companies still struggle with this concept, but it’s critical that every stake holder know what hackers are after and why. The obvious choices are credit and debit information, followed closely by Personally Identifiable Information (PII) and Personal Health Information (PHI). On the rise is business theft. Criminals are stealing corporate trade secrets and financial data, and using it to blackmail the company into paying a ransom.

An alarming number of business stake holders think they are too small for a hacker to target. The reality is nothing could be further from the truth. Hackers don’t care about a business size, they look for holes in a network via scanning tools. They don’t discriminate between a luxury car or a clunker. If there’s something of value in the front seat it’s theirs for the taking. So, take the time to inventory your business and make a priority list of what’s the highest value asset that could be on your network and that is connected to the Internet. From there it’s much easier to isolate and defend and protect the business and its patrons.

TESTING SECURITY POSTURE

Focus on security first and not regulatory compliance. This may seem counterintuitive, but compliance mandates such as PCI DSS, HIPAA and others are simply a way of testing a company’s security posture. Take a top down approach, meaning secure your sensitive information and the remaining items to meet compliance standards are minimized. These standards are based on security best practices, so by implementing them you are effectively addressing your compliance requirements by default.

Understand the technical proficiency of your existing IT and/or security staff. If you have any. This can be a little bit of a sore subject, but the reality is that not all IT personnel are really good at security. In fact, not all certified security personnel are really good at it. Often they do not “practice” security on a daily basis because they double as the IT person and are busy keeping desktops, printers and wireless devices operational. In contrast, hackers do practice their craft every day.

Every company is limited by their resources and IT/security is no exception. Make a plan to discuss your security with your staff realizing that it’s a touchy subject and one that can invoke feelings of job insecurity. It’s rare to find technical personnel that are willing to openly state they need help (beyond financing security tools) in there are of expertise. But a word to the wise, take a look at recent breaches that have made the headlines. Every one of those companies had very good security technologies and resources in place and they still got hacked. Everyone needs to be willing to accept help from other professionals.

Look to outsourcing some or all of your critical security functions to managed security providers. MSSP’s are a great way to extend your security resources without the capital outlay that accompanies doing it yourself. Let’s be real for a moment. Beyond just investing in the hardware and software, it’s going to cost roughly $500,000 per year just to staff a security team because vigilance must be around the clock, every day of the year. And by the way, there is a critical shortage of trained security experts available to the market! By focusing on the steps above and realizing what cyber assets need to be protected, what compliance mandates are required and what are your existing IT/Security limitations, you can effectively come up with a list of “must have’s” when you look for an MSSP.

This article originally appeared in the February 2016 issue of Security Today.

  • Ahead of Current Events Ahead of Current Events

    In this episode, Ralph C. Jensen chats with Dana Barnes, president of global government at Dataminr. We talk about the evolution of Dataminr and how data software benefits business and personnel alike. Dataminr delivers the earliest warnings on high impact events and critical information far in advance of other sources, enabling faster response, more effective risk mitigation for both public and private sector organizations. Barnes recites Dataminr history and how their platform works. With so much emphasis on cybersecurity, Barnes goes into detail about his cybersecurity background and the measures Dataminr takes to ensure safe and secure implementation.

Digital Edition

  • Security Today Magazine - November December 2022

    November / December 2022

    Featuring:

    • Key Tech Trend
    • Is Your Access Control System Cyber Secure?
    • Constantly Evolving
    • The Talent Shortage
    • Looking Forward to 2023

    View This Issue

  • Environmental Protection
  • Occupational Health & Safety
  • Spaces4Learning
  • Campus Security & Life Safety