It's All About the Network
Continued increase in data breaches reinforces need for holistic security approach
- By Gregory Grant
- Feb 01, 2016
The daily increase in the number of cyber attacks launched and the
success hackers are having against heavily guarded businesses are
a wake-up call for all companies to be more proactive and vigilant
in their security efforts. The retail industry in particular has been a
recent target of attacks with a new breed of point-of-sale malware,
known as GamaPoS, impacting numerous organizations across North America.
This epitomizes the need for companies to properly segment network traffic and
prohibit general access to the Internet. This is especially true if access is via a single
or common LAN segment.
Protecting the network in general and not just a point of sale (PoS) system, a
patient record database or other data sources is critically important for all companies
to consider. Unfortunately, proper LAN segmentation and restricted network
access are often overlooked, particularly when a company is focused primarily on
meeting regulatory compliance and then goes back to normal operating procedures
after the audit or required network scan has been completed. Most compliance
guidelines are just that, guidelines. They do not offer tailored configurations
for a business. By far the most specific compliance mandate is the PCI DSS which
has evolved over a number of years and does offer a solid foundation for security.
SECURE THE NETWORKS
I frequently encounter businesses that neglect to properly segment and secure their
networks for a host of reasons. Many will state that their PoS provider set up their
“computers” and that they have no idea how their system operates. Others have
very inexpensive and largely inexperienced IT people install, configure and maintain
their systems. The problem is, I rarely see evidence of a highly skilled security
engineer ever having set up and tested the network.
In the GamaPoS case, malware was introduced most likely because someone with
unrestricted access to the Internet inadvertently compromised the PoS system
and critical data. Many companies balk at compliance regulations such as PCI
for a number of reasons, but a LAN without segmentation and with unrestricted Internet
access, especially on a segment that leads to critical data, is not secure and in fact
breaks security best practices and PCI rules. As an example of how critical network
segmentation is, under PCI 3.1, companies must declare how they are segmenting
payment card data from all other IP traffic and, further, provide proof of segmentation.
Having an Internet estuary is bad for any company, as it opens them up to
malicious attacks. The reality: hackers use any and all routes over the Internet to
infiltrate a company and find the valuables they’re looking to steal.
Network segmentation is one of the most effective controls a company can
implement to mitigate the risk of a network intrusion. If implemented correctly, it
makes it significantly more difficult for a cyber-criminal to locate and gain access
to your most sensitive information. The goal of implementing network segmentation
is to minimize access to sensitive data and more importantly deny access to
people who don’t need it. The methodologies used by hackers continue to
evolve and become more sophisticated, but one common element hasn’t changed:
they must have a route to the critical data.
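The two paragraphs above contrast a flat LAN with unrestricted Internet access against a segmented one, and the PCI point earlier asks for proof of segmentation. The following Python sketch is an added example, not code from the article or from any product it mentions: it models both designs as first-match, default-deny rule sets, evaluates whether a hypothetical PoS host can reach the Internet or be reached from other segments, and produces the kind of reachability matrix that serves as segmentation evidence. All segment names and addresses are constructed placeholders (RFC 1918 and documentation ranges).

```python
"""Segmentation policy checker (added example; constructed addresses)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str      # source CIDR
    dst: str      # destination CIDR
    action: str   # "allow" or "deny"


# One representative host per segment, used to probe the policy.
# These are constructed sample values, not real infrastructure.
PROBES = {
    "pos":       "10.10.20.15",    # point-of-sale segment
    "corp":      "10.10.10.22",    # back-office workstations
    "guest":     "10.10.30.7",     # guest Wi-Fi
    "processor": "198.51.100.9",   # hypothetical payment processor
    "internet":  "203.0.113.10",   # arbitrary Internet host (TEST-NET-3)
}

# Weak design: a single flat LAN where everything can talk to everything,
# including the Internet. This is the "Internet estuary" the article warns about.
FLAT_LAN = [Rule("0.0.0.0/0", "0.0.0.0/0", "allow")]

# Segmented design: the PoS segment may only reach its payment processor,
# nothing else may reach the PoS segment, and other segments keep general
# Internet access. Anything not matched is denied (default deny).
SEGMENTED = [
    Rule("10.10.20.0/24", "198.51.100.0/24", "allow"),  # PoS -> processor only
    Rule("10.10.20.0/24", "0.0.0.0/0", "deny"),         # PoS -> anywhere else
    Rule("0.0.0.0/0", "10.10.20.0/24", "deny"),         # nothing else -> PoS
    Rule("10.10.10.0/24", "0.0.0.0/0", "allow"),        # corp may browse
    Rule("10.10.30.0/24", "0.0.0.0/0", "allow"),        # guest may browse
]


def is_allowed(rules, src_ip, dst_ip):
    """First-match evaluation of src -> dst; unmatched traffic is denied."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst):
            return r.action == "allow"
    return False


def reachability(rules, probes=PROBES):
    """Map every ordered (src_segment, dst_segment) pair to whether it is reachable."""
    return {
        (a, b): is_allowed(rules, pa, pb)
        for a, pa in probes.items()
        for b, pb in probes.items()
        if a != b
    }


def segmentation_evidence(rules, protected="pos", allowed_peers=("processor",)):
    """Return the reachable pairs that touch the protected segment but are not
    one of its explicitly allowed peers. An empty list is the evidence that the
    segment is isolated; a non-empty list is the to-do list."""
    violations = []
    for (a, b), reachable in reachability(rules).items():
        if not reachable:
            continue
        if a == protected and b not in allowed_peers:
            violations.append((a, b))
        elif b == protected and a not in allowed_peers:
            violations.append((a, b))
    return violations


def print_matrix(rules, title):
    """Print a reachability matrix: rows are sources, columns are destinations."""
    names = list(PROBES)
    matrix = reachability(rules)
    print(title)
    print("from\\to   " + " ".join(f"{n:>9}" for n in names))
    for a in names:
        cells = ["      -  " if a == b else
                 ("      yes" if matrix[(a, b)] else "       no") for b in names]
        print(f"{a:<9} " + " ".join(cells))
    print("violations:", segmentation_evidence(rules) or "none")
    print()


if __name__ == "__main__":
    print_matrix(FLAT_LAN, "flat LAN (no segmentation)")
    print_matrix(SEGMENTED, "segmented LAN (PoS restricted to processor)")
```

The evaluator deliberately has no notion of connection state, ports or return traffic; a real firewall or VLAN ACL would be stateful and port-specific. What the model shows is the policy logic that matters for the article's point: the PoS segment has exactly one route out, to the processor, and no route in, and the same matrix run against live scans from each segment is what an assessor will ask to see.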
DESCRIBE YOUR NETWORK
Scary as it may seem, in a recent study IT professionals were asked to describe their
network segmentation: “Only 30 percent of respondents said they had implemented
a segmented network. A third stated they ‘set and forget’ their segmentation
and an equal number reported they occasionally revisit it, typically around
audit time. A brutally honest 6 percent said, ‘My network what?’”
Among the biggest problems businesses face is finding balance between security
needs and costs. Ask any highly trained security auditor or consultant and they’ll
likely suggest that you need as much as you can buy. Deploying, maintaining and
managing such technologies come with a high cost and I don’t know of any consumers
willing to pay $15 for a hamburger and fries. The key is finding a solution
set that addresses general network segmentation and security while also providing
more stringent security levels around your most critical assets/data.
It all starts with understanding what you have to protect! In order for a network
segmentation strategy to work, you have to understand what your cyber assets are
and where they reside. Many companies still struggle with this concept, but it’s
critical that every stakeholder know what hackers are after and why. The obvious
choices are credit and debit information, followed closely by Personally Identifiable
Information (PII) and Personal Health Information (PHI). On the rise is business
theft. Criminals are stealing corporate trade secrets and financial data, and
using it to blackmail the company into paying a ransom.
An alarming number of business stakeholders think they are too small for
a hacker to target. The reality is nothing could be further from the truth. Hackers
don’t care about a business’s size; they look for holes in a network via scanning
tools. They don’t discriminate between a luxury car and a clunker. If there’s something
of value in the front seat, it’s theirs for the taking. So, take the time to inventory
your business and make a priority list of the highest value assets that could be on
your network and that are connected to the Internet. From there it’s much easier to
isolate, defend and protect the business and its patrons.
TESTING SECURITY POSTURE
Focus on security first and not regulatory compliance. This may seem counterintuitive,
but compliance mandates such as PCI DSS, HIPAA and others are simply a way of testing
a company’s security posture. Take a top down approach, meaning secure your sensitive
information and the remaining items needed to meet compliance standards are minimized.
These standards are based on security best practices, so by implementing them you are
effectively addressing your compliance requirements.
Understand the technical proficiency of your existing IT and/or security staff, if
you have any. This can be a little bit of a sore subject, but the reality is that
not all IT personnel are really good at security. In fact, not all certified security
personnel are really good at it. Often they do not “practice” security on a daily basis
because they double as the IT person and are busy keeping desktops, printers and wireless
devices operational. In contrast, hackers do practice their craft every day.
Every company is limited by its resources and IT/security is no exception. Make a
plan to discuss your security with your staff, realizing that it’s a touchy subject and
one that can invoke feelings of job insecurity. It’s rare to find technical personnel
who are willing to openly state they need help (beyond financing security tools) in
their area of expertise. But a word to the wise: take a look at recent breaches that
have made the headlines. Every one of those companies had very good security
technologies and resources in place and they still got hacked. Everyone needs to be
willing to accept help from other professionals.
Look to outsourcing some or all of your critical security functions to managed
security service providers. MSSPs are a great way to extend your security resources
without the capital outlay that accompanies doing it yourself. Let’s be real for a
moment. Beyond just investing in the hardware and software, it’s going to cost roughly
$500,000 per year just to staff a security team because vigilance must be around the
clock, every day of the year. And by the way, there is a critical shortage of trained
security experts available to the market!
By focusing on the steps above and realizing what cyber assets need to be protected,
what compliance mandates are required and what your existing IT/security limitations
are, you can effectively come up with a list of “must-haves” when you look for an MSSP.
This article originally appeared in the February 2016 issue of Security Today.