It

It's All About the Network

Continued increase in data breaches reinforces need for holistic security approach

The daily increase in the number of cyber attacks launched and the success hackers are having against heavily guarded businesses are a wake-up call for all companies to be more proactive and vigilant in their security efforts. The retail industry in particular has been a recent target of attacks with a new breed of point-of-sale malware, known as GamaPoS, impacting numerous organizations across North America. This epitomizes the need for companies to properly segment network traffic and prohibit general access to the Internet. This is especially true if access is via a single or common LAN segment.

Protecting the network in general and not just a point of sale (PoS) system, a patient record database or other data sources is critically important for all companies to consider. Unfortunately, proper LAN segmentation and restricted network access is often overlooked, particularly when a company is focused primarily on meeting regulatory compliance and then goes back to normal operating procedures after the audit or required network scan has been completed. Most compliance guidelines are just that, guidelines. They do not offer tailored configurations for a business. By far the most specific compliance mandate is the PCI DSS which has evolved over a number of years and does offer a solid foundation for security.

SECURE THE NETWORKS

I frequently encounter businesses that neglect to properly segment and secure their networks for a host of reasons. Many will state that their PoS provider set up their “computers” and that they have no idea how their system operates. Others have very inexpensive and largely inexperienced IT people install, configure and maintain their systems. The problem is, I rarely see evidence of a highly skilled security engineer ever having setup and tested the network.

In the GamaPoS case, malware was introduced because someone likely gained unrestricted access to the Internet to inadvertently compromise the PoS system and critical data. Many companies balk at compliance regulations such as PCI for a number of reasons, but LAN segmentation and restricted Internet access, especially on a segment that leads to critical data, is not secure and in fact breaks security best practices and PCI rules. As an example of how critical network segmentation is, under PCI 3.1, companies must declare how they are segmenting payment card data from all other IP traffic and further, provide proof of segmentation. Having an Internet estuary is bad for any company, as it opens them up to malicious attacks. The reality: hackers use any and all routes over the Internet to infiltrate a company and find the valuables they’re looking to steal.

Network segmentation is one of the most effective controls a company can implement to mitigate the risk of a network intrusion. If implemented correctly, it makes it significantly more difficult for a cyber-criminal to locate and gain access to your most sensitive information. The goal of implementing network segmentation is to minimize access to sensitive data and more importantly deny access to people who don’t need it. The methodologies being used by hackers continues to evolve and become more sophisticated, but one common element hasn’t changed, they must have a route to the critical data.

DESCRIBE YOUR NETWORK

Scary as it may seem, a recent study IT professionals were asked to describe their network segmentation - “Only 30 percent of respondents said they had implemented a segmented network. A third stated they ‘set and forget’ their segmentation and an equal number reported they occasionally revisit it, typically around audit time. A brutally honest 6 percent said, ‘My network what?’”

Among the biggest problems businesses face is finding balance between security needs and costs. Ask any highly trained security auditor or consultant and they’ll likely suggest that you need as much as you can buy. Deploying, maintaining and managing such technologies come with a high cost and I don’t know of any consumers willing to pay $15 for a hamburger and fries. The key is finding a solution set that addresses general network segmentation and security while also providing more stringent security levels around your most critical assets/data.

It all starts with understanding what you have to protect! In order for a network segmentation strategy to work, you have to understand what your cyber assets are and where they reside. Many companies still struggle with this concept, but it’s critical that every stake holder know what hackers are after and why. The obvious choices are credit and debit information, followed closely by Personally Identifiable Information (PII) and Personal Health Information (PHI). On the rise is business theft. Criminals are stealing corporate trade secrets and financial data, and using it to blackmail the company into paying a ransom.

An alarming number of business stake holders think they are too small for a hacker to target. The reality is nothing could be further from the truth. Hackers don’t care about a business size, they look for holes in a network via scanning tools. They don’t discriminate between a luxury car or a clunker. If there’s something of value in the front seat it’s theirs for the taking. So, take the time to inventory your business and make a priority list of what’s the highest value asset that could be on your network and that is connected to the Internet. From there it’s much easier to isolate and defend and protect the business and its patrons.

TESTING SECURITY POSTURE

Focus on security first and not regulatory compliance. This may seem counterintuitive, but compliance mandates such as PCI DSS, HIPAA and others are simply a way of testing a company’s security posture. Take a top down approach, meaning secure your sensitive information and the remaining items to meet compliance standards are minimized. These standards are based on security best practices, so by implementing them you are effectively addressing your compliance requirements by default.

Understand the technical proficiency of your existing IT and/or security staff. If you have any. This can be a little bit of a sore subject, but the reality is that not all IT personnel are really good at security. In fact, not all certified security personnel are really good at it. Often they do not “practice” security on a daily basis because they double as the IT person and are busy keeping desktops, printers and wireless devices operational. In contrast, hackers do practice their craft every day.

Every company is limited by their resources and IT/security is no exception. Make a plan to discuss your security with your staff realizing that it’s a touchy subject and one that can invoke feelings of job insecurity. It’s rare to find technical personnel that are willing to openly state they need help (beyond financing security tools) in there are of expertise. But a word to the wise, take a look at recent breaches that have made the headlines. Every one of those companies had very good security technologies and resources in place and they still got hacked. Everyone needs to be willing to accept help from other professionals.

Look to outsourcing some or all of your critical security functions to managed security providers. MSSP’s are a great way to extend your security resources without the capital outlay that accompanies doing it yourself. Let’s be real for a moment. Beyond just investing in the hardware and software, it’s going to cost roughly $500,000 per year just to staff a security team because vigilance must be around the clock, every day of the year. And by the way, there is a critical shortage of trained security experts available to the market! By focusing on the steps above and realizing what cyber assets need to be protected, what compliance mandates are required and what are your existing IT/Security limitations, you can effectively come up with a list of “must have’s” when you look for an MSSP.

This article originally appeared in the February 2016 issue of Security Today.

Featured

  • Pragmatism, Productivity, and the Push for Accountability in 2025-2026

    Every year, the security industry debates whether artificial intelligence is a disruption, an enabler, or a distraction. By 2025, that conversation matured, where AI became a working dimension in physical identity and access management (PIAM) programs. Observations from 2025 highlight this turning point in AI’s role in access control and define how security leaders are being distinguished based on how they apply it. Read Now

  • Report: Cyber Attackers Continue to Turn to AI-Based Tools to Avoid Detection

    Comcast Business recently released its 2025 Cybersecurity Threat Report, a comprehensive analysis of 34.6 billion cybersecurity events detected between June 1,2024 and May 31, 2025. Now in its third year, the report offers business leaders a unique perspective into the evolving threat landscape and provides actionable insights to help organizations strengthen their defenses and align cybersecurity with business risk. Read Now

  • Axis Communications Creates AI-powered Video Surveillance Orchestra

    What if cameras could not only see the world, but interpret it—and respond like orchestra musicians reading sheet music: instantly, precisely, and in perfect harmony? That’s what global network technology leader Axis Communications set to find out. Read Now

  • Just as Expected

    GSX produced a wonderful tradeshow earlier this week. Monday was surprisingly strong in the morning, and the afternoon wasn’t bad at all. That’s Monday’s results and asking attendees to travel on Sunday. Just a quick hint, no one wants to give up their weekend to travel and set up an exhibit booth. I’m just saying. Read Now

    • Industry Events
    • GSX
  • NOLA: The Crescent City

    Twenty years later we finds ourselves in New Orleans. Twenty years ago the aftermath of Hurricane Katrina forced exhibitors and attendees to look elsewhere for tradeshow floor space. Read Now

    • Industry Events
    • GSX

New Products

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame.

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure.

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge.