It

It's All About the Network

Continued increase in data breaches reinforces need for holistic security approach

The daily increase in the number of cyber attacks launched and the success hackers are having against heavily guarded businesses are a wake-up call for all companies to be more proactive and vigilant in their security efforts. The retail industry in particular has been a recent target of attacks with a new breed of point-of-sale malware, known as GamaPoS, impacting numerous organizations across North America. This epitomizes the need for companies to properly segment network traffic and prohibit general access to the Internet. This is especially true if access is via a single or common LAN segment.

Protecting the network in general and not just a point of sale (PoS) system, a patient record database or other data sources is critically important for all companies to consider. Unfortunately, proper LAN segmentation and restricted network access is often overlooked, particularly when a company is focused primarily on meeting regulatory compliance and then goes back to normal operating procedures after the audit or required network scan has been completed. Most compliance guidelines are just that, guidelines. They do not offer tailored configurations for a business. By far the most specific compliance mandate is the PCI DSS which has evolved over a number of years and does offer a solid foundation for security.

SECURE THE NETWORKS

I frequently encounter businesses that neglect to properly segment and secure their networks for a host of reasons. Many will state that their PoS provider set up their “computers” and that they have no idea how their system operates. Others have very inexpensive and largely inexperienced IT people install, configure and maintain their systems. The problem is, I rarely see evidence of a highly skilled security engineer ever having setup and tested the network.

In the GamaPoS case, malware was introduced because someone likely gained unrestricted access to the Internet to inadvertently compromise the PoS system and critical data. Many companies balk at compliance regulations such as PCI for a number of reasons, but LAN segmentation and restricted Internet access, especially on a segment that leads to critical data, is not secure and in fact breaks security best practices and PCI rules. As an example of how critical network segmentation is, under PCI 3.1, companies must declare how they are segmenting payment card data from all other IP traffic and further, provide proof of segmentation. Having an Internet estuary is bad for any company, as it opens them up to malicious attacks. The reality: hackers use any and all routes over the Internet to infiltrate a company and find the valuables they’re looking to steal.

Network segmentation is one of the most effective controls a company can implement to mitigate the risk of a network intrusion. If implemented correctly, it makes it significantly more difficult for a cyber-criminal to locate and gain access to your most sensitive information. The goal of implementing network segmentation is to minimize access to sensitive data and more importantly deny access to people who don’t need it. The methodologies being used by hackers continues to evolve and become more sophisticated, but one common element hasn’t changed, they must have a route to the critical data.

DESCRIBE YOUR NETWORK

Scary as it may seem, a recent study IT professionals were asked to describe their network segmentation - “Only 30 percent of respondents said they had implemented a segmented network. A third stated they ‘set and forget’ their segmentation and an equal number reported they occasionally revisit it, typically around audit time. A brutally honest 6 percent said, ‘My network what?’”

Among the biggest problems businesses face is finding balance between security needs and costs. Ask any highly trained security auditor or consultant and they’ll likely suggest that you need as much as you can buy. Deploying, maintaining and managing such technologies come with a high cost and I don’t know of any consumers willing to pay $15 for a hamburger and fries. The key is finding a solution set that addresses general network segmentation and security while also providing more stringent security levels around your most critical assets/data.

It all starts with understanding what you have to protect! In order for a network segmentation strategy to work, you have to understand what your cyber assets are and where they reside. Many companies still struggle with this concept, but it’s critical that every stake holder know what hackers are after and why. The obvious choices are credit and debit information, followed closely by Personally Identifiable Information (PII) and Personal Health Information (PHI). On the rise is business theft. Criminals are stealing corporate trade secrets and financial data, and using it to blackmail the company into paying a ransom.

An alarming number of business stake holders think they are too small for a hacker to target. The reality is nothing could be further from the truth. Hackers don’t care about a business size, they look for holes in a network via scanning tools. They don’t discriminate between a luxury car or a clunker. If there’s something of value in the front seat it’s theirs for the taking. So, take the time to inventory your business and make a priority list of what’s the highest value asset that could be on your network and that is connected to the Internet. From there it’s much easier to isolate and defend and protect the business and its patrons.

TESTING SECURITY POSTURE

Focus on security first and not regulatory compliance. This may seem counterintuitive, but compliance mandates such as PCI DSS, HIPAA and others are simply a way of testing a company’s security posture. Take a top down approach, meaning secure your sensitive information and the remaining items to meet compliance standards are minimized. These standards are based on security best practices, so by implementing them you are effectively addressing your compliance requirements by default.

Understand the technical proficiency of your existing IT and/or security staff. If you have any. This can be a little bit of a sore subject, but the reality is that not all IT personnel are really good at security. In fact, not all certified security personnel are really good at it. Often they do not “practice” security on a daily basis because they double as the IT person and are busy keeping desktops, printers and wireless devices operational. In contrast, hackers do practice their craft every day.

Every company is limited by their resources and IT/security is no exception. Make a plan to discuss your security with your staff realizing that it’s a touchy subject and one that can invoke feelings of job insecurity. It’s rare to find technical personnel that are willing to openly state they need help (beyond financing security tools) in there are of expertise. But a word to the wise, take a look at recent breaches that have made the headlines. Every one of those companies had very good security technologies and resources in place and they still got hacked. Everyone needs to be willing to accept help from other professionals.

Look to outsourcing some or all of your critical security functions to managed security providers. MSSP’s are a great way to extend your security resources without the capital outlay that accompanies doing it yourself. Let’s be real for a moment. Beyond just investing in the hardware and software, it’s going to cost roughly $500,000 per year just to staff a security team because vigilance must be around the clock, every day of the year. And by the way, there is a critical shortage of trained security experts available to the market! By focusing on the steps above and realizing what cyber assets need to be protected, what compliance mandates are required and what are your existing IT/Security limitations, you can effectively come up with a list of “must have’s” when you look for an MSSP.

This article originally appeared in the February 2016 issue of Security Today.

Featured

Featured Cybersecurity

Webinars

New Products

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions. 3

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening. 3

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols. 3