It

It's All About the Network

Continued increase in data breaches reinforces need for holistic security approach

The daily increase in the number of cyber attacks launched and the success hackers are having against heavily guarded businesses are a wake-up call for all companies to be more proactive and vigilant in their security efforts. The retail industry in particular has been a recent target of attacks with a new breed of point-of-sale malware, known as GamaPoS, impacting numerous organizations across North America. This epitomizes the need for companies to properly segment network traffic and prohibit general access to the Internet. This is especially true if access is via a single or common LAN segment.

Protecting the network in general and not just a point of sale (PoS) system, a patient record database or other data sources is critically important for all companies to consider. Unfortunately, proper LAN segmentation and restricted network access is often overlooked, particularly when a company is focused primarily on meeting regulatory compliance and then goes back to normal operating procedures after the audit or required network scan has been completed. Most compliance guidelines are just that, guidelines. They do not offer tailored configurations for a business. By far the most specific compliance mandate is the PCI DSS which has evolved over a number of years and does offer a solid foundation for security.

SECURE THE NETWORKS

I frequently encounter businesses that neglect to properly segment and secure their networks for a host of reasons. Many will state that their PoS provider set up their “computers” and that they have no idea how their system operates. Others have very inexpensive and largely inexperienced IT people install, configure and maintain their systems. The problem is, I rarely see evidence of a highly skilled security engineer ever having setup and tested the network.

In the GamaPoS case, malware was introduced because someone likely gained unrestricted access to the Internet to inadvertently compromise the PoS system and critical data. Many companies balk at compliance regulations such as PCI for a number of reasons, but LAN segmentation and restricted Internet access, especially on a segment that leads to critical data, is not secure and in fact breaks security best practices and PCI rules. As an example of how critical network segmentation is, under PCI 3.1, companies must declare how they are segmenting payment card data from all other IP traffic and further, provide proof of segmentation. Having an Internet estuary is bad for any company, as it opens them up to malicious attacks. The reality: hackers use any and all routes over the Internet to infiltrate a company and find the valuables they’re looking to steal.

Network segmentation is one of the most effective controls a company can implement to mitigate the risk of a network intrusion. If implemented correctly, it makes it significantly more difficult for a cyber-criminal to locate and gain access to your most sensitive information. The goal of implementing network segmentation is to minimize access to sensitive data and more importantly deny access to people who don’t need it. The methodologies being used by hackers continues to evolve and become more sophisticated, but one common element hasn’t changed, they must have a route to the critical data.

DESCRIBE YOUR NETWORK

Scary as it may seem, a recent study IT professionals were asked to describe their network segmentation - “Only 30 percent of respondents said they had implemented a segmented network. A third stated they ‘set and forget’ their segmentation and an equal number reported they occasionally revisit it, typically around audit time. A brutally honest 6 percent said, ‘My network what?’”

Among the biggest problems businesses face is finding balance between security needs and costs. Ask any highly trained security auditor or consultant and they’ll likely suggest that you need as much as you can buy. Deploying, maintaining and managing such technologies come with a high cost and I don’t know of any consumers willing to pay $15 for a hamburger and fries. The key is finding a solution set that addresses general network segmentation and security while also providing more stringent security levels around your most critical assets/data.

It all starts with understanding what you have to protect! In order for a network segmentation strategy to work, you have to understand what your cyber assets are and where they reside. Many companies still struggle with this concept, but it’s critical that every stake holder know what hackers are after and why. The obvious choices are credit and debit information, followed closely by Personally Identifiable Information (PII) and Personal Health Information (PHI). On the rise is business theft. Criminals are stealing corporate trade secrets and financial data, and using it to blackmail the company into paying a ransom.

An alarming number of business stake holders think they are too small for a hacker to target. The reality is nothing could be further from the truth. Hackers don’t care about a business size, they look for holes in a network via scanning tools. They don’t discriminate between a luxury car or a clunker. If there’s something of value in the front seat it’s theirs for the taking. So, take the time to inventory your business and make a priority list of what’s the highest value asset that could be on your network and that is connected to the Internet. From there it’s much easier to isolate and defend and protect the business and its patrons.

TESTING SECURITY POSTURE

Focus on security first and not regulatory compliance. This may seem counterintuitive, but compliance mandates such as PCI DSS, HIPAA and others are simply a way of testing a company’s security posture. Take a top down approach, meaning secure your sensitive information and the remaining items to meet compliance standards are minimized. These standards are based on security best practices, so by implementing them you are effectively addressing your compliance requirements by default.

Understand the technical proficiency of your existing IT and/or security staff. If you have any. This can be a little bit of a sore subject, but the reality is that not all IT personnel are really good at security. In fact, not all certified security personnel are really good at it. Often they do not “practice” security on a daily basis because they double as the IT person and are busy keeping desktops, printers and wireless devices operational. In contrast, hackers do practice their craft every day.

Every company is limited by their resources and IT/security is no exception. Make a plan to discuss your security with your staff realizing that it’s a touchy subject and one that can invoke feelings of job insecurity. It’s rare to find technical personnel that are willing to openly state they need help (beyond financing security tools) in there are of expertise. But a word to the wise, take a look at recent breaches that have made the headlines. Every one of those companies had very good security technologies and resources in place and they still got hacked. Everyone needs to be willing to accept help from other professionals.

Look to outsourcing some or all of your critical security functions to managed security providers. MSSP’s are a great way to extend your security resources without the capital outlay that accompanies doing it yourself. Let’s be real for a moment. Beyond just investing in the hardware and software, it’s going to cost roughly $500,000 per year just to staff a security team because vigilance must be around the clock, every day of the year. And by the way, there is a critical shortage of trained security experts available to the market! By focusing on the steps above and realizing what cyber assets need to be protected, what compliance mandates are required and what are your existing IT/Security limitations, you can effectively come up with a list of “must have’s” when you look for an MSSP.

This article originally appeared in the February 2016 issue of Security Today.

Featured

  • Gaining a Competitive Edge

    Ask most companies about their future technology plans and the answers will most likely include AI. Then ask how they plan to deploy it, and that is where the responses may start to vary. Every company has unique surveillance requirements that are based on market focus, scale, scope, risk tolerance, geographic area and, of course, budget. Those factors all play a role in deciding how to configure a surveillance system, and how to effectively implement technologies like AI. Read Now

  • 6 Ways Security Awareness Training Empowers Human Risk Management

    Organizations are realizing that their greatest vulnerability often comes from within – their own people. Human error remains a significant factor in cybersecurity breaches, making it imperative for organizations to address human risk effectively. As a result, security awareness training (SAT) has emerged as a cornerstone in this endeavor because it offers a multifaceted approach to managing human risk. Read Now

  • The Stage is Set

    The security industry spans the entire globe, with manufacturers, developers and suppliers on every continent (well, almost—sorry, Antarctica). That means when regulations pop up in one area, they often have a ripple effect that impacts the entire supply chain. Recent data privacy regulations like GDPR in Europe and CPRA in California made waves when they first went into effect, forcing businesses to change the way they approach data collection and storage to continue operating in those markets. Even highly specific regulations like the U.S.’s National Defense Authorization Act (NDAA) can have international reverberations – and this growing volume of legislation has continued to affect global supply chains in a variety of different ways. Read Now

  • Access Control Technology

    As we move swiftly toward the end of 2024, the security industry is looking at the trends in play, what might be on the horizon, and how they will impact business opportunities and projections. Read Now

Featured Cybersecurity

Webinars

New Products

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles. 3

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame. 3

  • Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

    Connect ONE®

    Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation. 3