When someone brings up the topic of network protection, what’s the first thing that pops into your head? Is it passwords or encryption? Does your mind go to Wi-Fi Protected Access 2 (WPA2)? Or do you think about LAN separation, physical security measures, DMZs, compensating controls, and complex architecture?
There obviously can’t be one answer that’s right for everyone. Two organizations of similar size and complexity may have very different requirements based on their internal cultures, operating models, budgets, policy obligations, and a multitude of other factors. The security implementation for individual networks can vary drastically based on the level of Confidentiality, Availability, and Integrity required by the data traversing the network.
Think of this post as an intellectual exercise—an opportunity to raise questions and stimulate your thought processes about ways to better protect your data. Without knowing the specifics of your network, we can’t offer nuts and bolts details for improving your security posture, but we can ask a few questions that will (hopefully) help you get your mindset in the right place.
The questions themselves are straightforward and deceptively simple. Don't let that fool you. Finding answers to some of them may be murky and difficult.
#1 Do you know what devices are present on your network?
We don’t mean according to your hardware list and network drawings. We mean actual devices (whether planned or unplanned) that are operating on your network. Even with relatively stiff access control measures, if you have multiple administrators, there’s a fair chance that one (or more) of them have authorized connections to devices that aren’t part of your planned network. It’s amazing how often such on-the-fly additions don’t get properly documented, even when they’re added for constructive purposes by users/administrators with only good intentions.
If you don’t know exactly what’s on your network, odds are good that some of the devices are not being scanned, patched, audited, or properly monitored. And that means you’ve got vulnerabilities and potential attack surfaces that you’re not even aware of.
Regardless of the size of your network, you should have full visibility of every connected device. Common security measures like recurring scanning policies, regularly scheduled firewall reviews, whitelists and blacklists, and Access Control Lists are all helpful, but one rogue device added by a well-meaning administrator can create a gaping hole in your defenses.
#2 Does your vulnerability management solution keep your security patches current?
If your cyber team is on the ball, you may be nodding your head and patting yourself on the back right now. But pause mid-pat for a second and look back to Question #1. Even if you’ve got a rock-solid process for downloading, testing, and pushing security patches, it’s only truly effective if it covers everything on your network. This is one of the places where unknown devices can really bite you. If you don’t know it’s there, you’re definitely not patching it.
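As an added illustration of Questions #1 and #2 (example code, not from the original post): a small Python script that reconciles the devices actually answering on the wire against the documented inventory, reporting both devices the drawings know nothing about and documented devices that sit in no patch group. The inventory columns, the `patch_group` value `none`, and both data sets are constructed assumptions; the ARP dump follows the `/proc/net/arp` layout.

```python
"""Reconcile live-observed devices against the documented inventory (added example).
Assumes: inventory CSV with mac,hostname,owner,patch_group columns and an ARP dump in
/proc/net/arp layout. Both inputs below are constructed sample data, not real hosts."""
import csv
import io
import re

# Constructed inventory: what the hardware list and network drawings say is present.
INVENTORY_CSV = """mac,hostname,owner,patch_group
00:11:22:33:44:01,fileserver01,it-ops,monthly
00:11:22:33:44:02,printer-2f,facilities,none
00:11:22:33:44:03,admin-laptop,jdoe,weekly
"""

# Constructed ARP table: what is actually answering on the segment right now.
ARP_DUMP = """IP address       HW type     Flags       HW address            Mask     Device
10.0.0.10        0x1         0x2         00:11:22:33:44:01     *        eth0
10.0.0.11        0x1         0x2         00:11:22:33:44:02     *        eth0
10.0.0.50        0x1         0x2         DE:AD:BE:EF:00:42     *        eth0
10.0.0.51        0x1         0x0         00:00:00:00:00:00     *        eth0
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def load_inventory(text):
    """Return {mac: row}, keyed by lowercase MAC so case differences can't hide a device."""
    return {r["mac"].strip().lower(): r for r in csv.DictReader(io.StringIO(text))}


def parse_arp(text):
    """Return {mac: ip} for complete ARP entries (flags 0x2); incomplete rows are skipped."""
    seen = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        parts = line.split()
        if len(parts) < 6:
            continue
        ip, flags, mac = parts[0], parts[2], parts[3].lower()
        if flags == "0x2" and MAC_RE.match(mac):
            seen[mac] = ip
    return seen


def reconcile(inventory, observed):
    """Split live devices into (unknown, unmanaged): not documented at all, or documented
    but in no patch group, which is exactly the gap Questions #1 and #2 warn about."""
    unknown = {mac: ip for mac, ip in observed.items() if mac not in inventory}
    unmanaged = {mac: inventory[mac]["hostname"] for mac in observed
                 if mac in inventory and inventory[mac]["patch_group"] == "none"}
    return unknown, unmanaged
```

A MAC-keyed check like this catches the undocumented additions the post describes, not a device deliberately impersonating a known one, which is why it belongs alongside the scanning, firewall-review, and ACL measures rather than replacing them.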
#3 Does your access control strategy balance network security against availability and the needs of users?
Again, there is no one-size-fits-all solution. The campus network at a university may be large, general-purpose in nature, and might support a user base in which hundreds of people come and go more or less continually. Except for isolated modules protecting Personally Identifiable Information, grades, etc., much of the network’s content is likely to be relatively non-sensitive. Users may share passwords without risking major consequences. Loss of network functionality would no doubt be a significant inconvenience, but would probably not qualify as an emergency.
By contrast, a military network might have a small number of users whose account access and credentials must be rigidly controlled. The content is likely to be more narrowly focused, will tend to be sensitive in nature, and may actually be classified to protect national security. The sharing of passwords and credentials could be punishable under criminal law. Loss of network functionality can lead to degradation of mission readiness, and could—under some circumstances—actually get people killed.
Getting your access control strategy right can be a complex process. Implementation should be aligned to the size of your user base, the sensitivity of the network’s content, and the consequences of losing functionality. If you’re using a turnkey access control solution that doesn’t take these things into account, you may be drastically under-protecting (or over-protecting) your network.
Continued in Part 2…