Preparing for the Network Hacker

What measures might be taken to make a hacker’s work as difficult as possible?

We suggest a fundamental change has come about – where ten years ago companies could reasonably strive to prevent a successful network attack and penetration, the likelihood now is that networks of most companies will be compromised in spite of those efforts. It follows that attention should now turn to minimizing or even preventing damage in such an event – taking measures to make the job of the hacker as difficult as possible.

Goals:

  • Keep information in. Given the working assumption that at some point a cyber-criminal will gain access to the network, via a compromised end-user computer or other means, there are good ways to detect and prevent the export of information.
  • Protect against escalation of rights / lateral movement. Attempted penetration often focuses on moving from the point of entry to critical servers and resources, which requires escalation of user rights and discovery of the network and its resources. There are good management techniques for this; network segmentation, such that endpoint devices are separated from servers and other secure networks, will facilitate this goal.
  • Remote workers. Cloud hosted services are available to provide firewall, web security and VPN solutions for remote workers. These effectively move the sphere of end-point protection out to cover any Internet access – from a hotel, home, or other location.
  • Perimeter defense. The firewall and restriction of any Internet facing services to isolated DMZ zones is standard practice. Multi-Factor Authentication and enforcement of strong passwords have become all but mandatory, even more so as critical services are increasingly moving to hosted cloud services.
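For the first goal, keeping information in, the detection side can be as simple as watching outbound volume per user and destination. The following is an added example, not code from the original post: a small egress monitor run over a constructed web-proxy log. The log format (timestamp, user, destination host, bytes sent), the list of sanctioned upload destinations and the two thresholds are all assumptions made for the illustration.

```python
"""Flag bulk outbound transfers from a web-proxy log (added example).

The sample lines below are constructed for this example; the field
layout (timestamp, user, destination host, bytes sent) mimics a typical
proxy access log but is an assumption, not any product's own format.
"""
from collections import defaultdict

# Constructed sample: timestamp, user, destination, bytes_out
SAMPLE_PROXY_LOG = """\
2020-07-28T09:01:12Z jsmith files.example-cloud.test 1200
2020-07-28T09:02:40Z jsmith files.example-cloud.test 1100000000
2020-07-28T09:03:05Z akim intranet.corp.test 4000
2020-07-28T09:04:19Z jsmith paste.untrusted.test 40000000
2020-07-28T09:05:00Z akim mail.corp.test 22000
2020-07-28T09:06:33Z rlee files.example-cloud.test 300000000
"""

# Destinations the company sanctions for large uploads (assumption).
SANCTIONED = {"files.example-cloud.test", "mail.corp.test", "intranet.corp.test"}

# Assumed thresholds: per-user bytes to any single unsanctioned destination,
# and per-user total egress across the whole log window.
UNSANCTIONED_LIMIT = 10 * 1024 * 1024   # 10 MiB
TOTAL_LIMIT = 1024 * 1024 * 1024        # 1 GiB


def parse_proxy_log(text):
    """Yield (user, destination, bytes_out) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, user, dest, nbytes = line.split()
        yield user, dest, int(nbytes)


def egress_alerts(text):
    """Return a sorted list of (user, reason) alerts for the log text."""
    per_user_total = defaultdict(int)
    per_user_dest_unsanctioned = defaultdict(int)
    for user, dest, nbytes in parse_proxy_log(text):
        per_user_total[user] += nbytes
        if dest not in SANCTIONED:
            per_user_dest_unsanctioned[(user, dest)] += nbytes

    alerts = []
    for (user, dest), total in per_user_dest_unsanctioned.items():
        if total > UNSANCTIONED_LIMIT:
            alerts.append((user, f"{total} bytes to unsanctioned {dest}"))
    for user, total in per_user_total.items():
        if total > TOTAL_LIMIT:
            alerts.append((user, f"{total} bytes total egress"))
    return sorted(alerts)


if __name__ == "__main__":
    for user, reason in egress_alerts(SAMPLE_PROXY_LOG):
        print(user, reason)
```

On the constructed log, jsmith is flagged twice (a 40 MB upload to an unsanctioned paste site, and more than 1 GiB total), while rlee's large upload to a sanctioned file service is not. The point of the two separate thresholds is that the unsanctioned-destination limit can be far lower than the total limit without generating noise from normal business uploads.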

In short, arrange the network such that a cyber-criminal will have access only via an endpoint network, that once connected there is precious little a cyber-criminal can do on that endpoint network, and make export of information from any network as difficult as possible – with good monitoring to alert of an intrusion.

Meeting new threats does not mean neglecting the old ones – strong network monitoring, Intrusion Detection, routine penetration testing, strong password enforcement, restrictive firewall policies, comprehensive anti-virus and patch management, and frequent end-user reminders of the dangers of phishing and related attacks have all become standard practice and a good foundation for security.

Tools that Support the Goals

CTP has found that there is good recognition for the many security technologies: Multi-Factor Authentication (MFA), network segmentation, monitoring, in-house Public Key Infrastructure (PKI), Internet Web Security (including decryption of HTTPS traffic), Data Loss Prevention (DLP) tools, and file level encryption. We find that it can help to go at the problem by starting with the goals, and then consider the technologies that support those goals. It can be much easier to develop a rational plan for implementing technologies when the most immediate security requirements of the company are the starting point.

As a point of interest, there is a carefully and concisely (and densely) written paragraph of network security guidance, taken from the SEC Investment Management Guidance Update document:

Create a strategy that is designed to prevent, detect and respond to cybersecurity threats. Such a strategy could include: (1) controlling access to various systems and data via management of user credentials, authentication and authorization methods, firewalls and/or perimeter defenses, tiered access to sensitive information and network resources, network segregation, and system hardening; (2) data encryption; (3) protecting against the loss or exfiltration of sensitive data by restricting the use of removable storage media and deploying software that monitors technology systems for unauthorized intrusions, the loss or exfiltration of sensitive data, or other unusual events; (4) data backup and retrieval; and (5) the development of an incident response plan. Routine testing of strategies could also enhance the effectiveness of any strategy.

As we parse through this paragraph, we find that the goals we have discussed in this blog correspond closely to it.

Our take-home message is that there are a series of security measures that have evolved and are effective in protecting company data from today’s cyber-attacks.

Collaborative Technology Partners, Inc., is a Boston MA based IT consulting company. We have been providing design and implementation of IT security solutions, often to meet compliance requirements of a variety of financial services companies, since 2001.

Frequently Asked Questions

TLP – Tiered Logon Protocol

The harvesting of account credentials by cyber-criminals, via phishing techniques and malware, has become an important means by which corporate networks have been compromised. One important defense is to ensure that management credentials are never cached on endpoint computers, via implementation of Tiered Logon Protocol (TLP). This may be done by assigning network administrators several user accounts, each restricted to certain management roles ranging from user only privileges to a high level of management rights – tiered accounts. Use of these accounts is typically restricted – for example, logon by an administrator to an endpoint computer would be restricted to an account with user only rights.
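The tiering rule above is only as good as its enforcement, and the cheapest check is to audit logon events for a management-tier account landing on an endpoint. The following is an added example, not code from the original post. It assumes a naming convention (t0- for tier 0 identity/domain administration, t1- for tier 1 server administration, anything else a tier 2 user account), a host-name prefix convention (DC-, SRV-, WS-), and constructed event lines that only resemble the fields of Windows Security event 4624; none of these conventions come from the post.

```python
"""Detect tiered-logon policy violations in Windows logon events (added example).

Assumptions, not from the original post: admin accounts are prefixed
t0- (tier 0) or t1- (tier 1) and everything else is a tier 2 user; hosts
are classed by prefix DC- / SRV- / WS-.  The event lines are constructed
to resemble Security event 4624 fields, not a real export.
"""
import re

# Constructed sample: event_id,time,account,workstation,logon_type
SAMPLE_EVENTS = """\
4624,2020-07-28T08:00:01Z,t0-jsmith,DC-01,10
4624,2020-07-28T08:05:12Z,jsmith,WS-0412,2
4624,2020-07-28T08:07:45Z,t0-jsmith,WS-0412,2
4624,2020-07-28T08:09:03Z,t1-akim,SRV-FILE01,10
4624,2020-07-28T08:11:30Z,t1-akim,WS-0210,10
4624,2020-07-28T08:12:00Z,t1-akim,WS-0210,3
4625,2020-07-28T08:13:00Z,t0-jsmith,WS-0412,2
"""

# Lower tier number = more privileged.  Unmatched names fall to tier 2.
ACCOUNT_TIER = [(re.compile(r"^t0-"), 0), (re.compile(r"^t1-"), 1)]
HOST_TIER = [(re.compile(r"^DC-"), 0), (re.compile(r"^SRV-"), 1), (re.compile(r"^WS-"), 2)]

# Logon types that leave reusable credential material on the host:
# 2 interactive, 7 unlock, 10 remote interactive, 11 cached interactive.
# A network logon (3) does not, so it is not a tiering violation here.
CACHING_LOGON_TYPES = {2, 7, 10, 11}


def account_tier(name):
    for pattern, tier in ACCOUNT_TIER:
        if pattern.match(name):
            return tier
    return 2


def host_tier(host):
    for pattern, tier in HOST_TIER:
        if pattern.match(host):
            return tier
    return 2  # an unknown host is treated as least trusted


def tiered_logon_violations(text):
    """Return (time, account, host) for every successful caching logon in
    which the account's tier is more privileged than the host's tier."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event_id, ts, account, host, logon_type = line.split(",")
        if event_id != "4624" or int(logon_type) not in CACHING_LOGON_TYPES:
            continue
        if account_tier(account) < host_tier(host):
            hits.append((ts, account, host))
    return hits


if __name__ == "__main__":
    for ts, account, host in tiered_logon_violations(SAMPLE_EVENTS):
        print(f"{ts} {account} logged on interactively to {host}")
```

Two of the constructed events are violations: the tier 0 account on a workstation and the tier 1 account's remote-interactive logon to a workstation. The tier 1 account's network logon (type 3) to the same workstation is deliberately not flagged, because that logon type does not cache credentials on the target; whether it should still be disallowed is a policy decision the check can be tightened for.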

Two-Factor Authentication

Two-Factor Authentication requires that an end-user provide a password and a code from a physical device. The term Multi-Factor Authentication (MFA) has taken the place of two-factor authentication, simply because the technology deployed initially for two-factor authentication has evolved, such that the implementation has become much broader than the initial systems for two-factor authentication, while retaining the requirement of authenticating with both something memorized and something obtained from a physical device.

What is a segmented network?

All computers connected to a network are able to communicate directly with each other. That network might be divided into two, with PCs connected to one and servers connected to the other – and now PCs can communicate directly with other PCs but will be unable to reach servers. The network can be viewed as two segments – one for PCs, one for servers. Each of the two network segments might be connected to a firewall, such that traffic between the segments can be inspected and controlled – now adding security. Corporate networks typically have many segments – perhaps including PCs, general servers, VoIP for IP phones, wireless, management cards of network devices, and so on. The tools available to a hacker with access to the PC network are greatly diminished once it becomes necessary to cross a firewall to access central resources.

What is an endpoint network segment?

An endpoint device is taken to be any device that is used by an end-user to connect to a network – a PC, Mac, laptop, netbook, and so on. An endpoint network segment is taken to be a local network to which only endpoint devices are connected. The endpoint network segment will be connected to a firewall, such that access to other networks can be inspected and secured. Company servers and services might be located on a secure server network.
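The two FAQ entries above, and the lateral-movement goal earlier in the post, describe the same arrangement: an endpoint segment and a server segment joined by a firewall, with management interfaces on a segment of their own. The following is an added example, not code from the original post, that models that arrangement as a first-match firewall policy and evaluates sample flows against it. The address ranges, ports and rules are constructed for the illustration and are not a recommended ruleset.

```python
"""Segment-to-segment firewall policy evaluation (added example).

Models the segmented network from the FAQ: an endpoint segment, a server
segment and a management segment joined by a firewall.  Rules are
evaluated first-match, as in most firewall policies.  Addresses, ports
and rules below are constructed for illustration.
"""
import ipaddress

SEGMENTS = {
    "endpoints": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/24"),
    "management": ipaddress.ip_network("10.99.0.0/24"),
}

# (src segment, dst segment, protocol, dst ports, action); None = any.
RULES = [
    ("endpoints", "servers", "tcp", {443, 445}, "allow"),  # web apps, file shares
    ("endpoints", "servers", "udp", {53}, "allow"),        # DNS
    ("servers", "endpoints", "tcp", None, "deny"),         # servers never initiate to PCs
    ("endpoints", "management", None, None, "deny"),       # PCs never reach device management
    ("management", None, None, None, "allow"),             # admin jump segment
]
DEFAULT_ACTION = "deny"  # anything no rule matches is dropped


def segment_of(addr):
    """Return the segment name containing addr, or None if unknown."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None


def evaluate(src, dst, proto, dport):
    """Return ('allow' | 'deny', reason) for a flow src -> dst:dport over proto."""
    s, d = segment_of(src), segment_of(dst)
    if s is None or d is None:
        return "deny", "address outside any known segment"
    if s == d:
        # Same segment: hosts talk directly, the firewall never sees it.
        return "allow", f"same segment ({s}), traffic does not cross the firewall"
    for i, (rs, rd, rp, rports, action) in enumerate(RULES):
        if rs not in (None, s) or rd not in (None, d):
            continue
        if rp not in (None, proto):
            continue
        if rports is not None and dport not in rports:
            continue
        return action, f"rule {i}"
    return DEFAULT_ACTION, "default policy"


if __name__ == "__main__":
    for flow in [("10.10.5.7", "10.10.9.2", "tcp", 445),    # PC -> PC
                 ("10.10.5.7", "10.20.0.10", "tcp", 445),   # PC -> file server
                 ("10.10.5.7", "10.20.0.10", "tcp", 3389),  # PC -> server RDP
                 ("10.10.5.7", "10.99.0.1", "tcp", 22),     # PC -> switch management
                 ("10.99.0.5", "10.20.0.10", "tcp", 22)]:   # admin jump -> server
        print(flow, evaluate(*flow))
```

The evaluation makes the FAQ's last sentence visible: once the servers sit behind the firewall, a PC can reach only the services the rules name, and the management segment is unreachable from the endpoint segment altogether. It also shows the limit the post is honest about: PC-to-PC traffic on the endpoint segment never crosses the firewall, which is why the tiered-logon practice exists to keep management credentials off those endpoints.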
