Network Security is a “Whole Field” Game

Network security requires a good firewall, detection system and containment.

Firewall, Detection, Containment. It does not help that each of these three disciplines is complicated, technical, and aimed at a diverse array of threats. They can also be expensive, and many of the threats are relatively new, designed to circumvent security solutions that have been trusted and effective for a generation.

Conundrum. Major network incidents are reported often in the news – and frequently the security analysis that accompanies these reports identifies security measures that could have been taken to prevent the incident. So often these measures are well-known procedures that should be in place for all financial services companies. What gives?

Human factors. CTP is a consulting company – we present technologies and solutions to many companies – sharing knowledge is education, and we generally find a very receptive audience. It is not unusual that implementation does not make the upcoming budget cycle!

  • Companies have typically addressed network security in a serious and disciplined manner, and so in many cases the issue really comes down to keeping up to date with current best practices.
  • Fitting the solution – sizing – the (expensive) solution applied to a Fortune 500 company does not fit an SMB company, and yet there is almost always a good solution that fits both the scale and the requirements of the problem.
  • It is rare that security incidents are reported publicly. The ones that do make the news often would not be a concern to the SMB. I think many exploits seem arcane and unlikely to be in play for the smaller company – indeed, why would a small company be of interest enough to be a target?
  • Purchase of a firewall can be straightforward – pick a manufacturer and get the sizing right. Containment and Detection solutions are more a collection of procedures and technologies directed at a plethora of disparate threats, with a wide range of pricing and impact on internal support staff. And, characteristic of IT, many of these measures can come across as mundane and more effort than they are worth.

Containment. We suggest that it is fair to assume that the network of any company, SMB and even smaller, will be compromised. If this is taken as a given, then two things follow: how can the network be arranged to make it most difficult for an intruder to steal or disrupt, and how can an intrusion be detected. The problem necessarily becomes a collection of cases – and a collection of remedies. Containment is a topic for another blog. From the technology side, we love to get into the details. On the receiving side, we are practiced at spotting the glazed-eye look.

  • Best practices – the technologies we group into containment are well known, widely recommended, and effective.
  • Impact – security measures can impact both IT staff and end-users. These measures do not keep people from doing their job, but can require that people conform to procedures and best practices. That may require learning a new way to do a familiar task.

The “whole field” game. There is an old saying, ball hogs die! Effectively protecting against modern-day attacks requires the whole field of tools. Once an attacker has gained entry to the network, containment measures can limit rights escalation, lateral movement, access to more secure networks that include servers and management devices, and so on. In gaining access, however, the attacker will have installed software on computers at the point of entry, in some cases under control of external computers, and these will need to be cleaned – detection measures will be important in identifying these computers. Web security, including application-aware inspection, site reputation, content filtering, data loss prevention – provided by the firewall and / or a web security device or hosted service – is critical in controlling transfer of information out of the company, breaking command and control connections, and much more. And so this comes down to a whole field effort.

Moving forward. Information Technology is a service – a service that supports the business of the company. Technology that does not contribute to the success of the business will seldom get funding. What is the case, then, for implementing detection and containment security measures? A topic for another blog – but a few things to think about and research. i) Malware today cannot be expected to be detected by traditional anti-virus methods. Current generation anti-virus systems now go about the problem very differently, beginning to converge with network detection technologies. ii) The business of hacking has matured, with specialists providing discrete services and marketing their product – Crime as a Service. iii) Small business, and especially in the Boston area, is an active target, and is profitable. In short – the tools in place at your company may not be able to detect current threats, you are protecting your company from specialists who collectively can understand the nature and business processes of your company, and it is likely worth their time to target your company.

  • Diversity of threats – requires a diversity of security measures.
  • Detection & Containment – complementary approaches that work together.
  • MFA – Multi-Factor Authentication has progressed from nice-to-have to must-have.
  • Incident Response Plan – Containment buys time and protects information, Detection alerts of an attack that triggers an incident response. Both are important.

Questions or wish to get on our mailing list? Please call us at 888-815-5420 or write to [email protected]

Frequently Asked Questions

TLP – Tiered Logon Protocol (2020-07-28)

The harvesting of account credentials by cyber-criminals, via phishing techniques and malware, has become an important means by which corporate networks have been compromised. One important defense is to ensure that management credentials are never cached on endpoint computers, via implementation of Tiered Logon Protocol (TLP). This may be done by assigning network administrators several user accounts, each restricted to certain management roles ranging from user-only privileges to a high level of management rights – tiered accounts. Use of these accounts is typically restricted – for example, logon by an administrator to an endpoint computer would be restricted to an account with user-only rights.
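One way to audit the logon restriction described above, as an added example that is not CTP's own code. The tier names, the account-suffix naming scheme, the host classes and the logon records are all constructed assumptions.

```python
# Added example: audit logon records against a tiered-account policy.
# Tier names, account suffixes, host classes and records are constructed.
from dataclasses import dataclass

# Assumption: each administrator's tiered accounts are told apart by suffix;
# an account with no suffix carries user-only rights.
ACCOUNT_TIERS = {"-t0": "domain-admin", "-t1": "server-admin"}

# Which account tiers may log on to which class of host.
ALLOWED = {
    "endpoint": {"user"},
    "server": {"server-admin"},
    "domain-controller": {"domain-admin"},
}

@dataclass(frozen=True)
class Logon:
    account: str
    host: str
    host_class: str

def tier_of(account: str) -> str:
    """Map an account name to its tier using the assumed suffix scheme."""
    for suffix, tier in ACCOUNT_TIERS.items():
        if account.lower().endswith(suffix):
            return tier
    return "user"

def violations(logons):
    """Return logons where the account's tier is not permitted on that host class."""
    found = []
    for ev in logons:
        allowed = ALLOWED.get(ev.host_class)
        # Unknown host classes are reported rather than silently trusted.
        if allowed is None or tier_of(ev.account) not in allowed:
            found.append(ev)
    return found

SAMPLE = [  # constructed logon records
    Logon("jsmith", "PC-014", "endpoint"),
    Logon("jsmith-t1", "FS-01", "server"),
    Logon("jsmith-t0", "PC-014", "endpoint"),   # management credential on an endpoint
    Logon("jsmith-t0", "DC-01", "domain-controller"),
    Logon("mlee-t1", "PC-022", "endpoint"),     # server-admin account on an endpoint
]

if __name__ == "__main__":
    for ev in violations(SAMPLE):
        print(f"tier violation: {ev.account} ({tier_of(ev.account)}) on {ev.host}")
```

Each flagged record marks an endpoint where a management credential may now be cached, which is the exposure the tiered accounts are meant to prevent.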

Two-Factor Authentication (2020-07-29)

Two-Factor Authentication requires that an end-user provide a password and a code from a physical device. The term Multi-Factor Authentication (MFA) has taken the place of two-factor authentication, simply because the technology deployed initially for two-factor authentication has evolved, such that the implementation has become much broader than the initial systems for two-factor authentication, while retaining the requirement of authenticating with both something memorized and something obtained from a physical device.

What is a segmented network? (2020-07-27)

All computers connected to a network are able to communicate directly with each other. That network might be divided into two, with PCs connected to one and servers connected to the other – and now PCs can communicate directly with other PCs but will be unable to reach servers. The network can be viewed as two segments – one for PCs, one for servers. Each of the two network segments might be connected to a firewall, such that traffic between the segments can be inspected and controlled – now adding security. Corporate networks typically have many segments – perhaps including PCs, general servers, VoIP for IP phones, wireless, management cards of network devices, and so on. The tools available to a hacker with access to the PC network are greatly diminished once it becomes necessary to cross a firewall to access central resources.

What is an endpoint network segment? (2020-07-27)

An endpoint device is taken to be any device that is used by an end-user to connect to a network – a PC, Mac, laptop, netbook, and so on. An endpoint network segment is taken to be a local network to which only endpoint devices are connected. The endpoint network segment will be connected to a firewall, such that access to other networks can be inspected and secured. Company servers and services might be located on a secure server network.
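The segment model from the two answers above (an endpoint segment and a server segment joined by a firewall), as an added example that is not from the original page. The addressing plan, segment names and firewall rules are constructed assumptions; the point is that traffic inside one segment never reaches the firewall, while traffic between segments is inspected and denied by default.

```python
# Added example: which flows does the inter-segment firewall get to inspect?
# Subnets, segment names and rules below are constructed for illustration.
import ipaddress

SEGMENTS = {
    "pcs": ipaddress.ip_network("10.10.0.0/24"),      # endpoint segment
    "servers": ipaddress.ip_network("10.20.0.0/24"),  # secure server segment
    "mgmt": ipaddress.ip_network("10.30.0.0/28"),     # management cards
}

# Firewall policy between segments: (source, destination, destination port).
# Anything not listed is denied.
RULES = {
    ("pcs", "servers", 443),
    ("pcs", "servers", 445),
    ("servers", "mgmt", 22),
}

def segment_of(ip: str):
    """Return the name of the segment containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def verdict(src: str, dst: str, port: int) -> str:
    """Classify a flow by whether it crosses the firewall and what the policy says."""
    s, d = segment_of(src), segment_of(dst)
    if s is None or d is None:
        return "deny (unknown segment)"
    if s == d:
        # Same segment: hosts talk directly, the firewall never sees the traffic.
        return "direct (not inspected)"
    return "allow (inspected)" if (s, d, port) in RULES else "deny (inspected)"

if __name__ == "__main__":
    flows = [  # constructed flows
        ("10.10.0.5", "10.10.0.9", 445),    # PC to PC
        ("10.10.0.5", "10.20.0.10", 443),   # PC to server, permitted service
        ("10.10.0.5", "10.20.0.10", 3389),  # PC to server, no rule
        ("10.10.0.5", "10.30.0.2", 22),     # PC to management segment
    ]
    for src, dst, port in flows:
        print(f"{src} -> {dst}:{port}  {verdict(src, dst, port)}")
```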


Collaborative Technology Partners

Collaborative Technology Partners, Inc., is a Boston MA based provider of Cloud Services, MSP and Cyber Security Consulting for companies operating in a Microsoft environment.
