Improving Network Security: Where to Begin…
If you’re reading this, you are presumably interested in what high-level steps you should be thinking about to make your organization’s network more secure than it is today, or perhaps you just have a passing interest in information security. This is most definitely not an exhaustively complete how-to guide for anything. What follows here are just a few very general thoughts about where one might begin if they were asked to improve the overall security of most networks.
Learn The Lay of the LAN
One of the most daunting aspects of computer security is the sheer scale of the problem space. Every single device attached to every network has its own instances of running applications (client, server, or both), an operating system, a networking protocol stack, device drivers, and firmware. Security vulnerabilities can potentially exist anywhere where code runs and even where it doesn’t when you consider physical security. An initiative to improve the overall computer security of an organization should be rooted in a sound understanding of what devices exist on the network, what must run on each of these devices at each layer of the stack and why, and which users require access to services on those devices. It might seem obvious, but you can’t secure a system if you don’t know it exists, who uses it, and how and why they use it. Asset discovery utilities and port scanners can help you to ensure you have a complete and current picture of the devices and services in use on the network. From there, system and application logs can often help to identify the de-facto user base.
Know Your External Attack Surface Area
Once you know what key assets need to be protected, you can begin to think about how best to control access to these systems. Begin at the edges of the network and work your way inward. Read through the NAT policies and access control lists on your edge firewalls and routers to determine which machines (if any) on your network are permitted to accept traffic from the outside world and to validate that these policies are still required. Every system that needs to be accessible from the Internet is one more system that needs to be diligently patched, monitored, and isolated from other internal systems. Consider using an application security vulnerability utility to scan your applications for known vulnerabilities. If you have a web application that stores or processes credit card information, you are required to do this at least quarterly to be PCI compliant. Consider protecting public-facing services with an application firewall in addition to or instead of an ordinary firewall. While an ordinary firewall protecting a web application might be configured to allow all traffic from all IP addresses through to the web server when the destination ports are 80 or 443, a web application firewall can do this while also potentially recognizing and blocking HTTP requests consistent with common attacks such as cross-site scripting (XSS) and SQL injection.
Many organizations have moved their public-facing applications to cloud hosting providers in an effort to reduce or eliminate these administrative chores, but the cloud is not a magic bullet. Know which security-related maintenance tasks any hosting providers are obligated to perform and which items are still your responsibility. Examples might include activities such as patch management, firewall configuration support, DOS attack mitigation, and SSL certificate renewals just to name a few.
Client Device Security
Most organizations have a lot more desktops, laptops, tablets, and smartphones than they do servers, and a compromised mobile device can potentially be walked around the firewall to attack a network from within. Consider restricting all wireless networks to the Internet so that it is impossible to reach any internal networks from any wireless access point without a VPN connection. Mobile device management solutions exist which are capable of restricting which mobile apps users are allowed to install. A typical use case would be defining a policy that forbids the installation of any VPN apps to the phones and pushes the deployment of an anti-virus app to the device. Centrally managed host firewall software can help to protect laptops that are off-site. Any device small enough to be mobile is also small enough to be lost or stolen, so use disk encryption whenever it is practical.
In most networks with lots of client workstations, centrally-managed antivirus is essentially a necessity, but it ideally should not be the only line of defense. Most malware that finds its way on to workstations gets there because the user downloaded it without ever realizing it, so your goal should be to prevent the download from happening in the first place. Use an e-mail provider that scans and scrubs infected attachments before delivery, or software to do the same if you operate your own mail servers. Consider routing Internet traffic for workstations through a firewall that is capable of scanning and filtering executable downloads and blocking traffic to known malicious domains and/or requiring all web traffic to go through a proxy server.
Encourage an Information Security Aware Culture
Security researcher and expert, Bruce Schneier famously wrote that, “Security is a process, not a product.” There are lots of good products that can help you achieve your security goals, but none of them can stop users from storing all their passwords on a sticky note under their keyboard. The process of maintaining security requires continued regular iterations, and ultimately depends on people who take the process seriously. Make it your goal to devise security procedures that are so streamlined and easy that people have no excuse not to follow them. This is not always possible, and some policies and procedures are bound to be unpopular. In these cases, be prepared to clearly communicate and document the risks of using an insecure process.
© 2016-2020 Envisa® All Rights Reserved.