Has Your Network Security Posture Been Vaccinated?
For executives and managers who are tasked with ensuring their company does not suffer a security event, the following Top 11 Strategic Initiatives will provide that guidance. While many believe these initiatives are already in practice, our experience has shown that attacks are often successful in organizations that thought they were completely covered…but were not. Whether this list is used to define a comprehensive data security strategy, or as a second opinion, it can help any organization reduce its risk of a security compromise.
1. Assess, Reduce and Monitor Client-side Attack Surface
Why: In 2010, we saw client-side attacks occurring faster than anyone would have predicted. Software developers of browsers, plug-ins and viewers were at times issuing security updates every couple of weeks.
How: For various classes of applications, create an organizational standard. Monitor those versions and develop a method of inventorying the applications to measure adherence to standards. Finally, develop a method of evaluating risks, communicating them if needed and rapidly patching them when required.
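As an added example (not code from the original post or from Trustwave SpiderLabs), the following Python script shows the inventory-versus-standard check described above: an organizational standard of minimum approved versions per application class, a constructed inventory as a host agent might report it, and a comparison that flags hosts below the minimum as well as applications the standard does not cover at all. All application names, versions and host names are constructed sample values.

```python
# Added example: measure adherence of a client-side software inventory
# to an organizational version standard. All data below is constructed.

from typing import Dict, List, Tuple

# Organizational standard: minimum approved version per application class.
# Constructed values; a real standard comes from the patch-management process.
STANDARD: Dict[str, str] = {
    "browser": "10.0.2",
    "pdf-viewer": "9.4.1",
    "flash-plugin": "10.2.152",
}

# Constructed inventory records, one per (host, application) pair.
INVENTORY: List[Dict[str, str]] = [
    {"host": "ws-001", "app": "browser", "version": "10.0.2"},
    {"host": "ws-002", "app": "browser", "version": "9.0.8"},
    {"host": "ws-002", "app": "pdf-viewer", "version": "9.4.1"},
    {"host": "ws-003", "app": "pdf-viewer", "version": "9.3.4"},
    {"host": "ws-003", "app": "flash-plugin", "version": "10.2.152"},
    {"host": "ws-004", "app": "media-player", "version": "1.2"},
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.0.2' into (10, 0, 2) so versions compare numerically.
    A plain string comparison would wrongly rank '9.0.8' above '10.0.2'."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def find_noncompliant(inventory: List[Dict[str, str]],
                      standard: Dict[str, str]) -> List[Dict[str, str]]:
    """Return inventory records that fall below the standard, plus records
    for applications the standard does not cover: an unmanaged client-side
    application is itself a finding, since nobody is tracking its updates."""
    findings = []
    for rec in inventory:
        minimum = standard.get(rec["app"])
        if minimum is None:
            findings.append({**rec, "reason": "no organizational standard"})
        elif parse_version(rec["version"]) < parse_version(minimum):
            findings.append({**rec, "reason": f"below minimum {minimum}"})
    return findings


def compliance_rate(inventory: List[Dict[str, str]],
                    standard: Dict[str, str]) -> float:
    """Percentage of inventory records meeting the standard (one decimal)."""
    if not inventory:
        return 100.0
    bad = len(find_noncompliant(inventory, standard))
    return round(100.0 * (len(inventory) - bad) / len(inventory), 1)


if __name__ == "__main__":
    for f in find_noncompliant(INVENTORY, STANDARD):
        print(f"{f['host']:8} {f['app']:14} {f['version']:10} {f['reason']}")
    print(f"compliance: {compliance_rate(INVENTORY, STANDARD)}%")
```

The compliance rate is the number worth tracking over time; a single run only tells you where you stand today, whereas a falling rate shows that the patching process is not keeping up with vendor update cadence.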
2. Embrace Social Networking, but Educate Staff
Why: The medium is not going away anytime soon; social networking is being used to improve brand awareness, reduce costs and connect with customers. Along with official business uses, employees are going to join the ranks of everyone else on the planet from age 2 to 102. With this come risks, such as public exposure of private company information or cybercriminals identifying targets by mining social profiles for personal information.
How: Establish a policy on what company information and activities can be shared by unofficial users. Educate staff on this policy and provide them additional awareness training on how they can protect themselves and the organization against social networking based attacks.
3. Develop a Mobile Security Program
Why: Staff with company issued smartphones, laptops and other devices carry their organization’s intellectual property with them wherever they go.
How: Evaluate the various platforms used by employees, identify those that cannot enforce enterprise profiles and decide how to phase them out. Over the next few years, mobile attacks may surpass those against desktops. Gaining as much control over the configurations of mobile devices as there is for desktop and service environments will help organizations begin to reduce risk.
4. Use Multifactor Authentication
Why: People choose easy-to-remember (poor) passwords if they are allowed to. Even with password complexity rules enforced, many still choose passwords that are weak.
How: Multifactor authentication does not work everywhere, but should be strongly considered where possible. Critically important for perimeter access such as VPN or Remote Access, the cost of implementing a multifactor solution is far less than the impact of a major breach of the corporate network and loss of data.
5. Eradicate Clear-text Traffic
Why: Cybercriminals know that businesses send sensitive data over private networks in the clear.
How: This is as simple as implementing SSL certificates for Web-based transactions, using e-mail encryption or using end-to-end encryption for transaction processing systems.
6. Virtually Patch Web Applications Until Fixed
Why: Both internal and external Web applications should be tested on a continuous basis using both manual and automated means to identify security issues. Vulnerabilities can then receive a virtual patch until a full patch can be developed.
How: Implement a Web application firewall and apply a virtual patch to protect applications based upon the result of the security testing. The development teams can then create a fix for the vulnerability; once it has been validated the Virtual Patch can be safely removed from the WAF.
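To make the virtual-patch lifecycle concrete, here is an added Python example (not code from the original post, and not any real WAF product's rule syntax) of a small request filter that applies a rule tied to a hypothetical test finding, logs what it blocks, and retires the rule once the development fix has been validated. The finding id, path and parameter are constructed: the hypothetical report item says the `id` parameter of `/account/view` is only validated on the client, so the virtual patch enforces a numeric-only allowlist on the server side until the application fix ships.

```python
# Added example: virtual-patch rules keyed to test findings, with an
# explicit retire step for when the real fix is validated. Constructed
# finding id, path and parameter; not a real WAF rule format.

import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Request:
    method: str
    path: str
    params: Dict[str, str] = field(default_factory=dict)


@dataclass
class VirtualPatch:
    finding_id: str                    # ties the rule to the test report item
    path: str                          # only requests to this path are checked
    check: Callable[[Request], bool]   # True means the request is acceptable
    active: bool = True


class VirtualPatchSet:
    def __init__(self) -> None:
        self.patches: List[VirtualPatch] = []
        self.log: List[str] = []

    def add(self, patch: VirtualPatch) -> None:
        self.patches.append(patch)

    def retire(self, finding_id: str) -> bool:
        """Deactivate the rule once the application fix is validated.
        Returns False if no active rule carries that finding id."""
        for p in self.patches:
            if p.finding_id == finding_id and p.active:
                p.active = False
                return True
        return False

    def inspect(self, req: Request) -> Optional[str]:
        """Return the finding id whose rule blocks the request, or None
        to allow it. The log records parameter names only, never values,
        so the WAF log does not become a store of sensitive input."""
        for p in self.patches:
            if p.active and req.path == p.path and not p.check(req):
                self.log.append(
                    f"BLOCK {p.finding_id} {req.method} {req.path} "
                    f"params={sorted(req.params)}")
                return p.finding_id
        return None


# Allowlist check: the parameter must be a short decimal number. An
# allowlist is preferred over a blocklist of bad inputs because it does
# not need updating for each new variant the testers find.
NUMERIC = re.compile(r"[0-9]{1,10}")


def id_is_numeric(req: Request) -> bool:
    return NUMERIC.fullmatch(req.params.get("id", "")) is not None


def build_patch_set() -> VirtualPatchSet:
    ps = VirtualPatchSet()
    ps.add(VirtualPatch("FINDING-001", "/account/view", id_is_numeric))
    return ps


if __name__ == "__main__":
    ps = build_patch_set()
    for r in (Request("GET", "/account/view", {"id": "42"}),
              Request("GET", "/account/view", {"id": "abc"})):
        print(r.path, r.params, "->", ps.inspect(r) or "allow")
    ps.retire("FINDING-001")
    print("after retire:", ps.inspect(Request("GET", "/account/view", {"id": "abc"})) or "allow")
```

Keying every rule to a finding id is what makes the removal step safe: when the development team's fix is validated, the security team retires exactly that rule, rather than guessing which of many accumulated WAF rules can go.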
7. Empower Incident Response Teams
Why: An organization’s internal incident response team should be investigating anomalies. If there is no incident response team, consider creating and maintaining one.
How: The incident response team should have access to the security team’s notifications or information stored within log aggregation or analysis systems, such as a security information and event management (SIEM) system. Empower the team to investigate even the most obscure issues. While investigating a data breach, SpiderLabs often learned there were minor signs of criminal activity identified by the organization’s internal staff several months before we arrived, but no one investigated. Security teams are often told to wait for the next large breach or HR-issued directive to take action, rather than seeking out signs of initial attack activity.
8. Enforce Security Upon Third-Party Relationships
Why: Third-party vendors and their products introduce vulnerabilities, mostly as a result of default, vendor-supplied credentials and insecure remote access implementations.
How: Organizations need to be aware of what regulations or industry requirements apply to them, and what is required of their third-party vendors to be able to know if those vendors are compliant. For large strategic partnerships, organizations should require their partners to undergo third-party security testing on a regular basis, with the results shared with the security team. In addition to functional testing, organizations should strive to include non-functional security requirements for implementation, maintenance and support services in their agreements with vendors.
9. Implement Network Access Control
Why: Most internal network environments tested by SpiderLabs had a weak security posture. Externally, attackers can only use Layer 3 (the network layer of the Open Systems Interconnection [OSI] model) and above to perform their attacks. On the internal network, they can start at OSI Layer 2. This means that an attack such as man-in-the-middle (MITM) is not only effective, but easily performed in most corporate environments.
How: A network access control solution combined with a segmentation strategy can help the internal network be just as resilient against attack as the externally protected perimeter.
10. Analyze All Events
Why: Network devices, servers, workstations and applications can all generate events. We often don’t let them because the “noise” they create can overwhelm the security staff. However, these events frequently serve as an early indicator of the origins of an actual attack.
How: Implement a security information and event management (SIEM) system to help turn noise into action by applying policy and workflows to the events the environment generates.
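The following Python example is added here to illustrate both initiative 7 (giving the incident response team something concrete to investigate) and initiative 10 (turning event noise into action); it is not code from the original post or from Trustwave. It parses a handful of constructed authentication events in a syslog-like shape and applies one SIEM-style correlation rule: a successful login preceded by a burst of failures for the same user and source within a short window. The log lines, host name, user names and addresses are all constructed sample data.

```python
# Added example: a minimal SIEM-style correlation over constructed auth
# events. Flags a success that follows a burst of failures for the same
# (user, source) pair inside a time window.

import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events; the gateway name, users and addresses are made up.
SAMPLE_LOG = """\
2010-11-02T08:01:10 vpn-gw auth: result=FAIL user=jsmith src=203.0.113.5
2010-11-02T08:01:14 vpn-gw auth: result=FAIL user=jsmith src=203.0.113.5
2010-11-02T08:01:19 vpn-gw auth: result=FAIL user=jsmith src=203.0.113.5
2010-11-02T08:01:25 vpn-gw auth: result=FAIL user=jsmith src=203.0.113.5
2010-11-02T08:01:31 vpn-gw auth: result=FAIL user=jsmith src=203.0.113.5
2010-11-02T08:01:40 vpn-gw auth: result=OK user=jsmith src=203.0.113.5
2010-11-02T08:02:02 vpn-gw auth: result=FAIL user=akhan src=198.51.100.7
2010-11-02T08:30:00 vpn-gw auth: result=OK user=akhan src=198.51.100.7
2010-11-02T09:15:00 vpn-gw auth: result=OK user=mlee src=192.0.2.44
"""

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: result=(?P<result>\w+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(text: str) -> List[Dict]:
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def correlate(events: List[Dict], threshold: int = 5,
              window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Return one alert per success preceded by at least `threshold`
    failures for the same (user, src) within `window`. Failures older than
    the window are dropped, so slow background noise does not accumulate."""
    recent = defaultdict(list)   # (user, src) -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        recent[key] = [t for t in recent[key] if ev["ts"] - t <= window]
        if ev["result"] == "FAIL":
            recent[key].append(ev["ts"])
        elif ev["result"] == "OK":
            if len(recent[key]) >= threshold:
                alerts.append({
                    "user": ev["user"],
                    "src": ev["src"],
                    "failures": len(recent[key]),
                    "first_failure": recent[key][0].isoformat(),
                    "success_at": ev["ts"].isoformat(),
                })
            recent[key] = []   # a success resets the failure run
    return alerts


if __name__ == "__main__":
    for a in correlate(parse(SAMPLE_LOG)):
        print(f"ALERT user={a['user']} src={a['src']} failures={a['failures']} "
              f"first={a['first_failure']} success={a['success_at']}")
```

In the sample data, one user's five failures followed by a success inside the window produce an alert, while a single failure followed by a success half an hour later does not. The alert carries the timestamps and source the incident response team needs to start looking, which is the point of the two initiatives: the event was always in the logs, and the rule is what turns it into a work item for someone empowered to investigate.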
11. Implement an Organization-wide Security Awareness Program
Why: Security awareness training may not stop an insider with malicious intent, but it can mean earlier detection and notification of a potential incident. Even an entry-level employee may notice something amiss if trained to be more security aware. Such security awareness training for employees can be especially effective in combating the risks posed by social engineering.
How: Organizations should look to implement a security awareness training program and make it mandatory for every employee, regardless of title or function. This training should be repeated at least annually and made part of all new hire orientation.
Defense-in-Depth to Lower Your Threat Risk
Cybercriminals will never stop trying to obtain valuable or proprietary data. By reviewing your information security infrastructure, paying particular attention to existing vulnerabilities, the assignment of security responsibilities to specific individuals or groups, and how data flows within the organization, business leaders can reduce the threat and impact of a security incident.
Following the initiatives outlined above can either be the start of a good defense, or affirmation that a good security strategy is in place. A comprehensive, defense-in-depth strategy for information security can help reduce risk, protect sensitive information and ultimately safeguard a company’s reputation.
** The Trustwave SpiderLabs team contributed to this post.