Threats & Defenses
Walk, Don’t Run: A Security Framework for a Healthy Network (Part 1)
By: Jeff Multz
Just as no business becomes an overnight sensation, neither does an organization’s security posture. Security is a process, not a destination. It takes time, patience and hard work. You must start with the basics, work up to advanced moves and commit to security for life. In my security plan “Crawl, Walk, Run,” presented in three separate pieces, I lay out the basic steps to building and maintaining a fit and healthy network.
Implement basic security measures:
- Monitor your firewalls – Firewalls are your first level of detection. If they are monitored continuously, you can see an intrusion immediately and get the attackers out quickly, before they move laterally into other systems. Neither the brand of your equipment nor the number of blinking blue lights on it matters as much as constant monitoring: when the monitor sees suspicious or malicious activity, you must be notified immediately so you can take proper action.
- Monitor your endpoints 24/7 – Endpoints (servers, laptops and workstations) have become the most popular way for attackers to break into networks. It takes only one employee opening a phishing email and clicking on a malicious link or attachment to compromise your network. Phishing attacks cannot be solved with technology alone, such as antivirus or Advanced Malware Protection software. You need both the technology and a monitoring service that can detect threats, respond to them and conduct a forensic investigation.
- Invest in an Intrusion Detection System/Intrusion Prevention System (IDS/IPS) that is separate from the firewall – An IDS/IPS can detect and block known threats. An IDS/IPS behind the firewall can catch the thousands of threats that get past the firewall every day, and it can also catch threats that are trying to leave the network. A security specialist must proactively update the IDS/IPS with new threat signatures and policies and must ensure it is monitored 24/7. Depending on how often an organization is targeted, IDS/IPS devices that are not tuned properly can miss true threats (false negatives) or generate thousands or millions of false-positive alerts each day, making it difficult to identify true threats and take timely action. The device must be tuned continually (sometimes daily or more often) and kept updated so that it provides the latest defenses and alerts you on the right activities. If your security devices continually send false alerts, your staff will start to ignore them, along with the alerts that are true positives. Many companies have been breached because their security teams ignored the alert. An IDS/IPS also lets you store its data for later analysis and reporting. The company that codes and builds your IDS/IPS should be different from the one that codes and builds your firewall, and the two devices should be physically separate, so that both are not blind to the same vulnerabilities and exploits. Even if you have an appliance that combines a firewall and an IDS/IPS, you still need a separate layer of IDS/IPS protection behind your firewall to have a defense-in-depth strategy. Place a network IDS/IPS at every possible point of entry to your network, a host IDS/IPS on your most valuable servers to prevent intrusion, and a wireless IPS to prevent attacks that come over your wireless Internet connection.
- Conduct bi-annual penetration tests – A pen test assesses the software updates and policies of your firewalls, the software updates on your IDS/IPS and its ability to detect attacks, and the vulnerabilities of your routers. Companies should conduct a penetration test at least twice a year; quarterly tests are ideal.
- Develop a Computer Security Incident Response Plan (CSIRP) for the inevitable security incident – A CSIRP prepares your security team and business units for a breach so they can take swift and proper action. A cybersecurity professional should help develop the CSIRP and should conduct table-top exercises with your IT security and business leaders intermittently throughout the year. A table-top exercise is a rehearsal of the activities your leaders will be responsible for when your company has been breached. The cybersecurity consultant recreates actual scenarios that have occurred elsewhere, and your CSIRP team, which consists of business leaders and IT leaders, discusses the steps each person will take. This rehearsal will save you time when responding to breaches and will spare you from making many mistakes. Put a 40-hour incident response (IR) retainer in place so you can use many of those hours for CSIRP training and so you have an IR team on call, rather than wasting time negotiating IR contracts while under siege. An IR retainer can guarantee that an IR team will be on site and begin remediation of the incident within 24 hours. The longer you wait to get intruders out of your network, the more downtime you experience and the greater your cost of expelling them. The cost of hiring an incident responder who is not on retainer can go as high as $400 an hour, whereas hourly IR costs for organizations with a retainer are about $100 cheaper. Most IR plans I’ve reviewed are far from sufficient to meet today’s threats.
- Implement Security Awareness Training – Conduct comprehensive, ongoing Security Awareness Training so that employees understand common attack techniques involving the websites they visit, social engineering and spear phishing. Annual testing does not produce vigilant employees, so Security Awareness Training must be a continual part of your culture.