Continuing to break down how organizations can protect themselves against serious cyber threats
Previously we looked at how a company can begin to approach a cyber defense strategy. The next three steps cover how user permissions and overall network design contribute to ongoing protection, with a focus on limiting an attacker's freedom of movement if the company suffers a partial compromise, such as a successful phishing campaign. Finally, we will look at audit logs, which can reveal hard-to-find holes in your security setup both before and after an attack.
Access Control
Before any system or device goes into production, access methods and controls need to be planned. This applies both to users accessing systems and to communications traversing, leaving and entering the network. Every user should be granted the least privilege needed to do their job (based on need-to-know and job responsibilities). That prevents users from performing actions outside their job scope, connecting from a disallowed location, or connecting in an unsecured fashion, and it makes separation of duties possible. Enforce this through centralized authentication and authorization wherever possible: it keeps management simple, gives you one place to apply policy, and makes it easy to ship audit logs to an external system, where an attacker who compromises a single host cannot quietly edit them.
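The paragraph above describes a central decision point that applies least privilege, location and connection requirements, and separation of duties, and logs every decision externally. The following is an added example of such a decision point, written for this article rather than taken from it; the roles, actions, address ranges, sample requests and the in-memory audit sink are all constructed stand-ins for a real identity provider and a real log collector.

```python
"""Centralized least-privilege authorization with external audit logging.

Added example, not code from the original article. The roles, actions,
networks, sample requests and the in-memory audit sink are all constructed
stand-ins for a real directory/IdP and a real log collector.
"""
import ipaddress
import json
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Role -> the actions that job function actually needs (need-to-know, job scope).
ROLE_PERMISSIONS = {
    "ap_clerk": {"invoice:create", "invoice:read"},
    "ap_manager": {"invoice:read", "invoice:approve"},
    "dba": {"db:backup", "db:read_schema"},
}

# Separation of duties: these actions may not be performed by the identity
# that created the object they act on.
SOD_ACTIONS = {"invoice:approve"}

# Where each role is allowed to connect from (constructed address ranges).
ALLOWED_SOURCES = {
    "ap_clerk": [ipaddress.ip_network("10.10.0.0/16")],    # user VLAN
    "ap_manager": [ipaddress.ip_network("10.10.0.0/16")],
    "dba": [ipaddress.ip_network("10.99.0.0/24")],         # admin jump hosts only
}


@dataclass
class Request:
    user: str
    role: str
    action: str
    source_ip: str
    tls: bool
    mfa: bool
    created_by: Optional[str] = None  # owner of the object being acted on


@dataclass
class AuditSink:
    """Stand-in for an external collector (syslog/SIEM): keeps JSON lines."""
    events: List[str] = field(default_factory=list)

    def emit(self, **event) -> None:
        self.events.append(json.dumps(event, sort_keys=True))


def authorize(req: Request, sink: AuditSink) -> Tuple[bool, str]:
    """Single decision point: deny by default and log every decision."""
    reason = "allowed"
    if req.role not in ROLE_PERMISSIONS:
        reason = "unknown role"
    elif req.action not in ROLE_PERMISSIONS[req.role]:
        reason = "action outside job scope"
    elif not any(ipaddress.ip_address(req.source_ip) in net
                 for net in ALLOWED_SOURCES[req.role]):
        reason = "disallowed source location"
    elif not (req.tls and req.mfa):
        reason = "unsecured connection (TLS and MFA required)"
    elif req.action in SOD_ACTIONS and req.created_by == req.user:
        reason = "separation of duties: cannot act on own object"
    allowed = reason == "allowed"
    sink.emit(user=req.user, role=req.role, action=req.action,
              source=req.source_ip, decision="ALLOW" if allowed else "DENY",
              reason=reason)
    return allowed, reason


def demo() -> List[Tuple[bool, str]]:
    """Run a few constructed requests through the decision point."""
    sink = AuditSink()
    requests = [
        Request("alice", "ap_clerk", "invoice:create", "10.10.5.5", True, True),
        Request("alice", "ap_clerk", "invoice:approve", "10.10.5.5", True, True),
        Request("bob", "ap_manager", "invoice:approve", "10.10.7.9", True, True,
                created_by="bob"),
        Request("bob", "ap_manager", "invoice:approve", "192.168.1.7", True, True,
                created_by="alice"),
        Request("carol", "dba", "db:backup", "10.99.0.3", True, False),
    ]
    results = [authorize(r, sink) for r in requests]
    for line in sink.events:  # what the external log system would receive
        print(line)
    return results


if __name__ == "__main__":
    demo()
```

The point of the single `authorize` function is that every check, including the ones that deny, produces exactly one audit event in one place; the denied requests are the ones worth alerting on later, because a clerk requesting `db:backup` or a manager connecting from an unexpected network is precisely what a phished account looks like.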
Network Access and Design
Often referred to as "defense in depth," a multi-layered defense strategy and network design keep an attacker who has gained a foothold somehow (for example through a successful phishing campaign) from moving freely across the network. The most effective part of a multilayer defense is internal network separation via VLANs, subnets and firewall zones. Multiple layers of logically separate network zones and components significantly increase the effort an intruder needs to move laterally to where protected data or assets are kept, because each boundary is another host or service that has to be compromised first. Ideally, protected data sits behind an application, a host, at least one internal network segment, a perimeter network, and the external network, with a firewall, and possibly other security appliances or controls, between each logical layer. Segmentation only counts if the rules between zones are restrictive: a zone that is allowed to reach everything is just a flat network with extra hops.
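To make the lateral-movement argument concrete, here is an added example (not code from the original article) that models the layers just described as a zone graph with firewall rules and counts how many boundaries an intruder who started in the user VLAN must cross to reach the data, in the segmented design versus a flat network. The zone names, rules and starting point are constructed for illustration.

```python
"""Lateral-movement paths through a segmented network versus a flat one.

Added example, not from the original article. Zone names, firewall rules and
the attacker's starting point are constructed for illustration.
"""
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

Rule = Tuple[str, str, int]  # (source zone, destination zone, tcp port)

# Layers from the article: external -> perimeter -> internal segment(s)
# -> application host -> protected data. Only these flows are permitted.
SEGMENTED_RULES: List[Rule] = [
    ("external", "perimeter", 443),    # public web front end
    ("user_vlan", "perimeter", 443),   # staff use the same front end
    ("perimeter", "app", 8443),        # web tier -> application tier
    ("app", "data", 5432),             # application tier -> database
    ("admin_vlan", "app", 22),         # administration via jump hosts
    ("admin_vlan", "data", 22),
]

ZONES = ["external", "user_vlan", "admin_vlan", "perimeter", "app", "data"]
# One big subnet with no internal firewalls: every zone reaches every other.
FLAT_RULES: List[Rule] = [(s, d, 0) for s in ZONES for d in ZONES if s != d]


def adjacency(rules: List[Rule]) -> Dict[str, Set[str]]:
    """Zone graph: an edge for every permitted source->destination flow."""
    graph: Dict[str, Set[str]] = {}
    for src, dst, _port in rules:
        graph.setdefault(src, set()).add(dst)
    return graph


def shortest_path(rules: List[Rule], start: str, target: str) -> Optional[List[str]]:
    """Fewest firewall crossings an intruder in `start` needs to reach `target`.

    Every intermediate zone on the returned path is one more place the
    attacker must compromise a host or exploit a service before moving on.
    Returns None when no permitted chain of flows exists.
    """
    graph = adjacency(rules)
    prev: Dict[str, Optional[str]] = {start: None}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        if zone == target:
            path: List[str] = []
            cur: Optional[str] = zone
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in graph.get(zone, ()):
            if nxt not in prev:
                prev[nxt] = zone
                queue.append(nxt)
    return None


def direct_exposure(rules: List[Rule], target: str) -> Set[str]:
    """Zones with a permitted flow straight to `target`: harden these first."""
    return {src for src, dst, _port in rules if dst == target}


if __name__ == "__main__":
    # A phished employee gives the attacker a foothold in the user VLAN.
    for name, rules in (("segmented", SEGMENTED_RULES), ("flat", FLAT_RULES)):
        path = shortest_path(rules, "user_vlan", "data")
        print(f"{name}: {' -> '.join(path)} ({len(path) - 1} firewall crossings)")
    print("direct access to data:", sorted(direct_exposure(SEGMENTED_RULES, "data")))
```

Two things the model makes visible that a diagram often hides: the admin VLAN has a one-hop path to the data, so the jump hosts deserve the strongest controls in the estate; and the data zone has no permitted outbound flows at all, so an attacker who reaches it still has no policy-sanctioned path back out. The model counts policy boundaries, not exploitability; a vulnerable service in the perimeter zone collapses a crossing, which is exactly what vulnerability management and penetration testing are for.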
Audit Logs and Risk
Audit logs are usually thought of as an after-the-fact aid to incident response, but properly designed audit logs also surface problems before they become security incidents, and they are valuable for defending, planning and responding alike. Logs that nobody reviews are not a control, so decide up front what will be looked for in them. Continual vulnerability management and penetration testing show how an actual attacker could get in and move laterally within the network, but resist the urge to patch every known vulnerability at once: it is about protecting the crown jewels. Know how much risk the organization can handle and where, and prioritize by the exposure of the assets that matter. Use audit logs, vulnerability assessments, penetration tests and the other tools at your disposal to measure actual risk against perceived or expected risk. Between your asset classification, threat modeling, configuration management, access control and network design, there should be plenty of information with which to audit that risk.
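The paragraph above claims that audit logs find holes both before and after an attack. The following added example (not from the original article) runs three checks over a constructed sample of authorization events of the kind a central decision point would ship to a log collector: repeated out-of-scope denials (an account probing for privilege), valid credentials used from a disallowed location, and granted permissions that are never exercised, which are candidates for removal before anyone abuses them. The log lines and the role table are constructed for illustration.

```python
"""Mining audit logs for problems before and after an incident.

Added example, not from the original article. The audit lines below are
constructed JSON events of the kind a central authorization service would
ship to a log collector; the role table is a constructed policy.
"""
import json
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample: one JSON object per line, as received by the collector.
SAMPLE_LOG = """
{"ts":"2023-03-01T08:02:11Z","user":"alice","role":"ap_clerk","action":"invoice:create","source":"10.10.5.5","decision":"ALLOW","reason":"allowed"}
{"ts":"2023-03-01T08:05:40Z","user":"alice","role":"ap_clerk","action":"invoice:read","source":"10.10.5.5","decision":"ALLOW","reason":"allowed"}
{"ts":"2023-03-01T09:11:02Z","user":"bob","role":"ap_manager","action":"invoice:approve","source":"10.10.7.9","decision":"ALLOW","reason":"allowed"}
{"ts":"2023-03-01T22:14:55Z","user":"alice","role":"ap_clerk","action":"invoice:approve","source":"10.10.5.5","decision":"DENY","reason":"action outside job scope"}
{"ts":"2023-03-01T22:15:10Z","user":"alice","role":"ap_clerk","action":"db:backup","source":"10.10.5.5","decision":"DENY","reason":"action outside job scope"}
{"ts":"2023-03-01T22:15:31Z","user":"alice","role":"ap_clerk","action":"db:read_schema","source":"10.10.5.5","decision":"DENY","reason":"action outside job scope"}
{"ts":"2023-03-02T03:40:07Z","user":"bob","role":"ap_manager","action":"invoice:read","source":"203.0.113.50","decision":"DENY","reason":"disallowed source location"}
{"ts":"2023-03-02T10:00:00Z","user":"carol","role":"dba","action":"db:read_schema","source":"10.99.0.3","decision":"ALLOW","reason":"allowed"}
this line is corrupt and must not crash the analysis
"""

# Policy as granted (what each role may do), to compare with what is used.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "ap_clerk": {"invoice:create", "invoice:read"},
    "ap_manager": {"invoice:read", "invoice:approve", "invoice:export"},
    "dba": {"db:backup", "db:read_schema"},
}


def parse(log: str) -> List[dict]:
    """One event per non-empty line; malformed lines are skipped, not trusted."""
    events = []
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def scope_probing(events: List[dict], threshold: int = 3) -> Dict[str, int]:
    """Users repeatedly denied for actions outside their role.

    A phished account or an insider probing for privilege, visible before
    anything actually succeeds.
    """
    denies = Counter(e["user"] for e in events
                     if e.get("decision") == "DENY"
                     and e.get("reason") == "action outside job scope")
    return {user: n for user, n in denies.items() if n >= threshold}


def off_network_attempts(events: List[dict]) -> List[Tuple[str, str, str]]:
    """Valid credentials used from a disallowed location: treat as compromise."""
    return [(e["user"], e["source"], e["ts"]) for e in events
            if e.get("reason") == "disallowed source location"]


def unused_privileges(events: List[dict]) -> Dict[str, Set[str]]:
    """Granted actions never exercised in the log window: candidates to revoke."""
    used: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e.get("decision") == "ALLOW":
            used[e["role"]].add(e["action"])
    return {role: perms - used[role] for role, perms in ROLE_PERMISSIONS.items()
            if perms - used[role]}


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("scope probing:", scope_probing(ev))
    print("off-network attempts:", off_network_attempts(ev))
    print("unused privileges:", unused_privileges(ev))
```

The first two checks are the "after" case: they turn denied events into leads for incident response. The third is the "before" case: it measures the gap between permissions granted and permissions actually needed, which is the least-privilege question asked with data instead of opinion. Pick the window with care; a privilege unused in a week may still be needed for a quarterly task, so the output is a review list, not an automatic revocation.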
Cyber defense is deeply rooted in proper controls, policies, secure design, and having the right resources on hand to manage the business day to day. Adding security appliances to the mix works best when the network is already designed around policies thoughtfully derived from business risk management. Sometimes outside help is the faster and more efficient way to work through those policies and to eliminate bias. There is no reason to succumb to fear and uncertainty in cyber security. The key to a winning defensive strategy is a solid plan designed by experts and implemented and maintained by a team you trust.