Without a strong network security strategy, IT security will fall short — and vice versa.
The National Security Agency (NSA) has identified three basic functions to form the foundation of a good IT security system. These functions are critical to preventing 93% of cyber incidents, according to an NSA presentation. We at NetCraftsmen have identified four additional steps that, when combined with NSA’s three steps, create a solid foundation upon which to build a comprehensive security system.
NSA’s security steps
Step 1. Multifactor authentication
Instead of using basic passwords, enterprises should implement multifactor authentication, such as two-factor authentication (2FA). 2FA relies on something users know (a password) and something they own (a physical device, like a security token generator or a phone). Other mechanisms rely on factors like biometrics.
Text message challenges have become a popular mechanism for 2FA. During login, a security code is sent via text or phone call to a cellphone. Users input the security code in response to a login challenge. This type of challenge can be attacked by a bad actor taking over the cellphone account or number and is not suitable for highly secure accounts.
Step 2. Role-based access control
Implementing role-based access control restricts access to only those resources that are necessary for a person’s function, or role, within an organization. For example, an HR employee won’t need access to accounting functions. By limiting access, a compromised employee account will be restricted from functions and data that are outside the needs of that role.
Nearly all products have role-based access security controls, as IT security has become more important. It should be a critical criterion for product selection. There is an American National Standards Institute (ANSI) standard for it, ANSI/INCITS 359-2004 from the InterNational Committee for Information Technology Standards, and the later INCITS 359-2012.
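The HR-versus-accounting example above, worked through in code that is added here and is neither the article's nor any vendor's implementation: a small core RBAC model in the shape of the INCITS 359 standard (users, roles, permissions, sessions), default-deny, with the role and user names constructed for illustration.

```python
"""Core RBAC in the shape of the ANSI INCITS 359 model: users are assigned roles, roles
hold permissions (operation, object), and a session activates a subset of the user's
roles. Constructed example, not the article's code or any vendor's implementation."""
from dataclasses import dataclass, field


@dataclass
class Rbac:
    role_perms: dict = field(default_factory=dict)   # role -> {(operation, object)}
    user_roles: dict = field(default_factory=dict)   # user -> {role}
    sessions: dict = field(default_factory=dict)     # session id -> (user, active roles)

    def grant(self, role: str, operation: str, obj: str) -> None:
        self.role_perms.setdefault(role, set()).add((operation, obj))

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def create_session(self, sid: str, user: str, roles: set) -> None:
        """Only roles actually assigned to the user may be activated (least privilege)."""
        disallowed = roles - self.user_roles.get(user, set())
        if disallowed:
            raise PermissionError(f"{user} is not assigned {sorted(disallowed)}")
        self.sessions[sid] = (user, set(roles))

    def check_access(self, sid: str, operation: str, obj: str) -> bool:
        """Default deny: allowed only if some active role of the session holds the permission."""
        if sid not in self.sessions:
            return False
        _, active = self.sessions[sid]
        return any((operation, obj) in self.role_perms[r] for r in active)


def build_demo() -> Rbac:
    """Constructed roles from the article's example: HR staff versus accounting."""
    rbac = Rbac()
    rbac.grant("hr_staff", "read", "personnel_records")
    rbac.grant("hr_staff", "update", "personnel_records")
    rbac.grant("accountant", "approve", "payments")
    rbac.assign("alice", "hr_staff")
    rbac.assign("bob", "accountant")
    rbac.create_session("s-alice", "alice", {"hr_staff"})
    return rbac
```

A compromised HR session in this model can read and update personnel records but cannot approve payments, which is exactly the containment the step is after.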
Step 3. Allowlist applications
Networks used to be open, and the only filtering performed was to deny certain connections. Allowlisting inverts that paradigm. Only those connections and data flows that are required for application functionality are allowed; all other connectivity is blocked. The objective is to reduce the opportunities for a security breach to spread laterally across an organization.
Teams should configure the filtering systems to record, or log, failed attempts to establish connections. Think of these alerts as trip lines that tip teams off to compromised accounts or systems. A security information and event management (SIEM) system can help manage the deluge of events from the filtering systems.
NetCraftsmen’s security steps
Step 4. Patching and workarounds
Teams must be diligent in patching and installing workarounds against known vulnerabilities. As noted in NSA’s presentation, zero-day attacks rarely occur, and the majority of cybersecurity breaches are due to unpatched systems. Regular updates must be applied to applications, server OSes and network infrastructure. Teams will need processes and people to track updates and configuration management systems to facilitate the updates.
Step 5. Network segmentation
The goal of network segmentation is to prevent the horizontal spread of automated malware between business functions. Subdivide the network into functional segments with limited access between segments. For example, facilities infrastructure networks have no reason to access business functions, like HR or accounting. Teams should use application allowlists (see step 3 above) for any access between business segments.
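Steps 3 and 5 together, as an added example that is not the article's code: a default-deny filter that maps addresses to constructed network segments, allows only listed flows between segments, logs every denial, and turns repeated denials from one source into the "trip line" alert described in step 3. Segment ranges, rules and sample flows are all made up for illustration.

```python
"""Default-deny flow filter across network segments, with a denial log and a trip-line alert.
Constructed example, not the article's code; addresses, rules and flows are made up."""
import ipaddress
from collections import defaultdict

# Constructed segments (step 5) and the allowlist of flows between them (step 3).
SEGMENTS = {
    "hr":         ipaddress.ip_network("10.10.0.0/24"),
    "accounting": ipaddress.ip_network("10.20.0.0/24"),
    "facilities": ipaddress.ip_network("10.30.0.0/24"),
    "datacenter": ipaddress.ip_network("10.100.0.0/24"),
}
# (src segment, dst segment, proto, dst port); anything not listed is denied.
ALLOW = {
    ("hr", "datacenter", "tcp", 443),
    ("accounting", "datacenter", "tcp", 443),
    ("accounting", "datacenter", "tcp", 1433),
}

def segment_of(ip: str):
    """Name of the segment containing ip, or None if it is in no known segment."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), None)

def decide(src: str, dst: str, proto: str, port: int) -> bool:
    """Allow only flows explicitly listed; unknown segments are denied too."""
    s, d = segment_of(src), segment_of(dst)
    return s is not None and d is not None and (s, d, proto, port) in ALLOW

def filter_flows(flows: list, alert_threshold: int = 3) -> tuple:
    """Apply the allowlist, log each denial, and flag any source denied to at least
    `alert_threshold` distinct destinations: the trip line for lateral movement."""
    denied_log = []
    denied_dsts = defaultdict(set)
    for src, dst, proto, port in flows:
        if not decide(src, dst, proto, port):
            denied_log.append(f"DENY {src} -> {dst} {proto}/{port}")
            denied_dsts[src].add(dst)
    alerts = sorted(s for s, d in denied_dsts.items() if len(d) >= alert_threshold)
    return denied_log, alerts

# Constructed sample flows: normal traffic plus one facilities host reaching into other segments.
SAMPLE_FLOWS = [
    ("10.10.0.5", "10.100.0.10", "tcp", 443),
    ("10.20.0.7", "10.100.0.10", "tcp", 1433),
    ("10.30.0.9", "10.10.0.5", "tcp", 445),
    ("10.30.0.9", "10.20.0.7", "tcp", 445),
    ("10.30.0.9", "10.100.0.10", "tcp", 22),
]
```

The denial log is what gets forwarded to the SIEM; the alert list is the minimal correlation a SIEM rule would perform on it.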
Step 6. System backups
The most common intrusion has become ransomware, and a successful widespread attack can severely strain a business. System backups can eliminate much of the risk from a successful attack but only if the backups themselves cannot also be compromised. Teams must carefully design their backup systems to stay safe because attackers will monitor IT systems for weeks before triggering the encryption of an organization’s data.
Natural disasters can be just as disruptive as a ransomware attack, and backups should be stored where they won’t be subject to the same event that affected the OSes. It is instructive to research how businesses handled and recovered from natural disasters to learn what worked and what didn’t.
Step 7. Employee security education
The final security step is to educate employees. Use anti-phishing campaigns to train employees on the types of emails that facilitate intrusions or fraud. A common attack is to entice employees to click on malware-infected jokes, pictures or videos within emails. Fraud emails convince employees, typically in accounting functions, to make fraudulent financial transfers. Certain employee roles may need additional job-specific training.
Training has been demonstrated to work. It should emphasize past learning and include new attack mechanisms. An added benefit of this training is that employees become better prepared to avoid such attacks in their personal lives.
Making it all work
Good IT systems rely on the proper balance of people, process and technology, meaning the tools. The above seven steps focus on people and processes. For a balanced security foundation, enterprises can use the Cyber Defense Matrix to evaluate security tools.