Cyber Defense – The Meaning of…Technology
OR Not In Front of the Interns!
Life is hard enough without constantly worrying about cybercrime. Did you know cybercrime is now the world’s third-largest economy? These enemies are state-funded and numerous, looking to steal your data, money, and put you completely out of business. You need Policy, Education, and Technology working together, driven by the ownership, to be successful. While it may feel like a flying circus at times, this is your circus, and these are your monkeys.
Everyone wants to talk about tools, magic boxes, and software for security. Yes, all that’s important, but what happens when the Internet is dead? Or the zero-day exploits work around them? Or your own administrator is the threat actor? Go beyond the technology to protect your data in our final installment of Cyber Defense as we discuss the right way to use Technology.
Something Completely Different – The network is the path all data in the organization traverses. If the road isn’t safe, neither is your data. Sure, your off-the-shelf switch connects your office computers, but it doesn’t protect you. Anyone can plug in and see every network device in the building! Use a centralized Security Authority that requires authentication of the device through certificates AND a valid login BEFORE granting access to the network. Entry-level systems can be created with only a Windows Server running a domain-based certificate authority and a third-party Authentication, Authorization, and Accounting (AAA) server for 802.1x authentication.
I Always Wanted to Be…A Hacker – Antivirus and antimalware programs protect you from known exploits using a signature-based approach. Some prevent the execution of malicious applications. However, the best programs are those that live between the kernel and the operating system. They recognize escalation attempts and can block any program, not on the whitelist. Centralized management and alerting initiates quarantines of the computer at the network level to prevent further contamination of the network. If you’re still using Norton or ESET, it’s time for a change. No heels required.
Comfy Chair! – No matter where your office is, your data must be protected. Multifactor Authentication (MFA) requires a second or third option beyond just your password (something you know). It can be a fingerprint (something you are) or an authenticator app on your phone (something you have). It doesn’t need to be torture, but it should prevent someone from accessing your account with only your password. Additionally, not all users require access to all systems all the time. Implementing acceptable login schedules reduces the availability and temptation of corporate data and can alert to potential breaches.
Protest and Protect – Every legitimate application used in business today includes the ability to encrypt traffic end to end. You might think you don’t need that level of protection inside your own office, but data is transmitted in plain text by default. If someone is watching your network traffic with a packet sniffer, like WireShark, unencrypted data is visible. Even data such as picture and video and be reassembled from a packet capture!
I Sleep All Night – If you have strong IT policies and procedures, then you have rules laid out describing the best practices for deploying computers. If not, IT’s only goal will be to make it work. Far too many breaches occur on systems that were installed or configured incorrectly. Every vendor provides best practices to implement and secure their technology. Windows and Linux servers should be locked down to only allow administrators access. Administrators should only use their admin credentials when necessary and their user-level access for everything else. Never log into your primary computer as an administrator. Drive-By Downloads can install without your knowledge and bypass even the most sophisticated endpoint security.
And I Work All Day – Another major failure by IT is “set it and forget it.” Every vendor provides constant updates to software, firmware, and settings meant to keep your network safe. This includes Internet of Things (IoT), industrial equipment, printers, surveillance cameras, access control locks, anything that connects to the network. If one item is breached, the whole network is accessible. Trust me; you will not be “OK” when this happens to you.
Buckets – Looking for “one easy trick” to keep your network safe using the technology you have today? All you need is a switch capable of virtual LANs (VLANs) and a firewall. Not all devices on the network need direct access to all other networks. For instance, printers should not have direct access to anything except the servers that control them. No, users should not be allowed to print directly to anything. What is this, the 90s? Separate your network into functional buckets or networks based on function. Then, force all traffic between the networks through a firewall. You now have full control over which networks can communicate. This is especially useful when segmenting IoT, surveillance, or other network devices that require only limited internal connectivity and prevents Internet access outbound. And if you’re not monitoring and blocking outbound Internet traffic, you will never know if you’re breached until the ransom messages are on your computers.
Every Frame is Sacred – What is normal traffic for your servers and network? A baseline is created by monitoring and cataloging traffic in and out over time. You will discover patterns, such as weekly uploads for payroll, backups, and other traffic flows. Knowing what is normal will bring abnormal traffic into focus immediately. Is it normal for the CEO’s computer to upload the entire customer database at 3AM on a Wednesday? Probably not!
Sorry, this is “abuse” – Cloud assets with Google, AWS, and Microsoft are the most vulnerable. None of these providers stress security over accessibility and ease of use. In fact, if you are connecting to your Cloud assets directly without using a VPN, you may already be compromised! If you can reach your SQL database via a public IP address, anyone else can as well. Remote Desktop Protocol (RDP) is notoriously lacking security, and no Cloud provider actively monitors or blocks connection attempts. Many breaches start with insecure Cloud implementations of Kubernetes or Docker. These are just Linux-based containers will much less security. You should protect them the same as you would a text file filled with your passwords.
Completely Gratuitous Locks – Even with a mobile workforce, at some point, a physical device is involved. Laptops, tablets, desktops, or network equipment can provide direct access to data if not properly protected. Workstations should always be locked with PINs, passwords, and biometrics. Multifactor Authentication must be required for devices directly connected to data, either on corporate office servers or in the Cloud. Once they’re in, they’re in. Cameras, door locks, and a physical presence deter unauthorized entry. Door and cabinet sensors can alert to unauthorized access and alert to environmental failures such as water leaks, high temperature, and humidity.
Americans! All you ever do is talk! – So, you followed your insurance company’s advice and bought all this great technology to secure and protect everyone. You have endpoint protection, hardened network devices, automated system upgrades, monitoring, and a million-dollar Security Incident and Event Manager (SIEM). Then you stopped watching it. While you’re at the water cooler talking about your new comfy chair, the new mailroom clerk is stealing data to sell to your competitor. That’s what you get for buying the machine that goes ping.
Nobody Expects the Russian Ransomware – Initial compromise is inevitable. No system is 100% protected from every threat actor if the bad guy has time to test defenses. What if the attacker is an insider? How would you know? You have minutes to react to compromises. Many hackers are in a system up to 6 months or more before releasing ransomware. What are they doing in the meantime? Stealing all of your company and employee data. You could have stopped them if you were paying attention. Now the parrot’s dead.
Too many tools eat memory, processor, and bandwidth. If you’re not paying attention, all the technology in the world can’t protect you. But, with the right strategy and tools specific to your organization and needs, at least you can understand what’s normal, at least for your network.