Stop Corporate Data Thieves Cold
Help To Restore Your Peace of Mind


Shawn Stewart
Mr. Stewart has 27 years of experience with hundreds of international, commercial, military, and government IT projects. He holds certifications with ISC2, Cisco, Microsoft, CompTIA, ITIL, Novell, and others. He has a Master's in Cybersecurity, a Bachelor's in IT, a Minor in Professional Writing, and is a published author.
Not every employee and asset in your office works for you. Sure, there are those who secretly surf the web or watch videos all day. Those are petty thieves compared to the real insider threats hiding in your organization. How did they get in? Well, some you let in and some changed over time. Some don’t even realize they’re kleptomaniacs. Once you discover them, you have no choice but to remove them at once!
Bandwidth Thieves
Bandwidth thieves are everywhere on your network. You may pay for 1 Gigabit of pure Ethernet Internet, but the edge device says you're only seeing half that. What the heck? The first place to start is the termination equipment. Is your router or firewall capable of 1 Gigabit throughput? Most are not, and once you add VPN or other two-way services, the device will likely never get close to using all the bandwidth you pay for.
While you're upgrading your Internet edge device, be sure it has the power to decrypt and inspect Secure Sockets Layer (SSL) traffic. Nearly all malware, ransomware, and data miners run through standard encrypted traffic on port 443. Might as well add a secure DNS service to block unwanted outbound traffic to malicious sites and IP addresses.
But policy, not products, will ensure your bandwidth isn't squandered on live streams, sports brackets, and unwanted downloads. Blocking social media and streaming services not only improves overall bandwidth to and from the Internet, but also frees up local switches to process internal traffic better. Noticing high throughput on your switch uplinks? Hold off on the multi-million-dollar network refresh until you've inspected and eliminated non-productive data flows.
Fence of Thieves
Geofencing at the furthest edge of your Internet access will also reduce traffic. What is geofencing? Basically it blocks all traffic to and from IP address blocks of specific countries. Does your organization require any Internet communications with China, India, Pakistan, Belarus, North Korea, Iran, or Russia? No? Then block them. Nearly 95% of all malicious traffic originates in these countries. Preventing all traffic to and from those locations allows your equipment to focus on legitimate traffic.
For the ultimate protection on the Internet, consider using a combination of services like Zscaler, Viptela, Cloudflare, or Akamai, to name a few. Used in combination, these systems mask your true IP addresses online, provide full proxy service for Internet traffic, and mostly prevent spoofed connections. And their price points are dropping below the costs of maintaining an SD-WAN with tunneled Cloud services.
Thieves on the Road Less Traveled
You’re no amateur. You, Ms. Network Guru, know better than to leave devices unprotected and out of date. You change all the default passwords to strong behemoths that require Multifactor Authentication (MFA). Guest Wi-Fi doesn’t come close to the production network. Staff are trained on phishing and email is buttoned down tight. Corporate wireless uses 802.1x authentication and MFA. But what about those devices that aren’t Windows, Apple, or Android?
Segmentation is key. Keep insecure devices in a separate VLAN and be sure to disable inter-VLAN routing at the switch level. Force all traffic to and from these devices through a firewall with intrusion prevention (IPS) and access control to block access in and out. Even the oldest SCADA devices can send SNMP data when accessed, and you should know every time that happens.
What about printers? You know, the loudest and most promiscuous devices on the network? Have you turned off all the unnecessary connection methods enabled out of the box? I'll ask a better question. Have you considered segmenting printers to ONLY communicate with your secure print servers? Add a layer of security by authenticating printers to servers using built-in hardware certificates. A locally compromised device can then only communicate with the print server, and only on the specified printer port. Get fancy and change those, too!
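The geofence from the "Fence of Thieves" section and the segmentation rules in the last two paragraphs (an insecure VLAN that can only be reached through an inspecting firewall, printers that can only talk to the print server on the print ports, and a log entry every time something polls SNMP on the SCADA segment) can be expressed as one deny-by-default, first-match policy. The following is an added example and is not code from the original post or from any product named here. The VLAN ranges, host addresses, and rule names are constructed, and the geofence list uses RFC 5737 documentation prefixes as stand-ins for the country-level blocks a real deployment would load from a maintained feed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed stand-ins for country-level IP blocks.  These are RFC 5737
# documentation ranges, not real national allocations; a production geofence
# would load a maintained country-to-prefix feed here instead.
GEOFENCE_PREFIXES = ("198.51.100.0/24", "203.0.113.0/24")

PRINTER_VLAN = "10.20.0.0/24"         # constructed: the printer segment
PRINT_SERVER = "10.10.0.5/32"         # constructed: the only peer printers may reach
OT_VLAN = "10.30.0.0/24"              # constructed: legacy SCADA segment
NMS_HOST = "10.1.0.50/32"             # constructed: monitoring station allowed to poll SNMP
PRINT_PORTS = frozenset({9100, 631})  # raw JetDirect and IPP


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None        # None matches any protocol
    dports: frozenset = frozenset()    # empty set matches any destination port
    log: bool = False                  # record every hit, e.g. SNMP into the OT VLAN

    def matches(self, flow: Flow) -> bool:
        if ip_address(flow.src) not in ip_network(self.src):
            return False
        if ip_address(flow.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != flow.proto:
            return False
        if self.dports and flow.dport not in self.dports:
            return False
        return True


def build_policy() -> List[Rule]:
    """Ordered rule list: first match wins, unmatched traffic is denied."""
    rules: List[Rule] = []
    # 1. Geofence at the outermost edge: drop and log anything to or from the blocked prefixes.
    for prefix in GEOFENCE_PREFIXES:
        rules.append(Rule(f"geo-deny-src-{prefix}", "deny", src=prefix, log=True))
        rules.append(Rule(f"geo-deny-dst-{prefix}", "deny", dst=prefix, log=True))
    # 2. Printers may talk only to the print server, and only on the print ports.
    rules.append(Rule("printer-to-server", "allow", src=PRINTER_VLAN, dst=PRINT_SERVER,
                      proto="tcp", dports=PRINT_PORTS))
    rules.append(Rule("server-to-printer", "allow", src=PRINT_SERVER, dst=PRINTER_VLAN,
                      proto="tcp", dports=PRINT_PORTS))
    # 3. Only the monitoring station may poll the OT VLAN over SNMP, and every poll is logged.
    rules.append(Rule("nms-snmp-to-ot", "allow", src=NMS_HOST, dst=OT_VLAN,
                      proto="udp", dports=frozenset({161}), log=True))
    return rules


def evaluate(flow: Flow, rules: List[Rule]) -> Tuple[str, str, bool]:
    """Return (action, rule name, log?) for a flow; no match means deny and log."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name, rule.log
    return "deny", "implicit-deny", True


if __name__ == "__main__":
    policy = build_policy()
    # Constructed sample flows: a print job, a compromised printer probing a file
    # server, an inbound hit from a geofenced prefix, and an authorised SNMP poll.
    for f in (Flow("10.20.0.7", "10.10.0.5", "tcp", 9100),
              Flow("10.20.0.7", "10.10.0.9", "tcp", 445),
              Flow("203.0.113.4", "10.10.0.5", "tcp", 443),
              Flow("10.1.0.50", "10.30.0.3", "udp", 161)):
        print(f, "->", evaluate(f, policy))
```

Two design choices carry the article's advice: the geofence rules sit first so blocked regions never consume a lookup against the internal rules, and the fall-through is a logged deny, so a printer or SCADA device that suddenly tries to reach anything other than its permitted peer shows up in the log rather than silently succeeding.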
Brazen Thieves
Now that you've shored up your virtual connectivity, let's focus on your castle. While building a moat will make it hard for both employees and customers to get in, you shouldn't leave the doors open, either. Many security-conscious companies install mantraps and one-way access to prevent outsiders from simply walking in. Access control and video surveillance systems often sit on the old-school converged network as a separate VLAN. Be sure this VLAN is secure and doesn't allow unauthorized devices to connect.
How do you control access? Start by not connecting unused physical ports to the network switches. For centralized remote administrators, this may be difficult. If you must connect all network ports to switches, ensure unused network ports are disabled and properly labeled to show the connected wall jack numbers. This prevents outsiders from adding infected or remote access devices in your lobby or warehouse.
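One way to audit the two rules just stated (every unused port shut down, every port labeled with its wall-jack number), as an added example rather than anything from the original post: a script that parses a switch port listing and reports the ports that need attention. The sample listing is constructed and modelled on the shape of Cisco IOS `show interfaces status` output, the `<AREA>-J<jack>` naming convention is an assumption, and the parser assumes the final Type column is a single token; none of these come from the article.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample, modelled on Cisco IOS "show interfaces status" output
# (not captured from a real switch).
SAMPLE_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/1   LOBBY-J101         connected    10         a-full  a-1000 10/100/1000BaseTX
Gi1/0/2   LOBBY-J102         notconnect   10         auto    auto  10/100/1000BaseTX
Gi1/0/3                      notconnect   10         auto    auto  10/100/1000BaseTX
Gi1/0/4   WAREHOUSE-J204     disabled     999        auto    auto  10/100/1000BaseTX
Gi1/0/5   WAREHOUSE-J205     connected    20         a-full  a-100  10/100/1000BaseTX
Gi1/0/6                      disabled     999        auto    auto  10/100/1000BaseTX
Gi1/0/7   PRINTER-J301       err-disabled 30         auto    auto  10/100/1000BaseTX
"""

# Constructed labelling convention: <AREA>-J<wall jack number>.
JACK_LABEL = re.compile(r"^[A-Z0-9]+-J\d+$")


@dataclass(frozen=True)
class PortEntry:
    port: str
    name: str
    status: str
    vlan: str


def parse_status(text: str) -> List[PortEntry]:
    """Parse the listing.  The Name column may be blank or contain spaces, so
    the fixed trailing columns (Status, Vlan, Duplex, Speed, Type) are taken
    from the right and whatever is left between Port and Status is the name.
    Assumes Type is a single token, as in the constructed sample."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Port"):
            continue
        tokens = line.split()
        port, status, vlan = tokens[0], tokens[-5], tokens[-4]
        name = " ".join(tokens[1:-5])
        entries.append(PortEntry(port, name, status, vlan))
    return entries


def audit_ports(entries: List[PortEntry]) -> List[Tuple[str, str]]:
    """Flag ports that violate the two rules: an enabled port with nothing
    connected must be shut down, and every port must carry its wall-jack label.
    Ports the switch has err-disabled are flagged for investigation as well."""
    findings = []
    for e in entries:
        if e.status == "notconnect":
            findings.append((e.port, "unused-port-enabled"))
        if e.status == "err-disabled":
            findings.append((e.port, "err-disabled"))
        if not JACK_LABEL.match(e.name):
            findings.append((e.port, "unlabeled-port"))
    return findings


if __name__ == "__main__":
    for port, issue in audit_ports(parse_status(SAMPLE_STATUS)):
        print(f"{port:10} {issue}")
```

Run against the sample, the script flags Gi1/0/2 and Gi1/0/3 as live but unused, Gi1/0/3 and Gi1/0/6 as unlabeled, and Gi1/0/7 as err-disabled; a port that is both disabled and labeled, like Gi1/0/4, produces no finding.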
Add a layer of security by implementing a network access control (NAC) system that validates each connected device centrally before permitting access to the network. How? Several options are available, including a valid Active Directory login, certificates for domain-enabled devices, or passwordless multifactor authentication. What about MAC address validation and sticky ports? Sorry, it's far too easy to imitate MAC and IP addresses, bypassing any MAC-based security.
Protection in the Field
When devices and data leave the castle, you must protect them. This typically comes in the form of data encryption at the drive level for computers. But strong passwords and required MFA ensure the encryption can't be bypassed by brute-force password attacks. What about mobile devices? A mobile device management (MDM) app with the ability to remotely wipe devices is required today. No more BYOD for those with access to sensitive corporate data. The hardest part is training users to take better care of devices.
Cloud services, by default, connect through the open Internet across not-so-secure SSL encryption. Don't expect Microsoft, Google, AWS, or Salesforce to evaluate and recommend additional layers of security. Let's face it, their products scream ease of use, not security. How do you ensure the highest level of security for traffic passing across the web? Simple. Tunnels. If you're still stuck using SD-WAN, nearly all firewall vendors offer virtual firewalls to load into Cloud services. This ensures all traffic to and from your Cloud provider is fully encrypted, monitored, and secured. If your insurance provider has not required this in the past, be ready for it in 2024.
Policy Polices Chaos
Sure, you have a strong patch management solution, but how does your change management compare? Too often IT change management is lumped in with development or business changes, or overlooked altogether as a speed bump of inefficiency. Stand firm. Change management is often the only thing preventing an accidental network outage or loss of functionality.
Training the security staff and public-facing gatekeepers to watch for suspicious activity is key. This includes USB keys and drives found in lobbies or on the property. You know not to plug in a USB device, but disabling the ability to connect USB devices without an administrator account ensures it. This can easily be accomplished through Group Policy in Windows or other lockdown policies and tools in Linux, Apple, and Android.
Who Do You Trust?
What about real insider threats? Financial hardships can befall anyone, and your IT staff is no exception. Bribes and cash payments for corporate data are a greater risk than ransomware, and threat actors are throwing money at your IT staff. Your customer list or secret schematics could fetch hundreds of thousands for simply uploading a file or sending an email. Data Loss Prevention (DLP) blocks the flow of data out, but most IT staff have the capability and permission to bypass it.
Anyone with direct data access should stay under the microscope. Prevent IT staff from listing their positions on social media or alumni websites. Ensure all staff are trained to cover the jobs and projects of others, allowing direct access to files and communications. Force IT staff to take vacations where their actions and communications can be audited. And probably the hardest but most crucial advice, run annual credit reports on all IT staff to alert on shifting financial situations.
Swimming In a Sea of Thieves
Vendors and contractors bring along their own concerns. Any third party not willing to follow your strict security policy isn't worth having. Strong statement, but whose data are we talking about? Did you hear that Home Depot was breached AGAIN, this time due to faulty security practices by a vendor? Be extra careful when signing up with Software-as-a-Service (SaaS) providers. Are you certain they share your love of security?
How do you combat all the attacks and roadblocks facing IT today? Start with a strong policy, driven by champions in the boardroom. C-levels who misunderstand or underestimate the value of IT and cybersecurity will find themselves facing not just data breaches and ransoms from threat actors, but government fines and direct lawsuits for negligence. Don't believe me? Ask Timothy Brown of SolarWinds, who is being sued personally, or the non-profit New York hospital Montefiore and its $4.75 million fine from the US Department of Health and Human Services (HHS) for HIPAA violations stemming from a 2015 data theft.
The greatest thieves of all could be the ones you unknowingly let in yourself. Learn more protection options in the blog posts "C" Is For Clueless and Privacy for Business Owners.
Check Out Our Podcast!
The Hillbilly Hacker Podcast is the hottest new show on the Internet to learn about today's latest technology in simple words. You can find the Hillbilly Hacker on Spotify, Apple, Amazon, or wherever you find your podcasts.