How to achieve better cybersecurity assurances and improve cyber hygiene – Help Net Security
How can your business reduce the risk of a successful cyber attack and create a defendable network?
It’s best to start with the three don’ts:
Don’t believe that network engineers are immune to misconfiguring devices (including firewalls, switches, and routers) when making network changes to meet operational requirements.
Human error creates some of the most significant security risks. It’s typically not the result of malicious intent – just an oversight. Technicians can inadvertently misconfigure devices and, as a result, they fall out of compliance with network policy, creating vulnerabilities. If not monitored closely, configuration drift can result in significant business risk.
Don’t underestimate the risk that unsegmented networks pose by believing that they improve operational efficiency and reduce network complexity. The risk is far greater than the reward.
Many examples of network breaches could have been far less devastating had sufficient network segmentation been in place. The 2017 Equifax data breach is a prime example, and resulted in Equifax having to pay out up to $425 million in a settlement made with the Federal Trade Commission and Consumer Financial Protection Bureau to help those affected.
Stop believing that software patching and auditing the perimeter annually on only on a handful of devices is adequate to keep your network safe.
Configuration errors can’t be patched away in the way software vulnerabilities can. Misconfiguration vulnerabilities will persist through every software patch upgrade until they are detected and corrected by a network engineer. They need to be continually discovered and mitigated within your daily cyber hygiene processes. It’s an important first step in a zero-trust security strategy.
All of this requires changing your mindset to accept that security risks are now so significant you must invest adequately in managing them before they cause critical business issues.
Where do you start? There are three things will help you achieve better cybersecurity assurances and improve cyber hygiene.
Segment your network – split it into sub-networks. One way is to create separate areas within a network protected by secure firewalls and routers that are configured to reject unauthorized traffic. By preventing lateral movement within the network, you can limit the amount of damage caused by bad actors during an attack.
Network segmentation is a robust security measure often underutilized by network security teams. In the current threat landscape with increasingly sophisticated attacks, the successful prevention of network breaches cannot be guaranteed. However, a network segmentation strategy, when implemented correctly, can mitigate those risks by effectively isolating attacks to minimize harm.
With a well-planned segmented network, it is easier for teams to monitor the network, identify threats quickly and isolate incidents. It also makes it easier to more frequently assess every networking device – firewall, switch, and router – for misconfigurations on critical compared to administrative network segments. This can help to lower the mean time to detect (MTTD) and mean time to remediate (MTTR) critical risks, both key objectives of security teams.
Meet and maintain compliance requirements. Compliance is one way how organizations can manage risks, but it is too often a resource-intensive process that doesn’t bring about a significant improvement in security posture. That’s because, in the past, demonstrating that a sample of devices was compliant was enough – but not anymore. Networks need to be continuously assessed, and regulators are taking note.
Segmenting a network can make managing your compliance requirements easier and using a targeted approach to applying policies. You can choose to segment data by a degree of sensitivity and regulated data can be separated from other systems. For example, PCI-DSS is only applicable to your Cardholder Data Environment (CDE), so effective network segmentation reduces the PCI DSS compliance burden.
If you are in the federal supply chain, you are now subject to CMMC or NIST 800-171 standards. A well-segmented network can help you meet the mandatory compliance reporting requirements to continue to be eligible to work on government contracts.
Adopt a zero-trust mindset. Recognize that you can’t trust your network, applications, or your employees to be secure, and assume that you have been or will be compromised. Adopting zero trust means you invest in people, processes, and best-of-breed security automation to continually validate that those employees, networks, and applications are secure – and that your business operations, customers, staff, and data are safe.
We’re seeing more adoption of this. For example, the Department of Defense published its first zero-trust reference framework last year, highlighting the steps agencies need to take to achieve effective zero-trust architecture. But it might take a sizeable corporate collapse with devasting shareholder and employee losses followed by regulatory penalties at a personal and corporate level to get businesses in other sectors to open their eyes and act with the required speed and scale to effectively secure their networks.
The best way to achieve success across all three strategies is to adopt a continuous approach to assessing and monitoring devices. This means checking everything as part of a constant process, because a device that’s secure today may not be secure tomorrow. Whether it’s from a simple internal mistake resulting in configuration drift, or a malicious attack enabled by lateral movement across your network, you cannot assure yourselves or your regulators that your network remains rock solid if you aren’t repeatedly checking and fixing.
Traditionally, assessing the security status of a network involved personnel conducting penetration testing of devices. Even in the best circumstances, this isn’t efficient: it’s time-consuming, requires a large skilled staff and only a handful of devices can be tested. As a result, the scope and cadence of these assessments is not frequent, resulting in risks going unnoticed for an extended period.
You need to invest in a tool that can deliver accurate, prioritized, actionable network risk information. One that can identify to your teams which vulnerabilities pose critical security risks and how to fix them, wherever they lie on the network. Automating the entire assessment process is just the start.