In the first part of this blog series, we discussed what Shiny Object Syndrome is, how it comes to be and what effect it can have on your organization’s information security program. This blog provides more detail about how organizations can combat S.O.S. at the foundational security practice level by focusing on: network segmentation, access control and authentication, and data encryption.
Network segmentation is a basic tenet to building a secure and high performing network. It’s the first step you can take to make it more difficult for an attacker to move around when they get access to a system. Yes, I said WHEN they get access… because it is inevitable that your organization will or already has at least one compromised system. However, you can control how frustrating and/or difficult it is for hackers to move throughout your network.
Unfortunately, while many organizations use segmentation when they initially build their networks, it often goes by the wayside in the name of manageability as those networks grow and merge with others over time. I’ve seen many cases where one network is merged with another as part of an acquisition, and all segmentation gets removed to facilitate the interoperability. In most cases, there were plans to re-segment the combined network, but as often happens, those plans never made it to the top of the to-do list. The result is a flat network where every device has access to every other. As security professionals all know, this makes it much harder to secure important data.
Before you can effectively segment your network, you need to know where all the valuable data you want to protect is. If you haven’t done a recent data inventory, then this is the time to do one. Once you can identify what systems hold your most valuable information, you’ll be able to start your segmentation exercise. The idea behind segmentation is to isolate this data into smaller, easier to protect locations where you can strictly define perimeters and tightly control network level access.
This can be accomplished by creating VLANs for each set of systems and then limiting access to them via access control lists and/or firewall rules. The result is that sensitive network resources are only viewable from allowed segments of your network. The network gear you have already allows you to do this, it’s just a matter of taking the time to create and implement a plan. Once implemented, this will make it much more difficult for an attacker to move laterally through your network and, in many cases, will cause enough frustration that the attacker will move on.
Access Control and Authentication
Network segmentation is a great start, but without an effective access control and authentication strategy that is integrated with your segmentation plan, its benefits are limited.
The first step in developing an access control and authentication strategy is organizing your users into groups with common needs for corporate resources. This typically starts with the creation of roles to which access permissions can be assigned. Once the roles have been defined, a set of access permissions needs to be defined for each role. This typically involves the system owners reviewing the roles and defining what level of access is required for the role to carry out its responsibilities. Access permissions should be limited to the least needed to accomplish the duties of the role.
Another important part of your access control strategy is to have processes for assigning roles and their permissions to users when they join the organization, when current employees switch roles, and when they leave the organization. Most companies do a reasonably good job at the joining and leaving efforts, but many do not have a process for role changes. This missing piece leads to an aggregation of permissions and a weakening of the overall security posture. The most effective role change processes I have seen involve a complete revocation of rights to the old role and assignment of rights to the new role.
Once you have the roles and their associated access permissions defined, you can group users based on the permissions they need. Often this follows the organizational structure of the company as departments typically have the most common access needs. Integrating these user groups into your network segmentation design requires that you create VLANs for the common groups and then define your network access controls (access control lists and firewall rules) to enforce rules based on the groups access requirements.
Taking this step increases the security of your network and makes it more difficult for an attacker to move laterally.
While most access control is process oriented, authentication is the technical enforcement of access control. Systems like Active Directory and LDAP provide logical access to the resources themselves by enforcing user credentials (user name and password). As we have all become painfully aware of, the use of just user names and passwords is not enough to keep attackers out. Many malware and phishing attacks after all target user credentials and have been quite successful.
This is why I strongly recommend implementing multi-factor authentication (MFA) for access to sensitive data. MFA solutions have become much easier to deploy and integrate into your access control systems and applications, and are widely used as a way to access online banking accounts and other sites. MFA also renders the user credential essentially worthless if it is stolen because it alone can’t be used to gain access on its own.
Data encryption is a last line of defense, and should be done regardless of any other security controls you have in place. There are two parts to this: encryption; and the creation, management and protection of the encryption keys.
There are plenty of strong encryption ciphers in existence and they are relatively easy to use. The important task is the creation, management and protection of the keys used to encrypt (and decrypt) the data. If done properly, you can virtually guarantee that any encrypted data that is lost will not be usable.
The best encryption solutions use what is called role-based or logical control over the encryption keys. Only authorized individuals are allowed to use the keys to encrypt and decrypt the data. This is important because you want to only allow access to unencrypted data to specific accounts under specific circumstances. Since most data is not directly accessed from server file systems anymore, consideration should be given to only allow non-interactive service/application accounts to have access to encryption keys. If you have users who need access, then you should create an application interface that allows them to make requests, but does not give them direct access.
Tightly controlling access to your encryption keys is critical to protecting your data. Many encryption solutions utilize HSM’s (hardware security modules), both physical and virtual that have integrated applications that provide the ability to securely create and manage keys, and they provide very strong protection against compromise.
In conclusion, I believe that implementing these three foundational security practices provides the greatest risk reduction to the loss of valuable data and can be done for much less than continuing to suffer from the effects of Shiny Object Syndrome. In the next blog, we will review how you can combat S.O.S. on an organizational level.