[BreachExchange] 5 Tips to Harden Network Security in a Connected Enterprise
Destry Winant
destry at riskbasedsecurity.com
Wed Nov 14 03:00:06 EST 2018
https://www.networkcomputing.com/network-security/5-tips-harden-network-security-connected-enterprise/1449502715

As security efforts evolve from the fixed edge to the elastic edge,
organizations need to combine traditional and new best practices to
keep their networks safe from today’s evolving cyber threats.

Financial damages from consumer data breaches are being brought to
light on a grand scale. Facebook may face a $1.6 billion fine in
Europe for compromising 30 million user accounts, while Uber is
expected to pay $148 million for its 2016 data breach. Harsh fines
prove that even the largest global enterprises are vulnerable and are
now held more accountable by governments for their security practices.

Government fines aside, experts predict cybercrime damages will reach
$6 trillion by 2021. Cybercriminals are making their way into what
many believe are secure networks with increasingly complex and
sophisticated cyber attacks, and securing those networks is becoming
more challenging as Wide Area Networks expand to connect more people,
IoT devices, and places.

IoT rising

IDC predicts that by 2020, 75 percent of all people will work entirely
or partly in a mobile environment. Mobile enterprises will create a
new range of security risks and challenges. An estimated 23 billion
IoT devices are being installed worldwide, which cybercriminals can
use to introduce malware or initiate denial of service attacks.
Gartner predicts that by 2020, more than 25 percent of cyber-attacks
will involve IoT.

Security models will no longer be able to secure fixed places only.
This new WAN landscape demands elasticity. Unlike the fixed edge that
relies on physical security and static security infrastructure,
elastic edge networks encompass endpoints of people, mobile and
connected devices, and even vehicles that are in the field, deployed
within third-party environments, and on the move. It’s important to
keep in mind that networks can often be penetrated from within by
employees using unsecured personal devices and shadow IT deployments,
such as unsanctioned file-sharing clouds.

Hardening network security

As our security efforts evolve from the fixed edge to the elastic
edge, we can keep our networks safe with a combination of traditional
and new best practices:

1) Educate employees – It never hurts to partner with HR to conduct
training on network security as an ongoing development requirement.
Administrators should hold regular discussions with employees whenever
a major breach occurs, explaining the latest ways cybercriminals are
gaining access to networks and the damage they’re causing. As part of
the education process, IT can create simulated events so employees can
see firsthand how phishing attacks occur and recruit their help to
identify potential vulnerabilities.

2) Adopt a Zero Trust culture: authenticate first, connect second,
segment everything – Traditionally, devices have first connected to a
network before being authenticated. Now, with a huge volume of
potentially vulnerable IoT devices, organizations should improve
network security by authenticating devices before they connect to the
network. Adding a software-defined perimeter will hide connections
from the publicly visible Internet, significantly reducing the
available attack surface. Each new device and user is then
authenticated before being given access to the application layer. This
approach is effective against most network attacks, including DDoS,
man-in-the-middle, east-west traversal, and advanced persistent
threats.

3) Blend on-premises and cloud-based security measures – Combining
onsite with cloud-based solutions provides administrators the ability
to be virtually anywhere and everywhere, which is extremely difficult
if you’re managing support for hundreds of remote locations and
thousands of kiosks. Cloud-based solutions facilitate large-scale
configuration changes, manage remote routers, and quickly roll out
firmware updates. They can also provide software-defined perimeters to
create a separate network overlay that places IoT devices on different
networks to prevent hackers from using them to access the primary
network.

4) Use out-of-band remote access controls – When administrators need
entry points to make changes to something like a remote IP camera,
hackers can take advantage of an open firewall port to set up
long-term, gradual incursions that are small enough and infrequent
enough to avoid detection. Use out-of-band methods where possible for
remote access rather than opening up your firewalls to inbound network
attacks.

5) Automate configuration management and firmware updates – Automation
can mitigate the risk of leaving platforms prone to configuration
mistakes or open to known vulnerabilities.

As we move into the era of the connected enterprise and the need for
more agile and pervasive networks, we need to recommit to tried and
true security practices while adopting new approaches that leverage
wireless, software-defined, and cloud technologies.