How do I secure my network?

Practical advice for improving your Security Posture

Making Your Network an Unattractive Target

To say the IT security industry is booming at the moment would be a significant understatement. IT security companies, Managed Security Service Providers (MSSPs), and the options for security-centric SaaS tools are all exploding. How do decision makers evaluate the options and maintain a secure network?

When thinking about IT security, physical security analogies are helpful. When it comes to your personal security, the first objective is to make yourself an unattractive target. We avoid bad neighborhoods at night, maintain awareness of our surroundings at all times, walk with a partner, don’t stare at our phones in unsafe locations, and let suspicious individuals know we see them before they get too close. All of these steps make an attacker think twice before targeting you.

Sophisticated cybercriminals, like assailants, choose their victims wisely. They are looking for easy prey. They want a high probability of success and to escape unscathed. If you can make those outcomes appear to be unlikely, an attacker will move on to the next target.

Establishing Your Risk Profile

The first question to ask about your business is, are we an attractive target? To answer this question, you must look at your business like a criminal. Returning to our personal security analogy, is your business more like an elderly, well-dressed, money-to-burn rich person walking around flashing expensive bling? Or is it more like a scrappy teenager in a t-shirt and jeans? Even if the teenager is in a bad part of town, he is not a high-risk target because he might know how to fight back and he doesn’t have anything valuable to steal.

Here are some questions to ask to determine your risk profile:

  1. Do you move large amounts of money around by electronic means? Law firms, banks, and financial services firms are all high-profile targets because they are regularly wiring large amounts of money around.
  2. Are you doing international wire transfers or transferring cryptocurrency? These types of transfers are even more attractive to cybercriminals because they are impossible to retrieve once sent.
  3. How large is your organization? Larger organizations generally have more money to work with. All other things being equal, large organizations are more attractive targets for bad guys.
  4. Are you in an industry that is known to be an easy target? For example, there have been a number of news articles recently about municipal and county governments being easy targets due to poor IT security implementations combined with large insurance policies.

If your company has a high risk profile, you will need to take a stronger defensive posture.

However, just because you are low-profile does not mean you are immune to attack. Criminals may not spend hours targeting your organization, but if your security posture is poor enough, you could fall victim to a spray-and-pray attack. As we’ve seen from numerous small business ransomware attacks, all businesses are at risk from low-sophistication attacks.

Establishing a Security Posture

With your risk profile established, it’s time to establish your security posture. The posture includes the set of tools and processes that provide protection against cyber threats. Your Security Posture should be informed by your Risk Profile.

Tools

A Low Risk Profile business should have the following set of tools:

  1. Definition-based Anti-Virus. Although often defeated by more sophisticated attacks, definition-based anti-virus is still an important component of a security baseline. These are low cost solutions that are easy to deploy, and far better than nothing at all.
  2. Layer-7 Firewall with Content Filtering. Layer-7 Firewalls (also known as Application Layer Firewalls) with content filtering capability are very sophisticated and affordable. Unlike Layer-3 firewalls (typical of home network firewalls), which only block traffic based on TCP/IP addresses and ports, Layer-7 firewalls inspect application traffic, making them much more capable of detecting and blocking malicious traffic on the network.
  3. Cloud-based Anti-Spam Software. Since the majority of phishing attempts originate via email, a robust anti-spam solution is required. Anti-spam solutions are not all created equal and vendors vary widely in the efficacy of their solutions. We recommend an industry leader such as Mimecast.
  4. Local anti-crypto policy tool such as CryptoPrevent. This blocks ransomware from executing by applying a set of computer hardening policies.
  5. User training. Basic user training is sufficient for low-risk users. The users should be trained on the company’s IT Acceptable Use Policy, as well as the basics of proper email use and common scamming/phishing techniques. Training needs to be conducted regularly as users tend to forget best practices over time.
  6. Robust backup system. With the high prevalence of ransomware, and the destruction it can cause, your backup system is arguably the most important component of your security posture. It is critical to ensure your backup system is properly secured and segmented so the backups don’t get encrypted during a ransomware attack.

These are the elements of a basic security posture. If your organization’s risk profile is higher than low, read on for more advanced tools.

Businesses with a medium-risk profile should add the following tools to the list above:

  1. Behavior-based (Next-Gen) Anti-Virus. These antivirus products are based on newer technology that utilizes machine learning algorithms to detect viruses based on their behavior. They do not rely on signatures, so they are able to catch viruses even if they have never seen them before.
  2. DNS and network level filtering from a product such as Cisco Umbrella. Although somewhat redundant in function with a Layer-7 firewall, Umbrella provides an extra layer of protection, as well as protection for mobile and remote workers, something a firewall cannot do efficiently.
  3. Managed SIEM. A SIEM is a Security Information and Event Management platform. SIEMs gather log data from the various systems on the network, looking for data that would indicate malicious activity. SIEMs need to be tuned and monitored for each environment, which is why they need to be managed. Management can be performed by an in-house resource, an MSSP, or an MSP with capable security personnel.
  4. Advanced User Training with Testing. In-depth user training surrounding general IT security and email usage policies is essential. Additionally, users should be tested on an ongoing basis to ensure they are in constant compliance.
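To make the SIEM item above concrete, here is an added example (not from the original article or any vendor product) of the kind of correlation rule a SIEM runs over collected logs: it parses constructed SSH authentication lines, flags a source that fails logins repeatedly inside a time window, and notes whether a success followed. The `threshold` and `window_minutes` parameters are the knobs that have to be tuned per environment, which is why a SIEM needs ongoing management rather than a one-time install.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-style sshd events), not real data.
SAMPLE_LOGS = """\
2024-05-01T08:00:01 sshd[101]: Failed password for admin from 203.0.113.10 port 50001
2024-05-01T08:00:03 sshd[102]: Failed password for root from 203.0.113.10 port 50002
2024-05-01T08:00:05 sshd[103]: Failed password for admin from 203.0.113.10 port 50003
2024-05-01T08:00:07 sshd[104]: Failed password for backup from 203.0.113.10 port 50004
2024-05-01T08:00:09 sshd[105]: Failed password for admin from 203.0.113.10 port 50005
2024-05-01T08:00:11 sshd[106]: Accepted password for admin from 203.0.113.10 port 50006
2024-05-01T08:15:00 sshd[107]: Failed password for alice from 198.51.100.7 port 41000
2024-05-01T09:30:00 sshd[108]: Failed password for alice from 198.51.100.7 port 41001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$"
)

def parse(lines):
    """Turn raw log text into (timestamp, result, user, source_ip) tuples; unparsable lines are skipped."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events

def find_brute_force(events, threshold=5, window_minutes=5):
    """Return {source_ip: (failure_count, success_followed)} for sources that reach
    `threshold` failed logins within `window_minutes`. Lower thresholds or wider
    windows catch slower attacks but generate more noise, hence per-environment tuning."""
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for ts, result, _user, src in sorted(events):
        by_src[src].append((ts, result))
    alerts = {}
    for src, evs in by_src.items():
        fails = [ts for ts, r in evs if r == "Failed"]
        # Sliding window: from each failure, count the failures that fall inside the window.
        for i, start in enumerate(fails):
            run = [t for t in fails[i:] if t - start <= window]
            if len(run) >= threshold:
                # A success after the burst is the high-priority case: the guessing may have worked.
                success_after = any(r == "Accepted" and ts > run[-1] for ts, r in evs)
                alerts[src] = (len(run), success_after)
                break
    return alerts
```

With the defaults only 203.0.113.10 is flagged (five failures in eight seconds, then a success); loosening the rule to two failures in two hours also flags 198.51.100.7, whose two failures 75 minutes apart are probably just a user mistyping a password.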

High-risk organizations should add the following:

  1. Chief Information Security Officer (CISO) and supporting staff. The CISO is responsible for maintaining an appropriate security posture, leading the business IT security initiatives, and responding to the evolving threat landscape.
  2. Security Operations Center (SOC). The SOC can be built in-house or outsourced. The SOC is responsible for 24x7 detection and remediation of security incidents. The SOC should report to the CISO.

Processes

The processes required for a healthy security posture are similar for all risk profiles. However, organizations with higher risk profiles will require more complex and detailed procedures than organizations with lower risk profiles. All organizations should develop the following documents and processes:

  1. Acceptable Use Policy. This is a policy that describes how employees are to use the information systems within the organization. Limiting IT systems to business-use-only and employee-use-only are great first steps in preventing a breach.
  2. Incident Response Plan. This plan details the steps to take in the event of a security breach or data loss. While it’s impossible to anticipate the specific details of an incident, it’s important to plan for every contingency and formulate all necessary procedures to minimize and mitigate damage. Developing the incident response plan will help identify gaps in the current IT infrastructure environment. The plan should be stored in hard copy or elsewhere outside the IT system in case it’s inaccessible during an incident.
  3. Backup and Disaster Recovery Plan. This document describes how systems and data are backed up and what steps will be taken to recover from data loss, attack, or disaster. Defining responses to common data loss scenarios is a sure way to ensure bad decisions are not made during a stressful situation. Like the Incident Response Plan, the Backup & DR plan should be kept in hard copy or elsewhere outside the company IT system.
  4. Updated Vendor Agreement Documents. Ensuring all your IT vendor agreement documents are up to date, with well-defined responsibilities for each party, is essential. The last thing you want to hear from your backup vendor when you’ve suffered data loss is that they are not responsible for helping you when you thought they were.

Being proactive in defining your security posture will protect you from the bad guys and protect you from your own bad decisions if you should find yourself under attack. Do the hard work up-front and you’ll be a hero when disaster strikes.

Staying Vigilant

It’s important to review an organization’s Risk Profile and Security Posture at least annually. A change in size or business strategy may increase or decrease the risk profile. Security threats are evolving constantly as the bad guys are always looking for new ways to separate businesses and individuals from their hard earned cash. Put in the time, do the work, and stay vigilant to make sure your organization does not become a victim of cybercrime.


Jordan Martin

Taking the headache out of toll and citation management, one fleet at a time

5 years

Another great article with some valuable insights for any business.

More articles by Jeremy Wanamaker