
If you have undertaken some form of external security assessment, you will almost certainly have had the assessor first review your business processes and then your network processes. It’s my personal opinion that it should be in that order to save you time and effort: understand the business processes, understand the data flows, then map the data flows across the network. In effect, what we are doing is understanding the scope.

Then we would undertake the next step in scoping: understanding which parts of our network are actually in scope for assessment. Here is where the problem occurs.

What I often find is that SMBs grow in size, but their security does not keep up. When I talk to SMBs, one thing they often rely upon is the false belief that IT should fully manage their data security. Wrong, wrong, wrong. IT put together the Lego bricks that support the processing of data. Perhaps IT may do some level of security, based on what they have put into a search engine, on experience of doing something at a previous company, or on lessons learned from a previous breach. In many cases, IT are not trained in data security and therefore dabble. I don’t like dabblers, because that is what can lead to vulnerabilities in your company. How do I know? I was often brought into an organisation because of a security incident, and it was quite obvious they were missing the fundamentals. IT were missing the fundamentals of securing the network, and there were no governing principles for how the network should be designed.

easy access and easy administration...

Without governing principles, one type of network that is quite common is the ‘flat network’. So what do I mean by a ‘flat’ network? In short, this is where devices and systems are connected to the same environment without rules to separate traffic. Where network traffic rules are in place to block everything by default, create different segments (zones), and only allow authorised and specific traffic to reach specific segments and systems, we start to ‘segment’ the network.

Now, a flat network is the concept you get started with in IT. You plug a few devices and workstations together through a single switch and, hey presto, you have a network. It’s great from a cost point of view, and it allows easy access and easy administration. But the problem is that it… allows easy access and easy administration, making it easier for an attacker to move around and cause damage.

Segmenting your network not only makes it harder for an attacker to traverse the network, but from a compliance perspective it can also reduce the scope of security assessments, saving your organisation time and money and getting you to compliance faster.


So what should I do?

When you have an SMB, you are likely to require different segments. Here are some examples:

  • A segment for a website
  • A segment for your applications
  • A segment for your database
  • A segment for your management systems (control system managing user access etc.)

So speak to your IT, segment these areas and make sure you do not have a flat network. But make sure your organisation properly scopes first.

We cover scoping and these principles to help you improve your security and achieve compliance quicker, using The PROTECT Protocol. If you feel you are not sure about your security, why not undertake a security healthcheck and/or apply The PROTECT Protocol?


Hope that helps. Feel free to share if it will help someone. Until the next post...

Be Secure.

Minerva Secure.

Like What You Read? Be a rockstar and just give me 5 more seconds by hitting the Like and Share buttons below.

Want More Tips/Hacks To Improve Security and Compliance Faster? Then take 10 more seconds to click on my profile, connect and follow me: https://www.dhirubhai.net/in/mqhopewell/


#MinervaSecure

#ThePROTECTProtocol

#computersecurity #cybersecurity #informationsecurity #infosec #cybersec #privacy

#itleaders?#itleadership #business #businessowner #management

More articles by Michael Hopewell
