Categories
Research>The Hitlist

The Hitlist: Perimeter Network Security Part 2

Part 1 of our “Perimeter Network Security” Hitlist covered the virtual considerations one must consider when securing their network.  Now, we will cover the things one should consider when securing the physical side of their network.

Physical Considerations:

Even though the virtual perimeter is the most obvious and most likely to be attacked, the physical perimeter can provide just as much access to resources inside of your network.

1. Wireless

There was some debate as to whether to include WiFi in the “physical security” section of this post, however, the fact remains that someone must physically be on site (or very close to it) in order to hack into your WiFi network, and it provides another gateway directly into your network.  Some things to think of when planning a new WiFi network, or attempting to secure your existing network are the actual corporate needs for wireless access, the type of encryption/authentication to use, the range, and whether or not to broadcast the SSID.  We recently wrote a separate piece in this series about securing your corporate wireless network which you can check out for more detailed info.

2. Key Card Access

All entrances and secure locations in the corporate office should be secured by electronic key card access that provides a log of all entries and exits.  When a physical security breach occurs, it is important to be able to trace who was in your building, how they got in, and for how long they stayed.  We have seen a number of places that will log when people enter the building or secure location, however they do not track when they leave, this can leave unanswered questions, and large gaps in time if an investigation is ever needed.

3. Cameras

All entrances and other secure locations should also be protected by video surveillance, using cameras with a great enough resolution so that faces can be recognized.  Cameras not only offer additional proof, should a breach occur, but they can also act as a deterrent against breaches from occurring in the first place.  People are much less likely to attempt to do any misdeeds if they know they are being watched.

4. Compliance Requirements

Many compliance standards may require additional controls.  Organizations which are held to compliance requirement standards must be aware of exactly what they need to do in order meet those standards.  These compliance requirements have to be considered when securing your network.

5. BYOD

Users nowadays are being granted more freedom within networks, and there is an increasing trend among corporations which allow their users to bring their own devices to work (phones, tablets, laptops).   This, of course, lends itself to several more attack vectors.  BYOD should really only be considered if and when the organization is able to maintain control over the devices that are brought into the corporate network through mobile device management, or other similar solutions.  If users are not willing to install this extra security software and put up with the extra scrutiny they will receive by bringing their personal devices onto your network, then they should not be allowed to do so.

6. Penetration Testing

Similar to vulnerability assessments, penetration testing not only provide a measure of your vulnerabilities, but actually tests those measurements, both physically and virtually.  This allows an organization to determine if their controls and processes are actually working.  Without the appropriate testing, how can you really be sure if your security measures will be enough to prevent breeches from happening?

In conclusion, there are many considerations when securing the perimeter corporate network; we just covered a few.  One must think about:  what data needs the most protection, where is that data located, how much would it cost if we lost the data, what solutions can be put in place quickly with minimal impact and reduced cost?  Sometimes it requires someone looking from the outside in to see the forest for the trees.