Categories
Research>The Hitlist

The Hitlist: What Can I Do to Prepare For An Audit?

Areas that may be covered in an audit:

1. Assign an audit lead internally: yearly internal audit checks and a single point of contact.

2. Plan a portion of your budget for audit remediation.

3. Document policies, procedures, and reports, and keep them in a central location for auditing.

4. Follow standard security practices daily (link to some other Hitlist articles).

5. Understand the legal and compliance ramifications of an audit.

The Hitlist: Perimeter Network Security Part 2

Part 1 of our “Perimeter Network Security” Hitlist covered the virtual considerations involved in securing a network.  Now we will cover what to consider when securing the physical side of the network.

Physical Considerations:

Even though the virtual perimeter is the most obvious and most likely to be attacked, the physical perimeter can provide just as much access to resources inside of your network.

1. Wireless

There was some debate as to whether to include WiFi in the “physical security” section of this post.  The fact remains, however, that someone must physically be on site (or very close to it) in order to hack into your WiFi network, and it provides another gateway directly into your network.  Some things to think of when planning a new WiFi network, or attempting to secure your existing one, are the actual corporate needs for wireless access, the type of encryption/authentication to use, the range, and whether or not to broadcast the SSID.  We recently wrote a separate piece in this series about securing your corporate wireless network, which you can check out for more detailed info.

2. Key Card Access

All entrances and secure locations in the corporate office should be secured by electronic key card access that provides a log of all entries and exits.  When a physical security breach occurs, it is important to be able to trace who was in your building, how they got in, and how long they stayed.  We have seen a number of places that log when people enter the building or a secure location but do not track when they leave.  This leaves unanswered questions and large gaps in time if an investigation is ever needed.

3. Cameras

All entrances and other secure locations should also be protected by video surveillance, using cameras with enough resolution that faces can be recognized.  Cameras not only offer additional proof should a breach occur, but they also act as a deterrent against breaches occurring in the first place.  People are much less likely to attempt any misdeeds if they know they are being watched.

4. Compliance Requirements

Many compliance standards require additional controls.  Organizations that are held to compliance standards must be aware of exactly what they need to do in order to meet those standards.  These compliance requirements have to be considered when securing your network.

5. BYOD

Users nowadays are being granted more freedom within networks, and there is an increasing trend among corporations that allow their users to bring their own devices to work (phones, tablets, laptops).  This, of course, opens up several more attack vectors.  BYOD should really only be considered if and when the organization is able to maintain control over the devices brought into the corporate network through mobile device management or a similar solution.  If users are not willing to install this extra security software and put up with the extra scrutiny that comes with bringing their personal devices onto your network, then they should not be allowed to do so.

6. Penetration Testing

Similar to vulnerability assessments, penetration testing not only provides a measure of your vulnerabilities but actually tests those measurements, both physically and virtually.  This allows an organization to determine whether its controls and processes are actually working.  Without the appropriate testing, how can you really be sure that your security measures will be enough to prevent breaches from happening?

In conclusion, there are many considerations when securing the corporate network perimeter; we just covered a few.  One must think about: what data needs the most protection, where is that data located, how much would it cost if we lost the data, and what solutions can be put in place quickly with minimal impact and reduced cost?  Sometimes it requires someone looking from the outside in to see the forest for the trees.

The Hitlist: Perimeter Network Security Part 1

To “completely” secure an enterprise network is a very complex, and often nearly impossible, task.  There are several different factors that come into play and must be considered and weighed: business requirements, stakeholders, network configuration, compliance requirements, etc.  We have told a number of our clients that, in most situations, if someone really wants to get into a network, they will, and you can’t stop them.  However, you can prepare yourself to better recognize and respond to attacks.  This list offers the basic key points of entry into a network, both virtual and physical, that one should consider.

Virtual Considerations:

The virtual perimeter of an organization often requires the most regular attention.

1. Enterprise Firewall

You should use nothing less than an enterprise class firewall.  There are a number of well-known vendors that you can consider, but any firewalls securing a corporate environment should be enterprise class and not a small business or consumer class; you should not skimp on spending when it comes to your primary perimeter security device.  Enterprise class devices cost what they do for a reason, and are built to protect more robust networks.  They offer the performance needed, as well as the feature sets, and the configurability that an enterprise will need to secure their network.  The firewall acts as the front gate to your network.

2. IDS/IPS

An intrusion detection/prevention system (IDS/IPS) is a very important piece of network security, both internally and externally.  An intrusion detection system lets you know that something is happening but can’t do anything about it.  An intrusion prevention system can automatically take prevention measures when a threat signature is detected.  These devices should be deployed behind the external firewall, in-line with network traffic, in a DMZ.  If the firewall is the front gate, an IDS/IPS acts as the security guards at the gate who can detect and prevent malicious visitors from intruding on your network.

3. Close Unnecessary Ports

We assess many networks with many unused and unnecessary ports left open.  A review of all externally opened ports and services should be conducted, and only those necessary for business should be allowed to remain open.  So, if you have your gate and guards at the gate but leave unnecessary ports open on your external network, that is like having a side entrance on your guarded gate that you just leave unlocked.

4. Use Secure Protocols

Unsecured protocols such as FTP and HTTP should not be used unless there is no alternative.  All published web applications, with the exception of content-only websites, should be secured using HTTPS.  In general I would recommend hosting the company website outside of the corporate network, as hosting it inside often introduces unnecessary vulnerabilities.  Also, file transfers should only be made using secure methods such as SSH, FTPS or SFTP.  Insecure protocols can be thought of as weak locks on your door: even though there is a lock there, it will not take much to bypass it.
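As an added example (not code from the original post), here is a Python check that reviews a constructed export of externally exposed services against a business-approved list: it flags exposures not on the list (item 3) and approved services that still use cleartext protocols (item 4). The line format, the sample addresses and the approved list are assumptions made for the example.

```python
from dataclasses import dataclass

# Cleartext protocols the post says to avoid unless there is no alternative.
INSECURE_SERVICES = {"ftp": "use SFTP or FTPS", "http": "use HTTPS",
                     "telnet": "use SSH"}

@dataclass(frozen=True)
class Exposure:
    host: str
    port: int
    proto: str
    service: str

def parse_review(text):
    """Parse constructed lines of the form 'ip:port/proto service'."""
    exposures = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        endpoint, service = line.split()
        host, portproto = endpoint.rsplit(":", 1)
        port, proto = portproto.split("/")
        exposures.append(Exposure(host, int(port), proto, service.lower()))
    return exposures

def review(exposures, approved):
    """Return (exposure, reason) pairs that need action, in input order."""
    findings = []
    for e in exposures:
        if (e.host, e.port, e.proto) not in approved:
            findings.append((e, "not on the approved list: close or justify"))
        elif e.service in INSECURE_SERVICES:
            findings.append((e, f"cleartext {e.service}: {INSECURE_SERVICES[e.service]}"))
    return findings

# Constructed sample: an external review and the list the business signed off on.
SAMPLE_REVIEW = """\
203.0.113.10:443/tcp https
203.0.113.10:80/tcp http
203.0.113.10:21/tcp ftp
203.0.113.11:22/tcp ssh
203.0.113.11:3389/tcp ms-wbt-server
"""
APPROVED = {("203.0.113.10", 443, "tcp"), ("203.0.113.10", 80, "tcp"),
            ("203.0.113.11", 22, "tcp")}

if __name__ == "__main__":
    for e, why in review(parse_review(SAMPLE_REVIEW), APPROVED):
        print(f"{e.host}:{e.port}/{e.proto} ({e.service}): {why}")
```

Port 80 is on the approved list but is still reported, because approval does not make a cleartext service secure; the business owner then decides between HTTPS and a documented exception.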

5. Vulnerability Scanning

This is necessary to measure your efforts at protecting your network.  If you do not test your network for vulnerabilities, how will you know whether they exist?  Vulnerability assessments provide a way to scan all externally facing IPs and web applications in your network and measure the effectiveness of the defenses you have in place.

6. Logging

As we previously mentioned, if someone really wants to get into your network and has the resources and motivation, they probably will.  Without logging, you may never know that it happened.  Centralized logging with an enterprise class SIEM solution correlates events across logs from different sources.  This allows you to quickly and effectively review logs and determine if and when an attack has occurred.
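An added example of the kind of correlation a SIEM provides, not code from the original post: a small Python rule that ties together constructed syslog-style firewall and VPN events by source address and alerts when repeated authentication failures are followed by a successful login. The log format, field names, addresses and thresholds are assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed format; a real SIEM normalizes each vendor's format to fields like these.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<source>vpn|fw) (?P<event>AUTH_FAIL|AUTH_OK|DENY) "
    r"src=(?P<ip>[\d.]+)(?: user=(?P<user>\S+))?$")

def parse(lines):
    """Parse matching lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events

def failures_then_success(events, threshold=3, window=timedelta(minutes=10)):
    """Alert when an IP logs >= threshold AUTH_FAILs within `window` before an AUTH_OK."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        fails = []
        for e in evs:
            if e["event"] == "AUTH_FAIL":
                fails.append(e["ts"])
            elif e["event"] == "AUTH_OK":
                recent = [t for t in fails if e["ts"] - t <= window]
                if len(recent) >= threshold:
                    alerts.append({"ip": ip, "user": e["user"],
                                   "failures": len(recent), "at": e["ts"]})
                fails = []
    return alerts

# Constructed sample: one source fails repeatedly and then gets in; another mistypes once.
SAMPLE_LOGS = """\
2024-03-01T08:00:01 fw DENY src=198.51.100.7
2024-03-01T08:01:10 vpn AUTH_FAIL src=198.51.100.7 user=jsmith
2024-03-01T08:01:12 vpn AUTH_FAIL src=198.51.100.7 user=jsmith
2024-03-01T08:01:15 vpn AUTH_FAIL src=198.51.100.7 user=jsmith
2024-03-01T08:02:40 vpn AUTH_OK src=198.51.100.7 user=jsmith
2024-03-01T08:03:00 vpn AUTH_FAIL src=192.0.2.5 user=akim
2024-03-01T08:03:20 vpn AUTH_OK src=192.0.2.5 user=akim
"""
if __name__ == "__main__":
    for a in failures_then_success(parse(SAMPLE_LOGS.splitlines())):
        print(f"{a['at']} {a['ip']}: {a['failures']} failures then login as {a['user']}")
```

Seen on the VPN concentrator alone, the final login for jsmith looks normal; only the earlier failures (and the firewall deny from the same address) make it worth an analyst's attention.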

7. Social Engineering

This is often an avenue that people forget to consider when securing their network.  Even if you think you have done everything possible to button up your network by purchasing and implementing thousands of dollars of network security hardware/software, your users can still be the weakest point of failure.  Social engineering comes in many forms, including phishing emails, malware, phone calls, and more.  The types that we most commonly see are phishing and phone calls.  End users should be trained to spot phishing emails and recognize suspicious phone calls in order to reduce the amount of information that is freely given out to potential attackers.

8. Remote Access

Remote access is one of the easiest ways to breach a network if it is not properly secured.  Some home users do not have a firewall, and many don’t even have antivirus; if they are using their home computer to connect to your corporate network, their home devices can easily be compromised and provide direct access into your network.  Consider only allowing firm-owned or secured devices to connect to the corporate network remotely, and only with an enterprise class VPN solution.  An alternative is a virtual desktop solution for remote access; this avoids opening any services to the outside except HTTPS.

The virtual perimeter of a network is constantly changing on a number of fronts, often not in terms of attack surface but in terms of attacker tactics.  In Part 2 we cover the physical considerations for securing the perimeter of a corporate network.

The Hitlist: Information Classification

The Hitlist: HIPAA Compliance

The Hitlist: Corporate WiFi

Many organizations are faced with the decision to implement or to forgo corporate WiFi.  There are a number of considerations to think about when contemplating this, and many are business and security related rather than merely technical in nature.  Here are some things to consider:

1. Is it necessary?

The first question to ask yourself is whether or not WiFi is necessary, and you must also realize that there are different levels of what is “actually” necessary.  If the CEO says that it is necessary to implement WiFi, you must consider the business reason for why it is needed.  Would it be used for guest access, internal access, only in conference rooms, or so that tablets can easily access documents?  If it is the latter, then there are other far-reaching things to consider regarding compliance (see our first post in this series).  Think long and hard about whether WiFi is really necessary, and whether the infrastructure, policies and procedures, and executive buy-in are in place to support a well secured corporate WiFi infrastructure.

2. Hardware

At this point we assume that WiFi is, indeed, necessary.  Now, when deciding what hardware to use, you should use nothing less than enterprise class hardware, end of story.  A home network class access point, such as a Linksys or D-Link, should not be relied upon to protect your corporate network.  If you can’t do it right, don’t do it at all.

3. Strong Encryption/Authentication

The encryption should be nothing less than WPA2-Enterprise with 802.1x (LDAP/RADIUS authentication).  Another option is certificate based authentication, so that only devices with corporately issued certificates can connect.  If guest access is available, it should have nothing less than WPA2 and one time passwords issued at a splash screen.  These passwords should be issued directly by corporate resources, not in the form of handouts or fliers posted around the office where they are available to your next-door tenants.

4. Guest WiFi

If guest WiFi is required, it should not be public; as stated above, it should be protected by WPA2 and require one time passwords for access.  Under no circumstances should guest WiFi provide any access to internal network resources.  Ideally there would be physical separation from internal resources, but strong logical separation can work as well.

5. Range

Configure the power output of the access point antennas so that the signal does not extend far outside of your physical location.  There is no reason to broadcast any further than is necessary to provide useful coverage, and you should definitely not be broadcasting your WiFi to anyone outside of your corporation.

6. SSID (Network Name) broadcast

There are differing opinions on this, even among my colleagues, so I will cover both lines of thought.  If the SSID is not broadcast, it helps keep random, non-technical people from attempting to connect to the network, but a well trained individual can easily get around this.  Furthermore, when an SSID is not broadcast, the devices connecting to it are set to connect automatically so that they do not have to be configured every time, and this opens those devices up to a rather simple man in the middle attack.  So not broadcasting an SSID offers some obfuscation, but it does not offer any real additional security benefit for the organization.  On the other side, if the SSID is broadcast, it is there for the world to see, and broadcasting does not mean the devices won’t automatically connect (though this can be managed through policy).  This is a discussion that should be thoroughly investigated for a particular company.  My opinion is that the SSID should be broadcast, because there should be other security measures already in place.

7. BYOD

Personal devices should not be allowed to connect to the internal network.  The only exception that I would consider is devices managed through a mobile device management (MDM) system.  Even then, I am hesitant to recommend this because of the lack of malware protection and monitoring on personal devices.

8. Corporate Policy

On the flip side of the previous item, corporate devices should not be allowed to connect to the guest WiFi at all, and especially not while connected to the physical internal network.  This is the equivalent of leaving a window open.

In conclusion, WiFi adds additional attack vectors to a network, it requires management beyond that of the existing physical LAN, and there are a number of factors that are difficult to manage regarding access, authentication and enforcement.  If the business does not require it and it is only a nice-to-have for convenience, I would think long and hard about whether the benefits outweigh the detriments to network security.

The Hitlist: Logging

The Hitlist: Forensics

The Hitlist: Incident Response

The Hitlist: Encryption