Categories
Research>The Hitlist

The Hitlist: Remote Access

Remote access is often one of the weakest points we find in a customer’s network. Corporations allow home users, with no real security on their home networks, to connect remotely to the corporate network, access content, and even download it. This alone is a breach of security, and it could even facilitate a data breach. We have all known users who email themselves company files, but what if those files contained Personally Identifiable Information (PII) or Personal Health Information (PHI)? We have seen it happen. What if someone is writing a report and decides to bring it home to finish it? What if that report contains intellectual property? To avoid these potential disasters, it is important to have proper controls in place. You should have a secure method for accessing corporate data remotely, and there should be policies and procedures in place to ensure that users are required to use it. We have outlined some topics to consider below:

SSL VPN/Remote Desktop Solution (not to be confused with Remote Desktop (RDP) for Windows)

Step one, you must have a secure solution in place to access corporate data remotely.  Ideally, all users with remote access privilege should be using an encrypted VPN connection, period.  If possible, some sort of remote desktop solution should be employed that provides an interface for accessing internal network resources.

Corporate Devices

If you don’t use a remote desktop solution, then you should mandate that only corporate devices are allowed to access the internal network. When employees use personally owned devices for work, they tend to use them however they want, which creates an unneeded vulnerability for your company. Corporate-owned devices help close this gap in security. They give your IT department increased accountability without taking away the employees’ productivity.

Policies

Step two, you must have policies in place to enforce the usage of your secure remote access solution.  Tell users what they can and can’t do, and set expectations so that if they do not follow company policy there could be repercussions.

Administrative Access

Admins should not use privileged accounts for remote access.  It is best practice for admins to have two domain accounts, one with privileged access, and a standard user account that does not have any elevated privileges.  The account with administrative access should only be used when administrative duties are required, and should never be used for remote access into your corporate network.

Network Traffic Control

In addition, you need to have tools in place to control the traffic on your network. The resources on your network are not only used at your organization’s physical location; when you add remote access capabilities, you also increase the amount of traffic that moves around the network. Look at it like a highway: a highway is built to let a steady flow of cars move from location to location with ease. At any point there could be a heavy flow of cars that causes the highway to become congested, and the backup spreads if cars cannot leave as fast as they are arriving. The same is true of your organization’s network. If you do not have the correct tools, policies, and procedures in place to control your network traffic, it can greatly degrade the speed of your network, which in turn can hurt business continuity and productivity.

Application Control

Another essential tool when utilizing remote access is application control. Your network is a combination of different ways to communicate, including email, instant messaging, and point-to-point applications. As more applications are introduced to your network, the risk from malicious software also increases. This is why it is very important to have a solid application control policy and to ensure that it is implemented throughout your organization.

The Hitlist: BYOD

“Bring Your Own Device” or BYOD is becoming an ever-increasing topic among CIOs and other executives. We are not here to argue the merits of BYOD, but we do want to mention a few key topics to think about if you consider implementing it.

1. Policy

The first thing an organization should have before implementing BYOD is a set of policies that govern it. They should cover topics such as: what is acceptable use, what types of devices can be used, what a user should do if their device is lost or stolen, whether MDM is required, etc.

2. Corporate MDM (Mobile Device Management)

If personal devices will be on your corporate network, you must know where they are and have some degree of control over them. Most MDM solutions will enable you to require specific security features, lock or wipe lost/stolen devices, and require or prevent specific types of software from being installed. Enterprise-level MDM is a must.

3. Screen Lock Password

All mobile devices should be required to have a screen lock with a minimum of 5 alphanumeric characters in the passcode.  Anything less than 5 characters can quickly and easily be hacked.  This feature can be enforced through most MDM solutions.

4. Device Encryption

Again, this is another control which can be enforced through an MDM solution, and it is a must-have. All mobile devices should be encrypted, without exception, ideally using a corporate encryption management system. This is a straightforward way to reduce the impact of a lost or stolen device.

5. Jailbroken/Rooted Devices

No jailbroken or rooted devices should be allowed on your network, bottom line. Even though these hacked devices can have many enticing features, they also bypass many of the built-in security features of the device. This is another control which can be enforced through most mobile device management solutions.

6. Regular Updates

For mobile devices, you are at the mercy of the carriers for the latest updates, unfortunately.  For laptops and desktops, however, you have much more control.  As a matter of policy and enforcement, all devices should be running the latest updates available.

7. Separate Business and Personal Data

Ideally, you should put all corporate data into a separate container on mobile devices (also known as containerization).  Many times this is not practical from a user experience perspective.  Many containerization applications do not have all of the features that users want or need.  Without containerization, it is much more difficult to track corporate data.  How this is accomplished is something that should be addressed.

8. Know Where Your Data Resides

If you don’t know where your data is, how can you protect it? Make sure data you thought was secure doesn’t walk out of your walls on a mobile device.

9. Data Loss Prevention

DLP allows an organization to track its data and to prevent it from leaving its walls. This first requires knowing where your data is, who can access it, and how it can be accessed, and having control over the devices on your network.

BYOD is not something that should start overnight. It should be well thought out, with the risks weighed against the benefits. Compliance, remote access, network security, wireless configuration, and many other facets of the enterprise should be considered before allowing users to bring their own devices.

The Hitlist: What Can I Do to Prepare For An Audit?

Areas that may be covered in an audit:

Assign an audit lead internally: yearly internal audit checks, point of contact.

Plan a portion of your budget for audit remediation.

Make sure to document policies, procedures, and reports, and keep them in a central location for auditing.

Follow standard security practices daily (link to some other hit list articles).

Understand the legal and compliance ramifications of an audit.

The Hitlist: Perimeter Network Security Part 2

Part 1 of our “Perimeter Network Security” Hitlist covered the virtual considerations one must weigh when securing a network. Now we will cover the things one should consider when securing the physical side of the network.

Physical Considerations:

Even though the virtual perimeter is the most obvious and most likely to be attacked, the physical perimeter can provide just as much access to resources inside of your network.

1. Wireless

There was some debate as to whether to include WiFi in the “physical security” section of this post; however, the fact remains that someone must physically be on site (or very close to it) in order to hack into your WiFi network, and it provides another gateway directly into your network. Some things to think about when planning a new WiFi network, or attempting to secure your existing network, are the actual corporate needs for wireless access, the type of encryption/authentication to use, the range, and whether or not to broadcast the SSID. We recently wrote a separate piece in this series about securing your corporate wireless network which you can check out for more detailed info.

2. Key Card Access

All entrances and secure locations in the corporate office should be secured by electronic key card access that provides a log of all entries and exits. When a physical security breach occurs, it is important to be able to trace who was in your building, how they got in, and how long they stayed. We have seen a number of places that log when people enter the building or a secure location but do not track when they leave. This leaves unanswered questions, and large gaps in time, if an investigation is ever needed.
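To make the point above concrete, here is an added example (not code from the original post) of what an investigator actually wants from a key-card log: every IN paired with its OUT, the dwell time for each visit, and a finding for every event that cannot be paired. The export format (timestamp, badge id, door, IN/OUT) and the badge ids are constructed for illustration; real access-control systems use their own export schemas.

```python
"""Reconstruct who was inside from key-card logs and flag unpaired events.

Added example, not code from the original post. The export format
(timestamp, badge id, door, IN/OUT) and the badge ids are constructed;
real access-control systems use their own export schemas.
"""
from collections import namedtuple
from datetime import datetime

# Constructed sample export for one day.
SAMPLE_LOG = """\
2024-03-04T07:58:12 B1001 front-door IN
2024-03-04T08:03:40 B1002 front-door IN
2024-03-04T08:05:01 B1002 server-room IN
2024-03-04T08:41:55 B1002 server-room OUT
2024-03-04T12:10:09 B1001 front-door OUT
2024-03-04T12:52:30 B1001 front-door IN
2024-03-04T17:30:00 B1001 front-door OUT
2024-03-04T22:15:45 B1003 server-room IN
"""

Session = namedtuple("Session", "badge door entered left")


def parse_log(text):
    """Parse the export into (timestamp, badge, door, direction) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, direction = line.split()
        events.append((datetime.fromisoformat(ts), badge, door, direction))
    events.sort(key=lambda e: e[0])
    return events


def audit(events):
    """Pair each IN with the next OUT for the same badge and door.

    Returns (sessions, findings): completed visits, and one finding for every
    event that could not be paired. A system that logs entries but not exits
    produces a finding for every single visit, which is the gap the post warns about.
    """
    open_entries = {}  # (badge, door) -> entry timestamp
    sessions, findings = [], []
    for ts, badge, door, direction in events:
        key = (badge, door)
        if direction == "IN":
            if key in open_entries:
                findings.append(f"{badge} badged IN at {door} twice "
                                f"({open_entries[key]} and {ts}) with no OUT between")
            open_entries[key] = ts
        elif direction == "OUT":
            entered = open_entries.pop(key, None)
            if entered is None:
                findings.append(f"{badge} badged OUT at {door} at {ts} with no matching IN "
                                "(tailgated in, or reader fault)")
            else:
                sessions.append(Session(badge, door, entered, ts))
        else:
            findings.append(f"unrecognised direction {direction!r} for {badge} at {ts}")
    for (badge, door), entered in open_entries.items():
        findings.append(f"{badge} entered {door} at {entered} and never badged OUT")
    return sessions, findings


def who_was_inside(events, at):
    """Badge/door pairs with an open entry as of `at` (ISO string or datetime)."""
    if isinstance(at, str):
        at = datetime.fromisoformat(at)
    inside = set()
    for ts, badge, door, direction in events:
        if ts > at:
            break
        if direction == "IN":
            inside.add((badge, door))
        elif direction == "OUT":
            inside.discard((badge, door))
    return sorted(inside)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    sessions, findings = audit(evts)
    for s in sessions:
        print(f"{s.badge} {s.door}: {s.entered} -> {s.left} (stayed {s.left - s.entered})")
    for f in findings:
        print("FINDING:", f)
    print("inside at 08:30:", who_was_inside(evts, "2024-03-04T08:30:00"))
```

On the constructed data, two badges never badge out (one of them entered the server room late at night), so any investigation of that evening would be left guessing how long they stayed; that is exactly the gap exit logging closes.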

3. Cameras

All entrances and other secure locations should also be protected by video surveillance, using cameras with high enough resolution that faces can be recognized. Cameras not only offer additional proof should a breach occur, but they also act as a deterrent against breaches occurring in the first place. People are much less likely to attempt misdeeds if they know they are being watched.

4. Compliance Requirements

Many compliance standards may require additional controls. Organizations which are held to compliance standards must be aware of exactly what they need to do in order to meet those standards. These compliance requirements have to be considered when securing your network.

5. BYOD

Users nowadays are being granted more freedom within networks, and there is an increasing trend among corporations which allow their users to bring their own devices to work (phones, tablets, laptops).   This, of course, lends itself to several more attack vectors.  BYOD should really only be considered if and when the organization is able to maintain control over the devices that are brought into the corporate network through mobile device management, or other similar solutions.  If users are not willing to install this extra security software and put up with the extra scrutiny they will receive by bringing their personal devices onto your network, then they should not be allowed to do so.

6. Penetration Testing

Similar to vulnerability assessments, penetration testing not only provides a measure of your vulnerabilities but actually tests those measurements, both physically and virtually. This allows an organization to determine whether its controls and processes are actually working. Without the appropriate testing, how can you really be sure your security measures will be enough to prevent breaches from happening?

In conclusion, there are many considerations when securing the perimeter of a corporate network; we have covered just a few. One must think about: what data needs the most protection, where that data is located, how much it would cost if we lost the data, and what solutions can be put in place quickly with minimal impact and reduced cost. Sometimes it requires someone looking from the outside in to see the forest for the trees.

The Hitlist: Perimeter Network Security Part 1

To “completely” secure an enterprise network is a very complex and, often, nearly impossible task. There are several different factors that come into play that must be considered and weighed: business requirements, stakeholders, network configuration, compliance requirements, etc. We have told a number of our clients that, in most situations, if someone really wants to get into a network, they will, and you can’t stop them. However, you can prepare yourself to better recognize and respond to attacks. This list is designed to offer the basic key points of entry into a network, both virtual and physical, that one should consider.

Virtual Considerations:

The virtual perimeter of an organization often requires the most regular attention.

1. Enterprise Firewall

You should use nothing less than an enterprise class firewall.  There are a number of well-known vendors that you can consider, but any firewalls securing a corporate environment should be enterprise class and not a small business or consumer class; you should not skimp on spending when it comes to your primary perimeter security device.  Enterprise class devices cost what they do for a reason, and are built to protect more robust networks.  They offer the performance needed, as well as the feature sets, and the configurability that an enterprise will need to secure their network.  The firewall acts as the front gate to your network.

2. IDS/IPS

An intrusion detection/prevention system (IDS/IPS) is a very important piece to network security, both internally and externally.  An intrusion detection system lets you know if something is happening, but can’t do anything about it.  An intrusion prevention system allows automatic prevention measures to be taken if a threat signature is detected.  These devices should be deployed behind the external firewall, in-line with network traffic, in a DMZ.  If the firewall is the front gate, an IDS/IPS acts as the security guards for the gate which can detect and prevent malicious visitors from intruding on your network.

3. Close Unnecessary Ports

We assess many networks where many unused and unnecessary ports are left open. A review of all externally opened ports and services should be conducted, and only those necessary for business should be allowed to remain open. If you have your gate and guards at the gate but leave unnecessary ports open on your external network, that is like having a side entrance on your guarded gate that you just leave unlocked.

4. Use Secure Protocols

Unsecured protocols such as FTP and HTTP should not be used unless there is no alternative. All published web applications, with the exception of content-only websites, should be secured using HTTPS. In general I would recommend hosting the company website outside of the corporate network, as hosting it inside often introduces unnecessary vulnerabilities. Also, file transfers should only be made using secure methods such as SSH, FTPS, or SFTP. Insecure protocols can be thought of as weak locks on your door: even though there is a lock there, it will not take much to bypass it.
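The port review in item 3 and the protocol rule in item 4 are the same exercise: compare what is actually reachable from outside with what the business approved, and flag the cleartext services among what remains. The added example below (not code from the original post) does that comparison; the scan export, the approval records and the hosts (RFC 5737 documentation addresses) are constructed for illustration, so feed it your own external scan output and change-control records.

```python
"""Review externally exposed services against an approved list.

Added example, not code from the original post. The scan export, the
approval records and the hosts (RFC 5737 documentation addresses) are
constructed; feed it your own external scan output and change records.
"""
from collections import Counter, namedtuple

# Constructed external scan export: host, port, protocol, detected service.
SCAN_EXPORT = """\
203.0.113.10 443 tcp https
203.0.113.10 80 tcp http
203.0.113.11 22 tcp ssh
203.0.113.11 21 tcp ftp
203.0.113.12 443 tcp https
203.0.113.12 3389 tcp ms-wbt-server
203.0.113.13 990 tcp ftps
203.0.113.13 23 tcp telnet
"""

# Constructed approval records: (host, port) -> business justification.
APPROVED = {
    ("203.0.113.10", 443): "public website, content only, served over HTTPS",
    ("203.0.113.10", 80): "public website, redirects to HTTPS",
    ("203.0.113.11", 22): "SFTP drop for partner file transfers",
    ("203.0.113.12", 443): "SSL VPN portal",
}

# Cleartext protocols the post says to avoid unless there is no alternative.
INSECURE = {
    "ftp": "move to SFTP or FTPS",
    "telnet": "move to SSH",
    "http": "serve over HTTPS",
}

Finding = namedtuple("Finding", "host port service severity reason")


def parse_scan(text):
    """Parse the export into (host, port, protocol, service) rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, port, proto, service = line.split()
        rows.append((host, int(port), proto, service))
    return rows


def review(rows, approved=APPROVED):
    """Compare what is actually reachable with what was approved."""
    findings, seen = [], set()
    for host, port, proto, service in rows:
        seen.add((host, port))
        if (host, port) not in approved:
            reason = "exposed with no approved business justification; close it or get it approved"
            if service in INSECURE:
                reason += f" (cleartext protocol: {INSECURE[service]})"
            findings.append(Finding(host, port, service, "high", reason))
        elif service in INSECURE:
            findings.append(Finding(host, port, service, "medium",
                                    f"approved ({approved[(host, port)]}) but cleartext: {INSECURE[service]}"))
    # An approval with nothing listening is stale paperwork; retire it so the
    # allow list does not quietly grow over the years.
    for (host, port), why in approved.items():
        if (host, port) not in seen:
            findings.append(Finding(host, port, "-", "low",
                                    f"approved ({why}) but not observed; retire the rule and the approval"))
    return findings


def severity_counts(findings):
    """How many findings of each severity, for the summary line of the review."""
    return Counter(f.severity for f in findings)


if __name__ == "__main__":
    results = review(parse_scan(SCAN_EXPORT))
    for f in sorted(results, key=lambda f: (f.severity, f.host, f.port)):
        print(f"[{f.severity}] {f.host}:{f.port} {f.service}: {f.reason}")
    print(dict(severity_counts(results)))
```

The review is two-sided on purpose: exposures with no approval are the side entrances the post describes, while approvals with nothing behind them are rules that should be removed before somebody reuses the address. Port 80 on the website host is approved but still reported at medium severity, because the justification (a redirect) should be re-checked every review rather than assumed.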

5. Vulnerability Scanning

This is necessary to measure your efforts at protecting your network.  If you do not test your network for vulnerabilities, how will you know whether they exist or not?  Vulnerability Assessments provide a way to scan all externally facing IPs and web applications in your network, and measure the effectiveness of the defenses you have in place.

6. Logging

As we previously mentioned, if someone really wants to get into your network, and has the resources and motivation, they probably will.  Without logging, you may never know that it happened.  Centralized Logging with an enterprise class SIEM solution provides correlation between events and logs. This allows you to quickly and effectively review logs and determine if/when an attack has occurred.
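The correlation a SIEM gives you is easiest to see on remote-access logs, where two of the rules on this page meet: the logging advice here, and the earlier Remote Access Hitlist point that administrative accounts should never be used for remote access. The added example below (not code from the original post) runs two such rules over VPN authentication events: a privileged account authenticating to the gateway at all, and a success that follows a burst of failures from the same source. The log lines, the field names and the `adm-` naming convention for privileged accounts are constructed assumptions; adapt the regex to your VPN concentrator’s real log format.

```python
"""Correlate VPN authentication events the way a SIEM rule would.

Added example, not code from the original post. The log lines, field names
and the `adm-` naming convention for privileged accounts are constructed
assumptions; adapt the regex to your VPN concentrator's real log format.
"""
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

# Constructed sample log (syslog-style, one auth event per line).
SAMPLE_LOG = """\
2024-03-04T07:55:10 vpn1 auth user=jsmith src=198.51.100.7 result=success
2024-03-04T08:02:41 vpn1 auth user=adm-jsmith src=198.51.100.7 result=success
2024-03-04T21:14:02 vpn1 auth user=bjones src=192.0.2.44 result=failure
2024-03-04T21:14:09 vpn1 auth user=bjones src=192.0.2.44 result=failure
2024-03-04T21:14:15 vpn1 auth user=bjones src=192.0.2.44 result=failure
2024-03-04T21:14:22 vpn1 auth user=bjones src=192.0.2.44 result=failure
2024-03-04T21:14:31 vpn1 auth user=bjones src=192.0.2.44 result=failure
2024-03-04T21:14:40 vpn1 auth user=bjones src=192.0.2.44 result=success
2024-03-04T22:30:00 vpn1 auth user=mlee src=203.0.113.9 result=failure
2024-03-04T22:31:00 vpn1 auth user=mlee src=203.0.113.9 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>success|failure)$"
)

PRIVILEGED_PREFIXES = ("adm-",)      # assumed naming convention for admin accounts
FAIL_THRESHOLD = 5                   # failures within FAIL_WINDOW ...
FAIL_WINDOW = timedelta(minutes=5)   # ... before a success is worth an alert

Alert = namedtuple("Alert", "rule user src ts")


def parse(text):
    """Parse auth events, skipping lines that are not auth events, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def correlate(events):
    """Apply two rules across the event stream and return the alerts raised."""
    alerts = []
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    for ev in events:
        key = (ev["user"], ev["src"])
        # Rule 1: a privileged account touching the remote-access gateway at all
        # violates the "standard account for remote access" policy, success or not.
        if ev["user"].startswith(PRIVILEGED_PREFIXES):
            alerts.append(Alert("privileged-account-remote-login", ev["user"], ev["src"], ev["ts"]))
        window = failures[key]
        while window and ev["ts"] - window[0] > FAIL_WINDOW:   # age out old failures
            window.popleft()
        if ev["result"] == "failure":
            window.append(ev["ts"])
        else:
            # Rule 2: a success right after a burst of failures from the same source.
            # Neither event is interesting alone; only the correlation is.
            if len(window) >= FAIL_THRESHOLD:
                alerts.append(Alert("success-after-failure-burst", ev["user"], ev["src"], ev["ts"]))
            window.clear()
    return alerts


def alerts_for(text):
    return correlate(parse(text))


if __name__ == "__main__":
    for a in alerts_for(SAMPLE_LOG):
        print(f"{a.ts} {a.rule}: user={a.user} src={a.src}")
```

Note that the single failure followed by a success (a user mistyping a password once) raises nothing; the threshold and window are what separate a typo from a guessing attempt, and both should be tuned against your own baseline rather than copied from this example.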

7. Social Engineering

This is one avenue that people often forget to consider when securing their network. Even if you think you have done everything possible to button up your network by purchasing and implementing thousands of dollars of network security hardware and software, your users can still be the weakest point of failure. Social engineering comes in many forms, including phishing emails, malware, phone calls, and more. The types that we most commonly see are phishing and phone calls. End users should be trained to spot phishing emails and recognize suspicious phone calls in order to reduce the amount of information that is freely given out to potential attackers.

8. Remote Access

Remote access is one of the easiest ways to breach a network if it is not properly secured. Many home users do not have a firewall, and many don’t even have antivirus; if they are using their home computer to connect to your corporate network, their home devices can easily be compromised and provide direct access into your network. Consider only allowing firm-owned or secured devices to connect to the corporate network remotely, and only with an enterprise class VPN solution. An alternative could be to use a virtual desktop solution to provide remote access; this would avoid opening any services to the outside except for HTTPS.

The virtual perimeter of a network is constantly changing on a number of fronts.  Often, not by way of attack surface, but by way of tactics. In Part 2 we cover the physical considerations for securing the perimeter of a corporate network.

The Hitlist: Information Classification

The Hitlist: HIPAA Compliance

The Hitlist: Corporate WiFi

Many organizations are faced with the decision to implement or forgo corporate WiFi. There are a number of considerations to think about when contemplating this, and many are business and security related rather than merely technical in nature. Here are some things to consider:

1. Is it necessary?

The first question to ask yourself is whether or not WiFi is necessary, and you must also realize that there are different levels of what is “actually” necessary. If the CEO says that it is necessary to implement WiFi, you must consider the business reason why it is needed. Would it be used for guest access, internal access, only in conference rooms, or so that tablets can easily access documents? If it’s the latter, then there are other far-reaching things to consider regarding compliance (see our first post in this series). Think long and hard about whether WiFi is really necessary, and whether or not the infrastructure, policies and procedures, and executive buy-in are in place to support a well-secured corporate WiFi infrastructure.

2. Hardware

At this point we assume that WiFi is, indeed, necessary.  Now, when deciding on what hardware to use, you should use nothing less than enterprise class hardware, end of story.  A home network class access point, such as Linksys or D-Link should not be relied upon to protect your corporate network. If you can’t do it right, don’t do it at all.

3. Strong Encryption/Authentication

The encryption should be nothing less than WPA2-Enterprise with 802.1X (LDAP/RADIUS authentication). Another option is certificate-based authentication, so that only devices with corporately issued certificates can connect. If guest access is available, it should have nothing less than WPA2 and one-time passwords issued at a splash screen. These passwords should be issued directly by corporate resources, and not in the form of handouts or posted fliers around the office that are available to your next-door tenants.

4. Guest WiFi

If guest WiFi is required, it should not be public as stated above, it should be protected by WPA2 and require one time passwords for access.  Under no circumstance should guest WiFi provide any access to internal network resources.  Ideally, there would be a physical separation from internal resources, but a strong logical separation can work as well.

5. Range

Configure the power output on the access point antennas so that the signal does not extend far outside of your physical location.  There is no reason to broadcast any more than is necessary to provide useful coverage, and you should definitely not be broadcasting your WiFi to anyone outside of your corporation.

6. SSID (Network Name) broadcast

There are differing opinions on this, even among my colleagues, so I will cover both lines of thought. If the SSID is not broadcast, it helps keep random, non-technical people from attempting to connect to the network, but a well-trained individual can easily get around this. When an SSID is not broadcast, the devices connecting to it are set to automatically connect so that they do not have to be configured every time, and this opens those devices up to a rather simple man-in-the-middle attack. So not broadcasting an SSID can offer some obfuscation, but it does not offer any real additional security benefit for the organization. On the other side, if the SSID is broadcast, it’s there for the world to see, and it does not mean the devices won’t automatically connect (though this can be managed through policy). This is a discussion that should be thoroughly investigated for a particular company. My opinion is that the SSID should be broadcast, because there should be other security measures already in place.

7. BYOD

Personal devices should not be allowed to connect to the internal network. The only exception I would consider is devices managed through a mobile device management (MDM) system. Even then, I am hesitant to recommend this because of the lack of malware protection and monitoring on personal devices.

8. Corporate Policy

On the flip side of the previous item, corporate devices should not be allowed to connect to the guest WiFi at all, and especially not while connected to the physical internal network. This is the equivalent of leaving a window open.

In conclusion, WiFi adds attack vectors to a network, it requires additional management beyond the existing physical LAN, and there are a number of factors that are difficult to manage regarding access, authentication, and enforcement. If the business does not require it, and it is only a nice-to-have for convenience, I would consider long and hard whether or not the benefits outweigh the detriments to network security.

The Hitlist: Logging

The Hitlist: Forensics