Public scrutiny of every security breach does a lot for the revenue streams of cyber security companies. It increases public awareness and puts pressure on businesses. But, does it really do anything to address the underlying issue of securing increasingly complex networks?
The expanded attack surface of a modern distributed network or a business undergoing digital transformation creates an environment that's tailor-made for malicious activity. Before an attack, hackers consider the complexity of a system. That's because the wider the range of possible targets, the easier it is to find undetected vulnerabilities. It also makes successful penetration more likely, and reduces the risk of being caught to almost zero.
What are the specific issues facing networks?
Security issues aren't just a problem for startups and small businesses, although they are more likely to be targeted due to smaller security budgets and fewer resources. Legacy systems - corporate environments that house multiple databases, geographic locations, and open source components - and enterprises running a mixture of old and new network devices all add to risk.
The fact that networks are increasingly cloud-based and decentralized also widens the attack surface considerably. No longer do companies have one server or ecommerce platform to protect.
Equifax is a case in point. The credit reporting company recently experienced one of the largest data breaches in history. A contributing factor is most certainly the fact that it has 600 - 1,500 separate domains, sub-domains, and perimeters externally facing the internet.
Whoever hacked it may well have just thrown a dart at a network map to choose a way in.
Addressing complex security issues frees companies to move forward in an environment that balances risk and innovation with IT strategy.
But, how do we do that?
One solution is to reduce your technology footprint, thus reducing your attack surface. That may be more difficult in an era of global proliferation and IoT, but it isn't impossible.
5 steps toward improving complex network security
Complexity is unavoidable in the 21st century. The goal isn't to regress back to on-premises, centralized systems. It is to manage complexities in a way that doesn't inhibit global expansion or increase risk.
James Tarala outlined the problem in his simulcast for SANS security institute, Implementing and Auditing the Critical Security Controls - In-Depth. Real world attack surfaces will be found somewhere within the relationship between three components: network, software, and human beings.
Examples include:
- Outward-facing servers with open ports
- Service availability within the firewall perimeter
- Vulnerable code that processes XML, incoming data, email, and other office documents
- Social engineering
In order to minimize risk, you have to limit opportunities for malicious activity. Here's how.
1) Eliminate the complexity: This doesn't involve reducing your network or reach. It simply means to get rid of unnecessary complexity within your system regardless of its scope. Even the most intelligently designed networks include elements of redundancy or can be managed badly by untrained or inexperienced personnel.
This can lead to:
- Incomplete or duplicate information
- Obsolete or invalid rules
- Overly permissive policies that allow access to those who don't need it
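A rule-base audit for the three problems listed above, as an added example that is not part of the original article. The rule format, the addresses, and the top-down, first-match evaluation order are assumptions made for illustration.

```python
import ipaddress

# Constructed rule base (hypothetical): (action, source, destination, port).
# Assumption: rules are evaluated top-down and the first match wins.
RULES = [
    ("allow", "10.0.0.0/8", "10.1.2.0/24", "443"),
    ("allow", "10.0.5.0/24", "10.1.2.10/32", "443"),  # never reached: rule 0 matches first
    ("allow", "0.0.0.0/0", "10.1.3.0/24", "any"),     # any source, any port
    ("allow", "10.0.0.0/8", "10.1.2.0/24", "443"),    # exact copy of rule 0
    ("deny", "0.0.0.0/0", "0.0.0.0/0", "any"),
]


def covers(a, b):
    """True if rule a matches every packet that rule b matches."""
    net = ipaddress.ip_network
    return (net(b[1]).subnet_of(net(a[1]))
            and net(b[2]).subnet_of(net(a[2]))
            and a[3] in ("any", b[3]))


def audit(rules):
    """Return (rule index, finding) pairs for duplicate, shadowed and wide-open rules."""
    findings = []
    for i, rule in enumerate(rules):
        action, src, _dst, port = rule
        earlier = rules[:i]
        if rule in earlier:
            findings.append((i, "duplicate"))
        elif any(covers(e, rule) for e in earlier):
            # An earlier rule already decides all of this traffic, so this
            # rule is dead weight (obsolete) regardless of its action.
            findings.append((i, "shadowed"))
        if action == "allow" and src == "0.0.0.0/0" and port == "any":
            findings.append((i, "overly-permissive"))
    return findings


if __name__ == "__main__":
    for index, finding in audit(RULES):
        print(f"rule {index}: {finding} -> {RULES[index]}")
```
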
Performing a security and training audit can limit the possibility of human error that leads to data leaks and breaches. Evaluate current policies periodically to eliminate those that promote network insecurity. A good example would be the growing popularity of a virtual private network (VPN) as a way to guard against DDoS attacks (among other benefits).
Companies and their CISOs would be wise to educate employees about threats associated with not using a VPN or firewall, and subsequently require employees to use both when they access the internet through the company network. Or the organization could simply install a VPN on the network router, taking the decision out of the employees’ hands. Virtual private networks need not be enterprise level software; most of the best VPN services today for consumers use the same VPN protocols and cryptographic security, and are fine for small to medium-sized businesses.
When informed about the dangers of unencrypted internet browsing, employees should always connect through the encrypted protection of a VPN without having to remember to turn it on. Symantec’s 2019 Threat Report shows a trend of SMEs adopting and mandating VPN usage for employees, both in and outside the office. By doing so, they’ve just eliminated a bit of complexity and enhanced security. Rinse and repeat.
2) Visually evaluate your vulnerabilities: Threat detection often involves system scanning and monitoring. What's often left out of the equation is vulnerability visualization. This makes it easier to overlook how an attack can occur.
When you set up a real-world model of methods as well as possible points of entry, you connect the two and create a more comprehensive approach to attack prevention.
Best practices recommend these three methodologies:
- Attack surface modelling that includes network assets, likely targets, potential pathways, and overly permissive policies.
- Attack simulation that demonstrates potential paths and modes of attack.
- Patch simulation to determine which fixes will have a greater impact on security.
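The three methodologies above combined in one small model, as an added example that is not part of the original article. The hosts, allowed flows and vulnerability flags are constructed, and the rule that a hop succeeds only over a permitted flow into an unpatched host is a simplifying assumption.

```python
# Constructed sample network (hypothetical). FLOWS is what policy permits:
# source -> destinations. Surface modelling = FLOWS + VULNERABLE + CRITICAL.
FLOWS = {
    "internet": ["web", "vpn"],
    "web": ["app", "legacy-db"],
    "vpn": ["app", "workstation"],
    "workstation": ["app", "legacy-db"],
    "app": ["db"],
}
VULNERABLE = {"web", "workstation", "app", "legacy-db", "db"}  # unpatched hosts
CRITICAL = {"db", "legacy-db"}                                 # likely targets


def attack_paths(flows, vulnerable, critical, start="internet"):
    """Attack simulation: every loop-free path from start to a critical
    asset in which each hop is a permitted flow into an unpatched host."""
    paths, stack = [], [[start]]
    while stack:
        path = stack.pop()
        for nxt in flows.get(path[-1], []):
            if nxt in path or nxt not in vulnerable:
                continue
            extended = path + [nxt]
            if nxt in critical:
                paths.append(extended)
            stack.append(extended)
    return sorted(paths)


def patch_simulation(flows, vulnerable, critical):
    """Patch simulation: for each unpatched host, count how many attack
    paths disappear if only that host is fixed; biggest reduction first."""
    baseline = len(attack_paths(flows, vulnerable, critical))
    impact = []
    for host in sorted(vulnerable):
        remaining = len(attack_paths(flows, vulnerable - {host}, critical))
        impact.append((host, baseline - remaining))
    return sorted(impact, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for path in attack_paths(FLOWS, VULNERABLE, CRITICAL):
        print(" -> ".join(path))
    for host, removed in patch_simulation(FLOWS, VULNERABLE, CRITICAL):
        print(f"patch {host}: removes {removed} path(s)")
```

In this constructed network the workstation is unpatched but scores zero, because the only way to reach it runs through the patched VPN gateway; the single fix on the web server removes both paths.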
3) Maintain control over endpoints: This is a two-part process that involves continual network endpoint monitoring and controlling what endpoints are actually allowed to do. For example, draw a visual perimeter around network endpoints that ensures security compliance in communication between network components, and institute a protocol that initiates automatically to curb exposure.
4) Segment and separate networks: You wouldn't put all of your investments into the same stock, so why would you keep all of your connections and devices on one network? Segmentation allows you to reduce exploitable assets.
It also drills security controls down to a single machine, partition, or workload, and minimizes the amount of time a hacker is able to spend undetected on your network by slowing his or her progress. Think of it as trapping a burglar in a corridor of various locked doors.
5) Prioritize attack surface analytics: The final step is to perform a little network security triage. Performing testing that analyzes configuration assessments, quantitative risk, and traffic flow will provide you with insight into risk levels and help you reduce your overall attack surface regardless of your network size or complexity.
Final thoughts
Complex networks are the new reality. They've erased old perimeters and reinforced the importance of refocusing on network security requirements. The goal of any cyber security professional should be to redefine those perimeters and protect them. Following the steps outlined above should go a long way toward meeting the security challenges of our new, complex networking capabilities.
The use of artificial intelligence and complex, interconnected networks is part of the problem. But, it can also become part of the solution. However, AI doesn't just enhance security. It also contributes to better UI/UX. Improving customer outcomes and satisfaction is the ultimate goal of any enterprise.