by Perry Lynch
3:30 min read
Firewalls, routers, and switches play a critical role in network security. How well they succeed depends on the level of attention administrators pay to their configuration. CIS Control #11 addresses the need to configure network devices carefully and avoid mistakes that could let intruders in.
Remember that it's not just the network perimeter that needs protection! Every switch and access point in the network needs to stay secure. It takes some initial effort, but keeping them secure is not difficult as long as there are procedures in place and they are followed routinely. Automation can also keep the task manageable.
Most of the measures described in this control can be summarized as always providing accountability for the configuration and maintenance of network devices. It should always be possible for administrators to find out what the device configurations are, what has been changed, by whom, and why. This should be managed as part of a change/configuration management process that is used throughout the enterprise.
Configure all devices securely
Although every network device needs individualized configuration, the configuration process follows a known pattern, and the default setup on most systems is geared more towards convenience than security. A strong configuration renames the default administrative account, enables two-factor authentication, and disables every service that is not needed. In particular, all command-line access should use SSH version 2, with Telnet disabled, and web management, if it is needed at all, should be HTTPS only. Administrative access to the devices should be permitted only from inside the network environment; access from the Internet should be disabled before the device goes into production.
A configuration management process should be established and used to record secure configurations for each device. Along with keeping track of the standard secure configuration, this enables network administrators to run periodic comparisons of the current state against the recorded standard to ensure consistency of configs and allow audits against the change management process. Automation tools are valuable for checking all network devices regularly and reporting any discrepancies.
Sometimes it's necessary to make exceptions for specific business purposes, such as allowing a port which isn't normally open. The first step in doing this should be a risk assessment, weighing the loss of security against the need to get something done. When the need for it is over, administrators should revoke it. These temporary changes should be tracked in an open service desk or change management ticket to ensure they are returned to normal and not forgotten.
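The comparison of a running configuration against its recorded standard, with hardening checks and time-boxed exceptions applied, can be scripted. The following is an added example and not code from the original post or from CIS: the baseline, the running config, the hardening rules and the exception ticket are all constructed for illustration, the IOS-style statements stand in for whatever your devices actually speak, and it assumes configs are plain text with one statement per line and that the service desk can export exceptions as statement, ticket and expiry date.

```python
"""Check a network device's running configuration against its recorded baseline.

Added example (not from the original post). Everything below is constructed:
the IOS-style syntax is a stand-in for the device in front of you.
"""
from datetime import date

# Constructed "golden" configuration recorded in the change-management system.
BASELINE = """\
hostname core-sw1
username netops privilege 15 secret 8 <hash>
ip ssh version 2
line vty 0 4
 transport input ssh
 access-class MGMT-ONLY in
no ip http server
ip http secure-server
"""

# Constructed running configuration pulled from the device during a periodic audit.
RUNNING = """\
hostname core-sw1
username netops privilege 15 secret 8 <hash>
username admin privilege 15 secret 8 <hash>
ip ssh version 2
line vty 0 4
 transport input ssh telnet
 access-class MGMT-ONLY in
ip http server
ip http secure-server
snmp-server community public RO
"""

# Hardening rules: statements that must be present, and predicates that must never match.
REQUIRED = [
    ("SSH version 2 enforced", "ip ssh version 2"),
    ("VTY access limited to the management network", "access-class MGMT-ONLY in"),
    ("plaintext HTTP management disabled", "no ip http server"),
]
FORBIDDEN = [
    ("Telnet enabled on VTY lines", lambda l: l.startswith("transport input") and "telnet" in l),
    ("default admin account present", lambda l: l.startswith("username admin ")),
    ("default SNMP community", lambda l: l.startswith("snmp-server community public")),
]

# Constructed, time-boxed exception from the service desk: statement -> (ticket, expiry).
EXCEPTIONS = {
    "snmp-server community public RO": ("CHG-1042", "2030-01-31"),
}


def config_lines(text):
    """Non-blank statements with indentation removed (indentation is cosmetic here)."""
    return [l.strip() for l in text.splitlines() if l.strip()]


def violations(lines):
    """Hardening rules that the given statements break, REQUIRED first."""
    found = [desc for desc, required in REQUIRED if required not in lines]
    found += [desc for desc, bad in FORBIDDEN if any(bad(l) for l in lines)]
    return found


def audit(baseline, running, exceptions, today):
    """Drift report: added/removed statements, hardening violations, expired exceptions.

    A statement covered by an unexpired exception is ignored; one whose exception
    has lapsed is reported so the change can be reverted and the ticket closed.
    """
    today = date.fromisoformat(today)
    effective, expired = [], []
    for line in config_lines(running):
        exc = exceptions.get(line)
        if exc is not None and date.fromisoformat(exc[1]) >= today:
            continue                      # approved and still inside its window
        if exc is not None:
            expired.append((line, exc[0]))
        effective.append(line)
    base = set(config_lines(baseline))
    return {
        "added": sorted(set(effective) - base),
        "removed": sorted(base - set(effective)),
        "violations": violations(effective),
        "expired": expired,
    }


if __name__ == "__main__":
    for key, value in audit(BASELINE, RUNNING, EXCEPTIONS, "2026-06-01").items():
        print(f"{key}: {value}")
```

Run on a schedule, the "added" and "removed" lists are the change-management audit trail (every entry should match a ticket), "violations" is the hardening report, and "expired" is the reminder that a temporary exception is overdue for reversal.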
Keep patches up to date
It may seem obvious that all network devices should have the latest security patches, but the practice can be complicated: patching a router or firewall usually requires at least a little downtime, and there's a risk that it won't come back up properly. Updated devices will also need testing afterwards to make sure their functionality hasn't changed.
Every patch which becomes available should be evaluated for its importance and its impact on the network. It may be safe to skip over one which just improves performance, but a patch which includes serious vulnerability fixes needs to be installed as quickly as is consistent with good management and your organization’s policies.
Automated testing will let the IT department know quickly if a patch has caused problems. If it has, they can fix the problem, roll back the update, or fail over to another device.
Limit administrative access
The control recommends isolating administrative access from normal network usage as much as possible. Ideally, just one machine should handle all administrative tasks. This system should function primarily as a console, with limited domain rights and with Internet access restricted to select vendor support sites if at all possible.
The goal is to limit the opportunities to compromise the admin system. If the only way to change the device settings is from one specific system or subnet, unauthorized attempts will be very difficult to accomplish. Using just one machine also simplifies logging and accountability.
The network ought to be segmented so that other machines can't access the administrative computer. A VLAN within the business network will let the administrative machine communicate with the network devices but not have any direct connection with the business portion of the network. Another approach is to have a separate network interface controller for the admin machine.
by Dwayne Stewart
3:45 min read
In the event of a security breach of your network, it is likely that the attackers have altered or destroyed important data and security configurations. The tenth CIS Control, Data Recovery Capabilities, addresses the importance of backing up system data and properly protecting those backups. Doing so ensures that your organization can recover lost or tampered-with data.
Every minute your network is down is productivity lost. Administrators must ensure up-to-date and functioning restoration data has been properly protected using physical safeguards and data encryption - both at rest and in transit. Failure to establish a reliable and secure data recovery solution could mean the difference between a smooth return to standard operations and scrambling to rebuild systems for days, or weeks--just to get back to where you were before the data loss. No one wants that.
A step-by-step breakdown of the proper controls to ensure you can recover your data:
Ensure Regular Automated Backups
A fundamental component of an efficient backup process is automation. Humans are prone to error: beyond simple lapses of memory, people fall ill or are kept away by natural disasters, to list only a small subset of the contingencies a manual backup routine cannot survive.
Numerous applications are available that can streamline the backup process and achieve data redundancy. Maintaining a redundant set of up-to-date backups at an off-site facility is essential and can help ensure data recovery in most situations. A useful rule of thumb is 3-2-1: keep at least three copies of your data, on two different types of media, with one copy stored off-site.
Perform Complete System Backups
It is important to implement a comprehensive backup strategy. It should allow speedy recovery of data, whether a few specific files or an entire server. One useful technique for scheduling system backups is the Grandparent-Parent-Child rotation (also called grandfather-father-son): the daily backups are the children, and the last backup of each week and of each month is promoted to parent and grandparent respectively and retained for longer, so that recent changes can be restored at fine granularity while older states of the system remain available for months.
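The rotation described above is simple to express as a retention rule. The following is an added example, not code from the original post: the nightly backup names and the retention counts are constructed, and the rule it applies is "keep the last N nightly backups (children), the newest backup of each of the last N ISO weeks (parents) and the newest backup of each of the last N months (grandparents)".

```python
"""Grandparent-parent-child retention: choose which dated backups to keep.

Added example (not from the original post); backup names and counts are constructed.
"""
from datetime import date, timedelta

# Constructed: 70 consecutive nightly full backups of one server, named by date.
BACKUPS = [f"srv01-{(date(2024, 1, 1) + timedelta(days=i)).isoformat()}.tar.gz"
           for i in range(70)]


def backup_date(name):
    """Parse the ISO date out of a name such as srv01-2024-03-10.tar.gz."""
    return date.fromisoformat(name.split("-", 1)[1].split(".")[0])


def gfs_keep(names, daily=7, weekly=4, monthly=3):
    """Return the sorted subset of names to retain; anything else may be rotated out."""
    newest_first = sorted(names, key=backup_date, reverse=True)
    keep = set(newest_first[:daily])            # children: the last N nightly backups
    weeks_seen, months_seen = set(), set()
    for name in newest_first:                   # newest first, so the first hit per
        d = backup_date(name)                   # week/month is that period's latest backup
        week = d.isocalendar()[:2]              # (ISO year, ISO week)
        if week not in weeks_seen and len(weeks_seen) < weekly:
            weeks_seen.add(week)
            keep.add(name)                      # parent
        month = (d.year, d.month)
        if month not in months_seen and len(months_seen) < monthly:
            months_seen.add(month)
            keep.add(name)                      # grandparent
    return sorted(keep)


def rotate_out(names, **policy):
    """Names that fall outside the policy and can be deleted or the media recycled."""
    kept = set(gfs_keep(names, **policy))
    return sorted(n for n in names if n not in kept)


if __name__ == "__main__":
    print("keep:", *gfs_keep(BACKUPS), sep="\n  ")
    print(f"rotate out: {len(rotate_out(BACKUPS))} backups")
```

Only names absent from the kept set are ever deleted, so a bug in the date parsing fails safe by keeping everything rather than by wiping the archive; on the 70-day sample this retains 12 backups and frees 58.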
Test Data on Backup Media
All the automation in the world won't save you if your backups are corrupted. The integrity of both your backup system and the system images themselves must be tested regularly.
CIS Control #10 states, "Once per quarter (or whenever new backup equipment is purchased), a testing team should evaluate a random sample of system backups by attempting to restore them on a test bed environment."
Variations of the Grandparent-Parent-Child rotation described above can be adapted here as well, so that daily, weekly and monthly backups each get tested in turn.
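A restore test is only meaningful if it checks the restored files against what was backed up, not just that the archive opens. The following is an added example, not code from the original post or from the CIS document: it writes a backup with a manifest of SHA-256 hashes sealed by an HMAC, then restores into a test bed and verifies every file. The source tree, archive name and MANIFEST_KEY are constructed; the key is assumed to be held by the backup server, separately from the media under test, so whoever can edit the archive cannot also forge a matching manifest.

```python
"""Seal a backup with a hashed manifest, then verify it by restoring to a test bed.

Added example (not from the original post); tree, archive and key are constructed.
"""
import hashlib
import hmac
import json
import os
import tarfile
import tempfile

MANIFEST_KEY = b"constructed-example-key-do-not-reuse"   # assumption: kept on the backup server


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def pack(src_dir, archive_path):
    """Tar src_dir into archive_path; return {relative path: sha256} of what went in."""
    digests = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _, files in os.walk(src_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                digests[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    return digests


def seal(digests):
    """HMAC over the canonical JSON of the manifest, so edits to the manifest itself show up."""
    body = json.dumps(digests, sort_keys=True).encode()
    return hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()


def make_backup(src_dir, archive_path):
    digests = pack(src_dir, archive_path)
    with open(archive_path + ".manifest", "w") as f:
        json.dump({"files": digests, "hmac": seal(digests)}, f)


def verify_restore(archive_path, test_bed):
    """Restore into test_bed and check every file against the manifest. Returns (ok, problems)."""
    with open(archive_path + ".manifest") as f:
        manifest = json.load(f)
    if not hmac.compare_digest(seal(manifest["files"]), manifest["hmac"]):
        return False, ["manifest HMAC mismatch: manifest edited or wrong key"]
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            tar.extractall(test_bed, filter="data")   # rejects members escaping test_bed
        except TypeError:                             # older Python without the filter argument
            tar.extractall(test_bed)
    problems = []
    for rel, expected in manifest["files"].items():
        path = os.path.join(test_bed, rel)
        if not os.path.isfile(path):
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != expected:
            problems.append(f"hash mismatch: {rel}")
    return not problems, problems


def demo(scenario="clean"):
    """Back up a constructed tree and test-restore it; the other scenarios simulate failures."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src")
        os.makedirs(os.path.join(src, "etc"))
        for rel, data in {"etc/hosts": b"127.0.0.1 localhost\n", "db.sqlite": b"\x00" * 4096}.items():
            with open(os.path.join(src, rel), "wb") as f:
                f.write(data)
        archive = os.path.join(tmp, "srv01-full.tar.gz")
        make_backup(src, archive)
        if scenario == "corrupt-data":            # archive silently rewritten, manifest untouched
            with open(os.path.join(src, "db.sqlite"), "wb") as f:
                f.write(b"\xff" * 4096)
            pack(src, archive)
        elif scenario == "edit-manifest":         # attacker rewrites a hash to hide a change
            with open(archive + ".manifest") as f:
                manifest = json.load(f)
            manifest["files"]["db.sqlite"] = "0" * 64
            with open(archive + ".manifest", "w") as f:
                json.dump(manifest, f)
        test_bed = os.path.join(tmp, "testbed")
        os.makedirs(test_bed)
        return verify_restore(archive, test_bed)


if __name__ == "__main__":
    for scenario in ("clean", "corrupt-data", "edit-manifest"):
        print(scenario, demo(scenario))
```

For the quarterly exercise, pick the sample of archives at random (the `random.sample` of the backup catalogue is enough), run `verify_restore` on each into a scratch test bed, and record the result in the change-management system; a failed HMAC is an incident, not just a bad tape.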
Backups could be directed to various locations, such as network-attached storage, removable media, or a cloud-based datastore. The size and budget of your department will directly affect what approaches are feasible for you. It is important to ensure that onsite backup data is not directly accessible by other hosts on the network. Direct access to backup data should be limited to the backup utility used to perform backup and restore activities. Ideally, archived data should be stored offsite and offline with physical safeguards.
The biggest mistake you can make is assuming your organization will not be targeted. Do not assume that because you are not handling government secrets it is alright to leave the removable media holding your backups sitting on your desk. Physical security measures for media containing backup data must be enforced as rigorously as those pertaining to the network. It is also important to ensure that backup data destined for off-site storage is encrypted when saved to removable media.
Ensure Backups Have At Least One Non-Continuously Addressable Destination
More explicitly, CIS control #10 specifically urges that "...all backups have at least one backup destination that is not continuously addressable through operating system calls."
The operating method of attackers is, after gaining a foothold on one system, to enumerate the other systems present in your network, slowly mapping its architecture and attempting to escalate privileges at multiple points.
Because of this, it is unsafe to assume that any backup data accessible through your network is ultimately safe. As mentioned in the 3-2-1 method, and explicitly urged in CIS Control #10, at least one back-up should be located offline and preferably offsite.
The most important ideas to remember when designing your backup systems are: automate regular backups, back up complete systems so that anything from a single file to a whole server can be restored, test restores from backup media regularly, and give every backup at least one destination that is not continuously addressable from the network.
Addressing each of the above items will help to ensure the safety and recoverability of your network systems and company data.
by Andrea Lee Taylor
1:45 min read
Every once in a while in the annals of cybersecurity there is news that isn’t a warning about the newest breach or the release of the latest patch. In this case the news is good for Maryland buyers of cybersecurity.
The General Assembly of Maryland, on April 9th, passed the Cybersecurity Investment Incentive Tax Credit Bill (SB 228). It provides for “…authorizing certain buyers of certain technology to claim a credit against the State income tax for certain costs; providing that the credit may not exceed certain amounts under certain circumstances; requiring the Secretary of Commerce to approve each application that qualifies for a credit…For any taxable year, the credit allowed…may not exceed $50,000 for each qualified buyer.” (LegiScan)
The cyber incentive bill is unique in its agency and platform. Simply restated, it provides for a credit for buyers of cybersecurity services and products from Maryland companies. “This is a first-in-the-nation legislation and we’re looking forward to some really great successes,” said Senator Guy Guzzone (D), primary sponsor of the bill. Cosponsoring were Senators Adelaide Eckardt (R), George Edwards and Andrew Serafini (R).
Cybersecurity is this century's absolute fact of life. For any business, the necessity for security is coupled with the budget available to fund a flexible, strategic cyber plan. Any financial assistance in obtaining services or products is a welcome support and boost to doing business.
Qualified buyers may claim a credit on their state income tax up to 50% of the cost of the technology or service purchased from qualified sellers. As a qualified seller, we are excited to be able to share in this opportunity.
“Our focus has been strictly cybersecurity for over 16 years now and this legislation is a first and is a great help to businesses. Anchor looks forward to putting our experience to use helping small businesses improve their security posture,” said Anchor Technologies’ CEO, Peter Dietrich.
Cybersecurity is a necessity. A plan for what to implement and when keeps businesses on track in protecting their important data. Knowing one does not have to worry about whether the company's data is as secure as possible allows owners to concentrate their efforts on conducting and growing a business. Thank you to the state legislators for helping to empower small business in Maryland.
by Marian Bodunrin
4:00 min read
Transmitting and receiving data via network ports is a necessary evil: a network service has to listen on some port for its peers to reach it, so there is no avoiding the inherent risk. The most perilous services on a network are the ones you don't know are running. Default system installations often activate services with little or no useful purpose, and these often go unnoticed. "Shadow IT" operations may also start up unauthorized, poorly secured services.
There are 65,535 usable TCP ports and as many UDP ports, and some of them are more dangerous than others. For example, TCP port 21 connects FTP servers to the Internet, but FTP has several weaknesses, such as cleartext authentication, which make it easy for an attacker with a packet sniffer to read usernames and passwords. Telnet on TCP port 23 likewise sends everything in cleartext, leaving it open to eavesdroppers who intercept users' credentials and to man-in-the-middle attacks. The busiest ports are also the ones attackers probe most. TCP port 80 carries HTTP web traffic, and attacks on the web applications behind it include SQL injection, cross-site request forgery, cross-site scripting and buffer overruns.
A well-run, secure network does not expose any service without a reason. The issue arises when no one notices the services that are running: then no one is monitoring them or keeping them up to date. CIS Control #9, Limitation and Control of Network Ports, Protocols and Services, gives specific recommendations for avoiding the risk of unmanaged services and ports.
System administrators need an established baseline of what ports and services are supposed to be running on each machine. In addition, they need to run regular, automated port scans. Simple, free software is available that will do the job. The scan should note any differences from the baseline and notify the administrators.
The first time a scan is run, IT administrators will likely discover previously unaccounted-for or undesirable services, often the result of oversight. These services should be tracked and disabled upon discovery. Most importantly, run port scans on a regular schedule to determine which services are listening on the network, which ports are open, and which version of the protocol and service is listening on each open port. All such efforts reduce the attack surface.
Every software installation carries some risk. It could open up unmanaged ports by default, just because they might be useful in certain cases.
When installing new software, the best practice is to identify any services it adds and configure it to run only the ones that have value for business operation. Running a port scan before and after installation will show whether any others were added, and every legitimate service should be securely configured.
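Both the scheduled baseline comparison and the before-and-after check around a software installation come down to diffing two scan reports. The following is an added example, not code from the original post: the two XML documents are constructed in the shape `nmap -sV -oX` writes, trimmed to the elements used here, with invented hosts, ports and versions. It assumes the first approved scan is stored as the baseline and every later scan is diffed against it; it also flags new services whose protocol is cleartext, which is the point made earlier about FTP and Telnet.

```python
"""Diff an nmap -oX scan against the recorded baseline and flag risky changes.

Added example (not from the original post); both reports below are constructed.
"""
import xml.etree.ElementTree as ET

BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX baseline.xml 10.0.1.0/24">
<host><address addr="10.0.1.20" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="http" product="nginx" version="1.24.0" tunnel="ssl"/></port>
</ports></host>
<host><address addr="10.0.1.21" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="8.0.36"/></port>
</ports></host>
</nmaprun>
"""

CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX current.xml 10.0.1.0/24">
<host><address addr="10.0.1.20" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="3.0.3"/></port>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="http" product="nginx" version="1.25.3" tunnel="ssl"/></port>
<port protocol="tcp" portid="8080"><state state="filtered"/><service name="http-proxy"/></port>
</ports></host>
<host><address addr="10.0.1.21" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="3306"><state state="closed"/><service name="mysql"/></port>
</ports></host>
</nmaprun>
"""

# Services that carry credentials or data unencrypted (nmap service names).
CLEARTEXT = {"ftp", "telnet", "http", "pop3", "imap", "rlogin"}


def open_ports(nmap_xml):
    """Map (address, protocol, port) -> service string for every open port in the report."""
    found = {}
    for host in ET.fromstring(nmap_xml).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue                        # closed/filtered ports are not exposure
            svc = port.find("service")
            if svc is None:
                desc = "unknown"
            else:
                name = svc.get("name", "unknown")
                if svc.get("tunnel") == "ssl":
                    name = "ssl/" + name        # nmap's own notation for TLS-wrapped services
                desc = " ".join(p for p in (name, svc.get("product"), svc.get("version")) if p)
            found[(addr.get("addr"), port.get("protocol"), int(port.get("portid")))] = desc
    return found


def diff_scans(baseline_xml, current_xml):
    """New ports, ports that went away, and ports whose service/version changed."""
    base, cur = open_ports(baseline_xml), open_ports(current_xml)
    return {
        "new": sorted(k for k in cur if k not in base),
        "closed": sorted(k for k in base if k not in cur),
        "changed": sorted((k, base[k], cur[k]) for k in cur if k in base and cur[k] != base[k]),
    }


def flag_cleartext(ports):
    """Open ports whose service name is in CLEARTEXT (ssl/... wrappers are not flagged)."""
    return sorted(k for k, desc in ports.items() if desc.split()[0] in CLEARTEXT)


if __name__ == "__main__":
    report = diff_scans(BASELINE_XML, CURRENT_XML)
    cur = open_ports(CURRENT_XML)
    risky = set(flag_cleartext(cur))
    for key in report["new"]:
        warn = " (cleartext protocol)" if key in risky else ""
        print(f"NEW     {key[0]} {key[1]}/{key[2]} {cur[key]}{warn}")
    for key in report["closed"]:
        print(f"GONE    {key[0]} {key[1]}/{key[2]}")
    for key, before, after in report["changed"]:
        print(f"CHANGED {key[0]} {key[1]}/{key[2]}: {before} -> {after}")
```

A "changed" entry with a new version is usually the patch you applied, but it is worth confirming against the change ticket; a "new" entry on a cleartext protocol should be treated as an incident until someone claims it.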
For an organization to adequately mitigate risks, a layered perimeter of defenses such as application-aware firewalls, network access controls (NAC), intrusion detection/prevention systems should be deployed to avert unauthorized access. “Defense in depth” is the watchword of a good security setup.
Use of endpoint firewalls, removal of all unnecessary services, segmenting critical services across systems, and applying patches as soon as they become available will reduce your organization's risk exposure. For instance, a network scan can identify all servers which are visible from the Internet; if any do not need to be visible, moving them to an internal VLAN takes them off the Internet-facing attack surface. If they run any unauthorized services that were not caught, at least those will not be directly reachable from outside.
Running multiple critical services on the same machine is an invitation to trouble. If the same machine runs DHCP, SMTP and HTTP, an attacker that breaches one could jump to the others. Each of those services should have its own virtual or physical machine, with just the ports needed to run it.
It's easy enough to install multiple virtual machines on one computer. That way, each service has its own operating system, root filesystem, and network settings. If one of them gets compromised, the problem is more likely to stay localized long enough to identify it and fix it.
Minimize to Maximize
Just as building management needs to know every door through which people can enter and how that door is secured against sneaking in undetected, so IT management needs to know every port and service which the servers expose. If they're there for a reason, they should be managed and secured. If there's no reason for them, they could be an unguarded back door to the network, which should be shut and locked. Though it is impossible to eradicate all risk, exposure can be greatly minimized when appropriate controls are put in place to deter an attacker. Implementing CSC #9 will further mature your organization's cybersecurity posture, and a continuous monitoring tool, run as an ongoing exercise, will keep reducing risk and maximizing cybersecurity.