IT security and network security strategy are closely related; one would undeniably fall short in the absence of the other. The National Security Agency (NSA) has expressed concern that it has not been able to respond to a zero-day event in over two years. Those concerns point to a widening gap between exploitable vulnerabilities and the ability of businesses to cope with them. The NSA identifies three basic functions that together form the foundations of a good IT security system. We at CSG Technologies have identified four additional steps that, when combined with the NSA’s three steps, create a solid foundation upon which a comprehensive security system can be built.
Zero-day assaults occur when an attacker exploits a vulnerability that the target of the attack was not previously aware existed – and for which there is, consequently, no pre-existing fix or patch. They are much harder to respond to than assaults on known weaknesses and are so-called because there is no time – ‘zero days’ – between the vulnerability’s discovery and its exploitation by hostile actors.
Some of the most notorious attacks that utilized zero-day exploits include:
Stuxnet Worm: In this attack which targeted Iran's uranium enrichment plant at Natanz, a virus/worm reportedly developed by the United States and Israel exploited multiple zero-day vulnerabilities to spread and gain privileged access on systems. Stuxnet was unintentionally released in the wild when one of the engineers at an infected facility connected his work laptop to his home network. Over 15 Iranian facilities were attacked and infiltrated by the Stuxnet worm, which caused substantial damage to Iran’s nuclear program.
Aurora: In 2010, Chinese threat actors used a zero-day vulnerability in Microsoft’s Internet Explorer to hack into Google, Adobe and over a dozen other companies. The criminals were targeting Google’s source code in the hopes of discovering additional zero-day exploits.
RSA hack: In this infamous 2011 attack, cyber criminals exploited a zero-day vulnerability in Adobe’s Flash player to launch a spear-phishing campaign targeting RSA employees. The attackers stole information pertaining to the company’s SecurID two-factor authentication products.
It is evident that most attacks can be prevented by taking simple, yet continuous, measures. This is reinforced by the NSA’s cybersecurity chief, who states that 90% of the incidents dealt with by his unit are caused by human error, and that 93% could have been prevented if best-practice measures had been followed.
In this article, we discuss how enterprises can develop a habit of reviewing their IT security system by following steps which include network segmentation, multifactor authentication and security education.
NSA’s security steps
Step 1 – Multifactor Authentication
Enterprises should implement multifactor authentication, such as two-factor authentication (2FA), rather than relying on basic password protection. 2FA relies on two factors: something users know, i.e. the password, and something they possess, such as a physical device like a mobile phone. Other mechanisms rely on factors such as biometrics.
Step 2 – Role-Based Access Control
Implementing role-based access control restricts a user’s access to only those resources required to fulfil their functions, or role, in the company. For example, an HR employee won't need access to accounting functions. By limiting access, a compromised employee account is kept away from functions and data that are outside the needs of that role.
Step 3 – Allowlist Applications
Enterprise networks are generally open, with the only filtering performed being to deny certain connections. Allowlisting flips this paradigm: only the specified connections and data flows required for application functionality are permitted, and all other connectivity is blocked. The objective is to reduce the opportunities for a security breach to spread laterally across an organization.
Teams should configure the filtering systems to record, or log, failed attempts to establish connections. Think of these alerts as trip lines that tip teams off to compromised accounts or systems. Regular monitoring and reporting can help manage the deluge of events from the filtering systems.
CSG Technologies’ Additional Security Steps
Step 4 – Patching and Workarounds
Teams must be diligent in patching and installing workarounds against known vulnerabilities. As noted in NSA's presentation, zero-day attacks rarely occur, and the majority of cybersecurity breaches are due to unpatched systems. Regular updates must be applied to applications, server operating systems and network infrastructure. Teams will need processes and people to track updates and configuration management systems to facilitate the updates.
Step 5 – Network Segmentation
The goal of network segmentation is to prevent the horizontal spread of automated malware between business functions by dividing the network into functional segments with limited access between them. For example, facilities infrastructure networks have no reason to access business functions like HR or accounting. Teams should use application allowlists (see step 3 above) for any access between business segments.
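To make steps 3 and 5 concrete, here is an added example (not CSG Technologies’ or the NSA’s code) of a default-deny allowlist between business segments, together with the “trip line” from step 3: a check over the deny log that flags any source whose blocked connections fan out across several destinations. The subnets, allowed flows and log lines are constructed for the illustration and assume a hypothetical firewall log format of the form `timestamp VERDICT src=… dst=… dport=…`.

```python
import ipaddress
from collections import defaultdict

# Constructed segment map (hypothetical addressing): subnet -> business function.
SEGMENTS = {
    ipaddress.ip_network("10.10.0.0/16"): "facilities",
    ipaddress.ip_network("10.20.0.0/16"): "hr",
    ipaddress.ip_network("10.30.0.0/16"): "accounting",
    ipaddress.ip_network("10.40.0.0/16"): "app",
}

# Constructed allowlist: only the flows the applications need, written as
# (source segment, destination segment, destination port). Anything not
# listed is denied, the inverse of an open network that only blocks a few things.
ALLOWED = {
    ("hr", "app", 443),
    ("accounting", "app", 443),
    ("facilities", "facilities", 502),  # building controls talk only to each other
}

# Constructed deny/allow log in the assumed format described in the lead-in.
SAMPLE_LOG = [
    "2024-05-01T09:00:01 ALLOW src=10.20.1.4 dst=10.40.0.10 dport=443",
    "2024-05-01T09:00:02 DENY src=10.10.5.7 dst=10.20.1.4 dport=445",
    "2024-05-01T09:00:03 DENY src=10.10.5.7 dst=10.20.1.5 dport=445",
    "2024-05-01T09:00:04 DENY src=10.10.5.7 dst=10.30.2.9 dport=3389",
    "2024-05-01T09:00:05 DENY src=10.30.2.9 dst=10.40.0.10 dport=22",
]


def segment_of(ip):
    """Map an address to its business segment, or None if it belongs to no known segment."""
    addr = ipaddress.ip_address(ip)
    return next((name for net, name in SEGMENTS.items() if addr in net), None)


def is_allowed(src_ip, dst_ip, dport):
    """Default deny: a flow passes only if its segment pair and port are on the allowlist."""
    return (segment_of(src_ip), segment_of(dst_ip), dport) in ALLOWED


def deny_tripwire(log_lines, threshold=3):
    """Return sources whose DENY entries touch at least `threshold` distinct destinations.
    A single stray deny is noise; a fan-out across segments is the trip line for a
    compromised host probing its neighbours."""
    targets = defaultdict(set)
    for line in log_lines:
        _ts, verdict, *kv = line.split()
        if verdict != "DENY":
            continue
        fields = dict(item.split("=", 1) for item in kv)
        targets[fields["src"]].add((fields["dst"], fields["dport"]))
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}
```

Running `deny_tripwire(SAMPLE_LOG)` singles out the facilities host 10.10.5.7, which was blocked three times while reaching toward HR and accounting, and leaves the single accounting deny below the threshold.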
Step 6 – System Backups
The most common intrusion has become ransomware, and a successful widespread attack can severely strain a business. System backups can eliminate much of the risk from a successful attack, but only if the backups themselves cannot also be compromised. Teams must carefully design their backup strategies to stay safe, because attackers are known to monitor IT systems for weeks before triggering the encryption of an organization's data.
Natural disasters can be just as disruptive as a ransomware attack. Jacksonville, Florida is often subject to named tropical storms that are known to cause significant damage to businesses and their infrastructure. Backups should be stored where they will not be subject to the same event that affected the operating systems. It is imperative to research how businesses handled and recovered from natural disasters to learn what worked and what did not.
Step 7 – Employee Security Education
The final security step is to educate employees. Use anti-phishing campaigns to train employees on the types of emails that facilitate intrusions or fraud. A common attack is to entice employees to click on malware-infected jokes, pictures or videos within emails. Phishing emails convince employees, typically in accounting functions, to make fraudulent financial transfers. Certain employee roles may need additional job-specific training.
Human error is the most common source of an attack. An added benefit of this training is that employees become better prepared to avoid such attacks in their personal lives.
Making it All Work
A good balance of people, process, technology and tools is characteristic of a strong IT system. While the above seven steps focus on people and processes, CSG Technologies’ expertise lies in technology and tools. A partnership between business and managed service providers like CSG Technologies can form the foundations for a robust IT security infrastructure.