The Death of the Trusted Network

Lateral Movement Prohibits Trusted Networks

The concept of a trusted network is largely, but not entirely, obsolete. The historical thinking behind the “Trusted Network” was that it was an operational zone in which every computer, user and piece of software could be trusted to have the best interests of the company at heart. So long as the perimeter around this zone was intact, security within it could be relaxed, because, in theory, no person or device that was less than trustworthy was allowed inside.

Your line-of-business servers and software were kept here, as was your payroll data. Your web server was kept in a separate demilitarized zone (DMZ) with heightened security because it had regular contact with the Internet. Your guest Wi-Fi was kept in a third security zone, which ensured that vendors and customers visiting the office could reach the Internet but could not pick at your servers.

Such was the architecture of the “Trusted Network” when 80-90% of critical assets sat in the office where most of the staff worked. Perimeter security was paramount, but devices and software inside the trusted zone were not responsible for the security of the assets or the office. In short, they lived like diplomats in a secure compound: their only security concern was trying not to be a victim, not participating in the defense.

As such, it was very important that the perimeter of the trusted network be well protected. Firewalls were kept up to date and monitored. Web and email content filtering helped keep unsuspecting users from downloading malware. It was critical that these edge devices, the ones that touched other networks and protected the trusted zone, be kept current; they were monitored, patched and secured with the highest priority. In this architecture, a laptop that moved in and out of the trusted zone might need its host firewall enabled, but a desktop that never left the office…not so much. A router that bridged two networks or carried traffic to the Internet needed to be monitored. The switch that sat only inside the trusted zone was often considered less important, because by the time attackers reached it “they were already inside the trusted zone.”

Time has not been kind to this architecture. At one time, 80-90% of a company’s technical assets were kept in the office, in the trusted zone. An honest assessment of most organizations today would likely show that share has dropped below 40%. You can see it with the naked eye: so many people have work-from-anywhere access that commercial rental rates are falling, and so much processing has moved out of the office into the cloud that the need for high-powered workstations has dropped in favor of the convenience of laptops and mobile devices.

In this new paradigm, people bring laptops and mobile devices in and out of the office all the time. They access data that lives in the office, in the cloud and at SaaS providers. There is so much movement of people, devices and data in and out of the office that it is impractical to think in terms of a trusted network at all. To extend the earlier metaphor, the number of people and devices that remain exclusively in the compound is so low, and the volume of critical assets that live and travel outside it is so high, that it is more accurately described as a public bazaar. The safest course is to secure every person, device and asset as if it had no perimeter protection at all. Perimeter defenses around key assets remain a good idea, but they can no longer be the primary tactical or budgetary concern.

As such, every device should be secured and monitored, and automation should be used to keep it patched and updated. Your team is coming at your data from all directions with a multitude of devices. Each person, device and software package is a potential attack vector for a malicious actor, and lax security on one device threatens every asset that device can reach. So it is also critical that each data store be secured.

Understanding Enterprise Assets and Software

Enterprise assets encompass all the digital and physical resources owned by an organization. These include data, hardware, software, networks, and intellectual property. Software, on the other hand, refers to the programs and applications that run on these assets, enabling business operations and processes. Both assets and software are integral to the smooth functioning of an organization and, therefore, must be protected from potential threats.

Key Aspects of Securing Assets

·         Device Identity: To the extent possible, service access should be limited to known, authorized devices. Accessing key software and data from anywhere does not mean unlimited access from any device.

·         Access Control Lists: Role-based access control for devices as well as people. Only finance laptops should have access to finance software, and sensitive systems should not be reachable from public library computers or hotel kiosks.

·         Role-based Network Segmentation: Where data remains in the central office, divide the network into smaller segments to contain breaches and limit the spread of malware. The fewer services a compromised device can reach, the less damage it can do.

·         Remote Management Technologies: Security teams should be able to reach, defend and remediate every device at all times, regardless of its location.

·         Minimum Standards: Devices should have appropriate security and remote management capabilities, including company-mandated security software. System policies should be enforced and security patches applied. Devices that do not meet these requirements should not have access to company assets, regardless of how strongly the person using them has authenticated.

·         Port Management: A port is the network endpoint through which a device exposes an application or data to the wider environment. Unencrypted services and port forwarding should be prohibited. Devices that should not be providing services should have inbound connections blocked by local security policy (a host firewall). Regularly review open network ports against an approved baseline to catch unauthorized services.

·         Device Hardening: Ensure that only secure and necessary network protocols and services are present. For example, a server that is not a print server should not have print services installed, and devices that should not be sharing services should have those capabilities removed and blocked.

·         Data Encryption: Encryption of data at rest should be deployed on every device so that a lost or stolen device does not expose its contents. Remote management software should be able to wipe all data and software from any managed device.

·         Data Loss Prevention: Data should be classified and secured based on the user, the machine and the location. In less secure environments, access should be reduced to read-only or removed. For example, even a laptop that is authorized to run payroll should not be allowed to do so from the floor of a convention hall in Las Vegas. Likewise, data marked as sensitive should be restricted from general distribution: an email containing unencrypted Social Security numbers should be blocked from being sent, and management should be notified.

·         Versioning and Patching: All devices and software packages should be kept as current as possible and up to date on all security patches. Software that is past its end-of-life (EOL) date should be upgraded or replaced.

·         Automation: Devices that cannot be monitored and updated by remote automation should be kept off networks that carry sensitive data. For example, a smart TV in the lobby should sit on the guest network or another restricted network unless it can be appropriately secured on an ongoing basis.
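The data loss prevention item above describes the concrete check a mail gateway performs: detect unencrypted Social Security numbers in outbound mail, block the message and notify management. The following Python is an added example written for this article, not code from the original page or from any product; the sample messages, the management address and the `inspect_outbound` name are constructed for illustration. It also shows two details a practitioner cares about that the bullet does not: structural validation of SSN candidates (area, group and serial values the SSA never issues) to cut false positives, and the fact that the Subject header travels in the clear even when the body is PGP/MIME or S/MIME encrypted.

```python
"""Outbound mail DLP check for unencrypted Social Security numbers.

Added example for this article (not code from the original page). The
message samples, addresses and function names are constructed.
"""
import re
from dataclasses import dataclass, field
from email import message_from_string

# SSN candidates written as 123-45-6789, 123 45 6789 or 123456789. The
# lookarounds stop matches inside longer digit runs (phone and account
# numbers), which is where naive 9-digit patterns produce most false alarms.
SSN_PATTERN = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

# Top-level content types that mean the body is already encrypted.
ENCRYPTED_CONTENT_TYPES = {"multipart/encrypted", "application/pkcs7-mime"}


def is_valid_ssn(area, group, serial):
    """SSA structural rules: area 000, 666 and 900-999 are never issued;
    group 00 and serial 0000 are invalid."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text):
    """Return every structurally valid SSN candidate found in text."""
    return [m.group(0) for m in SSN_PATTERN.finditer(text)
            if is_valid_ssn(*m.groups())]


def redact(ssn):
    """Keep only the last four digits so the alert itself is not a leak."""
    return "***-**-" + re.sub(r"\D", "", ssn)[-4:]


@dataclass
class Verdict:
    action: str                                   # "allow" or "block"
    reason: str
    findings: list = field(default_factory=list)  # redacted matches
    notify: list = field(default_factory=list)    # who receives the alert


def body_text(msg):
    """Concatenate every text/* part of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload is not None:
            charset = part.get_content_charset() or "utf-8"
            chunks.append(payload.decode(charset, errors="replace"))
    return "\n".join(chunks)


def inspect_outbound(raw_message, management_contacts):
    """Decide whether an outbound message may leave the organization."""
    msg = message_from_string(raw_message)
    encrypted = msg.get_content_type() in ENCRYPTED_CONTENT_TYPES
    # The Subject header is never protected by PGP/MIME or S/MIME, so it is
    # scanned regardless; the body is scanned only when it is in the clear.
    text = msg.get("Subject", "")
    if not encrypted:
        text += "\n" + body_text(msg)
    ssns = find_ssns(text)
    if not ssns:
        reason = "body encrypted, subject clean" if encrypted else "no SSNs detected"
        return Verdict("allow", reason)
    return Verdict("block", f"{len(ssns)} unencrypted SSN(s) in outbound mail",
                   [redact(s) for s in ssns], list(management_contacts))


# Constructed samples: a cleartext message that leaks one SSN (the phone
# number and the part code must not be flagged) and a PGP/MIME message.
CLEARTEXT_MAIL = """\
From: payroll@example.com
To: vendor@example.net
Subject: New hire paperwork
Content-Type: text/plain; charset=utf-8

The new hire's SSN is 123-45-6789 and her phone is 555-123-4567.
Part code 900-12-3456 looks like an SSN but is not a valid one.
"""

ENCRYPTED_MAIL = """\
From: payroll@example.com
To: vendor@example.net
Subject: New hire paperwork
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(ciphertext omitted in this constructed sample)
-----END PGP MESSAGE-----
--b1--
"""

if __name__ == "__main__":
    for sample in (CLEARTEXT_MAIL, ENCRYPTED_MAIL):
        v = inspect_outbound(sample, ["ciso@example.com"])
        print(v.action, "-", v.reason, v.findings, v.notify)
```

Run stand-alone, the cleartext sample is blocked with one redacted finding and the constructed management address on the notify list, while the PGP/MIME sample is allowed because only its Subject is inspectable. A real gateway would also decode attachments and add patterns for other classified data, but the shape of the decision (classify, validate, block, notify) is the one the bullet calls for.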

Implementing Effective Security Measures

Adopting a Risk-Based Approach

A risk-based approach identifies and prioritizes potential threats by their likelihood and impact, which lets the organization allocate resources effectively and address the most critical vulnerabilities first. Management should meet regularly with the security team to stay apprised of new vulnerabilities and attacker tactics that may require shifts in policy.

Inventory Management:

Without proper management of device inventories, security departments are bound to fail. Role-based access controls help on this front, inasmuch as unsecured devices that do exist within the organization can be kept from reaching key assets. But only management truly knows which devices have been purchased, and only management should authorize removing or retiring devices from the organization. It is therefore important that non-technical management keep an accurate inventory of devices and software purchased, as a check and balance on the security team.

Keeping an accurate inventory also improves management’s ability to budget for life-cycle replacements. Gone are the days when it was acceptable to run old software and devices simply because the new features weren’t compelling; security alone now demands regular upgrades.

Regular Security Audits and Assessments

Conducting regular security audits and assessments helps identify weaknesses and ensure that security measures are up to date. This proactive approach allows organizations to address vulnerabilities before they can be exploited.
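The port management and device hardening items in the list above, together with the regular assessments recommended here, reduce in practice to a recurring comparison of what a host actually listens on against what its role permits. The following Python is an added example, not code from the original page: it parses constructed `ss -tlnp`-style output (the process names, PIDs and the web-server baseline are made up for illustration) and flags cleartext protocols, listeners absent from the baseline, a wrong process on an approved port, and services that should be loopback-only but are bound to every interface.

```python
"""Listening-port review against a per-role baseline.

Added example for this article (not code from the original page). The
`ss -tlnp` sample, process names, PIDs and baseline are constructed.
"""
import re
from dataclasses import dataclass

LOOPBACK_ADDRESSES = {"127.0.0.1", "[::1]", "::1"}

# Protocols that move credentials or data in the clear. The article says
# these are prohibited outright, so they are flagged before any baseline
# lookup. The list is illustrative, not exhaustive.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 110: "pop3", 143: "imap",
                   389: "ldap", 513: "rlogin", 514: "rsh"}


@dataclass(frozen=True)
class Allowed:
    process: str                 # process name expected to own the port
    loopback_only: bool = False  # True if it must not face the network


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str


# Constructed baseline for a hypothetical web-server role: SSH, HTTPS and a
# database that only the local web application should be able to reach.
WEB_SERVER_BASELINE = {
    22: Allowed("sshd"),
    443: Allowed("nginx"),
    5432: Allowed("postgres", loopback_only=True),
}


def parse_ss_output(text):
    """Parse the LISTEN lines of `ss -tlnp` output into Listener records."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue                                # header or other state
        address, port = fields[3].rsplit(":", 1)    # also handles [::]:22
        match = re.search(r'"([^"]+)"', line)       # users:(("sshd",pid=..))
        process = match.group(1) if match else "unknown"
        listeners.append(Listener(address, int(port), process))
    return listeners


def review_listeners(listeners, baseline):
    """Return (port, finding) pairs for every listener that violates the
    baseline. An empty list means the host matches its role."""
    findings = []
    for lst in listeners:
        if lst.port in CLEARTEXT_PORTS:
            findings.append((lst.port, f"cleartext protocol {CLEARTEXT_PORTS[lst.port]} "
                                       f"served by {lst.process}; disable it"))
            continue
        allowed = baseline.get(lst.port)
        if allowed is None:
            findings.append((lst.port, f"unexpected listener {lst.process} on "
                                       f"{lst.address}:{lst.port}; not in baseline"))
            continue
        if lst.process != allowed.process:
            findings.append((lst.port, f"port {lst.port} owned by {lst.process}, "
                                       f"baseline expects {allowed.process}"))
        if allowed.loopback_only and lst.address not in LOOPBACK_ADDRESSES:
            findings.append((lst.port, f"{lst.process} must bind loopback only, "
                                       f"found {lst.address}"))
    return findings


# Constructed `ss -tlnp` output for a web server with three problems: postgres
# exposed on all interfaces, a print daemon that has no business on a web
# server, and telnet.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       128      0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128      [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       511      0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1203,fd=6))
LISTEN  0       128      0.0.0.0:5432         0.0.0.0:*          users:(("postgres",pid=990,fd=5))
LISTEN  0       5        0.0.0.0:631          0.0.0.0:*          users:(("cupsd",pid=1450,fd=7))
LISTEN  0       10       0.0.0.0:23           0.0.0.0:*          users:(("in.telnetd",pid=1602,fd=3))
"""

if __name__ == "__main__":
    for port, finding in review_listeners(parse_ss_output(SAMPLE_SS_OUTPUT),
                                          WEB_SERVER_BASELINE):
        print(f"[{port}] {finding}")
```

On the constructed sample the review reports three findings (ports 23, 631 and 5432) and accepts the two SSH listeners and nginx. Feeding the script the real output of `ss -tlnp` from a fleet, with one baseline per role, turns the "review open ports" bullet into a repeatable audit whose result is a diff rather than a judgement call; a process name that differs from the baseline on an approved port is worth as much attention as a new port, since it can indicate a rogue service squatting on a familiar number.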

Conclusion

It is critical for management to understand that the threat landscape has changed and that spending and security strategies must change in response. Securing enterprise assets and software is crucial for protecting sensitive data, ensuring business continuity, complying with regulations and building customer trust. By understanding the evolving cyber threat landscape and implementing effective security measures, non-technical executives can play a vital role in safeguarding their organization's digital infrastructure.
