In May 2021, the White House released an executive order to improve national cybersecurity. It came on the heels of increased cyberattacks on public and private entities throughout 2020; per the FBI’s 2020 Internet Crimes Report, these attacks accounted for losses over $4.1 billion nationally. Protecting your organization’s network and data is crucial. Regardless of size, industry, or business activity, your organization needs to implement certain basic network security best practices to minimize the likelihood and potential impact of cybercrime.
Fundamental Network Security Best Practices Checklist
Cyberattacks are constantly evolving. Adequate cybersecurity infrastructure must be flexible and scalable, ready to adapt to changing threats at a moment’s notice. To that effect, there are four essential network security architecture best practices cyberdefense systems should utilize:
- Protecting all physical elements of cybersecurity architecture
- Safeguarding all network components
- Segmenting system components to better quarantine threats
- Implementing strict access and behavior control measures
Beyond these fundamentals, there are also advanced methods your team should consider, ideally with the help of a managed security services provider (MSSP).
#1: Safeguard all Physical Equipment
One of the most fundamental considerations for network security involves the physical components that support wireless and other communications between connected devices and systems. Physical components of network architecture include any endpoints and the connections between them:
- Endpoints – Include computers, laptops, mobile devices, servers, modems, and terminals
- Connections – Wiring and ports used to connect the above physically (as opposed to digital network connections)
At the most basic level, physical security for these and any other related assets begins with safe procurement and installation. It then includes regular maintenance, such as installing all updates and patches to software and hardware as soon as they are available. Patch management is one way to ensure equipment is secured throughout its lifespan. Device-level encryption and remote wiping also physically safeguard endpoints.
For comprehensive physical security, hardware must be accounted for at the end of its lifespan, with data deletion as a minimum step for secure disposal.
Broadening the scope for security purposes, physical safeguards must also include proximal safeguards. Organizations need to monitor and tightly control all entry into and the use of spaces housing physical network components. Physical barriers are a starting point for this, and all access should be logged.
#2: Secure Virtual Network Components
Wireless networks offer convenience and ease of access, but they also come with several vulnerabilities distinct to wireless connections, such as the potential for interception or intrusion.
To mitigate these and other threats, wireless networks must have safeguards to ensure:
- External access control – Only those users authorized to access a network, or contents stored or transmitted on it, may be allowed to do so. External access controls primarily relate to authentication (i.e., identity verification), and measures such as password complexity requirements and multifactor authentication provide a solid foundation from which to build.
  - More sophisticated access control measures include configurable policies (e.g., date and time, IP addresses).
  - Access controls should also seamlessly integrate with physical security measures (e.g., assigning unique ID cards for security scanners).
- Data encryption – All data transmitted or stored on wireless networks must be encrypted so that, if it is intercepted or inappropriately accessed, the information cannot be read by any cybercriminals who come to possess it.
  - Organizations implementing encryption must also adopt secure cryptographic key management processes to protect data fully.
Another consideration when protecting wireless networks is the Service Set Identifier (SSID), the name (up to 32 characters) that identifies a wireless access point. The SSID can be easily changed, and it should be. SSID changes should occur initially to avoid using the vendor-default configurations and then at regular intervals to best prevent cyberattacks from successfully breaching your environment.
#3: Segment and Quarantine Components
Protecting sensitive information can be achieved through physical and virtual strategies. But the most crucial consideration for either is to separate physical and virtual network components that do not require connections or direct access to each other. This practice prevents threats from easily migrating between network areas and better facilitates quarantine efforts upon their discovery.
Physical separation typically begins with physical barriers between networks (see #1, above). However, it also includes using separate routers and infrastructure for different networks with varying data sensitivities and user bases. You must ensure they can’t and don’t interact.
Virtual separation is one way to achieve the same ends without needing additional hardware. For example, suppose a single physical device is used to host multiple networks or segments thereof. In that case, secure operation requires de facto barriers, such as Virtual Local Area Networks (VLANs) or Virtual Routing and Forwarding (VRF), to ensure that no activity or data from one network “spills into” another.
Especially crucial for compliance efforts, environment segmentation can better protect sensitive data, such as credit card information subject to the PCI DSS and protected health information subject to HIPAA.
#4: Limit, Monitor, and Control Internal Network Access
As mentioned in best practice #2, access control is crucial to overall network security. But external and internal access controls differ. External controls (e.g., authentication processes) are analogous to a digital “passport check” prior to entering a network. In contrast, internal controls (e.g., user permissions) govern what that digital passport entitles you to access.
One comprehensive solution is an identity and access management (IAM) implementation, ideally integrated into other risk and incident management suites. Sophisticated IAM solutions commonly govern user activity according to role- or attribute-based access controls (RBAC, ABAC). User sessions should be closely monitored and suspended immediately if any inappropriate or irregular activity is detected. Detecting suspicious activity should then trigger incident response protocols.
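The following added example (not code from the original article) sketches how an IAM enforcement point can layer attribute-based conditions on top of role grants and suspend a session once irregular activity is detected; the roles, attributes, denial threshold and sample timestamps are all constructed for illustration.

```python
"""Illustrative RBAC + ABAC authorization with session monitoring (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, time

# RBAC layer: each role maps to the actions it may perform (constructed roles).
ROLE_PERMISSIONS = {
    "analyst": {"read:report"},
    "billing": {"read:invoice", "write:invoice"},
    "admin": {"read:report", "read:invoice", "write:invoice", "admin:users"},
}

# Constructed sample timestamps used by the checks below.
SAMPLE_DAY = datetime(2021, 5, 12, 10, 0)    # inside business hours
SAMPLE_NIGHT = datetime(2021, 5, 12, 22, 0)  # outside business hours


@dataclass
class Session:
    user: str
    roles: set
    department: str
    denied: int = 0            # consecutive denied requests in this session
    suspended: bool = False
    alerts: list = field(default_factory=list)  # events handed to incident response


def abac_allows(session, action, resource, now):
    """ABAC layer: attribute conditions evaluated after the role grant."""
    # Constructed policy: writes are only permitted during business hours.
    if action.startswith("write:") and not time(8) <= now.time() <= time(18):
        return False
    # Constructed policy: invoices may only be touched by their owning department.
    if resource.get("type") == "invoice" and resource.get("dept") != session.department:
        return False
    return True


def authorize(session, action, resource, now, max_denied=3):
    """Return True if the request is permitted under both RBAC and ABAC.

    Repeated denials are treated as irregular activity: the session is
    suspended and an alert is recorded for incident response.
    """
    if session.suspended:
        return False
    role_grant = any(action in ROLE_PERMISSIONS.get(r, set()) for r in session.roles)
    if role_grant and abac_allows(session, action, resource, now):
        session.denied = 0
        return True
    session.denied += 1
    if session.denied >= max_denied:
        session.suspended = True
        session.alerts.append(f"{session.user}: {session.denied} denials, session suspended")
    return False
```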
Another crucial element of effective access control is baseline architecture implementation. Your organization must be protected by at least one firewall configuration, if not several layers of web filters. For example, Cisco Umbrella functions alongside firewalls (“under” them in your technology stack), looking specifically for threats designed to bypass a first or second layer of protection. This tool, or other similar solutions, can help ensure that attackers don’t gain access through malware.
Network Security Best Practices NIST Recommends
Organizations building out network security infrastructure should consult resources available from the National Institute of Standards and Technology (NIST). Its page on Securing Network Connections lists several helpful guides to the top risks it recommends safeguarding against, including one especially beneficial resource co-developed by the Cybersecurity and Infrastructure Security Agency (CISA).
Security Tip 18-001, Securing Network Infrastructure Devices, recommends:
- Segmenting and segregating networks and their functions
- Limiting all unnecessary lateral network communications
- Hardening network devices through updates and patches
- Securing all access to network infrastructure devices
- Performing out-of-band (OoB) network management
- Validating the integrity of hardware and software
This list corresponds roughly with our top four best practices above. However, it skews more toward concerns of smaller businesses or those with smaller and less developed networks.
Other Network Security Considerations for Compliance
Growing organizations should also cross-reference applicable regulations to ensure that all network security considerations align and comply with applicable regulatory requirements. For example, consider the following network security requirements that are widely applicable:
- PCI DSS Requirements – If your organization accepts credit card payments or processes cardholder data (CHD), you likely need to comply with the Payment Card Industry (PCI) Data Security Standard (DSS). The first two of the 12 Requirements focus explicitly on the goal of building and maintaining secure networks and systems:
  - Requirement 1: Install and maintain a firewall configuration to protect CHD
  - Requirement 2: Replace all vendor-supplied default settings
- HIPAA Requirements – If your organization is directly involved in healthcare, it is likely a Covered Entity under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA also applies to Business Associates of these entities. If you qualify as one, you’ll need to ensure that networks properly safeguard protected health information (PHI) per the Privacy Rule and Security Rule to avoid Enforcement Rule penalties.
The best way to account for these requirements is by working closely with a managed security services provider (MSSP) who offers compliance advisory services—like RSI Security.
Professional Network Security Program Advisory
The most effective network security best practices include safeguarding your physical network architecture, securing virtual infrastructure, segmenting network components when possible, and controlling network access (external and internal). Additionally, there are other requirements you may need to account for, depending on your risk environment and applicable regulations.
To get started with a consultation, contact RSI Security today.