Make your users change their passwords every three months. Require at least eight alphanumeric characters with at least one letter capitalized and one special character — not an exclamation point because everybody does that now. Change all of your default passwords in the same way. Change all of your default usernames, as well. Lock your building and your server rooms. Never use WEP on your WiFi. Secure it with WPA2 CCMP encryption. And please run updates and patches as soon as possible after they are released.
These are all basic hygiene requirements that the general public is probably familiar with. But there is a lot more you need to set up to maintain a good security posture. This is a good review for anyone and a must-read for a business just trying to wrap its mind around a cybersecurity strategy, especially small businesses, which account for 43% of data breaches according to Verizon’s 2019 Data Breach Investigations Report.
Creating a Risk Management Framework
Much good information can be had by reviewing the National Institute of Standards and Technology (NIST) Special Publication 800-37, which specifies how to go about creating a Risk Management Framework (RMF), especially for federal information systems. However, the information contained in NIST SP 800-37 is highly relevant for the private sector, as well. The purpose of creating your own RMF is to provide an overarching view of your security posture, which gives you the ability to monitor and respond to security threats in real time. Creating your RMF will allow you to mitigate risk, saving cost and increasing efficiency.
The NIST RMF process contains six steps. The first step is Security Categorization. This involves categorizing the information system along with the information that is “processed, stored, and transmitted by that system based on impact analysis.” Categories include things like types of architectures and processes and whether the system is wholly internal or partly shared with another responsible company.
The second step is security control selection. In this step during the design phase, the security professional responsible for implementing controls decides on what kind of controls will be used based on the categories of information that will be handled. Certain types of information, like Protected Health Information (PHI), are subject to specific government regulations that prescribe the level of security required to ensure data is protected. For PHI this could mean securing both data in transit and data at rest, for example.
The third step is security control implementation. This is how you will structure and activate those controls selected in the previous step.
The fourth step is security control assessment. At this stage, it is important to determine the efficacy of the controls and how well they are mitigating risk according to your RMF.
The fifth step is Information System Authorization. This step draws on all the information from the risk assessment and the resulting security posture to determine whether the system is secure enough to operate at an acceptable level of risk.
The sixth step is security control monitoring. This is the continuous process of always assessing your organization’s security controls and whether they are enough to mitigate risk to acceptable levels. Monitoring also involves reporting any changes in risk to someone who can do something about it.
Figure 1: The RMF Framework — NIST SP 800-37 illustrates the six steps required for appropriate risk mitigation levels.
Let’s look at some specific controls a good RMF would indicate to help ensure the security and privacy of sensitive systems and information. NIST SP 800-53 is the definitive source on categories and controls, but here we will address some of the obvious issues, as well as a few of the not-so-obvious.
One of the most basic requirements in security is to disable anything you’re not using. There are two kinds of ports: the ports your computer uses to send and receive information and that can be administered by a Firewall (virtual ports) and the physical ports on switches, routers, and in your wall (jacks). Both kinds of ports must be meticulously managed to prevent unauthorized access to protected systems and information.
On your personal Firewall, shut down any virtual ports not in use, like Telnet’s port 23, which only provides insecure remote access. You can also block both inbound and outbound communication to and from any application you choose. Finally, block IP addresses you know to belong to malicious entities. Configure your organization’s Firewall in the same way, limiting the number of ports an attacker can use to get into your network.
Switches also have inherent network protection — usually. Most switches today implement Spanning Tree Protocol or Rapid Spanning Tree Protocol. These protocols prevent loops in the network. The problem with information loops is that they continue to pass information around and around to the point that it not only renders the switch useless but can also bring your network to its knees. So you should absolutely make certain your switches are configured to implement this.
A Flood Guard can be employed that prevents Flood Attacks by limiting the amount of memory the switch uses for remembering the MAC addresses of devices connected to any given port. Without it, the switch’s memory would become overwhelmed during a Flood Attack, and the switch would fail open, reverting to the insecure state of behaving like a hub.
Switches are employed for security over old-fashioned hubs because, on a switch, an attacker cannot use a protocol analyzer to intercept unicast traffic destined for other ports. Again, switches that connect to your internal network should be under lock and key because even if you block traffic or disable unused ports, there is usually a monitoring (mirror) port that is very useful in troubleshooting your network. That monitoring port is a major vulnerability.
Physical ports have to be protected, as well. Limiting the number of MAC addresses on any given port prevents Flood Attacks. A better practice is to designate a single MAC address per port as it is usually the case that only one device is connected to the network on each port.
Physically disabling any connections in the wall jacks that are not in use will keep a casual hacker from simply plugging into your system. Disabling switch ports will do the same, as well as locking down your MDF and IDFs from casual passersby. This prevents unused physical ports from becoming an easy point of access to your system.
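To make the Flood Guard and one-MAC-per-port advice above concrete, here is an added example (not code from this article or from any switch vendor): a toy learning switch with a tiny, constructed CAM table, compared with and without a per-port MAC limit. The MAC addresses and port numbers are constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Set

BCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Switch:
    max_macs_per_port: int = 1    # one device per port, as recommended above
    cam_capacity: int = 8         # deliberately tiny so the flood effect is visible
    cam: Dict[str, int] = field(default_factory=dict)   # MAC -> port (insertion ordered)
    learned: Dict[int, Set[str]] = field(default_factory=lambda: defaultdict(set))
    shutdown: Set[int] = field(default_factory=set)     # err-disabled ports

    def receive(self, port: int, src: str, dst: str) -> str:
        """Process one frame; return 'dropped', 'flooded' or 'forwarded:<port>'."""
        if port in self.shutdown:
            return "dropped"
        if src not in self.cam:
            if len(self.learned[port]) >= self.max_macs_per_port:
                # Port-security violation: disable the port rather than learn more.
                self.shutdown.add(port)
                return "dropped"
            if len(self.cam) >= self.cam_capacity:
                # Table full: age out the oldest entry, which is how a flood
                # pushes legitimate hosts out and degrades the switch to a hub.
                old, old_port = next(iter(self.cam.items()))
                del self.cam[old]
                self.learned[old_port].discard(old)
            self.cam[src] = port
            self.learned[port].add(src)
        # Known destination goes out one port; unknown destination is flooded.
        if dst in self.cam:
            return f"forwarded:{self.cam[dst]}"
        return "flooded"

def simulate(guarded: bool, bogus_frames: int = 20) -> str:
    """Return how host A -> host B traffic is handled after a MAC flood from port 3."""
    sw = Switch(max_macs_per_port=1 if guarded else 10**6)
    sw.receive(1, "aa:aa:aa:aa:aa:01", BCAST)   # host A on port 1 (constructed)
    sw.receive(2, "aa:aa:aa:aa:aa:02", BCAST)   # host B on port 2 (constructed)
    for i in range(bogus_frames):               # forged source MACs from port 3
        sw.receive(3, f"de:ad:be:ef:00:{i:02x}", BCAST)
    return sw.receive(1, "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02")

if __name__ == "__main__":
    print("guarded:  ", simulate(True))    # A->B still unicast to port 2
    print("unguarded:", simulate(False))   # A->B flooded to every port, port 3 included
```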
A Router is able to control inbound and outbound traffic in a way that is very similar to a Firewall. An Access Control List (ACL) is made up of the rules that control the traffic. Router ACLs can filter based on basic information found in a data packet like IP address, protocols, and virtual ports.
Using IP address rules a router can block anything from a single computer to an entire domain. However, it is most prudent in businesses with multiple subnets to physically separate network traffic between them when possible. For example, your Sales team might be on one subnet while your Accounting team might be on another.
For obvious reasons Sales should never have access to the sensitive information kept there. Isolating the Accounting team to its own subnet that cannot be accessed by Sales adds a necessary layer of protection based on a need-to-know policy. Need-to-know is part of the principle of least privilege where access to systems and information is only granted to the people and machines that need access to do their jobs.
Protocols like ICMP are often employed in Denial of Service attacks. Most companies own an Intrusion Prevention System (IPS) that responds dynamically when a DoS attack is detected by blocking ICMP. At the router level, you can keep this from ever happening by blocking all ICMP traffic. You can also configure the Router to allow all encrypted traffic by allowing IPsec ESP.
A Router blocks ports the same way a Firewall does. It can block incoming traffic on a port but allow outgoing traffic on the same port. You can also configure the Router to block both incoming and outgoing traffic on any given port.
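The firewall and router rules described above (blocking Telnet’s port 23, known-bad addresses and ICMP, allowing IPsec ESP, and isolating Sales from Accounting) all come down to an ordered, first-match access control list. This added example, which is not code from the article or from any router vendor, evaluates such a list against sample packets; the subnets and addresses are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    direction: str                # "in" or "out" relative to the protected interface
    proto: str                    # "any", "tcp", "udp", "icmp" or "esp"
    src: str = "0.0.0.0/0"        # source network (CIDR)
    dst: str = "0.0.0.0/0"        # destination network (CIDR)
    dport: Optional[int] = None   # destination port; None means any

@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.proto in ("any", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.dport in (None, pkt.dport))

def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"

SALES = "10.1.0.0/24"          # constructed subnets for the example
ACCOUNTING = "10.2.0.0/24"
KNOWN_BAD = "203.0.113.0/24"   # TEST-NET-3, standing in for a blocklist

ACL = [
    Rule("deny", "in", "any", src=KNOWN_BAD),              # addresses known to be malicious
    Rule("deny", "in", "icmp"),                            # drop ICMP before the IPS has to
    Rule("permit", "in", "esp"),                           # allow encrypted IPsec traffic
    Rule("deny", "in", "tcp", dport=23),                   # Telnet: insecure remote access
    Rule("deny", "in", "any", src=SALES, dst=ACCOUNTING),  # need-to-know isolation
    Rule("permit", "in", "any"),
    Rule("permit", "out", "any"),
]

if __name__ == "__main__":
    for pkt in (Packet("in", "tcp", "198.51.100.7", "10.2.0.10", 23),
                Packet("in", "tcp", "10.1.0.5", "10.2.0.10", 445)):
        print(pkt, "->", evaluate(ACL, pkt))
```

Because evaluation stops at the first match, moving the final "permit in any" rule above the Telnet rule would silently reopen port 23, so rule order deserves the same review as the rules themselves.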
The Benefits of a Layer 3 Switch
Whereas routers group computers into subnets based on the physical location of nodes in a building, Switches do this based on port location. You can create several VLANs on a single Layer 3 Switch. This allows you to break up different kinds of traffic in a single location, like the first floor, into multiple segments such as VoIP and traditional data. It also allows you to combine computers that are in disparate locations into one VLAN so they can communicate and participate in group projects.
Wireless Access Points
You probably already know this, but it’s worth repeating. Change the default admin username on your WAP and the default password. Disable the SSID broadcast so a hacker would have to do their homework to get at the name of your network. This is security through obscurity, but it’s a good first-line defense. However, someone with a Wireless Protocol Analyzer could easily detect the name from a probe request.
MAC filtering is also weak because a packet sniffer can easily detect legitimate MAC addresses connecting to the network, and a MAC address is easy to change or spoof. You can see that neither of these precautions does much good. However, limiting the range and direction of the signal is mandatory. Your wireless network should not extend beyond the walls of your building unless your people need coverage in the parking lot for some reason. If you’re using an AAA (authentication, authorization, and accounting) server, like a TACACS+ server, then good for you. Use EAP-TLS for the most secure enterprise configuration.
Layered security is a must if you are going to defend your systems and information against the many and varied types of malware out there. The best defense involves this kind of defense-in-depth strategy, starting with mail filters and antivirus software on the mail server. You should also make sure every computer allowed into your network has antivirus software installed. This is obvious but sometimes overlooked.
Most networks have implemented a Firewall or Unified Threat Management (UTM) solution. By far the biggest vulnerability when it comes to protecting against malware is the people operating those machines, who often let the malware in through the front door. Teaching users not to click on email attachments, or even open emails, from senders they don’t know is critical and necessary.
Your Weakest Link
One of the best and cheapest tactics you should employ in your organization is User Education. Social Engineering attacks and Phishing scams exploit the human tendency to go along with what someone else says. People want to please other people. People also listen to persons of authority. So, when a social engineer calls on the phone pretending to be a user who forgot a password, the tendency is to help before you think.
Or when the social engineer pretends to be a superior and demands you give them information in preparation for an important meeting, the tendency is to be frightened into compliance. You might think these examples are ridiculous, but sadly, people really do fall for this kind of stuff. It is well worth your time and effort to have clearly defined systems and information user policies and train your people not to deviate from these procedures.
The psychological tactics used to exploit people usually fall into one or more of seven categories. They are Authority, Intimidation, Consensus, Scarcity, Urgency, Familiarity, and Trust. It is important to teach users what these tactics are and to watch for them the way you teach a six-year-old to brush their teeth after every meal.
The first category of controls in NIST SP 800-53 is Risk Assessment. You might not think of it as a control, but it’s where everyone has to start. A Risk Assessment isn’t a one-and-done thing either. You should always be monitoring your controls as prescribed in your RMF. It is key that you develop a Risk Assessment Policy and Procedures to go along with it. The Risk Assessment must address the “purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.”
It’s important you know exactly what your vulnerabilities are and what degree of security you need for each one. Experienced companies like RSI Security are well-practiced in Risk Assessments and issues of compliance. If you don’t have a plan, you will be exploited. It is just a matter of time.