BreachExchange mailing list archives

How to leverage networks to boost security


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 29 Jul 2015 19:03:56 -0600

http://gcn.com/articles/2015/07/29/networks-as-security.aspx

The breach at the Office of Personnel Management has put security top of
mind for nearly every government IT manager.

Many agencies are already practicing excellent cyber hygiene; others are
still in implementation phases. Regardless of where you are in the process,
it is critical to understand that security is not a one-product solution,
and it requires constant attention. Having a solid security posture
requires a broad range of products, processes and procedures.

Networks, for example, are a critical piece of the security picture;
agencies must identify and react to vulnerabilities and threats in real
time. By optimizing network performance, you can implement automated,
proactive security strategies that will increase network stability and have
a profound impact on the efficiency and effectiveness of the overall
security of the agency.

How can agencies leverage their networks to enhance security? Below are
several practices you can begin to implement today, as well as some areas
of caution.

Standardization. Standardizing network infrastructure is an
often-overlooked method of enhancing network performance and security.

Start by reviewing all network devices and ensuring consistency across the
board. Next, make sure you’ve got multiple, well-defined networks. Greater
segmentation will provide two benefits: greater security, as access will
not necessarily be granted across each unique segment, and greater ability
to standardize, as segments can mimic one another to provide enhanced
control.

Standardization also allows you to bring new team members up to speed
quickly on specifications and provides tighter control when rolling out new
implementations and designs. And, finally, standardization reduces
configuration errors and automates deployment.

Change management. Good change management practices go a long way toward
enhanced security. For example, change management software – specifically,
software that requires a minimum of two unique approvals before changes can
be implemented – prevents unauthorized changes at any time of day or night,
including 2:00 a.m. when an intruder might assume nobody is watching.

In addition, make sure you fully understand the effect changes will have
across the infrastructure before granting approval. Analyze and understand,
for example, the consequences on the network as a whole in terms of
capacity, performance, risk, cost and more.

Configuration database. Once infrastructure is standardized and sound
change-management practices are in place, it’s important to have a
configuration database for backups, disaster recovery, etc. If you have a
device failure, being able to recover quickly can be critical; implementing
a software setup that can do this automatically can dramatically reduce
security risks.

Another security advantage of a configuration database is the ability to
scan for security-policy compliance. With all configurations in one
location, that otherwise cumbersome task can be far less time consuming and
far more efficient.

Compliance awareness. Compliance is one of any agency’s primary security
concerns – and trying to comply with security technical information guides
from the Defense Information Systems Agency, the Federal Information
Security Management Act and more can be a complicated business.

That said, increased awareness and, in turn, increased security does not
have to be difficult. Consider using a tool that automates vulnerability
scanning and FISMA/DISA STIG compliance assessments. Even better? A tool
that also automatically sends alerts of new risks by tying into the
National Institute of Standards and Technology vulnerability database, then
checking that information against your own configuration database.

Areas of caution

Most security holes are related to inattention to infrastructure. In other
words, inaction can be a dangerous choice. Some examples are:

Old inventory. Older network devices inherently have outdated security.
Update as often as possible to ensure the newest security features are in
place. In fact, invest in a solution that will inventory network devices
and include end-of-life and end-of-support information. This also helps
forecast costs for new devices before they quit or become a security
liability.

Not patching. Patching and patch management are critical to security. Plus,
the cost of getting a new software version is often higher than the cost of
patching. Choose an automated patching tool to be sure you’re staying on
top of this important task.

Unrestricted bring-your-own-device policies. Some agencies have broad BYOD
rules, some do not. Having no rules or having rules so strict that workers
will try to circumvent them both invite breaches. The solution? Allow BYOD,
but with restrictions. Separate the unsecure mobile devices on the network
and closely monitor bandwidth usage so you can make changes on the fly as
necessary.

While there is an increasing focus on enhancing agencies’ security posture,
there is no quick-and-easy solution. That said, tuning network security
through best practices will not only enhance performance, but will also go
a long way toward reducing risks and vulnerabilities.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 