Implementing cutting-edge technology solutions is not the only way to combat cyber threats. Seemingly mundane administrative tasks such as network infrastructure hardening could yield greater results in terms of risk reduction.
I ran a remediation project for a major blue chip company, which successfully removed over 8,000 unused firewall rules.
Such projects can be complex and require a rigorously designed process to ensure that no active rules are removed. For example, a period of monitoring and subsequent hypercare ensured that only a few rules were reverted to production after being flagged as “unused”. Proactive stakeholder engagement was key in completing the work ahead of schedule and under budget.
As a result, the project improved network security by eliminating the chance that an attacker could exploit a weak, unused firewall rule. Moreover, the number of rules on the firewalls was cut by half, which made them easier and cheaper to monitor and manage.
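The monitor-then-hypercare approach above can be driven from rule hit counters. The following is an added example, not code from the original post or from the project described: it takes a constructed weekly hit-count export, flags rules with no hits across the whole monitoring window, and stages them for disable first so that anything hypercare reverts goes back to production before the remaining candidates are removed. The CSV layout, rule names and counter values are assumptions.

```python
"""Staged cleanup of unused firewall rules driven by hit counters.
Added example: rule names, counters and the CSV layout are constructed."""
import csv
import io
from collections import defaultdict

# Constructed per-week hit counts (counter reset each week), as a
# firewall management export might provide them.
SNAPSHOTS = """\
week,rule,hits
1,allow-web-dmz,1200
2,allow-web-dmz,1350
3,allow-web-dmz,1290
1,allow-legacy-ftp,0
2,allow-legacy-ftp,0
3,allow-legacy-ftp,0
1,allow-backup-nfs,0
2,allow-backup-nfs,0
3,allow-backup-nfs,7
1,allow-old-vpn,0
2,allow-old-vpn,0
3,allow-old-vpn,0
"""

def load_hits(text):
    """Return {rule: [hits per week]} parsed from the CSV export text."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        hits[row["rule"]].append(int(row["hits"]))
    return dict(hits)

def unused_candidates(hits, min_weeks):
    """Rules with zero hits in every snapshot, observed for at least min_weeks.
    A rule seen for fewer weeks than the window is never a candidate."""
    return sorted(r for r, h in hits.items()
                  if len(h) >= min_weeks and all(x == 0 for x in h))

def plan(hits, min_weeks, reverted):
    """Stage the change: disable candidates first; anything hypercare has
    flagged as needed is restored, the rest is scheduled for removal."""
    candidates = unused_candidates(hits, min_weeks)
    return {
        "disable": candidates,
        "restore": sorted(r for r in candidates if r in reverted),
        "remove": sorted(r for r in candidates if r not in reverted),
    }

if __name__ == "__main__":
    print(plan(load_hits(SNAPSHOTS), min_weeks=3, reverted={"allow-old-vpn"}))
```

The backup rule is kept because a single hit inside the window (an infrequent job) is exactly the case a too-short monitoring period would miss.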
There are a number of global information exchanges related to industrial control systems security. They offer useful guidelines and standards to help protect the environment.
The UK Centre for the Protection of National Infrastructure (CPNI) provides good practice and technical guidance, as well as advice on securing industrial control systems, including guidance on the secure move to IP-based networks (SCADA). They also highlight the risks of wireless connectivity for physical security systems.
Similar information exchange centres have been established in Japan and Spain.
For an introduction to Industrial Control Systems Security, see my previous blogs (Part I, Part II, Part III) or the ICS Security Library.
A company experienced a significant data breach from a malicious source which led to the loss of strategically sensitive information. I was called in to manage a security remediation project. Given that data at rest is a critical asset, remediating and hardening the company’s business critical databases was a key component of this program.
The client had designed a solution for database security but was struggling to implement it and gain the required stakeholder buy-in. Furthermore, the client’s business critical landscape was highly dispersed – application management was spread across multiple business units based in a number of countries, and database management was overseen by a third-party IT vendor.
I was a part of the project management team, which was established to coordinate multiple stakeholders in order to implement the end-to-end solution for database security consisting of monitoring, reporting and remediation of business critical databases.
I identified that the most significant obstacle was the business application owners’ understanding of the system, the processes, and the benefits of implementation. I initially engaged in extensive stakeholder communication and business change management to ensure the required buy-in.
I drove the progress of system implementation through stakeholder management, delivery management, information gathering and providing technical expertise and management reporting. I worked within the client’s project management methodology whilst leveraging my experience and expertise in project management to ensure timely delivery.
As a result, the business critical databases in scope were brought into the known state of compliance, drastically reducing the attack surface. Moreover, awareness of the importance of application security and secure behaviours to support databases was raised significantly.
I embedded the processes to implement the system into the client’s run and maintain activities, ensuring that future changes to their business critical landscape do not introduce new database vulnerabilities. I also developed an asset inventory for business critical databases which improved upon any previous client efforts.
Let’s see how some security controls might affect human behaviour in a company.
- Restricting software installation on computers is in line with one of the main principles of information security – the principle of least privilege. That way a security manager can make sure that employees in his company don’t install unnecessary programs which may contain vulnerabilities. Such vulnerabilities can be exploited by a potential attacker. There are instances, however, when a user may require a piece of software to perform his productive tasks. Failure to install it quickly and easily may result in unnecessary delays.
- Restricting access to file sharing websites helps to make sure that a company is not in violation of data privacy regulations and that users don’t store sensitive information in insecure locations. However, it is important for a company to provide an easy-to-use, secure alternative to enable the business.
- Restricting access to CD/DVD and USB flash drives. Personal USB flash drives can be a source of malware which users can introduce to the corporate network. Restricting access to CD/DVD and USB flash drives not only helps to prevent this threat, but also limits the possibility of sensitive data leaks. It is important to understand the core business processes in a company before deciding to restrict this access. Sometimes the drawbacks of such a policy may outweigh all possible benefits.
- Regular full antivirus checks help to make sure that employees’ workstations are free from malware. However, the process of scanning a computer for viruses may take up a lot of resources and slow down the machine, with a possible impact on productivity.
- Awareness training can be a powerful measure to protect against a wide range of security threats, including social engineering (e.g. phishing). However, research shows that blanket awareness campaigns are ineffective and a better approach is needed to address this issue.