This is another in an ongoing series about #InvisibleOpSec: things we can all do to improve business efficiency, security, and privacy through the lens of resilience with little or no cost and minimal effort.
Of all the questions I get asked about how to improve security for clients, from “what new security service/appliance/blah-blah-blah should I buy” on down, I almost always answer the same way: what do you have in place now that you might not be getting the most out of?
I often advise clients to learn more about what they already have. In most cases, the average SMB office already has many tools that can help them on their way to better security; they just need some guidance along the way. These suggestions are part of a defense-in-depth strategy, which helps you get more out of the security features of devices you already have.
Here are some of my top recommendations for achieving a more hardened office network or Local Area Network (LAN):
How to configure a router:
- Disable unneeded services:
  - Network Time Protocol (NTP)
  - Remote Procedure Calls (RPC)
  - rsh-type commands
- When in doubt refer to NIST, CERT, NSA, SANS + vendors.
- Use current algorithms + key lengths for all uses of encryption.
- Minimize single-points-of-failure (High-Availability).
- Enforce least-privilege-required access levels.
In a nutshell, harden the default configuration. Too many shops deploy hardware too quickly with little or no understanding of it and its capabilities. In many cases where we’re called in after something happens, a closer look at core infrastructure reveals misconfigurations that, had they been fixed, could have prevented the attack in the first place.
Additional thought: develop a formal, written Security Architecture Handbook and make it readily accessible to technical staff for use during incident response.
How to properly configure a firewall:
- Verify Operations, Administration, Maintenance + Provisioning (OAM&P) communications use trusted paths.
- Egress filtering is almost always overlooked.
- Use proxies: Nothing should communicate directly with the internet.
- Configure Intrusion Detection Systems (IDSs) properly.
- Use remote, centralized syslog servers + analysis.
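Egress filtering, a mandatory proxy and centralized log analysis reinforce each other: once every internal host is supposed to reach the internet only through the proxy, any allowed inside-to-outside flow from a different source in the firewall logs is a policy violation worth investigating. The following is an added example, not code from the original post; it assumes a vendor-neutral key=value log format, RFC 1918 internal ranges and a hypothetical proxy at 10.0.0.20, and the sample log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Internal address space of the hypothetical office LAN (RFC 1918 ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hypothetical egress proxy: the only internal host that may talk to the internet directly.
PROXY_HOSTS = {ipaddress.ip_address("10.0.0.20")}

# Constructed, vendor-neutral log lines (not captured from a real firewall).
SAMPLE_LOG = """\
2024-05-01T09:00:01Z fw1 action=allow src=10.0.5.12 dst=10.0.0.20 dport=3128 proto=tcp
2024-05-01T09:00:02Z fw1 action=allow src=10.0.5.12 dst=203.0.113.50 dport=443 proto=tcp
2024-05-01T09:00:03Z fw1 action=allow src=10.0.0.20 dst=203.0.113.50 dport=443 proto=tcp
2024-05-01T09:00:04Z fw1 action=deny src=10.0.7.44 dst=198.51.100.7 dport=25 proto=tcp
2024-05-01T09:00:05Z fw1 action=allow src=10.0.7.44 dst=203.0.113.9 dport=8443 proto=tcp
2024-05-01T09:00:06Z fw1 action=allow src=192.168.1.7 dst=10.0.0.53 dport=53 proto=udp
garbage line that does not match the expected format
"""

LINE_RE = re.compile(
    r"action=(?P<action>\w+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
)


def is_internal(addr):
    """True if the address belongs to one of the site's internal ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    return {"action": m["action"].lower(), "src": src, "dst": dst,
            "dport": int(m["dport"]), "proto": m["proto"]}


def find_direct_egress(log_text, proxy_hosts=PROXY_HOSTS):
    """Report inside-to-outside flows that bypassed the proxy.

    Returns allowed direct-egress flows (the policy violations) and a count of
    denied egress attempts per internal host (useful for spotting hosts that
    keep trying to reach the internet on their own).
    """
    direct = []
    denied = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Only inside -> outside flows are egress; internal-to-internal traffic is ignored here.
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue
        if rec["src"] in proxy_hosts:
            continue
        if rec["action"] == "allow":
            direct.append((str(rec["src"]), str(rec["dst"]), rec["dport"]))
        else:
            denied[str(rec["src"])] += 1
    return {"direct_egress": direct, "denied_egress": dict(denied)}


if __name__ == "__main__":
    report = find_direct_egress(SAMPLE_LOG)
    for src, dst, port in report["direct_egress"]:
        print(f"ALLOWED direct egress bypassing proxy: {src} -> {dst}:{port}")
    for src, n in report["denied_egress"].items():
        print(f"{src}: {n} denied egress attempt(s)")
```

The allowed flows are the ones that matter most: a deny means the egress filter did its job, while an allow from a non-proxy host means a rule is too permissive. Running this over a day of forwarded syslog is a quick way to find out whether "nothing talks to the internet directly" is actually true on your network.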
We used to think about defense and prevention as a castle with a moat, a tower and a drawbridge: perimeter-based security. We can’t think like that anymore. Threats are coming into our environments (via our mobile devices, for example) and exfiltrating or sending information out from the inside.
We can no longer think about security on a network-to-network basis. It’s about identity now: individuals and individual devices. Identity access management warrants its own dedicated presentation, because it’s a huge part of designing solutions effectively.
How to properly configure a switch:
- Harden access control before deployment:
  - Remove default accounts + change passwords.
  - Set limits on failed authentication attempts.
  - Configure session inactivity timers.
  - Connect access control functionality to an Authentication, Authorization, and Accounting (AAA, e.g. RADIUS) server.
- Network segmentation (VLAN schema).
- Treat each domain as hostile to MGMT VLANs.
- Use security features built into OAM&P protocols (SNMP, SOAP, etc.).
Again, many of these overlap across core network devices. Anything that touches a management VLAN, for example, should follow some consistent criteria that includes these good practices.
Good practices for WiFi (WLANs):
- Network segmentation.
- Media Access Control (MAC) address filtering.
- Audit for rogue Wireless Access Points (WAPs).
- Shape + control signal boundaries.
- Centralized logging (even for APs).
- Always use a trusted Virtual Private Network (VPN).
- Be aware of Domain Name Service (DNS) leakage.
- Educate others about the risks.
By now, you’re hopefully thinking many of these good practices overlap. Network segmentation is worth repeating because it’s a key strategy for minimizing the effects of a potential malware infestation and/or data breach.
Hiding SSIDs isn’t a bad idea either; many experts say it adds an extra step to automated discovery by bad guys, but I don’t consider it a bona fide step that has any significant value, at least not compared to some other tactics and strategies.
MAC Address Translation (MAT) can also be argued to be useless because MAC addresses can be spoofed, but it does create a lot more work for someone, and they’re not going to bother unless something makes it worth their while. A good defense-in-depth strategy is about raising the cost for a potential attacker to the point where they give up and find another target that’s easier for them to take advantage of.
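Auditing for rogue access points and keeping an eye on signal boundaries both come down to comparing what is on the air against what you know you deployed. As an added example (not code from the original post), the function below checks a constructed scan result against a constructed inventory of authorized APs; the BSSIDs, SSIDs and the -50 dBm "on premises" threshold are all assumptions. It flags an unknown BSSID advertising a corporate SSID (a twin of your own network), a strong unknown AP (likely physically inside your boundary), a known AP that changed channel or SSID, and an authorized AP that has gone missing.

```python
# Constructed inventory of the APs the site actually deployed (hypothetical values).
AUTHORIZED_APS = {
    "00:11:22:33:44:01": {"ssid": "CorpWiFi", "channel": 36},
    "00:11:22:33:44:02": {"ssid": "CorpWiFi", "channel": 1},
    "00:11:22:33:44:03": {"ssid": "CorpGuest", "channel": 6},
}
CORP_SSIDS = {ap["ssid"] for ap in AUTHORIZED_APS.values()}

# Constructed scan result, as a site-survey tool might export it (not real survey data).
SCAN = [
    {"bssid": "00:11:22:33:44:01", "ssid": "CorpWiFi", "channel": 36, "rssi": -40},
    {"bssid": "00:11:22:33:44:02", "ssid": "CorpWiFi", "channel": 11, "rssi": -45},  # moved channel
    {"bssid": "66:77:88:99:AA:BB", "ssid": "CorpWiFi", "channel": 6, "rssi": -38},   # not ours
    {"bssid": "de:ad:be:ef:00:01", "ssid": "CoffeeShop", "channel": 1, "rssi": -80}, # weak, next door
    {"bssid": "de:ad:be:ef:00:02", "ssid": "", "channel": 44, "rssi": -35},          # hidden, strong
]


def audit_scan(scan, authorized=AUTHORIZED_APS, corp_ssids=CORP_SSIDS, strong_rssi=-50):
    """Classify every observed AP; returns a list of (category, bssid, detail) tuples.

    strong_rssi is the assumed RSSI above which an unknown AP is probably inside
    the building rather than a neighbour's network bleeding through the wall.
    """
    findings = []
    seen = set()
    for ap in scan:
        bssid = ap["bssid"].lower()
        seen.add(bssid)
        known = authorized.get(bssid)
        if known is not None:
            # Our own hardware: report configuration drift only.
            if known["ssid"] != ap["ssid"]:
                findings.append(("ssid_mismatch", bssid, f"{known['ssid']} -> {ap['ssid'] or '<hidden>'}"))
            elif known["channel"] != ap["channel"]:
                findings.append(("channel_drift", bssid, f"{known['channel']} -> {ap['channel']}"))
            continue
        if ap["ssid"] in corp_ssids:
            # Unknown radio using one of our network names: treat as hostile until proven otherwise.
            findings.append(("evil_twin", bssid, ap["ssid"]))
        elif ap["rssi"] >= strong_rssi:
            findings.append(("unknown_ap_on_premises", bssid, ap["ssid"] or "<hidden>"))
        else:
            findings.append(("neighbour", bssid, ap["ssid"] or "<hidden>"))
    # Authorized APs that did not show up at all may be down, unplugged or replaced.
    for bssid in sorted(set(authorized) - seen):
        findings.append(("authorized_ap_missing", bssid, authorized[bssid]["ssid"]))
    return findings


if __name__ == "__main__":
    for category, bssid, detail in audit_scan(SCAN):
        print(f"{category:24} {bssid}  {detail}")
```

Hidden SSIDs show up here as an empty name, which is exactly why hiding your own SSID adds little: the radio is still visible in the scan, and the audit has to work from BSSIDs and signal strength anyway. A real survey would be repeated from several points on the floor plan so the RSSI threshold reflects your actual signal boundary.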
What’s important to know about configuring IoT devices and infrastructure?
- Security practices + ways of thinking aren’t the same.
- Management solutions should offer automation to gain visibility.
- Follow a proactive assessment of vulnerabilities + risks.
- Be mindful of segmentation in choosing hardware.
- Test systems regularly.
- Design onboarding processes to ensure new devices meet criteria.
- Understand legal + compliance issues (HIPAA, etc.).
- Work with vendors on security enhancements + patches.
If you’re only reacting to attacks, you’re already behind.
At any given time, you should have access to a snapshot of risks and be able to gauge vulnerabilities for all IIoT devices, not just in response to a threat.
What’s happening at the edge is changing how we think almost daily. M2M traffic isn’t like anything we’ve dealt with before. Changing how we think is our greatest tool to succeed in securing complex IoT environments.
What about email? Are there ways to make it more secure?
- Email is our most valuable asset.
- >95% of people are not using encryption.
- Use SPF records, DKIM and DMARC to minimize targeted phishing attacks.
- Empower people with awareness training.
It’s ironic that our email accounts are more valuable than our bank accounts, because they are linked to those, plus health information, etc. Email accounts hold the keys to the castle of our most private and valuable information.
If you’re not going to use encrypted communication methods, at the very least configure DMARC. PGP is too complex, and until tools become friendlier for the average bear, this may be the best way to tighten things up, at least behind the scenes.
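SPF, DKIM and DMARC are all published as DNS TXT records, so "do we actually have this configured, and is it set to anything stronger than monitoring?" is a question a few lines of code can answer. The following is an added example, not code from the original post: it parses SPF and DMARC records, flags the weak settings that quietly undo the protection (a permissive `+all`/`?all`, a missing `all` term, too many DNS-lookup mechanisms, `p=none`, no aggregate reports, a partial `pct`), and checks that at least one DKIM selector is published. The records are constructed for two hypothetical domains; against a live domain you would feed it the TXT answers from your resolver instead.

```python
import re

# Mechanisms that cost a DNS lookup; RFC 7208 caps them at 10 per evaluation.
SPF_LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists", "redirect")

# Constructed TXT records for two hypothetical domains (not real DNS data).
RECORDS = {
    "example.com": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mail-provider.example ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "selector1._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
    "hardened.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "_dmarc.hardened.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example; pct=100"],
    "s1._domainkey.hardened.example": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
}


def parse_spf(txt):
    """Return [(qualifier, mechanism_name, raw_term), ...] or None if not an SPF record."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # the default qualifier when none is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # Strip ":arg", "=arg" and "/cidr" to get the bare mechanism or modifier name.
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        parsed.append((qualifier, name, term))
    return parsed


def spf_issues(txt):
    parsed = parse_spf(txt)
    if parsed is None:
        return ["spf_missing_or_invalid"]
    issues = []
    if sum(1 for _, name, _ in parsed if name in SPF_LOOKUP_MECHS) > 10:
        issues.append("spf_too_many_lookups")  # evaluates to permerror, i.e. no protection
    all_qualifiers = [q for q, name, _ in parsed if name == "all"]
    if not all_qualifiers:
        issues.append("spf_no_all_term")        # unlisted senders get a neutral result
    elif all_qualifiers[-1] in "+?":
        issues.append("spf_all_permissive")     # anyone may send as this domain
    elif all_qualifiers[-1] == "~":
        issues.append("spf_softfail_only")      # acceptable, but -all is the stronger choice
    return issues


def parse_dmarc(txt):
    """Return the DMARC tag dict, or None if the record is not a DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def dmarc_issues(txt):
    tags = parse_dmarc(txt)
    if tags is None:
        return ["dmarc_missing_or_invalid"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        issues.append("dmarc_policy_missing")
    elif policy == "none":
        issues.append("dmarc_policy_none")      # monitoring only; receivers take no action
    if "rua" not in tags:
        issues.append("dmarc_no_aggregate_reports")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        issues.append("dmarc_partial_pct")      # policy applied to only part of the mail
    return issues


def assess_domain(domain, records=RECORDS):
    """Summarise SPF, DMARC and DKIM findings for one domain from a dict of TXT records."""
    spf = [t for t in records.get(domain, []) if t.lower().startswith("v=spf1")]
    dmarc = records.get("_dmarc." + domain, [])
    dkim_published = any(
        name.endswith("._domainkey." + domain) and any("p=" in t for t in values)
        for name, values in records.items()
    )
    return {
        "spf": spf_issues(spf[0]) if spf else ["spf_missing_or_invalid"],
        "dmarc": dmarc_issues(dmarc[0]) if dmarc else ["dmarc_missing_or_invalid"],
        "dkim": [] if dkim_published else ["dkim_no_selector_found"],
    }


if __name__ == "__main__":
    for domain in ("example.com", "hardened.example"):
        print(domain, assess_domain(domain))
```

A domain that comes back clean still only tells you the records are sane, not that every legitimate mail source is covered by them; the aggregate reports that `rua` requests are what show you that, which is why the check treats a missing `rua` as a finding in its own right.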