Ensuring access to broadband and network services is crucial for our communities and constituents. These services assist underserved residents, enabling their progress in the 21st century by facilitating access to modern services and enhancing their competitiveness in the global marketplace. The reliability and significance of these networks and services cannot be overstated as they are fundamental for people to thrive.
However, there exist threats from various actors worldwide that pose significant risks to our networks. These threats range from opportunistic individuals exploiting vulnerabilities to sophisticated attackers with specific political or financial motives. Community networks, due to their smaller size, often lack the robust cybersecurity defenses available to larger or for-profit organizations. Attackers don’t discriminate based on size or resources; every network is a potential target. Therefore, we must respond to threats as effectively as any other network operator.
Cybersecurity can seem overwhelmingly complex, with attackers capable of exploiting any component under our control, including desktops, servers, network equipment, cloud providers, and even our own employees. Understanding how these components interact can be challenging.
Fortunately, there are solutions available, and they can be surprisingly simple. A security framework based on the Center for Internet Security’s “Top 20 Security Controls” can be tailored to address the unique challenges faced by our networks. By implementing this framework, our cybersecurity program can become robust and highly defensible, capable of resisting even the most complex attacks. Each aspect of the framework will be explained in terms of its relevance to our operations, along with insights into how attackers might exploit vulnerabilities. Simple yet effective solutions, including low-cost or free options, will be provided to initiate and bolster our security measures.
Collaboration is key in securing our networks and customers. Communities like ours play a critical role in sharing information, ideas, concepts, and technologies. By uniting and sharing insights, we strengthen our collective defense against the diverse range of attackers seeking to cause harm. Actively engaging with peers and sharing knowledge is vital as understanding attackers’ methods is crucial to defending against and defeating their attacks. By implementing robust cybersecurity measures, leveraging available frameworks, and fostering collaboration within our community, we can fortify our networks and protect our constituents effectively against potential threats.
UNDERSTAND HARDWARE ASSETS:
The cornerstone of building and executing a cybersecurity program is comprehensively understanding the hardware assets you aim to safeguard. No matter how much effort we put into protecting our system, it becomes futile if there are servers, laptops, switches, routers, or wireless access points that remain unknown and unsecured. These hardware components are crucial for a network provider, serving as the backbone of operations. Having a thorough grasp of all assets isn’t just essential for delivering services to customers but is equally vital for ensuring these services are provided securely and dependably.
Being able to attach to your network directly is an attacker’s best-case scenario, as it means that the attacker can monitor your activities and freely execute attacks. You will have virtually no visibility or insight into what is happening to your systems and data if unauthorized attachments exist anywhere within your network.
HOW TO AVOID THE THREAT:
For effective management, it’s crucial to categorize your hardware into three distinct classes. These classes include front-office support devices like laptops or desktop computers, servers used for infrastructure, and WAN equipment such as routers, switches, optical shelves, or multiplexers. Each class of equipment comes with its unique security requirements and capabilities. Applying a uniform security approach across all technology assets isn’t practical or effective.
To ensure proper handling, it’s important to have monitoring systems in place that confirm an active inventory for each of these asset types. For instance, tools like Microsoft SCCM can be utilized to consistently scan your office network and maintain a record of detected devices. Monitoring WAN equipment requires a network management solution to continuously verify the availability of devices within what should be a relatively stable environment.
From a security standpoint, immediate awareness is crucial when any new asset joins your internal IP ranges. It’s essential to keep downstream member IPs and assets entirely separate from the rest of your organization. Having a clear understanding of IP addresses and equipment belonging to and under the authority of the members you serve is imperative. Subscribers should always be allocated dedicated IP space and should never share subnets with their office computers, server equipment, or WAN infrastructure.
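The following Python sketch shows one way to automate both checks described above: flagging devices that appear inside internal ranges without an inventory entry, and flagging subscriber allocations that overlap office, server, or WAN space. It is an added example, not part of the original article; every range, address, and host name in it is constructed sample data.

```python
import ipaddress

# Constructed address plan: every range, address and name below is sample data.
INTERNAL_RANGES = {
    "front-office": "10.10.0.0/24",
    "servers": "10.20.0.0/24",
    "wan-management": "10.30.0.0/24",
}

# Ranges handed to downstream subscribers. The second entry is a deliberate
# planning mistake that carves subscriber space out of the server subnet.
SUBSCRIBER_RANGES = ["100.64.0.0/16", "10.20.0.128/25"]

# Approved hardware inventory, keyed by IP address (constructed).
APPROVED_INVENTORY = {
    "10.10.0.11": "laptop-frontdesk",
    "10.20.0.5": "dns01",
    "10.30.0.1": "core-rtr1",
}

# Addresses reported by the latest discovery scan (constructed).
OBSERVED = ["10.10.0.11", "10.10.0.57", "10.20.0.5", "10.30.0.1", "100.64.3.9"]


def asset_class(ip, internal_ranges):
    """Return the name of the internal class containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in internal_ranges.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None


def find_unknown_assets(observed, inventory, internal_ranges):
    """List (ip, class) for hosts inside internal ranges that are not inventoried."""
    unknown = []
    for ip in observed:
        cls = asset_class(ip, internal_ranges)
        if cls is not None and ip not in inventory:
            unknown.append((ip, cls))
    return unknown


def find_subscriber_overlaps(internal_ranges, subscriber_ranges):
    """List (class, internal_cidr, subscriber_cidr) where the two address spaces touch."""
    overlaps = []
    for name, cidr in internal_ranges.items():
        internal_net = ipaddress.ip_network(cidr)
        for sub in subscriber_ranges:
            if internal_net.overlaps(ipaddress.ip_network(sub)):
                overlaps.append((name, cidr, sub))
    return overlaps


if __name__ == "__main__":
    for ip, cls in find_unknown_assets(OBSERVED, APPROVED_INVENTORY, INTERNAL_RANGES):
        print(f"ALERT: {ip} is active in '{cls}' but is not in the hardware inventory")
    for cls, net, sub in find_subscriber_overlaps(INTERNAL_RANGES, SUBSCRIBER_RANGES):
        print(f"ALERT: subscriber range {sub} overlaps internal '{cls}' range {net}")
```

Run on a schedule against the output of whatever discovery tool is in use, the first check gives the immediate awareness of new assets and the second catches address-plan mistakes before a subscriber ends up on an internal subnet.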
UNDERSTANDING SOFTWARE ASSETS:
For a robust cybersecurity program, comprehending and securing your hardware assets is paramount. It’s futile to safeguard an environment if there are unidentified servers, laptops, switches, routers, or access points left unprotected. As a network provider, your hardware is the foundation of your operations. Having a comprehensive understanding of all assets is crucial not only for delivering services to customers but also for ensuring these services are offered securely and reliably.
Attackers aim to infiltrate your devices by running malicious software, intending to access and steal data or information. This software can also function as malware or ransomware, causing severe harm to your organization if it’s allowed to operate and execute. Additionally, attackers exploit vulnerabilities in applications or operating systems to carry out their malicious activities, bypassing security measures that would typically detect and stop such dangerous behavior.
HOW TO AVOID THE THREAT:
It’s essential to maintain an up-to-date software inventory for each area of your organization: desktops, servers, and WAN equipment. This inventory should include the names of programs along with their current versions, directly derived from the hardware inventory.
For managing the WAN environment, utilize scripting or vendor tools to routinely query routers, switches, and fiber optic gear.
In the server environment, perform daily inventory updates using management systems to ensure an accurate listing of active software, including applications and libraries.
To handle the client desktop environment, employ tools to maintain an inventory of all installed programs on employee workstations.
Once you’ve established that authorized software is running on authorized hardware, implement software restriction policies or tools like AppLocker for Windows-based computers. Restricting which software can operate at the operating system level can prevent malware from executing and spreading, regardless of any newly discovered vulnerabilities being exploited.
CONTINUOUS THREAT AND VULNERABILITY MONITORING:
Every network and computing setup is continuously changing and adapting. Despite efforts to regulate authorized software exclusively on approved hardware, attackers can exploit vulnerabilities in what is still allowed to function. These vulnerabilities are regularly identified and disclosed. As responsible organizations, it’s crucial to stay vigilant, not only being aware of these risks as they emerge but also consistently updating our clients, servers, and WAN equipment to prevent any compromises.
Exploiting weaknesses within active software remains the main and conventional method for attackers to infiltrate networks, leading to significant damage and data breaches. Annually, thousands of vulnerabilities are exposed, with numerous websites detailing not just the nature of these vulnerabilities and their functionalities but also providing simple-to-follow examples and software code. This information can be used to transform seemingly harmless software into a weapon, turning it against its original purpose and compromising the very systems it was meant to protect.
HOW TO AVOID THE THREAT:
The initial step for your organization is to subscribe to vulnerability notifications provided by your vendors, especially those supplying your network equipment. Typically, these subscriptions involve email lists, and all IT or IT security team members must receive these notifications in their mailboxes.
As an additional protective measure, your IT and IT security teams should also subscribe to vulnerability notifications from third-party entities. These organizations continuously monitor new vulnerabilities across various technology manufacturers, covering any gaps that might exist in direct vendor notifications.
Once equipped with this knowledge, conduct monthly vulnerability scans across your entire desktop, server, and infrastructure IP space. Utilize software tools to perform these automated scans, actively assessing systems for any known vulnerabilities or misconfigurations. These scans should be performed using administrator credentials to acquire the most accurate information.
Make vulnerability data accessible to senior leadership for decision-making and risk management purposes.
Ensure that staff members actively review the vulnerability scan results and recommend identified issues to senior leadership. This approach ensures that the responsibility for risk and security is effectively communicated and acknowledged by all relevant parties within the organization.
MONITORED USE OF ADMINISTRATIVE PRIVILEGES:
The use of privileged or administrator-level accounts is the standard method for executing elevated actions in an environment, such as granting access to a file share or configuring router ports on WAN equipment. These special accounts must be meticulously regulated and controlled if we aim to maintain any level of security in the configurations and deployments we implement.
As soon as attackers gain any form of access to your systems, their primary goal is to swiftly locate and acquire administrative-level credentials. Having these credentials grants them straightforward control to disable or eliminate any security measures implemented, such as backups, password security, antivirus software, and monitoring tools across your entire environment. This unrestricted access empowers attackers to manipulate or bypass security controls, potentially causing extensive damage or compromise to your systems.
HOW TO AVOID THE THREAT:
Revoke administrative rights for regular user logins, including local administrative privileges for employees on their workstations, as most tasks don’t require this level of access.
Utilize separate accounts specifically designated for administrative tasks within your Active Directory domain. These accounts should have distinct credentials solely for performing elevated actions like managing servers, and they should be different from everyday user accounts. IT support staff should execute daily tasks using non-elevated accounts, only using tools like “Run As” or “sudo” when necessary for required functions.
Implement distinct network accounts for administrative access to WAN equipment, avoiding shared logins. Unique logins ensure better control over access as employees join or leave the organization and also enable the tracking of specific work actions to individual users.
Enforce Multi-Factor Authentication (MFA) for all administrative access, whether for workstations, servers, or WAN equipment. MFA adds an extra layer of security, ensuring critical control of infrastructure even if passwords are compromised.
Set up an emergency account with a strong password and alerting systems. During network outages where central authentication might not be available, have a shared group account configured solely for emergency access. The password for this account should be stored securely in a password management system, accessible only with proper authorization. Additionally, configure monitoring systems to immediately flag and send alerts via group email whenever logins occur using this shared emergency account, preventing its casual use.
SECURE EQUIPMENT AND CONFIGURATIONS:
Despite the considerable effort invested in maintaining an accurate and sanctioned software inventory, overseeing vulnerabilities on these assets, and controlling legitimate elevated access, our subsequent hurdle is to guarantee the secure configuration and deployment of these systems when they initially join the network. Computer systems possess numerous security settings, many of which require manual activation and ongoing scrutiny to ensure their efficacy. Establishing and maintaining a highly resilient repository of configuration settings is crucial to prevent unintentional vulnerabilities that attackers might exploit to compromise the system. This proactive approach minimizes the possibility of leaving any inadvertent openings for attackers to exploit.
Attackers are actively on the lookout for default usernames, passwords, and credentials while scanning the internet or attempting to navigate through your network. Insecure protocols and unnecessary services that persistently run might not be adequately monitored, offering additional avenues for attackers to maneuver within your system. Moreover, attackers rely on the possibility that strong security configurations might not be consistently applied across your network, hoping for any overlooked areas that could serve as entry points for their infiltration.
HOW TO AVOID THE THREAT:
Establish a sanctioned procedure for constructing all client and server computing machines, outlining a checklist of essential security settings. This process should undergo biannual reviews and be entrusted to the least experienced team member for testing.
In the trusted build process, cross-reference the software used with active vulnerability lists, either through vulnerability scanning tools or notifications from vendors or third parties. This cross-check should occur when vulnerability notifications are received and independently during routine reviews of the build procedure.
Download and securely store authorized software copies for client and server devices in a centralized, secure location, verifying and storing their checksums separately or in a read-only location. Rely exclusively on software and configurations from trusted sources within your build process.
In the realm of a robust cybersecurity program, it’s crucial to acknowledge that while preventing attacks is valuable, the ability to detect them is an essential foundation. Establishing comprehensive logging and instrumentation across your entire computing environment is imperative. These measures enable your staff to track and understand the actions occurring within the system, providing critical insights into potential threats or suspicious activities.
To attackers, being detected or having their actions logged represents a significant threat. Understanding the logging and monitoring systems in place becomes a top priority for them because erasing logs enables them to operate undetected for extended periods. This invisibility allows attackers to inflict significantly more harm and losses upon your organization.
HOW TO AVOID THE THREAT:
Record and preserve all authentication events across the organization, whether occurring on desktops, servers, or WAN equipment. It’s crucial to track when user accounts access any devices and perform actions that could impact your system.
Utilize a central logging host to retain copies of all generated log data. While devices should retain local copies of log entries, transmitting logs to a separate server ensures an additional backup in case attackers compromise and delete local log entries from any single piece of equipment. The central logging host must also have enhanced security measures to protect against direct attacks.
Ensure enough disk space to retain a minimum of 120 days’ worth of log data. Attackers often remain dormant within organizations for extended periods before launching their actual attack. Being able to reconstruct events in the event of an attack is essential for understanding the breach’s scope and identifying compromised data.
Set up email alerts for the use of emergency accounts. Instantly notify all IT staff when shared accounts or other privileged access not attributed to a specific individual is utilized. Shared accounts are prime targets for attackers, so actively broadcasting whenever these accounts are accessed not only encourages employees to use their own accounts but also alerts the team if an attacker attempts to use them.
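As an added illustration (not from the original article), the Python sketch below shows the alerting logic for shared and emergency accounts running over authentication records on a central log host. The account name, recipient address, and log lines are constructed; the lines follow the OpenSSH syslog style, and failed attempts are flagged as well as successful logins, which is an assumption beyond what the text requires.

```python
import re
from email.message import EmailMessage

# Accounts that are not tied to one person (hypothetical name).
SHARED_ACCOUNTS = {"emergency"}

# Constructed sample lines in OpenSSH syslog style, as a central log host might store them.
LOG_LINES = [
    "2024-03-02T01:14:07Z core-rtr1 sshd[811]: Accepted publickey for jdoe-adm from 10.30.0.25 port 50122 ssh2",
    "2024-03-02T01:20:44Z core-rtr1 sshd[815]: Failed password for emergency from 10.10.0.57 port 40110 ssh2",
    "2024-03-02T01:21:02Z core-rtr1 sshd[815]: Accepted password for emergency from 10.10.0.57 port 40112 ssh2",
    "2024-03-02T01:30:00Z files01 sshd[90]: Failed password for invalid user emergency from 10.10.0.57 port 40150 ssh2",
    "2024-03-02T01:31:10Z files01 CRON[120]: session opened for user root",
]

# Matches both successful and failed SSH authentication records.
AUTH_RE = re.compile(
    r"^(?P<time>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<source>\S+) port \d+"
)


def find_shared_account_logins(lines, shared_accounts):
    """Return one dict per authentication event that names a shared account."""
    events = []
    for line in lines:
        match = AUTH_RE.match(line)
        if match and match.group("user") in shared_accounts:
            events.append(match.groupdict())
    return events


def build_alert(event, recipients):
    """Build (but do not send) the group e-mail for one shared-account event."""
    msg = EmailMessage()
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = (
        f"[SECURITY] Shared account '{event['user']}' login "
        f"{event['result'].lower()} on {event['host']}"
    )
    msg.set_content(
        f"Time:   {event['time']}\n"
        f"Device: {event['host']}\n"
        f"Source: {event['source']}\n"
        f"Method: {event['method']}\n"
        "If you did not initiate this login, treat it as a security incident."
    )
    return msg


if __name__ == "__main__":
    for event in find_shared_account_logins(LOG_LINES, SHARED_ACCOUNTS):
        print(build_alert(event, ["it-staff@example.org"])["Subject"])
```

Sending the message is left to the site's own mail relay; the point is that every use of the shared account, on any device, produces a notification the whole team sees.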
EMAIL AND WEB BROWSER PROTECTION:
Web browsing and email usage constitute the most frequent online activities among employees. Consequently, these serve as the primary pathways through which attackers aim to gain their initial access or launch attacks within an environment. For an extended period, over 90% of cyber attacks have originated from employees interacting with malicious phishing emails. It’s crucial to prioritize the protection of employees while using these fundamental and widely used services. By ensuring their security in these areas, we significantly diminish the chance of attackers bypassing other security measures and inflicting harm on our systems.
Even if an organization believes it’s secure due to a firewall that seemingly “blocks everything,” cyber attackers have strategies to entice victims—specifically, employees—to come to them. This involves sending emails containing malicious URLs or attachments that can easily bypass a “block everything” firewall by persuading the victim to initiate the attack. Web browsers and email clients, despite being commonly used, are susceptible to vulnerabilities and are often exploited as the most effective means to circumvent stronger security measures.
HOW TO AVOID THE THREAT:
Mandate the use of a limited number of web browsers, typically one or two, that cover all necessary job functions. Popular choices like Firefox and Chrome are widely used, but some web applications specifically require Internet Explorer or Edge. Ensure your chosen supported browsers receive regular software updates pushed out through your software management system.
Establish a policy regarding browser add-ons or extensions and actively monitor which plug-ins employees use. As part of your software inventory process, identify necessary browser add-ons for work purposes. Restrict the use of any unapproved add-ons or extensions, as these can serve as easy entry points for attackers to bypass security measures and execute code within these extensively used internet applications.
Enhance the security of your email system with products capable of URL rewriting and scanning attachments. Cloud-based email services like Office 365 or Gmail offer features that thoroughly inspect both email attachments and embedded web links. For other systems, consider employing third-party solutions such as Proofpoint to conduct these critical security checks.
Utilize a DNS security service to perform real-time assessments against potentially malicious URLs whenever an employee accesses them. This application-agnostic service prevents communication with known malicious or unidentified internet domains, regardless of the application the employee is using. Services like Cloudflare and Cisco Umbrella offer both free and paid options to manage this crucial security control.
In essence, attackers aim to infiltrate your computer systems with unauthorized programs or code, known collectively as “malware,” to extort, hack, or cause significant damage. While malware can manifest in various forms, the fundamental point is that it needs to execute and operate within your computing environment. Leveraging various features within your operating systems allows you to restrict and thwart the operation of such harmful software.
Attackers possess a diverse array of hacking tools aimed at exploiting vulnerabilities, stealing passwords, deleting data, and executing other malicious actions. These malware tools are often repackaged and altered to bypass standard antivirus defenses. However, while the malware’s appearance may change, the actions it undertakes cannot be concealed. These actions are typically what security measures use to detect and halt the execution of the malware when it runs.
HOW TO AVOID THE THREAT:
Employ operating system (OS)-level protections designed to counter malware execution. Modern OSs offer features like address space layout randomization (ASLR) and data execution prevention (DEP) that serve as valuable safeguards against common vulnerabilities. Activating these features typically carries no negative consequences and acts as a crucial defense if unknown malware attempts to run on your computer systems.
Utilize antivirus or antimalware software on all desktop systems. At the least, activate the inbuilt Windows Defender module in Microsoft Windows and configure it for real-time analysis and periodic file scans. If you prefer a different product, enable that instead.
Implement advanced Endpoint Detection and Response (EDR) products on server systems. For critical server assets, enable an EDR product. These tools offer advanced monitoring and features, enabling quick tracking of security events in case of attempted hacks or breaches.
Regardless of the endpoint protection solutions used, regularly monitor their administration consoles for the detection of any malicious software within your organization. Often, attackers attempt to run malware that’s effectively blocked. Actively monitoring antivirus consoles allows you to observe these attacks and respond promptly before attackers modify their malware to bypass your antivirus systems.
CONTROL NETWORK PORTS, PROTOCOLS AND SERVICES:
To establish a secure and well-defended organization, it’s crucial to minimize the avenues through which attackers can access our systems via the network. A key strategy involves restricting the range of active services, particularly those that are set to listen by default on our server and WAN (Wide Area Network) equipment. By limiting these services, we can effectively prevent attackers from initiating, shifting, or intensifying their attacks. This proactive approach helps thwart unauthorized access and enhances network security.
Attackers conduct reconnaissance, either through direct or indirect means, to gain insights into an organization’s services and applications. This reconnaissance helps them understand the business operations and pinpoint potential vulnerabilities or weaknesses in the services. By doing so, attackers aim to identify immediate opportunities to exploit these services for their benefit.
HOW TO AVOID THE THREAT:
Utilize Access Control Lists (ACLs) on WAN equipment to exclusively allow administrative access from trusted segments within your organization. Any inbound SSH or HTTPS connections from external sources beyond your network engineers’ IP ranges should be rejected. Additionally, implement filtering across all interfaces to minimize the risks associated with IP address spoofing.
Disable BGP (Border Gateway Protocol) on untrusted interfaces and enforce authentication for any BGP or routing protocol peerings. These peerings should mandate secure and authenticated channels. When possible, configure both MD5 authentication and TTL Hop Security for BGP peers to ensure continuous validation of route exchanges with trusted partners.
Eliminate or restrict the use of insecure protocols like telnet and limit remote administration protocols such as SSH, WMI, or Remote Desktop to originate solely from trusted internal networks.
Regularly check protocols for outdated or unsupported versions of SMB, SSL, and TLS, and deactivate or remove them to enhance security measures.
In the realm of providing essential services, there’s nothing more crucial than ensuring our continuous capability to restore services during a substantial outage. Effective responsiveness following a security incident is vital as it guarantees our ability to sustain operations and continue delivering services to our customers. Being prepared to react and restore services post-incident is paramount for business continuity and maintaining customer satisfaction.
Attackers aim to disrupt your systems, intentionally or unintentionally, during their attacks. For advanced attackers, deploying ransomware involves not just encrypting data but also finding and eliminating critical data backups. Their objective is to coerce the victim into paying for decrypting their data instead of easily restoring it from backups. Even if proper backups are in place, attackers might attempt to sabotage the backup infrastructure itself to obstruct successful data restoration, ensuring control remains solely in their hands.
HOW TO AVOID THE THREAT:
Maintain daily configuration backups for all WAN devices in your network. Leverage the scriptable nature or remote command capabilities of these devices to create daily snapshots of trusted configurations. Some equipment allows the proactive sending of configuration snapshots to a backup server upon committing changes. Ensure these backups are stored in at least two locations, with one offline to mitigate the risk of ransomware attacks.
Regularly back up critical server infrastructure, including DNS servers, RADIUS/TACACS+, NetFlow, or network monitoring systems. These backups can be system-level or focus on configuration and application files for these essential services. Test restoration procedures for these services annually to ensure timely recovery.
Establish a centralized location, such as a shared network drive or a cloud service like Dropbox, for employees to store crucial data like contracts, design documents, invoices, and strategic plans. Independently back up this data to an offline location daily to ensure business continuity in case of system failure or ransomware attacks.
Ensure management understands and approves the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) aligned with your backup strategies and resources. RTO indicates the maximum allowable downtime for a service, addressed by enhancing redundancy in equipment, processes, and services. RPO determines acceptable data loss in case of system failure, typically mitigated by more frequent and comprehensive backups stored in diverse locations. Organizational leadership must be clear on these timelines to guide backup strategies and decision-making.
SECURE NETWORK DEVICES:
Your network infrastructure serves as the fundamental pathway for delivering services to your customers. However, compared to managed workstations and servers, network equipment often lacks robust security features. This vulnerability is compounded by the fact that an attacker gaining access to your network backbone could potentially obtain unrestricted access to your customers’ raw traffic. Such access provides attackers with a strong foothold in your organization, making it challenging, if not impossible, to completely rectify in the event of a security breach. Therefore, effectively managing and controlling access to these critical network assets is an immensely significant undertaking for security purposes.
For attackers, networks serve as crucial entry points that grant access to their primary objectives. When they successfully compromise a switch or router, it allows them to redirect traffic, pilfer credentials, extract data, and establish a stealthy presence for an extended duration. These network components often lack the same level of protection against malware or malicious code as other areas within an organization, making them ideal for remaining undetected and launching subsequent attacks. Exploiting these vulnerabilities enables attackers to operate covertly, either targeting your organization again or launching attacks against other entities.
HOW TO AVOID THE THREAT:
Initially, ensure the elimination of default passwords across WAN devices and network infrastructure. This involves changing both privileged and unprivileged user accounts, along with any SNMP communities utilized for remote monitoring. As network devices are deployed, assume attackers might attempt common password attacks at any time.
Next, remove unnecessary services, daemons, and routing protocols running on WAN equipment, limiting them to the essential components required for continuous operation. Be vigilant in reducing any protocols or services across different layers of the networking stack that broadcast superfluous information about your network, such as Cisco Discovery Protocol (CDP) or Link Layer Discovery Protocol (LLDP). For occasional services like FTP or TFTP, keep them disabled administratively until explicitly needed.
Implement a stringent Access Control List (ACL) for inbound traffic directed at WAN devices. These network devices should enforce an ACL or similar methods to strictly control management traffic reaching the device, allowing access only from segments trusted by your network engineering and operations staff.
If feasible, confine access to an independent Virtual Routing and Forwarding (VRF) network to augment isolation and prevent unwanted traffic from attempting to reach your network core. This setup adds an extra layer of defense by segregating customer revenue traffic from internal management traffic, enabling the utilization of advanced firewall protections against traffic targeting your network infrastructure.
Establishing robust security boundaries is critical for safeguarding both your organization and the entities you serve, such as members and subscribers. These boundaries play a pivotal role in creating distinct security perimeters and implementing suitable security measures. They aid in identifying and isolating assets, allowing for a focused approach to deploying security controls. By concentrating efforts on these strategic points, which may serve as chokepoints, organizations can potentially optimize the cost-effectiveness and efficiency of their security measures in deterring and repelling attackers.
Attackers continuously strive to escalate their access levels within an organization by exploiting common entry points or boundaries. One of the crucial gateways is the primary internet firewall of an organization. This firewall is usually where critical technical controls such as deep-packet inspection, antivirus, and malware detection are enforced. If these firewalls are configured incorrectly or allow traffic in an undesired manner, attackers might circumvent these vital security systems. This could lead to attackers gaining unauthorized access and establishing a foothold within the trusted internal areas of the organization.
HOW TO AVOID THE THREAT:
Deploy network-based firewalls to protect both your client desktop environment and server processing environment separately. These distinct areas within your network operate with varying levels of trust, and establishing and maintaining these trust boundaries is vital in thwarting attacker movements and gaining insights into inter-device communications within your organization.
Establish standardized and authorized methods for external parties like vendors or support personnel to access your infrastructure. While granting access to external entities is sometimes necessary, standardizing and minimizing such access is crucial to prevent inadvertent unauthorized access.
For periodic external access requirements, implement proactive measures such as hosting screen-sharing sessions monitored by internal staff. This approach ensures control over the access timeframe and method to internal assets, allowing termination of access when necessary.
Avoid persistent “allow all” firewall rules and instead craft specific rules delineating source and destination addresses, ports, and protocols. If feasible, consider time-based restrictions on inbound access through your boundary firewall.
Mandate the use of a VPN with multifactor authentication (MFA) for any authorized inward access to your network components. MFA adds an extra layer of security by verifying the legitimacy of access attempts, reducing the risk of attackers using stolen credentials. Additionally, segregate network engineering staff accounts and grant them access only to the necessary functions for monitoring and configuring your network infrastructure and backbone.
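The advice above to replace "allow all" rules with specific, time-limited ones can be checked mechanically. The following is an added example, not part of the original guidance: it audits a rule export and reports overly broad allow rules. The CSV column names, the schedule labels and the sample rules are assumptions constructed for illustration; adapt the parsing to your own firewall's export format.

```python
import csv
import io
import ipaddress

# Constructed sample: a vendor-neutral CSV export of boundary firewall rules.
# Column names and rule values are assumptions made for this example.
SAMPLE_RULES = """\
id,action,src,dst,proto,dport,schedule
1,allow,any,any,any,any,always
2,allow,203.0.113.10/32,10.20.0.5/32,tcp,443,always
3,allow,0.0.0.0/0,10.20.0.8/32,tcp,3389,always
4,allow,198.51.100.0/24,10.20.0.0/16,tcp,22,weekdays-0800-1800
5,deny,any,any,any,any,always
"""

ANY = {"any", "*", ""}

def is_any_address(value):
    """True when an address field matches every host."""
    value = value.strip().lower()
    if value in ANY:
        return True
    try:
        return ipaddress.ip_network(value, strict=False).prefixlen == 0
    except ValueError:
        return False  # named address objects are not judged here

def audit_rule(rule):
    """Return a list of findings for one rule (empty list = acceptable)."""
    if rule["action"].strip().lower() != "allow":
        return []
    findings = []
    src_any = is_any_address(rule["src"])
    dst_any = is_any_address(rule["dst"])
    port_any = rule["dport"].strip().lower() in ANY
    proto_any = rule["proto"].strip().lower() in ANY
    if src_any and dst_any and port_any and proto_any:
        findings.append("allow-all rule")
    else:
        if src_any:
            findings.append("source is unrestricted")
        if dst_any:
            findings.append("destination is unrestricted")
        if port_any or proto_any:
            findings.append("port or protocol is unrestricted")
    if rule["schedule"].strip().lower() in {"always", ""} and src_any:
        findings.append("no time restriction on internet-wide inbound access")
    return findings

def audit(csv_text):
    """Map rule id -> findings for every rule that needs attention."""
    report = {}
    for rule in csv.DictReader(io.StringIO(csv_text)):
        findings = audit_rule(rule)
        if findings:
            report[rule["id"]] = findings
    return report

if __name__ == "__main__":
    for rule_id, findings in audit(SAMPLE_RULES).items():
        print(f"rule {rule_id}: " + "; ".join(findings))
```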
Safeguarding your institutional and organizational data constitutes a critical aspect of your information security strategy. It’s essential to prioritize the security of information belonging to customers, suppliers, and key partners, employing measures to thwart unauthorized access, disclosure, or tampering with this sensitive data. Implementing various strategies not only aims to prevent the unauthorized exfiltration of data but also involves engineering detection mechanisms. These mechanisms are designed to detect and potentially prevent data leaks if an attacker manages to breach our network security defenses.
Attackers aim to locate and pilfer valuable and significant information that holds importance or value for potential exploitation. This could encompass various critical assets such as financial records, contractual details, network blueprints, and strategic plans, all considered highly valuable or sensitive data. The process of locating and obtaining this specific information can be intricate and conspicuous, providing defenders with ample opportunity to detect such activity.
HOW TO AVOID THE THREAT:
Implement BitLocker encryption on all desktop devices within the organization. The loss or theft of laptops or desktops can pose a substantial risk, especially if these devices contain personally identifiable information (PII). Ensuring that the storage on all organizational devices is fully encrypted while at rest helps mitigate significant liabilities.
Monitor NetFlow data for any unusual outbound data flows originating from the corporate environment. While you might not have direct control over the data transmission to and from your downstream subscribers, it’s essential to stay vigilant about activities originating from internal servers or desktops. Unusual or large data flows, especially occurring at unexpected times, could signify either a significant data exfiltration or abnormal reconnaissance scans using substantial network resources. Free software such as the open-source flow-tools package can serve as a centralized repository for NetFlow data collected from routers within the network.
Deploy a honeypot internally to detect potential threats. Establishing a network-based honeypot within a trusted internal network can act as a proactive measure against potential attackers. Configure the honeypot to alert or send notifications to the IT team whenever unauthorized attempts are made to access it. Various free honeypot solutions such as Cowrie, which simulates an SSH server, or Dionaea, which replicates multiple network services, can be downloaded and installed for this purpose.
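The NetFlow monitoring described above comes down to aggregating outbound traffic per internal host and comparing it against a baseline. The following is an added example, not part of the original guidance: it flags large, off-hours, or widely fanned-out outbound flows. The internal address range, business hours, thresholds, CSV layout and flow records are all assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumptions for this example: internal address space, business hours and
# thresholds. Tune them to the baseline of your own corporate environment.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
BUSINESS_HOURS = range(7, 19)          # 07:00-18:59 local time
MAX_OUTBOUND_BYTES = 500 * 1024**2     # per host per day
MAX_OFF_HOURS_BYTES = 50 * 1024**2     # per host per day, outside hours
MAX_DISTINCT_DESTS = 100               # fan-out suggesting a scan

# Constructed sample flow records (CSV form of a collector export).
SAMPLE_FLOWS = """\
start,src,dst,dport,bytes
2024-03-04T10:15:00,10.1.1.20,192.0.2.10,443,1200000
2024-03-04T14:02:00,10.1.1.20,10.1.2.5,445,900000000
2024-03-05T02:31:00,10.1.5.7,198.51.100.77,443,73400320
2024-03-05T02:47:00,10.1.5.7,198.51.100.77,443,62914560
2024-03-05T11:00:00,10.1.9.9,203.0.113.4,443,734003200
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)

def find_anomalies(csv_text):
    """Return sorted (day, host, reason) tuples for suspicious outbound use."""
    total = defaultdict(int)
    off_hours = defaultdict(int)
    dests = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Only flows leaving the corporate network are of interest here.
        if not is_internal(row["src"]) or is_internal(row["dst"]):
            continue
        when = datetime.fromisoformat(row["start"])
        key = (when.date().isoformat(), row["src"])
        size = int(row["bytes"])
        total[key] += size
        dests[key].add(row["dst"])
        # Nights and weekends both count as unexpected times.
        if when.hour not in BUSINESS_HOURS or when.weekday() >= 5:
            off_hours[key] += size
    alerts = []
    for key in total:
        if total[key] > MAX_OUTBOUND_BYTES:
            alerts.append((*key, "large outbound volume"))
        if off_hours[key] > MAX_OFF_HOURS_BYTES:
            alerts.append((*key, "off-hours outbound volume"))
        if len(dests[key]) > MAX_DISTINCT_DESTS:
            alerts.append((*key, "many distinct destinations"))
    return sorted(alerts)

if __name__ == "__main__":
    for day, host, reason in find_anomalies(SAMPLE_FLOWS):
        print(f"{day} {host}: {reason}")
```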
In the realm of cybersecurity, an important principle is recognizing that individuals have varying requirements regarding access to different data classifications or types. It’s crucial to customize and limit their access levels strictly to what’s necessary for their roles. This approach ensures that every person has the minimum essential access required to perform their specific responsibilities.
By limiting access rights precisely to those necessary for specific tasks, you effectively reduce the number of potential targets for attackers. This strategy prevents adversaries from easily obtaining what they seek by narrowing down the pool of individuals or systems they can exploit.
After gaining initial access to an organization, attackers often strategize to identify specific users or systems with access to the desired data or resources. For instance, they might target the CFO to obtain sensitive bank account information or the CTO to gain privileged access to the network backbone. However, realizing that these high-level individuals are usually safeguarded by multiple security layers, cunning attackers may opt to compromise other individuals within the organization. Their aim is to exploit these secondary targets, hoping that they might unwittingly possess access to the protected resources or systems the attackers seek.
HOW TO AVOID THE THREAT:
Make sure to establish appropriate Active Directory groups for the segregation of data within network drives or shared folders. These groups should align with different business functions, each provided with dedicated data shares, and strictly enforced permissions to maintain data confidentiality. Regularly review group memberships every three months to prevent any unauthorized access resulting from role changes or accumulated access over time. It’s common for employees to retain unnecessary access even after changing roles, which poses a risk since long-term employees might have access to more data than required, leaving an opening for potential attackers.
Conduct audits of all applications, including cloud or third-party ones, at least annually to verify that group access is correctly assigned. This applies to various computer systems such as ERP, GIS, databases, network management tools, telephony systems, and other infrastructure supporting the organization. Assign a data owner or responsible party for every shared folder or application housing organizational data. Folders without designated owners pose considerable risks as employees tend to assume that the responsibility lies with someone else. By assigning clear ownership to teams or individuals for each file folder, share, or application, accountability is established, ensuring proper data management and reducing ambiguity regarding data handling and access.
The widespread use of Wi-Fi networks has become increasingly common, allowing devices like laptops, tablets, and personal gadgets to access an organization’s internal resources or enjoy faster data connections than cellular networks. However, leveraging organizational Wi-Fi comes with the challenge of controlling and ensuring that only authorized devices connect to the network. Wi-Fi signals can easily extend beyond intended areas, penetrating walls and reaching public spaces. Managing this access is crucial to upholding network security and preventing unauthorized access.
Cyber attackers have recognized the significance of wireless networks as a potential gateway into organizations, offering a way to circumvent conventional security measures like firewalls and intrusion detection systems. In various notable incidents, attackers breached networks and pilfered sensitive data while stationed in nearby parking lots, highlighting the vulnerability of such networks. Network providers are not immune to these threats, and unsecured Wi-Fi networks pose a substantial risk by potentially granting attackers access to member data and enabling them to navigate through the entire infrastructure backbone.
HOW TO AVOID THE THREAT:
Utilize WPA2-Enterprise as the standard for Wi-Fi access across your network. Employ the most robust protocol available in your wireless access points to ensure heightened security. It’s advisable to steer clear of unencrypted “open” networks, outdated WEP or WPA encryption, and WPA2-PSK, which relies on a shared common password vulnerable to widespread access.
Set up a separate “guest” Wi-Fi network for non-managed devices. Both guests and employees often require Wi-Fi access for personal devices. Establishing a dedicated guest SSID allows network access while ensuring separation from your backbone by directing guest clients to a separate VLAN or an independent third-party provider unaffected by your primary routing operations.
Regularly scan your premises for unauthorized access points. Employees might inadvertently install unauthorized Wi-Fi access points to address inadequate network access for personal devices. Periodically conduct an office sweep, employing tools to detect any available wireless networks within your office or neighboring public spaces to prevent unauthorized access points from compromising your trusted infrastructure.
The computer and system accounts attributed to your employees wield considerable control over your organization’s vital systems. Managing the utilization and oversight of these credentials is imperative to guarantee their exclusive use within sanctioned and authorized contexts. Particularly crucial are the groups or accounts that possess access privileges to your network’s core infrastructure or hold significant authority as “domain administrators” within a Windows Active Directory. These accounts, along with any others carrying sensitive permissions, necessitate vigilant monitoring and stringent protection measures to avert potential catastrophic harm to your organization.
As attackers strive to increase their level of access and command over various sectors of your organization and infrastructure, a key tactic involves identifying and exploiting usernames and passwords that hold substantial access rights to your computers, servers, and network core. These critical credentials or associated security tokens can sometimes be extracted or “scraped” from memory on employee computers, especially when frequently used. Reducing the frequency of their use significantly diminishes the likelihood of a successful attack.
HOW TO AVOID THE THREAT:
Establish a consistent procedure for adding and removing user accounts within your organization. This protocol should ensure that access is promptly granted or revoked as employees join, leave, or change roles within the company. It’s crucial to maintain adherence to the principle of “least privilege,” limiting access rights to only what is necessary for each individual’s role. Collaboration between HR and IT departments is essential to create and implement a well-documented process that can be easily followed.
Utilize separate accounts specifically designated for administrative tasks. Even though many employees may have elevated access privileges within your network or Active Directory, these privileged accounts should not be utilized for regular daily activities like browsing the web or checking emails. Given the susceptibility of these activities to phishing attacks, the accounts used for them should be configured with minimal rights to thwart potential attacks.
When employees require access to critical infrastructure, encourage the use of tools like “sudo” or “Run As” to temporarily elevate their access rights only for the duration necessary to perform their tasks.
Implement email alerts for the use of shared administrative accounts. Configure logging and auditing systems to send alerts via email to your IT or network engineering team whenever shared accounts with administrative privileges are accessed. This ensures that any use of these shared accounts is duly monitored and verified, distinguishing legitimate access by authorized personnel from unauthorized attempts.
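The email alerting on shared administrative accounts described above can be driven directly from authentication logs. The following is an added example, not part of the original guidance: it picks logins that name a shared account out of OpenSSH-style syslog lines and builds one alert message per event. The account names, addresses, host names and log lines are assumptions constructed for illustration.

```python
import re
from email.message import EmailMessage

# Assumptions for this example: the shared account names, the alert
# addresses, and OpenSSH-style syslog lines as the log source.
SHARED_ADMIN_ACCOUNTS = {"root", "netadmin"}
ALERT_FROM = "alerts@example.org"
ALERT_TO = "it-team@example.org"

# Constructed sample log lines.
SAMPLE_LOG = """\
Mar  5 02:14:07 core-rtr1 sshd[4121]: Accepted password for netadmin from 10.1.5.7 port 50514 ssh2
Mar  5 08:30:12 core-rtr1 sshd[4188]: Accepted publickey for jsmith from 10.1.1.20 port 41822 ssh2
Mar  5 08:41:55 billing01 sshd[977]: Failed password for root from 10.1.9.9 port 39001 ssh2
Mar  5 09:02:40 billing01 sshd[1012]: Accepted publickey for root from 10.1.1.20 port 41990 ssh2
"""

LOGIN_RE = re.compile(
    r"^(?P<when>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def shared_account_events(log_text):
    """Yield one dict per login attempt that names a shared admin account."""
    for line in log_text.splitlines():
        match = LOGIN_RE.match(line)
        if match and match["user"] in SHARED_ADMIN_ACCOUNTS:
            yield match.groupdict()

def build_alert(event):
    """Turn one event into an e-mail the team can check against planned work."""
    msg = EmailMessage()
    msg["From"] = ALERT_FROM
    msg["To"] = ALERT_TO
    msg["Subject"] = (
        f"[shared-admin] {event['result']} login as {event['user']} "
        f"on {event['host']}"
    )
    msg.set_content(
        f"Time:   {event['when']}\n"
        f"Host:   {event['host']}\n"
        f"User:   {event['user']}\n"
        f"Source: {event['src']}\n"
        f"Method: {event['method']}\n\n"
        "Confirm with the person on duty that this access was theirs."
    )
    return msg

def alerts_for(log_text):
    """Build the alert messages for every shared-account event in the log."""
    return [build_alert(event) for event in shared_account_events(log_text)]

if __name__ == "__main__":
    # Delivery is left to smtplib.SMTP(...).send_message(msg) on your relay.
    for alert in alerts_for(SAMPLE_LOG):
        print(alert["Subject"])
```

Failed attempts against shared accounts are reported as well, since repeated failures are as relevant to the reviewing team as successful logins.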
SECURITY AWARENESS AND TRAINING:
Although technical security measures are robustly set up across your network, servers, and workstations, they can all be rendered ineffective by a single human error made by your employees. These errors often stem from phishing attempts via email, malicious websites, or text messages, exploiting the emotions and natural tendencies of your staff. Surprisingly, more than 90% of successful hacking incidents, even the high-profile ones highlighted in media reports, originate from these social engineering tactics. Therefore, providing comprehensive training to employees to recognize and report such attacks is essential for maintaining a strong and effective cybersecurity program.
The most susceptible element within any organization is often its own employees. In certain scenarios, when external firewalls and intrusion detection systems are effectively shielding against direct internet-based attacks, electronic assaults targeting employees become the primary option for attackers. These attacks can manifest in the form of thousands of highly convincing yet deceitful phishing emails sent per minute. Even if a fraction, perhaps less than 1%, of these attempts are successful, it can be advantageous for the attackers and hazardous for the targeted organization.
HOW TO AVOID THE THREAT:
Regularly train your employees in cybersecurity practices to instill awareness and proper protocols. Educate them through monthly sessions, newsletters, team meetings, or email updates to cover cybersecurity topics and encourage identification and reporting of potential cyber threats.
Conduct simulated email phishing exercises to reinforce training. Regularly exposing employees to realistic attack scenarios through tools ensures continual learning and helps identify vulnerable areas for improvement. Keeping these exercises positive maintains morale and engagement.
Provide feedback on educational outcomes. Communicate successes and failures in training to both employees and management. Acknowledge employees’ efforts in identifying threats or mentoring others in secure practices. This ongoing feedback loop sustains engagement and commitment to maintaining a secure network over the long term.
Network providers create specialized software and programs for our operational needs, such as collecting billing data or monitoring network devices in the NOC. It’s crucial to ensure that the custom code developed is free from vulnerabilities or hidden entry points that could inadvertently harm our systems or compromise our security.
Your applications act as gateways to your data and infrastructure. Inexperienced development teams can inadvertently create vulnerabilities that attackers exploit. These vulnerabilities, such as data disclosure through error pages, directory traversal, file inclusion, and failure to sanitize input or prevent SQL injection, can allow attackers to access unauthorized data, reveal your data structure, or execute their code on your systems.
HOW TO AVOID THE THREAT:
Mistakes in software coding often occur due to developers’ lack of understanding regarding potential misuse or vulnerabilities in software or web applications. Train and equip your development team with resources to code securely, emphasizing a security-oriented mindset. Additionally, establish a code review process where another developer evaluates the code to ensure compliance with your coding security standards.
Utilize a password manager to store and manage credentials used by your applications. This tool enables the controlled retrieval of credentials, tokens, or passwords through an interactive API, facilitating regular password cycling for service accounts without disrupting essential applications.
Avoid storing passwords or credentials within code repositories such as GitHub or Bitbucket. Dynamic passwords should solely exist in local files and never be committed to version-controlled repositories, as this could lead to permanent exposure of sensitive information.
Before deploying applications into production, conduct thorough vulnerability scans as part of your quality assurance process. These scans help identify and rectify potential vulnerabilities, ensuring that critical errors are mitigated before applications go live.
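The rule above against committing credentials to a repository is easiest to enforce with an automated check that runs before code is committed. The following is an added example, not part of the original guidance: it scans file content for literal credentials and skips template variables and obvious dummy values. The key-name pattern, the placeholder list and the sample file (including its credential values) are assumptions constructed for illustration.

```python
import re

# Key names treated as credentials and values treated as harmless are
# assumptions for this example; extend both for your own code base.
SECRET_KEY = re.compile(
    r"""(?ix)
    \b(?P<key>[\w.-]*(?:password|passwd|secret|token|api[_-]?key)[\w.-]*)
    \s*[:=]\s*
    (?P<quote>["'])(?P<value>[^"']{4,})(?P=quote)
    """
)
PLACEHOLDER = re.compile(
    r"(?i)^(changeme|example|placeholder|x+|\*+|<.*>|\$\{.*\})$"
)

# Constructed sample of a file about to be committed.
SAMPLE_FILE = '''\
DB_HOST = "billing-db.internal"
DB_PASSWORD = "Sup3r-S3cret!"
api_key: "${BILLING_API_KEY}"
SNMP_TOKEN = os.environ["SNMP_TOKEN"]
smtp_password = 'changeme'
netbox_api_token = "constructed-sample-token-value"
'''

def find_hardcoded_secrets(text):
    """Return (line_number, key, redacted_value) for each literal credential."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in SECRET_KEY.finditer(line):
            value = match["value"]
            if PLACEHOLDER.match(value):
                continue  # template variable or obvious dummy value
            # Never echo the full secret into logs or CI output.
            redacted = value[:2] + "*" * (len(value) - 2)
            findings.append((number, match["key"], redacted))
    return findings

if __name__ == "__main__":
    results = find_hardcoded_secrets(SAMPLE_FILE)
    for number, key, redacted in results:
        print(f"line {number}: {key} = {redacted}")
    # A non-zero exit status lets a pre-commit hook block the commit.
    raise SystemExit(1 if results else 0)
```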
Even with robust network security measures in place, a potential hack or breach will inevitably be identified at some point, and handling it requires a well-defined incident response plan. Apart from having reliable channels to report suspected security incidents, the critical aspect is establishing structured policies for swift and efficient incident triaging. Attackers often operate covertly within organizations for approximately 180 days before detection, underscoring the importance of a proactive detection and response strategy. A strong plan not only facilitates quick identification and containment of threats but also mitigates the potential risks and losses associated with an attack.
Attackers are aware that their actions will eventually be detected within an organization. In the absence of a robust incident response capability, attackers can prolong their presence within a network, gaining invaluable time to access sensitive data, compromise more systems, and accomplish their objectives without prompt intervention or containment.
HOW TO AVOID THE THREAT:
Develop an incident response plan that delineates the roles and responsibilities of individuals involved. This plan need not be overly complex but should outline the general steps to be taken in response to cybersecurity incidents of varying magnitudes. Designate personnel responsible for receiving and evaluating security incidents, and establish different levels of severity for incidents, ensuring that resources and priorities are tailored to the incident’s scale, whether it’s minor, like a phishing attempt, or a major breach involving substantial data loss.
Make the incident response plan easily accessible to all relevant employees within your organization who might have a role in managing an incident or disaster. Ensure that the plan exists in both digital and hard-copy formats, readily available to primary and secondary support staff listed within the plan. Given the unpredictable nature of security incidents, having the plan accessible via multiple platforms, including cloud-based storage, ensures swift responsiveness regardless of the incident’s nature.
Update the plan annually or when significant infrastructure changes occur. Your technical and leadership teams should dedicate time annually to review and update the plan to reflect any alterations in technology, staffing, or policies. An outdated plan that refers to obsolete technology or nonexistent personnel can hinder an effective response to a cybersecurity incident, potentially exacerbating losses.
Conduct tabletop exercises annually to test the plan against realistic scenarios. Once the incident response plan is updated with the latest procedures and information, leadership should simulate potential attacks or incidents to verify that the plan adequately addresses various situations. These exercises might involve scenarios like ransomware attacks on financial systems or infrastructure damage due to unforeseen events, allowing teams to refine responses and procedures accordingly.