The Weakest Link
Many of the organizations who have been attacked utilize comprehensive security technologies. Yet attackers have found a way to penetrate these defenses. This tells us that existing defenses aren’t working and security is being compromised by its weakest link—users in the enterprise.
1.
The Human Factor - Via a variety of bad behaviors like weak passwords, negligence of management applications (RDP, Telnet, SSH), and social media oversharing, employees can compromise data center security without meaning to do so. There is no doubt this human factor in security is a challenge and needs to start with comprehensive and clearly understood security and privacy policies. While end-user education and awareness is important, it is insufficient given the uphill nature of that battle. The solution is to balance this with network security best practices: Do not trust, always verify – All users should always be authenticated, and provided least privilege access. In the data center, adopt a positive enforcement model. Positive enforcement means that you selectively allow what is required for day-to-day business operations as opposed to a negative enforcement approach where you would selectively block everything that is not allowed. This means safely enabling user access to specific applications or sub-application functions while inspecting all content for threats. Management applications like RDP, Telnet and SSH should be limited only to IT administrators.
2.
Network segmentation –
Network segmentation even in flat layer two networks like Ethernet Fabric architectures is critical. Properly segmenting the user to a segment of the data center helps in various ways. It helps to limit the scope of compliance, limit access to vulnerable servers in the network and limit exfiltration of data if you are compromised. Of course, to do this effectively, you need to have visibility of users, applications and content in every segment.
3.
Tackle unknown threats – While addressing known threats is well-understood, addressing targeted, unknown threats is a tougher challenge because they are unlikely to hit
honeypots in the wild that can provide comprehensive analysis of the malware and its behavior. Most targeted attacks originate from executable files downloaded onto an end-user device. Therefore, inspecting unknown files in the network in a virtual sandbox is a key strategy adopted by security vendors to weed out targeted, unknown malware. What is critical to complement this inspection is the ability to deliver malware signatures and inline enforcement for any malware that is found.
4.
Inspect unknown traffic – In a data center, the amount of unknown traffic should be a very small percentage of all traffic. The ability to categorize and inspect unknowns to determine whether they are threats is a critical part of the data center security strategy.
5.
Monitoring and logs - Finally, the monitoring of access by users to key applications in the data center is important to provide valuable information of user activity. It also helps detect critical policy violations and security holes.
Some of these best practices are in fact advocated by Forrester Research’s John Kindervag in his Zero Trust Network architecture, and being adopted by many enterprises worldwide. In summary, while end-users and employees in an organization may form the weakest link when it comes to unknowingly opening up businesses to damaging attacks, the strategy to address this may be to look beyond the users, and complement user awareness and training with network security best practices.
Read more...
