Every day, as a part of my work at AlienVault, I talk to prospective clients many of whom are trying to put together a security plan for their business. Most of the people I talk to are IT professionals who, like everyone else are learning as they go. During my time in IT and more importantly in the security industry I have seen almost every type of network you could imagine most of them made sense and could be explained why they were built the way they were. Some, not so much. During the last 10 years especially, I have started compiling network drawings and information on the many ways that networks are designed and deployed. The following list of bullet points is what I would recommend to an IT Manager or business leader if they consulted me on how to put together the information technology for their business. Please remember this is a fairly generic list and there are tons of deviations to take into consideration when building a network and then protecting it.
Policies and Procedures
Policies and Procedures are the cornerstones of your IT Governance. This is the What is going to happen and how is going to happen of your security posture and from a larger picture your entire IT infrastructure. Creating a solid policy and procedure document will provide your organization with an IT and Security blueprint for your initial build, maintenance, management and remediation of issues. A solid policy and procedure manual will also prepare the environment to work within any framework and meet any compliance.
Gateway Security is essential to keep the bad guys out. There are a number of popular firewalls on the market that will provide excellent security at the gateway. The needs of the environment will dictate which firewall will work best. For example, a high throughput environment with a large internal IP count might require a Next Generation Firewall that runs only a few services on board and reserves the majority of resources for ingress-egress traffic. On the other hand, an environment that requires a very high level of security but has limited WAN bandwidth may be better suited for a UTM (Unified Threat Management) firewall which runs a number of services onboard and traditionally utilizes significant resources for services like Deep Packet Inspection, Data Loss Prevention, Gateway Anti-Virus, Website Filtering, Email Filtering and other high-end security services.
End Point Security
As the old saying goes… AntiVirus is DEAD!!! Not really. Actually, antivirus is evolving and morphing like your favorite Advanced Persistent Threat Malware. A few years back the Infosec industry started to break new ground on digging deeper into threats and breaches using Threat Intelligence in real-time to actively pursue malware based on heuristic data and as the technology progressed to utilize behavioral analysis based on up-to-date Threat Intelligence. These progressions in the industry gave rise to Endpoint Detection and Response (EDR) which is quickly morphing into a formidable companion to traditional AntiVirus and AntiMalware protection. The very minimum that should be deployed into an environment is a good reputable AntiVirus with AntiMalware capabilities, however, to get a definite head start on any compromises within the environment EDR is highly recommended.
Identity and Access Management/Multi-Factor Authentication
IAM and MFA are two entirely different technologies and for good cause. As so many tech manufacturers are trying to get rid of the password, setting up good IAM services which work as initial authentication and then a reputable Multi-Factor Authentication service that is authenticated separately from the IAM service is essential. IAM services range from Active Directory and LDAP (Lightweight Directory Access Protocol) Cloud LDAP and Authentication services like those provided with AWS IAM services, Microsoft Azure Active Directory services, and Google Directory services. There are tons of IAM services to choose from and the environment will dictate the type of IAM services to utilize. The other part of the equation is Multi-Factor authentication. The industry is full of MFA providers from Google Authenticate to Yubikey and many others. Whether it’s token based, hardware or biometric-based MFA it is important to understand that the second form of authentication needs to be separate from the initial authentication system and it needs to be secure. For example, biometric authentication is very popular, but if it is simply used as a shortcut to enter an insecure password then it is not a secure solution.
Soft tokens that are received through Short Messaging Service (SMS), though very popular do not provide the level of security that is touted. SMS in and of itself is insecure. Traditional SMS messages are sent in clear text and are subject to being intercepted or even having the SMS service broker hacked and the unencrypted messages being stolen and used to hack other larger targets. There have also been instances of “Man in the device” attacks that have been used to steal tokens as they come in from the SMS broker. IAM and MFA is probably the most important aspect of any threat posture because not only does it control ingress authentication from the WAN but it also validates and authenticates internal users requesting access to various resources.
Mobile Protection, Remote Access, and Virtual Private Networks
Mobile devices are more popular than ever, especially as millennials become more prevalent in the workplace. This creates an especially unique situation for infosec pros who are tasked with securing modern environments. The options for securing these environments is also growing on an almost daily basis. From Mobile Device Management to wireless networks that prevent devices from connecting to the network unless they pass authentication and a scan to ensure the mobile device meets the preset requirements such as not allowing 3rd party downloads outside of the prescribed manufacturers store, ensuring anti-virus and antimalware is install and up to date and lastly ensuring the mobile operating systems is updated to the prescribed revision range. Something else to note more and more AV/AM and EDR manufacturers are making versions of their solutions to accommodate most mobile operating systems.
Remote access and Virtual Private Networking to the environment has always been a tricky topic. Anytime an employee wants or is required to connect to the environment for work purposes most IT professionals pop a couple of Tylenol because they know a headache is coming. Not all VPN is created equally. Simple VPN connections can be made with a firewall or gateway router (even the cheap ones) with a simple handshake and a GRE tunnel to all the remote endpoints to pass traffic through the open VPN ports and into the environment. This is a minimal security solution and HIGHLY not recommended for a security-intensive environment.
The better solution would be to set up a better VPN concentrator or Gateway Firewall that can handle VPN tunnels. Set up IPSec connections. This is a bit more work because you have to load a security certificate on the gateway concentrator and on the IPSEC software installed on the remote endpoint. However, the extra work is essential in creating a secure handshake and connection between the two devices. IPSec Connections are great, they can be created with very fast speed and provide more security than a GRE connection.
However, the IPSec connection running with AES256 and higher encryption over TLS are the most secure connections. It uses the most modern security type, an extremely high level of encryption and requires a static RSA certificate to be installed on both endpoints. The same goes for Static VPNs or Site to Site VPNs. The IPSec Connection will create secure AES256bit or higher encryption for the SSL Tunnel as well as encrypting the payload with secure AES256bit or higher encryption while in transit over the VPN connection.
Wireless Network Security
The wireless network industry has matured significantly over the last 10 to 15 years. In the old days you set up and access point with a WEP security code and everything was great. Easy to deploy, easy to connect to and fast. Man those were the days. Then, in 2001, 3 researchers working at Berkeley produced a paper named “(In)Security of the WEP algorithm“. They found the following flaws in WEP:
- Passive attacks to decrypt traffic based on statistical analysis.
- Active attack to inject new traffic from unauthorized mobile stations, based on known plaintext.
- Active attacks to decrypt traffic, based on tricking the access point.
- A dictionary-building attack that, after analysis of about a day’s worth of traffic, allows real-time automated decryption of all traffic.
- Furthermore, there are currently attack vectors on the TKIP. There are two attacks known against TKIP:
- Beck-Tews attack
- Ohigashi-Morii attack (which is an improvement on the Beck-Tews attack)
Both of these attacks only could decrypt small portions of data, compromising confidentiality. What they can’t give you is access to the network. To give you an idea of how much data can be recovered, a single ARP frame would take around 14-17 minutes to get the plain text. Getting useful information with this type of attack is very improbable (but not impossible) considering the rate of recovery. The only attack known, besides flaws in the firmware of some routers, is brute-forcing the WPA key. Generally, the key is generated as follows:
Key = PBKDF2(HMAC−SHA1,passphrase, ssid, 4096, 256)
The algorithm takes the type of HMAC to be used, the passphrase, the ssid as salt, the number of iterations the password will be hashed and the final length of the generated hash. Considering this algorithm is meant to prevent hashed passwords from being broken it can take a huge amount of time. The only reasonable attack would be to use a dictionary attack (hence it is important to use long passwords containing characters, numbers, and letters).
Also, note that you need to change your SSID to something very random. Rainbow tables have been generated for the top 1000 used SSIDs. Which can reduce attack time significantly?
WPA also supports AES (which can be used instead of RC4). While AES is more secure than RC4 the biggest problem of WPA is still present, namely, the integrity check is still done using TKIP-MIC.
Other things to consider when deploying a network system are things like:
- Ease of Management
- Centralized or Cloud-Based Management
- How the Rogue AP detection works. Does it go after non-system-based AP’s as rogue or does the system utilize logic to decide which AP’s are rogue and which AP’s may be legally active depending on activity, SSID names and perhaps MAC addresses? ***Please note there are FCC regulations against Rogue AP Detection and Destruction***
- Every manufacturer has their own unique functionality around Rogue AP Detection and many other security functions it is advised that the purchaser and IT Dept definitely perform due diligence before making a decision.
- Other things to look at are authentication types, 802.1x, Active Directory, LDAP, AAA services are some of the more popular authentication types.
- Lastly, it may be very important to ensure that the system employs a Guest WiFi authentication system. This will prevent or at least deter spoofing of the guest network as well as giving the WiFi owner an opportunity to collect information on every asset that connects to the guest wifi. This is great for marketing and accountability purposes.
Back up and Disaster Recovery
Backup and Disaster Recovery Services are essential to an organizations incident planning to stay up and running in the event of a major catastrophe. BDR consists of back and recovery of key IT systems and planning for the continuance of operations in the event that the organization encounters catastrophic events that cause the corporate or remote locations to become inoperable, destroyed or infected with destructive malware such as ransomware. There is an entire industry build around just back up and disaster recovery operations. It has been said about the growth of the industry as “this ain’t your Daddy’s old tape drive anymore”. When choosing a BDR service you absolutely need to ensure that they will meet the organizations needs 100%. Ensure that they provide a Service Level Agreement of a minimum of 99.999% reliability. They should have a plan to return your data expeditiously and lastly, they BDR firm must have a training and test plan to ensure the first-time data is recovered for your environment is not during the catastrophe.
Security information and event management (SIEM) is an approach to security management that combines SIM (security information management) and SEM (security event management) functions into one security management system. The acronym SIEM is pronounced “sim” with a silent e.
A good SIEM system will provide the security team with detailed network and asset visibility, aggregation and parsing of all log files within the environment and the ability to organize and search the log files in an organized way. In order to perform forensics functions in the event of an environment compromise. An exceptional system will provide all of the above-listed functions as well as a Threat Intelligence feed from a reputable threat intelligence community. The ability to correlate log files against the Threat Intelligence feed to identify real-time threats within the environment.
There are many SIEM manufacturers on the market today and each one has its own unique features and functions. No SIEM is a one size fits all type of system. Some provide very granular functions but require a very high level of technical skills to deploy, setup, tune and maintain. Others may be much easier to set up, maintain and provide lots of features but may not be as granular. In any case, great care should be taken when performing due diligence as the price point on most SIEM systems is pretty expensive depending on a number of variables. SIEM systems are required for almost every major compliance in the United States and many other countries as well. A SIEM could be the most powerful security tool in your arsenal and should make security analysis and remediation easier and faster, not difficult and more cumbersome.
Every website in the security industry has several articles about the shortage of good technical talent for the security industry.
Organizations now recognize that investment in security is a necessity. Yet with a current estimated 350,000 open cybersecurity positions in the US, and a predicted global shortfall of 3.5 million cybersecurity jobs by 2021 — according to Cybersecurity Ventures — the industry clearly has a massive problem regarding supply and demand.
As the old saying goes “it is better to hire attitude and train than to hire training and suffer the attitude”. If you want your environment to run optimally, then you have to train your people to make it do so. On top of having education, competent employees and technical professionals, it also gives the organization an opportunity to offer an incentive to its staff that offers a return to both the employee and the organization. It is a smart move all the way around.
End User Security Awareness Training
Last but definitely not least. If you ask any security professional, IT person and most managers what the weakest link in any environment is and their answer will be a resounding “The End Users”. So how do you fix that? 90% of all end users want to do the right thing but they just don’t know how. Most people as a whole do not come with the built-in skepticism to doubt everything and look for proof. Therefore you have 100s of thousands of breaches each year simply because an unknowing end user clicked on a link that downloaded a virus, malware or botnet. Of course, the rest is history. Train your end users and it will make your life easier.
While this is not a definitive or granular list of steps to take to deploy a very safe environment, it will definitely put you on the road to creating a secure environment that will enable the organizations IT and security staff to be proactive and shorten remediation times on almost any issue that they encounter.
IT is hard. Secure IT is even harder.
I want to help make it a little easier. Please feel free to reach out to me via twitter @tonydegonia or via LinkedIn at http://linkedin.com/in/tonydegonia. I would love to hear from you.