Cyber Security Defense: Detailed Guide to Effective Network Segmentation
Many of today’s networks have a flat structure that sets up no barriers between disparate systems. Organizations may wall off SCADA systems from the rest of the network, but they fail to limit unnecessary communication paths between other network nodes. Too often, systems like CCTV, manufacturing control, alarms and building access control live on the perimeter of a network with no limits on internal access. For example, attackers can compromise the workstation that maintains access control functions. They can then disable door keypads, compromise building security, steal data and manipulate power distribution.
In a world that has seen exponential growth in cyber security threats, network segmentation limits an attacker’s movements, protects proprietary information and prevents unauthorized access to sensitive data. The process brings together logical groups of users, applications and assets. It then ensures that these groups don’t interact unnecessarily with one another. The key is to balance segmentation for cyber security with the organization’s need for agility and rapid workflow. It’s a long-term process, and the implementation timetable will differ depending on the size and complexity of the organization.
Is Security for Your Business Important?
Did you know that in 2010, over 1000 workplace homicides took place in the United States according to the CDC? Did you know that 2% of all sales revenue, on average, is stolen annually by employees?
Did you know that having on-site security reduces your chances of being robbed by 85%?
These are just a few of the reasons why every business, regardless of size, income level, or specialty, needs to focus on protecting their business both physically and electronically.
Workplace Homicide and Assault
Workplace assaults number in the tens of thousands annually. Each instance opens a company up to a potential lawsuit. These lawsuits can add up to millions of dollars in damages and legal fees, so investing in some security can be a very smart move.
Strong HR policies aren’t always a deterrent to homicide or assault in the workplace. Having on-site security present can reduce liability in the event that something unfortunate happens. Security can also reduce the chances of an attack occurring at all. When managing a large company and mixing all different types of personalities, you should definitely invest in some physical security to protect your employees and the company’s assets.
Theft is a major problem in the workplace. Whether physical property or intellectual property is stolen, it can pose a serious problem. Companies report that between 2 and 5 percent of their income has been lost to theft, both from within the company and from outside. This can be theft of office supplies, computer equipment, or currency by employees. It can also mean theft of merchandise by customers, which could be avoided if precautions are taken. With items like security locks from Security Centers in Southern California, you can be sure to protect your business from thieves.
A security detail can monitor the entire company to ensure profits are not walking out of the door. The cost to protect against theft is a fraction of the overall cost of theft in a company. A visible security guard can reduce theft by as much as 50%, and investing in some anti-theft security software can help guard your property from malicious intentions.
Identity theft costs American companies nearly $25 billion per year. Scams pilfer another $2 billion from corporate coffers. While no one can completely prevent all forms of identity theft or scams, having security teams monitoring email traffic for key words or known phishing attempts can dramatically reduce the likelihood that it happens in your company.
Having a computer security expert working to protect your business can save another 3 to 7 percent of anticipated profits annually. Corporate security is no longer only about physical security. Computer security is just as important.
Experts expect the rates of computer scams and identity theft to continue. Estimates put total losses at over $50 billion annually by 2020.
Hiring a team of security professionals and buying security software to protect your online and physical assets can seem expensive, but the price of not acting can be significantly greater if your business is compromised.
7 Steps to Effective Network Segmentation
1. Take an Inventory of Machines
Few organizations know exactly how many machines they own. They also may not know who’s using those machines, and they may not even know where to find what they have. For this reason, taking an exhaustive inventory of every machine is crucial to starting the network segmentation process. These machines typically fall into categories such as the following, and more:
- Windows and UNIX servers
- Development servers
- Financial servers and workstations
- HR servers
- Security devices
- Other network infrastructure
In particular, pay attention to equipment that’s controlled by system administrators. One compromised system administrator laptop can give an attacker access to a wide range of functions and employee credentials.
2. Decide How to Protect Each Machine
A Windows server in one location may not need the same level of protection as a Windows server in another location. Therefore, after taking a machine inventory, categorize the machines according to the type of protection that each machine requires. Once you know what you have and what it does, then you can make decisions regarding how to protect each asset.
3. Take an Inventory of Personnel Including Which Machines They Can Access
Make a list of every person in the company and which machines they can access including workstations, notebooks and mobile devices. Then, ask yourself whether these people actually need every machine they have. In the previous step, you decided how to protect each machine according to its characteristics and functions. Now, make more decisions about protection by factoring in whether the receptionist or the CEO is using the machine.
4. Create an Initial VLAN to Isolate a Low-Maintenance Group
Instead of trying to tackle company-wide segmentation all at once, start by creating a virtual LAN (VLAN) for a low-maintenance group of workers. Good choices include the legal department, accounting and human resources. Monitor the group and all traffic in and out of its servers so you can understand what the group accesses and how workflows actually happen. As you come to understand your initial group, you can expand your segmentation efforts to other groups.
5. Create a Default Deny Ingress Rule for Each Group
Starting with your pilot group, develop a default deny ingress rule so that other users, machines and applications can’t interact with that segment of the network. Every time you implement a new default deny ingress rule, prepare for some problems. For instance, if the CEO can no longer access a desired financial report, prepare to apologize profusely and to quickly fix the problem.
6. Prepare for New Equipment Needs and Personnel Training
Old equipment may not be able to handle your segmentation. For example, you might have to purchase a new router if the old one can’t implement your new access control list. Also, you’ll have to train personnel to navigate through your segmented network. They should understand why they no longer have access to certain areas.
7. Refine Your Groups Over Time
No matter how much time you spend trying to understand business drivers and workflows, you’re going to make mistakes that people will find disruptive. Refine your group structure and protection strategies as you learn, and give yourself a generous timeline to implement a full network segmentation strategy.
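The seven steps above, modelled as a small policy dry run: an inventory of machines and their segments (steps 1 to 3), a pilot VLAN (step 4) and a default-deny ingress rule for it (step 5), replayed against traffic captured during the monitoring period to show which flows the rule would break before it goes live. This is an added example, not code from the original article; every host name, segment, port and flow is constructed sample data.

```python
# Added example (not from the article): a toy evaluator for a default-deny
# ingress policy on a pilot VLAN. All hosts, segments, ports and flows are
# constructed sample data.

# Steps 1-3: inventory of machines, the segment each lands in, and who uses it.
INVENTORY = {
    "fin-srv-01":   ("finance", "server"),
    "fin-ws-07":    ("finance", "accountant"),
    "ceo-laptop":   ("corp", "ceo"),
    "admin-laptop": ("corp", "sysadmin"),
    "cctv-nvr":     ("corp", "building-control"),
}

# Step 4: the pilot VLAN. Step 5: ingress into it is denied unless explicitly allowed.
PILOT_SEGMENTS = {"finance"}
ALLOW_RULES = [
    # (source segment, destination host, TCP port)
    ("finance", "fin-srv-01", 445),  # accountants reach the finance file share
    ("corp", "fin-srv-01", 443),     # rest of the company reaches the report portal
]

def ingress_allowed(src, dst, port):
    """Default deny into pilot segments; segments not yet migrated stay open."""
    src_seg, dst_seg = INVENTORY[src][0], INVENTORY[dst][0]
    if dst_seg not in PILOT_SEGMENTS:
        return True            # still on the flat network
    if src_seg == dst_seg:
        return True            # intra-segment traffic is not ingress
    return (src_seg, dst, port) in ALLOW_RULES

def dry_run(observed_flows):
    """Replay flows captured while monitoring the group; return those the rule would break."""
    return [f for f in observed_flows if not ingress_allowed(*f)]

# Constructed flows "seen" during the monitoring period of step 4.
OBSERVED = [
    ("fin-ws-07", "fin-srv-01", 445),
    ("ceo-laptop", "fin-srv-01", 443),
    ("ceo-laptop", "fin-srv-01", 445),  # CEO mapping the share directly
    ("cctv-nvr", "fin-ws-07", 3389),    # building system reaching a finance workstation
    ("admin-laptop", "cctv-nvr", 22),
]

if __name__ == "__main__":
    for flow in dry_run(OBSERVED):
        print("would be blocked by default-deny ingress:", flow)
```

The two flows the dry run reports are exactly the kind of surprise step 5 warns about: one is a legitimate need to add as an explicit allow, the other is an unnecessary path the segmentation is meant to close.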