Techs Gone Wild

If your network isn’t secure, it isn’t secure.

Chili Cheese Charlie

We all have those clients (or maybe the company we work for) that want to get easy wins or want to grab the low-hanging fruit when it comes to cyber security. And that is a great initial strategy to secure your network; find the deficiencies, patch what you can, then move on to the next the challenge. Unfortunately, that is where many outfits stop their efforts. They don’t realize the cyber security landscape is an ever evolving landscape that has way too many idioms and buzz words.

Let’s be clear.

Computer networks are built with equipment that takes research, way beyond what 99% of us know, to manufacture. Sure, we can plug in the cables, program the CLI, update the OS; but really, how many of us can adequately describe all the parts inside of a computer? Inside of a switch? Inside of router? How many of us can intelligently describe the difference between CAT5, CAT5e, or CAT6 cables?

We, as a community of people trying to help our company WIN must realize and accept that there are people smarter than the best of us that can do just that.

So how do you explain to your boss, who is 78 years old and can’t remember his password that security is important to the success and survival of their business? We have to be willing to openly admit that for all of the training, certificates, experience, schooling, degrees, conferences attended, and hours of work and dedication that you put in to yourself as a security professional, there are hundreds and thousands of people who put in just as much effort to bypass every single layer of mitigation and protection their company has in place.

That for every automated system and AI based protection you add to your protection stack, there are employees who will complain that they can’t install WinZip or play their favorite Facebook game. For every security enabled device you place on your network, there are teams of ethical and unethical professionals attempting to get past your defenses. That, while your business is built on hard work and dedication, there are teams of people working together building their efforts on hard work and dedication to build their business.

And their business? Money.

And every device; from a dumb hub, to a switch, to an IOT device, to your servers, workstations, surveillance cameras, cell phones, tablets, PBX system, VoIP system, automated systems, CAM devices – anything that lives on your network AND EVERYTHING that lives on your network is a potential target.

So how do we get 100% secure? You don’t. You can’t. It is a mindset that you have to adopt. You have to be willing to realize that your efforts are never done and you are always going to be chasing that 100%.

Every day.

So how do you compete? How do you protect and defend your company and your company’s assets from people who are so dedicated to taking from you? You, the person reading this blog post on some random website, have to know and understand that every day is a project. Every day is a task. Every day there is something you can do to better protect your network. This is a war and you have to triage what gets done today to best position yourself to win today and prepared to fight tomorrow.

Know your adversaries. If you are connected to the Internet, they are connected to you. What you do is not as important as how they can use your equipment to help them. Can your PCs be used as bot-nets to deliver emails or perform DDoS attacks? Maybe you have a security camera that can be used to host malware. Perhaps you bought a cute fish feeder that is attached to your WIFI that is covertly looking for targets on your network. A majority of attacks against your network are AI driven and autonomous.

Know what you have to protect. Think of it this way, what would hurt your company if it was gone. Is it your CRM data? Is it your accounting software? Is it research papers? Databases? CAD drawings? Photoshop files? HR data? Determine what is important with the help of your team and prioritize what is most important.

Prepare to defend. Think of your network as a fortress or a battlefield. In such scenarios, where are the most important assets kept? Is the enemy allowed to get to such assets without resistance? Build your network the same way. Protect your most critical assets behind layers of defense. Endpoint protection, firewalls, IDS/IPS, and the like. Prevent unauthorized access via mandatory MFA and strict policies. Then take the time to test your own defenses. Invest time in doing so. Who can get in? What can they do? How bad would it be if somebody else got that information?

Educate your employees. Humans are, and always will be, the weakest link in defending your network. The adversaries you are defending from know this and prey on human nature to gain access in ways that technology would not normally allow. Every employee in your organization has been considered; from the CEO to the janitor, and attack methods have been designed to take advantage of their role. There is a wealth of free and third party resources out there available to help train and test your employees from attack.

Report on yourself. See where your shortcoming are. Determine where your defenses can be improved. Determine what mitigation strategies can be applied to protect your company and your network from attack. Know, and communicate, that some of these strategies may affect your end users. Have relationships with them. Learn what their needs and choke points are. Understand that if you create choke points, they’ll figure out a way around them – which is a way to get around your defenses.

Lastly – don’t give up and always keep moving forward. You might hit 100% today and be back at 50% tomorrow. That is the nature of the battle.

While no specifics are provided on how to protect your network, it is important to know that there are products, procedures, best practices, tools and resources to assist you in your battle with every aspect of your defense. Provide as many layers as you can and that make financial sense to your business. Be willing to shut down a sales person who can’t show you how their product works or provide references. Every dollar counts and it doesn’t make sense to buy a dead coyote to pull your sled.