Regulators want financial institutions to plan for cybersecurity upgrades, both in strategic planning and during the budgeting process. It is difficult sometimes to know how to approach this planning process. How are institutions supposed to know what changes may be needed in the future? Part of the answer may be in guidance last week from US-CERT regarding recommended infrastructure controls.
The controls being recommended by US-CERT are fairly advanced and require thought, time, and money to implement. This week we will take a brief look at these controls and what may be required to implement them:
- Segment and Segregate Networks and Functions: This involves segmenting a network by role and function. The accounting department may be placed on a different network segment than the retail branch network. If a breach occurs, role-based segmentation helps contain the damage to one business area. Implementation is complex, because some systems (email systems, security systems, etc.) will be shared between segments and much thought needs to go into how this connectivity is retained while ensuring the effectiveness of the control. Institutions may find that role-based segmentation requires the purchase of additional infrastructure components and servers.
- Segregate Sensitive Information: Segregating sensitive information requires placing this data on a separate network segment and filtering access to that data from only the devices and users that require it. One of the difficulties encountered when trying to do this is that critical systems that have operated smoothly for years may now need to be changed to access data on another network, which can result in unexpected downtime if not properly planned and tested. Another difficulty is that organizations that attempt to implement both role-based segmentation (see #1 above) and sensitive data segregation will quickly learn that complexity and costs may increase exponentially when adding a new role or data segment.
- Limit Unnecessary Lateral Communications: Limiting lateral communications simply means blocking any unnecessary communication from one workstation to another on the network. This usually requires a firewall on each workstation (this is called a “host-based firewall”) that rejects all but necessary traffic from other workstations or network devices. A full implementation of this control requires active management of the host-based firewalls, which requires an investment in management systems and training.
- Harden Network Devices: Network devices include firewalls, routers, switches, servers and other systems designed to manage and protect networks and data. All of the controls mentioned so far are worthless if an attacker gains access to the devices on which the controls are managed, as the attacker will then be able to change the settings. It is important to make sure that all vulnerabilities are remediated on network devices, and that settings and configurations of these devices are reviewed regularly. Institutions should ensure that these devices are scanned regularly as part of their vulnerability management program. Someone not involved in management of these devices should periodically review their configuration, as even the best administrator can miss a key configuration error. Robust vulnerability management and third party reviews can be costly, so be sure to include discussions of these during planning and budgeting.
- Secure Access to Network Devices: Another layer to protect network devices from attackers is securing access to only those that need it (authentication), and by giving those individuals only the access they need (authorization). Providing secure authentication can be accomplished in many cases by requiring multi-factor authentication to access these devices. Managing authorization properly usually requires implementation of an Authentication, Authorization, and Accounting (“AAA”) server such as Radius. The AAA server acts as a central clearing house for device security, ensuring that only authenticated users with the proper authorization are able to perform a function, and that all actions are logged. Implementing these technologies requires significant planning, effort, and change management, as a mistake can lock administrators out of systems.
- Perform Out-of-Band Management: Out-of-Band (OoB) management refers to the practice of setting up a separate management network for network devices and implementing restrictions that disallow changes from other networks. Implementation of an OoB management network is a valuable control that helps protect network devices if there is an attack on a user network, but this control adds cost and complexity to the network infrastructure.
- Validate Integrity of Hardware and Software: This control involves purchasing from reputable, authorized vendors only, and asks companies to enforce supply chain integrity checks with their vendors. It also asks that new hardware and software be inspected for tampering, and that updates only be downloaded from validated sources. While this is largely not a technical control, it should be considered when discussing vendor management and patch management programs during planning sessions.
If your institution is having difficulty determining which technologies to invest in to best protect against attacks, Bedel Security can help. Please contact us for more information!
