An organization’s sensitive and mission-critical information hangs in the balance every day. Security breaches can happen on mobile devices, such as smartphones or notebooks; on USB drives or CD-ROMs; riding as an attachment to an e-mail message; or via a misconfigured web server. To prevent data breaches, organizations much take a 360-degree look at how sensitive data is stored, retrieved and — most important — controlled. When IT managers look at the network part of the puzzle, they should consider these tips to help contain breaches:
Firewalls shouldn’t have an “outgoing allow any” policy, but that’s how many of them end up being configured, especially after years of adjusting, tweaking and dealing with web applications running on nonstandard ports. Services such as Simple Message Transfer Protocol and Domain Name System, for example, should be blocked outbound from sensitive networks or redirected to official organizational SMTP and DNS servers. There’s no reason for any device to talk directly to the Internet using those protocols, other than specific systems with the roles of mail server and DNS server.
Networks that have proxy servers should certainly block outbound HTTP and HTTPS, except from the proxy servers.
Alerting IT staff on every firewall rule violation could cripple a help desk, but a few especially significant misbehaviors can be early warning signs of a breach. Let’s say that outbound SMTP traffic from users is blocked, but now a PC on the network is trying to send SMTP directly to the Internet. Wouldn’t you want to know about it? Users trying to do SMTP, Secure Shell and File Transfer Protocol (outbound) are good choices to monitor.
When it comes to URL filtering, an alert for every blocked site would be a waste of time, but investigating blocked malware and known hacking destinations is often fruitful. A programmer or network manager storing text on Pastebin.com is normal, but if it’s someone in the human resources or finance department, they may have an infected PC — or be up to no good.
Firewalls are not the bandwidth-blocking, budget-busting products of yesteryear. Today’s firewalls are cost-effective devices that can safely segment organizational networks without causing performance problems. Using firewalls to segment networks provides both control and visibility that can block internal users from browsing parts of the network that should be off-limits.
Most attackers try to leverage weak points in organizational networks, using tools such as phishing attacks. Blocking compromised PCs — or hostile internal users — from wandering around the network looking for poorly protected data is easy when the network is segmented using internal firewalls.
An easy way to identify potential locations for network barriers is by looking at an organizational chart. Networks should be segmented much the same as organizations are segmented, under different executives or departments. Finance and administration shouldn’t mix unimpeded with marketing or e-commerce applications. Research and development or engineering tasks should be separated from education and applications.
Poorly written and inadequately secured web applications are the path of least resistance for anyone looking to crack into organizational networks from the outside. Application programmers and application managers, whether in-house, outsourced or from a third-party software house, are the weakest security link in most organizations. Tools such as intrusion prevention systems and web application firewalls aren’t magic bullets that can solve the accumulated problems of decades of bad design, but they help reduce risk.
Heavy-duty intrusion prevention systems require a significant continuing investment, keeping devices tuned and managing alerts. Organizations with high breach potential should already have IPS technology in place. For areas of the network with less sensitive data, simply turning on the built-in IPS that comes with all unified threat management firewalls is a cost-effective and risk-reducing alternative.