As a former network administrator and IT Manager, I’ve spent most of my IT career defending networks from the bad guys along with keeping the daily IT ship afloat. Take that and add a couple of projects and helpdesk tickets and you’ve got yourself a never-ending to-do list. It’s not an easy job to say the least, and sometimes you can’t help but wonder if you and your team have all the bases covered on the security front.
About a year ago, I began a new position as Director of Network Security for HORNE Cyber. Moving from an IT administration/engineering role into an offensive security role has allowed me to reflect on and appreciate the importance of many of the things I was told or read, and I can now bear witness to them based on direct experience:
- A hardened perimeter defense is only part of the solution.
- NEVER underestimate the persistence of an attacker.
- There are some VERY sophisticated attackers out there.
- Attacks can move very slowly and often go undetected by intrusion detection systems.
- You must educate your users.
- You can’t do it all; partner with security experts for help.
If you or someone on your team is in the day-to-day operations of IT, and is also the person responsible for security, there just aren’t enough hours in the day to properly monitor, investigate and take effective action on possible threats. It’s easy to get a sense of comfort from a well-thought-out network perimeter defense. Your organization has invested in and deployed firewalls, intrusion detection and prevention, a spam filter, anti-virus, and a patch management system deploying patches weekly. A good security posture must be implemented in layers so that no one layer depends on another. These are required and I highly encourage all of them, but there’s more.
So here are a few of the questions to ask yourself or your team honestly and openly:
- Do we have an accurate IT asset inventory? – Develop an inventory process. You can’t manage what you don’t measure.
- Can we detect irregularities in our network traffic? – Benchmark data utilization on your network so you can see irregularities. Use thresholds and set alerts; be in the know.
- Do we effectively track our public IP address ranges and audit the corporate firewall access lists?
- Are we deploying default configurations on devices? IoT devices can be a foothold for an attacker.
- WOULD WE EVEN KNOW IF AN ATTACKER WAS IN OUR NETWORK?
- Have we had a REAL advanced penetration test against our network, not a vulnerability scan?
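One way to act on the “benchmark your utilization, then set thresholds and alerts” item above, as an added example that is not part of the original post: build a per-host egress baseline from a benchmark window and flag hosts that exceed it, or that have no baseline at all (which is an inventory gap). The hosts, days and byte totals are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: (host, day, bytes_out) egress totals per host per day.
# These values are made up for the example; in practice they would come from
# flow exports or switch/firewall counters collected over a benchmark period.
HISTORY = [
    ("10.0.1.20", "day1", 100_000), ("10.0.1.20", "day2", 110_000),
    ("10.0.1.20", "day3", 95_000),  ("10.0.1.20", "day4", 105_000),
    ("10.0.1.20", "day5", 90_000),
    ("10.0.1.21", "day1", 50_000),  ("10.0.1.21", "day2", 50_000),
    ("10.0.1.21", "day3", 50_000),  ("10.0.1.21", "day4", 50_000),
    ("10.0.1.21", "day5", 50_000),
]

# Constructed "today" sample: one host spikes, one is normal, one was never seen.
TODAY = [("10.0.1.20", "day6", 200_000), ("10.0.1.21", "day6", 52_000),
         ("10.0.1.99", "day6", 5_000)]


def build_baseline(records):
    """Per-host (mean, population stdev) of daily egress over the benchmark window."""
    per_host = defaultdict(list)
    for host, _day, nbytes in records:
        per_host[host].append(nbytes)
    return {host: (mean(v), pstdev(v)) for host, v in per_host.items()}


def check_day(records, baseline, k=3.0, min_margin=20_000):
    """Return (host, reason) alerts for hosts above mean + max(k*stdev, min_margin),
    and for hosts with no baseline at all (an unknown host is itself a finding)."""
    alerts = []
    for host, _day, nbytes in records:
        if host not in baseline:
            alerts.append((host, "no baseline: host missing from inventory/benchmark"))
            continue
        avg, sd = baseline[host]
        # min_margin stops a host with near-zero variance from alerting on tiny changes
        threshold = avg + max(k * sd, min_margin)
        if nbytes > threshold:
            alerts.append((host, f"egress {nbytes} exceeds threshold {threshold:.0f}"))
    return alerts


if __name__ == "__main__":
    for host, reason in check_day(TODAY, build_baseline(HISTORY)):
        print(f"ALERT {host}: {reason}")
```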
Of all the tools I’ve used over the years to monitor and prevent attacks, the one thing that sticks out to me the most is situational awareness. You or the team you employ must know your environment from the core to the edge and all things in between. Two of the fastest ways to gain this awareness are to conduct a full inventory and to have an advanced penetration test performed against your network infrastructure. If a device is connected, can connect, or will connect to the network, it needs to be accounted for and reviewed. Nothing can replace having a team of experts comb through your infrastructure to identify your real vulnerabilities.