Network Security – The Necessity for Auditing

© 2017 KG Hawes – Partners in Technology | (866) 687-9006 | www.kghawes.com


ABSTRACT:

“In 60% of cases, attackers are able to compromise an organization within minutes.” (1)

A computer network is essential to nearly every aspect of a business’ daily operations. The network stores all necessary data, facilitates employee tasks, and acts as an access point for customers and clients. It is difficult to imagine what a computer-free workplace would look like, but every year many businesses find out as an unintended side effect of a network security breach. Faulty network security can open a business up to attacks capable of disabling its entire digital infrastructure. Unfortunately, many companies mistakenly believe network security falls squarely on their IT departments, failing to recognize the role of the organization as a whole. The simple act of regular network security auditing could save businesses across the United States billions of dollars every year. This paper will address the basics of network security, highlight areas for concern, potential consequences for inaction, and key steps towards prevention.


Contents

ABSTRACT
Network Security Basics
    Overview of a Network
    Points of Vulnerability
Threats
    Users
    Power Supply Failure
    Viruses and Trojans
    Distributed Denial of Service
    Unauthorized Access
4 Myths Impeding Businesses from Taking Action
    “If It Ain’t Broke, Don’t Fix It”
    “We Have a Guy for That”
    “We Can’t Afford Top of the Line Security”
    “This Is An IT Issue… We can’t devote more staff to that.”
Prevention
    Regular Auditing Reveals Weaknesses
    Developing a Strategy
    Implementing Policies
    Finding a Partner
Conclusion
Afterword
Sources


Network Security Basics

If network security is not at the forefront of your business concerns, it should be. It doesn’t just play a crucial part in daily operations but is also a critical component of compliance and legality. Statistically, 69% of businesses would classify the information stored on their network as “sensitive or critical” (2). The kind of confidential information the average business accumulates ranges from private consumer and financial data to vital intellectual property. While monetary costs for compliance and litigation resulting from breaches in consumer information can be estimated, the loss derived from the leak of crucial information to competitors, such as product design, business practices, and client contracts, cannot. For this reason, it is essential that businesses make network security more than just an area of concern; network security must become a central priority. The first step to assessing your company’s risk is to understand the composition of a network.

Overview of a Network

Your computer network is what facilitates the exchange of information between devices. The network communicates both internally, within your organization, and externally, with outside systems. A network uses its own operating system. Operating systems manage the network’s input and output, processing, memory, and support its applications. Network operating systems are what allow for concurrent users, shared data storage, printers and application hosting.


Points of Vulnerability

The central security features of a network are accessibility, authentication, encryption, access control, and application privilege. Each security feature represents a vulnerability, or potential entry point. Network access can be divided into three primary areas of concern: internal, external, and cross-border.

• Internal: Internal areas of concern are related to staff access. Authentication practices are designed to permit access to sensitive information on a need-to-know basis. Controlling user permissions and restricting network access can help prevent internal breaches whether malicious or unintentional.

• External: Network access control and encryption processes are intended to shield the network from unauthorized external users. Application privileges limit the capabilities of applications so they don’t become unintended access points.

• Cross-Border: A combination of these security efforts manages the transfer of information between internal and external forces. Threats posed by a vendor’s access/connectivity must be taken seriously. For instance, in Target’s 2013 landmark Christmas breach, the threat was traced back to network credentials that were stolen from a third-party vendor (3).


Threats

There are a number of common ways network security is breached. Most businesses are aware of the risks that cybercrime poses in the form of hacking attacks and malware. However, many businesses fail to recognize what may be the most obvious vulnerabilities to their network: those which often happen by chance, are unintentional, and have nothing to do with the malicious intent of an outsider. Recognizing the primary threats to your network is an integral first step to protecting your business.

Users

Believe it or not, the users of a network are responsible for the majority of security issues that arise. This is commonly referred to as the “Human Factor.” Users can inflict damage on a network in a number of ways; many can be attributed to simple mistakes or plain ignorance. Visiting untrusted sites on the internet, falling for phishing scams by downloading malicious software, and introducing bandwidth-hogging applications or games to a network are all very common. Users accidentally adjusting security controls while messing around with their computer’s settings, thinking they can “fix” a problem themselves without going through the IT department, and installing unverified updates or “solutions” are other typical scenarios. These seemingly harmless activities can not only breach a network’s security but sometimes wipe out critical information or render a system inoperable.

Power Supply Failure

The potential for power failure is not often considered when businesses are analyzing threats; however, it is a serious concern. Your computer network is reliant on a file server. The file server acts as a hub for everything that is shared among network users. In short, it manages the storage and retrieval of all the files or databases that employees use on the network. It also often includes access controls or user permissions to serve as some kind of security for those files. Because of the constant flux of information on a file server, it utilizes temporary storage in a cache; this allows commonly accessed files to be retrieved faster. Some file servers only cache “read” data, but many cache “write” data as well, meaning new files or changes made to files are also temporarily housed in the cache. When the power is abruptly cut to a file server everything in the cache is lost. Imagine the amount of new information that could be sitting in a cache on your business network at any given time.


Viruses and Trojans

Viruses and Trojans are malware designed to spread through network contact. Viruses can take a number of forms and are often hidden in files so that the user is completely unaware of their existence.

Trojans, however, are designed to look like a useful application and are often downloaded and installed intentionally. These kinds of malware can be used to steal information or disable functioning. Many viruses today are designed to automatically send themselves to all the contacts in an infected user’s email. You can imagine how effective this strategy would be on a business network. We all recognize what happens when one person in the office gets sick; soon the entire office is infected. It’s no different with our office computers.

Distributed Denial of Service

Distributed Denial of Service (DDoS) refers to attacks where the user’s access is disrupted or temporarily disabled. This is typically achieved by overloading the computer with so many requests that it cannot process anything. Your business’ network access can be disrupted the same way. DDoS is a common strategy when an attacker wishes to temporarily disable a business and can be introduced to a network through various forms of malware. DDoS can also occur accidentally if a network is not configured properly. Users can unintentionally flood a component of a system, thus overwhelming it and halting its functionality. A DDoS attack is a common accompaniment of ransomware. In these attacks the criminal demands payment of a ransom to return functioning to normal, though they often cannot be trusted to restore service.

Unauthorized Access

Perhaps the most obvious threat to your network security is access by an unauthorized user. This is, after all, the ultimate goal of hackers and criminals. Damage can be inflicted in an infinite number of ways by a person with access to your network. Information can be stolen or deleted, malware can be introduced, or processes disabled. The only limit is the attacker’s own creativity. Protecting your network from unauthorized access is the primary focus of most security measures. A network should utilize a combination of firewalls, software, and authentication protocols to best achieve this. Regular updates, patches, and certificates can also help prevent points of vulnerability.


(Information Source: ‘2015 Information Security Breaches Survey’.) (4)


4 Myths Impeding Businesses from Taking Action

Failure on the part of supervisors and staff to recognize network security as a priority for business operations is the biggest factor in unattended vulnerabilities. Unfortunately, it only takes one oversight to create an opportunity for cybercrime that could result in a temporary halt in business production or, worse, a complete shutdown. There are many common beliefs that prevent businesses from taking the most basic of steps to protect themselves. We discuss them below.

“If It Ain’t Broke, Don’t Fix It”

Many businesses use equipment that was either obtained as a part of an acquisition or that has been in place since the business started up. When a business is formed with existing computer systems and networks in place, it is commonly assumed they will last forever. Businesses often don’t include technology upgrades in their annual budgets, adopting the “If it ain’t broke, don’t fix it” attitude and only making modifications or upgrades when absolutely necessary. This is a huge mistake. With the quickly evolving sophistication of technology come more sophisticated threats. The use of “legacy” networks, and networks that your business has inherited, can pose a serious problem for security. The term “legacy network” applies specifically to any old style of communication protocols. Communication protocols dictate the processes a network uses to exchange data with other systems.

Today TCP/IP protocols are the most widely used. The TCP/IP protocol method breaks information up into “packets” to be distributed across the network. This provides a number of opportunities for security measures to be applied, such as encryption or authentication processes, making transmission more secure. To provide an explanation of TCP/IP protocol functions, imagine the information you need to send is like a puzzle; this protocol would send your puzzle across the network piece by piece only revealing the final “picture” once it was reassembled at its intended destination. The TCP/IP method is also compatible with all operating systems making it incredibly reliable. If your business is relying on a legacy network, it is subject to serious limitations in not just security but also functionality. Old networks tend to be hardware and vendor centric. This means running the network is often more expensive than it needs to be and incompatible with newer applications. Outdated networks also have limited abilities because they were not designed to accommodate the amount of use common today. The combination of these factors means they cannot be fully utilized, slowing speeds for users, and in turn business processes. The failure in modification ability and compatibility with newer applications means the network is twice as vulnerable to security threats. Modern firewalls or virus detecting applications cannot be applied to outdated applications, and legacy network settings cannot be programmed to today’s standards leaving the business vulnerable.


“We Have a Guy for That”

Many businesses assume network security can be handled solely by their “IT guy.” The truth is that while your IT personnel may be fantastic at their jobs, they probably have a number of other pressing matters consuming their time. Network security is a large undertaking that requires more than troubleshooting. IT directors spend a lot of their time putting out fires, not looking for them. Another factor to consider is the “forest for the trees” concept. IT directors are often so hyper-focused on the intricate details of your operating systems that they can overlook larger, sometimes more obvious, problems.

“We Can’t Afford Top of the Line Security”

The cost of network security can be intimidating and turn many businesses off from taking the necessary steps towards adequate protection. Perhaps what should be taken into consideration is that while network security services and software have price tags attached to them, breaches in security do not. The cost that a business can accrue from a security breach or network failure can be debilitating. Gartner recently estimated the average cost for “down-time” due to computer failures for businesses at $42K an hour, ten times that if the business was in the financial sector (5). The cost of recovery from a breach in confidential consumer data averages over $7 million per incident and, according to a report by the Ponemon Institute, is continually on the rise (5). These numbers of course don’t account for the costs of damage done to a business’ brand and reputation when major breaches occur. These costs are immeasurable. Statistically, 68% of money lost as the result of a cyber related attack is unrecoverable (6). If you consider these factors, businesses can’t afford NOT to have top of the line security. Average total organizational costs of a data breach are represented in the graph below:

(Source: Ponemon Institute/IBM)(5)


“This Is An IT Issue… We can’t devote more staff to that.”

As previously mentioned, many companies rely on the IT department to handle all aspects of their network security. Small IT departments lack the manpower to handle the demands of larger business networks. But the responsibility of network security shouldn’t rest on the shoulders of IT departments alone. Businesses should make educating their entire staff about the seriousness of network security a priority. Employees should understand how their own behaviors put the business at risk. Businesses need to develop a security strategy and implement effective security policies if they are going to minimize their risk. The reality is network security is everyone’s problem.

46% of IT professionals say the security skills in their organization can’t hack it. (7)


Prevention

Protecting your business’ network security may be easier than you think. There are four simple steps any business can take today that will make great strides towards safeguarding their network.

Regular Auditing Reveals Weaknesses

The only way to prevent a potential catastrophe is to know where your business is at risk, and the best way to find out where it is at risk is to conduct an audit. A professional audit will provide you with details about vulnerabilities in your system. Audits not only address the network itself but also network devices. Scanning for potential points of entry such as open ports, identifying risky applications or running services which could be exploited by attackers, and testing the strength of current security protocols, such as encryption methods or passwords, should all be included in a typical audit. Network audits are the best way to get a detailed report about the current state of your security so that you can begin to manage your risks.

Developing a Strategy

Once you have an impression of the state of your network security, you can begin to develop a strategy. A security strategy should include the education of staff and implementation of best practice policies. Strategies can be tailored to the specific needs of your business. Examples may include the implementation of multilayer security protocols around confidential data, installing a private server, or the subcontracting of a third-party security service. A regular audit schedule should be developed to ensure that security efforts are working and no new threats have developed. Regular auditing can also play a part in compliance, both by helping assess the business’ risk of violations and by providing information to regulators concerning compliance efforts. An effective strategy will evolve with new technology and the needs of business operations.


Implementing Policies

Implementing strict security policies is essential. Typical policies include standard password requirements, approved outside device usage, prohibited internet use, and procedures for accessing sensitive materials. Policies can be designed around specific processes and even individual departments. Businesses which have security policies in place are more likely to avoid compliance fines and litigation related to security breaches.

Finding a Partner

“82% of companies with high performing security practices collaborate with others to deepen their knowledge of security and threat trends.” (8)

You can’t rely on your “IT guy” alone; businesses should find a reliable partner for their security needs. Outside security professionals simply have more in their prevention arsenal than the average business. Hiring a trusted service provider can save your company money in a number of ways, from eliminating the need for increased IT staff to saving resources wasted hunting for issues and experimenting with subpar solutions. A professional can also aid in the creation of effective strategies and policies. Services can be affordable and scalable, meaning they can be adjusted around the business’ needs and budget.


Conclusion

Threats to your business’ network security are threats to the entire business. Security breaches cost businesses millions of dollars annually and can often be prevented in a few simple steps. The only way to mitigate the risks to your business is to identify areas of weakness in your network. Regular auditing is the only guaranteed way to know the state of your security in order to appropriately address issues for prevention. Network security should be a top priority for any business.


Afterword

KG Hawes offers a variety of services to help small businesses with their network security needs, specializing in security and compliance Network Audits designed to uncover all existing and potential threats to security. No network is ever 100% secure, yet regular, annual Network Audits that assess and evaluate everything that goes on in your network can greatly reduce the threats to your system. KG Hawes also helps entities create and implement policies in line with HIPAA and PCI. Our pre-assessment audit includes an inventory of your existing system’s security and a vulnerability analysis. We take pride in offering affordable solutions and will apply the cost of your pre-assessment to any full audit services you request from us. KG Hawes builds lasting relationships with our clients through exceptional service, which is why we offer our clients customized solutions and 24-hour support.

Network Audit

Identifies potential vulnerabilities within the physical network, connected servers and network devices, including:

• Running Services: Any service that is running on a network device can be used to attack a system. A solid network security audit will help to identify all services and turn off any unnecessary ones.

• Open Ports: A network security audit will help to identify all open ports on network devices. All unneeded ports should be closed to eliminate the possibility of being used to attack a network device.

• Open Shares: Any open share can be exploited and should not be used unless there is some essential business purpose for it.

• Passwords: Assessments/audits will evaluate the enterprise password policy and ensure that passwords used on the network devices meet the business password policy of password strength, frequent change, and other requirements.

• User Accounts: During an audit, it must be determined which user accounts are no longer being used so that they can be removed or disabled. Unused user accounts allow for someone inside or outside the network to attack and take over the account or may be an indication of an already successful attack of the network.

• Unapproved Devices: Unapproved or unknown devices such as iPods, Smart Phones and Wireless Access Points installed on your network must be detected in an audit. Any or all of these, as well as other devices, can be used to attack the network or steal data off the network.

• Applications: The type of applications being used on a system should be identified during this process. If any dangerous applications are found running on a system, they should be removed. A network security audit would also look for software programs that run automatically because they can be an indicator of a malware infection.
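Three of the audit items above (open ports, user accounts, unapproved devices), and the port scanning mentioned under “Regular Auditing Reveals Weaknesses”, reduce to comparing what is observed against an approved baseline. The following is an added example, not KG Hawes tooling; the sample data is constructed, and the approved-port list, the 90-day idle threshold and all function names are assumptions chosen for illustration.

```python
from datetime import date

# Constructed sample of `ss -tlnH` output (listening TCP sockets) from one host.
SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 244 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 50 0.0.0.0:445 0.0.0.0:*
LISTEN 0 128 [::]:23 [::]:*
"""
APPROVED_PORTS = {22, 443}  # assumed baseline for this host's role

# Constructed account export: (name, last login or None, enabled?)
ACCOUNTS = [
    ("asmith", date(2017, 11, 1), True),
    ("jdoe", date(2017, 3, 14), True),        # idle for months
    ("temp-intern", None, True),              # enabled but never used
    ("old-vendor", date(2016, 1, 5), False),  # already disabled
]

# Constructed asset inventory and devices observed on the network
# (for example from DHCP leases); MAC formats differ between sources.
INVENTORY_MACS = {"00:11:22:33:44:55", "66:77:88:99:AA:BB"}
SEEN_DEVICES = [
    ("00-11-22-33-44-55", "10.0.0.10"),
    ("66:77:88:99:aa:bb", "10.0.0.11"),
    ("DE:AD:BE:EF:00:01", "10.0.0.57"),
]


def parse_listeners(ss_text):
    """Return {(address, port)} for every LISTEN line."""
    listeners = set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # rpartition splits on the last ':' so "[::]:23" parses correctly.
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            listeners.add((addr, int(port)))
    return listeners


def is_loopback(addr):
    return addr.startswith("127.") or addr in ("[::1]", "::1")


def unexpected_ports(listeners, approved):
    """Ports reachable from the network that are not in the baseline."""
    return sorted({p for a, p in listeners
                   if not is_loopback(a) and p not in approved})


def stale_accounts(accounts, today, max_idle_days=90):
    """Enabled accounts never used or idle longer than the threshold."""
    stale = []
    for name, last_login, enabled in accounts:
        if not enabled:
            continue
        if last_login is None or (today - last_login).days > max_idle_days:
            stale.append(name)
    return stale


def normalize_mac(mac):
    return mac.replace("-", ":").lower()


def unapproved_devices(seen, inventory):
    """Observed devices whose MAC address is not in the asset inventory."""
    known = {normalize_mac(m) for m in inventory}
    return [(normalize_mac(m), ip) for m, ip in seen
            if normalize_mac(m) not in known]


def audit(today):
    """Collect all three findings into one report."""
    return {
        "unexpected_ports": unexpected_ports(parse_listeners(SS_OUTPUT),
                                             APPROVED_PORTS),
        "stale_accounts": stale_accounts(ACCOUNTS, today),
        "unapproved_devices": unapproved_devices(SEEN_DEVICES, INVENTORY_MACS),
    }


if __name__ == "__main__":
    for finding, items in audit(date(2017, 11, 9)).items():
        print(f"{finding}: {items}")
```

A service bound only to loopback (port 5432 in the sample) is not counted as an open port because it is not reachable from the network, although it still belongs in the running-services review.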


Sources

1) Verizon. (2015). 2015 Data Breach Investigations Report (Rep.). Retrieved November 9, 2017, from Verizon Enterprise Solutions website: https://iapp.org/media/pdf/resource_center/Verizon_data-breach-investigation-report-2015.pdf

2) Poole, O. (2012). Network Security. Hoboken: Taylor & Francis.

3) Target Hackers Broke in via HVAC Company. Retrieved November 9, 2017, from Krebs on Security website: https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/

4) Eddolls, M. (2016). Making cybercrime prevention the highest priority. Network Security, 2016(8), 5-8.

5) Dixit, S. (2016). Holding the fort: A business case for testing security. Network Security, 2016(6), 16-18.

6) Stevens, M. (2016, July 21). 28 Data Breach Statistics That Will Inspire You (To Protect Yourself). Retrieved November 06, 2017, from https://www.bitsighttech.com/blog/data-breach-statistics

7) Vijayan, J. (2017, April 07). The 38 security statistics that matter most. Retrieved November 06, 2017, from https://techbeacon.com/38-cybersecurity-stats-matter-most

8) PWC. (2014, June). US cybercrime: Rising risks, reduced readiness. Key findings from the 2014 US State of Cybercrime Survey (Rep.). Retrieved November 9, 2017, from Global Initiative website: http://globalinitiative.net/wp-content/uploads/2017/01/pwc-us-cybercrime-rising-risks-reduced-readiness-key-findings-from-the-2014-us-state-of-cybercrime-survey-june-2014.pdf

Font Credit for Cover Page: “Points of Vulnerability” Reused with permission from Jecko Development. Font / Type: Ozone