


by Atchison Frazer, Brian Dennis

Improve Your Network Security Posture

Dec 20, 2007 | 7 min read
Compliance, Network Security

In the contemporary enterprise, the responsibilities of executives in finance, legal, IT and, most importantly, those with a special duty of care and loyalty to the best interests of shareholders, the so-called “fiduciaries” of a publicly traded corporation, have become quite blurred. The threats to a corporation’s security are changing so quickly that it is difficult to determine what steps are required to ensure that a company is both secure and legally compliant.

Even a corporation that has a mature security program, including several levels of security, strictly enforced policies and regularly scheduled audits, still faces a number of potential threats that can either bring down the network or increase security risks and create legal liabilities. It is important to keep in mind the gap between the business value lost as a result of an attack and the money saved by not taking every imaginable precaution; the right level of precaution lies between the two, not at either extreme.

The Gramm-Leach-Bliley Act (GLBA), for example, compels corporations to conduct risk assessments that identify “reasonably foreseeable internal and external risks” and to monitor how effective their IT systems are at “detecting, preventing and responding to attacks, intrusions or other [vulnerabilities].”

The following five areas are some of the most important risk factors companies must address to maintain compliance and a security-hardened risk posture:

Risk 1. Constant change in the nature of attacks and in the windows of vulnerability opened by mash-ups and other Web 2.0 apps. Too often a component or device (hardware or software) is deployed without being scrutinized in three key areas before it becomes part of your infrastructure perimeter.

Augmentation: Can the device work transparently to provide an additional feature without radical changes in the current network architecture? Can the device functionality be virtualized without exposing interfaces to attack? Is data from disparate devices captured, aggregated and analyzed for event correlation defenses?

Ease of use: Every device takes time to learn, and the cost of additional training offsets the savings the device is perceived to bring to your environment through its additional functionality. In other words, does the complexity and redundancy of devices increase human latency and the possibility for error that hackers and social engineers can subsequently exploit?

Flexibility: Implement modularity in terms of what services can be placed on the network to mirror the nature of the latest threat, as well as the ability to do so quickly by simply activating incremental features and functionality on demand.

Risk 2. Weak links in the security value chain and business process activity monitors.

Departmental edges: Departmental edges are vulnerable to users in other departments, especially when the network segmentation strategy relies on a single internal edge router placed between the executive departments, the Internet and the other primary subnets, so that one misconfigured rule exposes the executive segment to everyone else.

Hoteling areas: Temporary, unfiltered access to internal networks is generally a forgotten area. Hoteling ports present a loophole when remote employees who have recently been connected to hotel or public Wi-Fi broadband networks plug a possibly compromised laptop straight into the internal network.

Extranets: Giving partners, contractors and remote users access to extranets can infect a network within minutes or create denial of service via a blended spam/e-mail/virus attack. This is especially acute among smaller, mid-market firms that act as suppliers to large, public enterprises.

Remote locations: VPN tunnels can become overextended and difficult to manage. Conventional remote access servers cannot protect against attacks that arrive when business users, infected while browsing other websites, connect back in and spread the infection to the network.

Automated policy enforcement/monitoring: Automated controls can withhold access from a user until the applicable policy has been enforced on that user’s connection, which is what deploying GRC (governance, risk, compliance) automated controls in the network makes possible.

Risk 3. Incomplete cost-benefit analysis.

Areas of loss: Formulas used to calculate losses are built on models that often omit the cost of lost intellectual property, the market value of lost or stolen information, the cost of fixing an unsecured area after an attack, productivity losses, the cost of becoming a greater insurance risk, and the loss of brand equity and corporate reputation.

Risk 4. Areas where a corporation’s security would not hold up in court.

Due diligence: Under Securities and Exchange Commission regulations, due diligence is closely akin to the legal responsibility of the Duty of Care and Duty of Loyalty standards to which the boards of directors, officers, CEOs and CFOs are held in the corporate charter. Corporations must create defensible audit trails that include logging of IP, malicious attacks and unauthorized access to another IP address.

Third-party locations (extranets): Third-party responsibility has been a hotly contested area, especially for Web-hosted services that provide online applications. Tort law cases have indicated that a company has a duty to provide security for its remote employees’ and contractors’ use of its systems in order to avoid downstream liability. Existing case law establishes that, to defend against lawsuits arising from insider espionage, a company must meet secured-operations standards, which include setting corporate and network policies that apply even to contractors and short-term employees.

Hardened VPN services: A generic VPN encrypts the tunnel but does not inspect what travels through it, so it may not protect against an attacker who gets a foothold inside the encrypted tunnel, or worse, a compromised remote endpoint that carries in an agent which plants a time-released intrusion on the network. One way to harden VPN communications is to establish trusted zones protected by multiple layers of security from unified threat management appliances that combine firewall/VPN functionality with intrusion prevention and threat intelligence services.

Risk 5. There are limited layers of security for electronic correspondence between fiduciaries.

Higher standards clearly exist for fiduciaries. Bill Cook, one of the foremost experts in cybersecurity, who prosecuted the first case under the often-overlooked Computer Fraud and Abuse Act of 1986, says the courts are specific about the steps fiduciaries must take to avoid being considered reckless and potentially liable to criminal prosecution. This includes the recognition that something as simple as an e-mail from a fiduciary to another employee is held to a higher standard of protection than an e-mail sent by an individual who is not considered a fiduciary. Furthermore, any content that a fiduciary transmits through the corporate network and other IT resources can be held to a higher standard than content from an employee without equivalent responsibilities.

What to Do

First, mandate privileged network security zones, using technologies that can block, log and create an audit trail for blended attacks and internally spawned threats. By quarantining a department, you will mitigate outbreaks and potential losses on your network due to theft, spam, viruses and blended intrusions. This is a common practice in physical security—so too should it be for virtual security in the network.

Second, provide layered security for your employees working remotely, as well as extranet security for third parties. They often represent the greatest threat of bringing down a network or stealing confidential information by exploiting the limitations in most flat networks from edge-based remote access servers. These servers generally lack application intelligence to perform contextual inspection of data packets.

Third, create fortified layers of secured access specific to the officers and senior managers in the company. Take responsibility for all data that passes from their computers and other digital communications devices, whether at corporate headquarters, at home or at any remote location. All information coming from or going to a fiduciary’s various means of communication is highly privileged, so security controls should be pervasive where the business and network architectures converge.

Fourth, look closely at the court rulings as a guide to mitigating escalating cyberinsurance costs. One formula that can be used to justify a reduction in cyberinsurance premiums is SC = p(x)L + wx, where:

  • SC = total cost of security exposure at a given precaution level
  • p(x) = probability of a cyberloss, as a function of the precaution level
  • x = precaution level
  • L = loss from a cyberattack
  • w = cost per unit of precaution

As precaution x rises, the probability of cyberloss p(x) falls, so the formula balances the expected loss p(x)L against the spending wx; the defensible precaution level is the one that minimizes the sum, not the one that drives p(x) toward zero at any cost.
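The following is an added worked example of the SC = p(x)L + wx formula; it is not the authors’ model or code. The article does not specify the shape of p(x), so the example assumes an exponentially decaying breach probability p(x) = p0·e^(−kx), and the dollar figures, p0 and k are constructed sample values chosen only to illustrate how the minimum is found.

```python
"""Worked example of SC(x) = p(x) * L + w * x (added illustration).

Assumptions (not from the article):
  * p(x) = p0 * exp(-k * x): breach probability falls as precaution rises.
  * All numbers are constructed sample values, not real loss data.
"""
import math

# Assumed baseline breach probability and how quickly precaution reduces it.
DEFAULT_P0 = 0.30
DEFAULT_K = 0.50


def breach_probability(x, p0=DEFAULT_P0, k=DEFAULT_K):
    """p(x): probability of a cyberloss at precaution level x (assumed form)."""
    return p0 * math.exp(-k * x)


def total_cost(x, loss, w, p0=DEFAULT_P0, k=DEFAULT_K):
    """SC(x) = p(x) * L + w * x: expected loss plus precaution spending."""
    return breach_probability(x, p0, k) * loss + w * x


def optimal_precaution(loss, w, p0=DEFAULT_P0, k=DEFAULT_K):
    """Precaution level x* that minimizes SC(x) for the assumed p(x).

    d/dx [p0 e^{-kx} L + w x] = -k p0 e^{-kx} L + w = 0
        => x* = ln(k p0 L / w) / k
    If even the first unit of precaution costs more than the expected loss it
    removes (k p0 L <= w), the minimum is at x = 0: spend nothing.
    """
    if k * p0 * loss <= w:
        return 0.0
    return math.log(k * p0 * loss / w) / k


def cost_curve(loss, w, levels, p0=DEFAULT_P0, k=DEFAULT_K):
    """Rows of (x, p(x), SC(x)) for each precaution level in `levels`."""
    return [(x, breach_probability(x, p0, k), total_cost(x, loss, w, p0, k))
            for x in levels]


if __name__ == "__main__":
    # Constructed sample: a $1,000,000 loss event, $20,000 per unit of precaution.
    L, W = 1_000_000.0, 20_000.0
    x_star = optimal_precaution(L, W)
    print(f"optimal precaution x* = {x_star:.2f} units")
    print(f"SC(0)  = ${total_cost(0.0, L, W):>12,.0f}   (no precaution)")
    print(f"SC(x*) = ${total_cost(x_star, L, W):>12,.0f}   (minimum)")
    print("\n  x      p(x)         SC(x)")
    for x, p, sc in cost_curve(L, W, range(0, 9)):
        print(f"{x:3d}   {p:7.4f}   ${sc:>12,.0f}")
```

Running the block shows the trade-off the article describes: with the sample numbers, SC falls from $300,000 with no precaution to a minimum of about $120,600 at roughly four units of precaution, then rises again because each further unit costs $20,000 but removes less than that in expected loss. The closed-form optimum only holds for the assumed exponential p(x); for an empirically estimated p(x), evaluate `cost_curve` over candidate levels and take the smallest SC instead.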

Fifth, implement corporate security policies that protect audit trails for intellectual property entering and leaving company networks, deploy appliances that log and correlate events from malicious exploits, and establish an enterprise architecture strategy that embeds security intelligence throughout the fabric of the network.

Corporations rely on a combination of speed and accuracy to make financial information of a material nature publicly available. This requires greater emphasis on reviewing your organization’s overall security risk management plan and devising a holistic compliance scheme that is resilient enough to adapt before the next sophisticated attack occurs.