Ransomware. It's a very hot topic in today's current affairs, and with cyberattacks on the rise, network security is the number one issue on IT executives' minds. In this three-part blog series, we will present the three types of network vulnerabilities: hardware, software, and humans. For each type, we will discuss what makes a network vulnerable, how it can be breached, how to prevent a breach, and what to do if a data breach occurs.
Part 1. Hardware
Let's break down the different categories of hardware and how each can be subject to vulnerabilities.
The physical devices that connect to your network come in many form factors, and each carries its own risks. In the early days of IT, the types of devices were limited. Servers, routers, computers, printers, fax machines (are they still around?), and firewalls were all installed and managed by IT. In the modern network, IT has relinquished a lot of control and management with the onset of IoT devices and BYOD (bring your own device) programs. Smartphones, tablets, and laptops brought from home have opened new attack vectors into the enterprise network.
USB drives can be scattered in the parking lot with auto-running malware on them. Wireless and IoT devices present their own problems. Smart thermostats, smart door locks, baby video monitors, and anything else that connects to a network are now becoming top targets. Though convenient, many do not have strict security controls in place, making them highly vulnerable to attackers.
It should go without saying, but if any devices are left physically unprotected at a business, meaning doors aren't locked or hardware is left unsupervised, it's very easy for someone to gain access to the physical network. Unlocked computers and KVM consoles attached to servers give malicious actors pre-authenticated access to applications and resources throughout the network.
Because it is such a simple thing, physical security is often overlooked. No one expects the next cyberattack they deal with to be a physical break-in. However, a quick search on YouTube turns up hours of footage of physical pen-testers taking advantage of this mindset repeatedly.
Physical assets must be secured against theft and unauthenticated access. Physical networks must be secured against unauthorized usage.
The basic premise is simple: Lock it up all the time.
Physical security systems that accomplish this can be incredibly complex. But taking basic precautions doesn't mean you have to utilize a complicated system. A simple setup might look something like this:
- Auto-locking metal doors with keyed or keyless access.
- Security cameras around the perimeter and critical interior of the building.
- Separately keyed locks on critical infrastructure areas (switch closets, server rooms, etc.).
- Group policies that enforce auto-locking of screens.
- MAC-based authentication to the network (switch port security).
- Removable device security (don't let USB drives on your network).
Of course, if you want to get more complex and ensure that only the right people are getting access, there is some really cutting-edge tech out there!
Biometrics are quickly being adopted for hardware and physical security at the enterprise level, and there are a lot of options out there. Many smart devices, including laptops and phones, already have this type of security in place, so many users already have experience using it. Some have hesitations about biometrics (privacy, integration issues, and cost), but it looks like it could become a standard for small-device authentication in the future.
Hardware security keys in conjunction with passphrase authentication are a favorite among security experts. Pair a person's credentials with a physical object that has to be present for authentication to happen, and you increase the difficulty of compromising a machine dramatically.
Questions to ask yourself and your team:
- Can someone come into an empty office and gain unsupervised access?
- Can anyone plug in and use a USB drive?
- Can anyone plug into a network port and gain access to the network?
- Are computers locked automatically?
- Can the people that have access to open the front door get access to the servers and switches?
Getting a good idea of the physical threat is step one to hardware security, so do a walkthrough of your business and determine where you need to improve.
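One of the questions above, whether anyone can plug into a network port, can be checked mechanically. As an added example (not code from the original post), the Python script below parses a switch MAC address table and compares every learned address against the asset inventory the conclusion recommends keeping, flagging devices that are not on record and known devices that show up on a port other than the one they are assigned. The inventory, the switch output and the port names are constructed sample data, not from any real network.

```python
"""Audit a switch MAC table against the asset inventory.

Added example, not code from the original post. The inventory,
the switch output and the port names below are constructed sample
data; the table format mimics a Cisco-style 'show mac address-table'
listing but is not tied to any vendor.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    mac: str
    port: str
    vlan: int
    reason: str


# Constructed inventory: MAC -> (asset description, ports it is allowed on)
INVENTORY = {
    "00:11:22:33:44:01": ("file-server-01", {"Gi1/0/1"}),
    "00:11:22:33:44:02": ("hr-printer", {"Gi1/0/10"}),
    "00:11:22:33:44:03": ("reception-pc", {"Gi1/0/20"}),
}

# Constructed switch output. reception-pc has moved to a different port
# and an address nobody has on record shows up on Gi1/0/24.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4401    DYNAMIC     Gi1/0/1
  10    0011.2233.4402    DYNAMIC     Gi1/0/10
  10    0011.2233.4403    DYNAMIC     Gi1/0/23
  10    aabb.ccdd.ee01    DYNAMIC     Gi1/0/24
"""

# One table row: VLAN, dotted-hex MAC, entry type, port
ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+\S+\s+(\S+)\s*$"
)


def normalize_mac(dotted: str) -> str:
    """Turn '0011.2233.4401' into the colon form used by the inventory."""
    digits = dotted.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text: str) -> list:
    """Return (vlan, mac, port) for every data row, skipping header lines."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            entries.append((int(m.group(1)), normalize_mac(m.group(2)), m.group(3)))
    return entries


def audit(entries, inventory) -> list:
    """Flag unknown MACs and known MACs seen on an unexpected port."""
    findings = []
    for vlan, mac, port in entries:
        if mac not in inventory:
            findings.append(Finding(mac, port, vlan, "not in asset inventory"))
            continue
        description, allowed_ports = inventory[mac]
        if port not in allowed_ports:
            findings.append(Finding(
                mac, port, vlan,
                f"{description} expected on {sorted(allowed_ports)}",
            ))
    return findings


if __name__ == "__main__":
    for f in audit(parse_mac_table(SAMPLE_MAC_TABLE), INVENTORY):
        print(f"VLAN {f.vlan} {f.port} {f.mac}: {f.reason}")
```

Run against a table exported on a schedule, this turns the inventory into a living check rather than a spreadsheet. Keep in mind that a MAC address is only an identifier, not an authenticator, so a match is not proof that the expected device is on the port; the script finds inventory drift and unrecorded devices, and complements switch port security rather than replacing it.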
How do you know your network has been breached?
At first, it might be difficult to detect. A hack might seem chaotic to you as the victim, but to the perpetrator it is a very methodical and purposeful plan. Typically, when a network is breached, threat actors have spent a considerable amount of time researching the network they are attempting to access. Reconnaissance and scanning are done before the first attempt at access.
Once the threat actors have gained access, they will quietly observe the network to learn its layout, patterns, and behavior. Over time they move on to actively scanning the network and attempting to reach further systems through privilege escalation and vulnerabilities. Once that access is gained, they may begin locking legitimate users out in order to maintain their foothold and prevent the business from fighting back.
If you don't have a way to detect a breach it may take time for visible problems to reveal themselves. And the longer a threat actor has access, the more damage can be done to your business.
Fortunately, there are many different ways to detect unauthorized reconnaissance, scanning, and access to the network.
The most important of these is SIEM, or Security Information and Event Management. Many software packages can take events and logs from myriad sources and bring them into a centralized system for analysis and detection. They enable a sysadmin to know when someone who is not authorized is attempting to gain access, and give them a chance to respond before the intruder gets further.
Once a threat actor has gained access, technologies like EDR, application whitelisting, and network monitoring can offer a chance to block the exploitation or access attempt while it is happening.
However, these are generally reactive in nature, meaning a vulnerability has already been identified and the attack has already begun. This might be too late.
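To make the SIEM idea concrete, here is an added example (not from the original post, and not any SIEM product's rule language) of the kind of aggregation such a system performs over firewall logs: it groups denied connections by source address and flags any source that probes many distinct destination ports within a short window, which is what the reconnaissance and scanning phase described above looks like in the logs. The log format, the addresses (from documentation ranges) and the thresholds are constructed assumptions.

```python
"""Flag port-scan style reconnaissance in firewall deny logs.

Added example, not code from the original post and not any SIEM
product's rule language. The log format, IP addresses (documentation
ranges) and thresholds are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: a fast probe from 203.0.113.5 across many ports,
# a repeat visitor to a single port, and a slow probe spread over 30 minutes.
SAMPLE_LOGS = """\
2024-01-01T10:00:00 FW DENY src=203.0.113.5 dst=192.0.2.10 dport=22 proto=tcp
2024-01-01T10:00:01 FW DENY src=203.0.113.5 dst=192.0.2.10 dport=23 proto=tcp
2024-01-01T10:00:01 FW DENY src=203.0.113.5 dst=192.0.2.10 dport=80 proto=tcp
2024-01-01T10:00:02 FW DENY src=203.0.113.5 dst=192.0.2.10 dport=443 proto=tcp
2024-01-01T10:00:02 FW DENY src=203.0.113.5 dst=192.0.2.10 dport=445 proto=tcp
2024-01-01T10:00:03 FW DENY src=203.0.113.5 dst=192.0.2.10 dport=3389 proto=tcp
2024-01-01T10:00:03 FW DENY src=203.0.113.5 dst=192.0.2.10 dport=5900 proto=tcp
2024-01-01T10:00:04 FW DENY src=203.0.113.5 dst=192.0.2.10 dport=8080 proto=tcp
2024-01-01T10:00:04 FW DENY src=203.0.113.5 dst=192.0.2.10 dport=8443 proto=tcp
2024-01-01T10:00:05 FW DENY src=203.0.113.5 dst=192.0.2.10 dport=1433 proto=tcp
2024-01-01T10:00:05 FW DENY src=203.0.113.5 dst=192.0.2.10 dport=3306 proto=tcp
2024-01-01T10:02:00 FW ALLOW src=198.51.100.7 dst=192.0.2.10 dport=443 proto=tcp
2024-01-01T10:02:10 FW DENY src=198.51.100.7 dst=192.0.2.10 dport=443 proto=tcp
2024-01-01T10:02:30 FW DENY src=198.51.100.7 dst=192.0.2.10 dport=443 proto=tcp
2024-01-01T10:10:00 FW DENY src=198.51.100.9 dst=192.0.2.10 dport=22 proto=tcp
2024-01-01T10:20:00 FW DENY src=198.51.100.9 dst=192.0.2.10 dport=23 proto=tcp
2024-01-01T10:30:00 FW DENY src=198.51.100.9 dst=192.0.2.10 dport=80 proto=tcp
2024-01-01T10:40:00 FW DENY src=198.51.100.9 dst=192.0.2.10 dport=443 proto=tcp
"""

# Assumed syslog-like layout: timestamp, action, then key=value fields.
LOG_RE = re.compile(
    r"^(\S+) FW (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+) proto=(\S+)$"
)


def parse_events(text):
    """Return (timestamp, action, src, dst, dport) for every well-formed line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2),
                           m.group(3), m.group(4), int(m.group(5))))
    return events


def detect_port_scans(events, window=timedelta(seconds=60), min_ports=10):
    """Sources that hit at least `min_ports` distinct ports within `window`.

    Sliding-window count over denied connections per source. Returns
    {src: peak distinct-port count}. Sources that stay under the threshold
    are absent, including slow probes spread wider than the window.
    """
    denied = defaultdict(list)
    for ts, action, src, _dst, dport in events:
        if action == "DENY":
            denied[src].append((ts, dport))

    alerts = {}
    for src, hits in denied.items():
        hits.sort()
        left = 0
        for right in range(len(hits)):
            # Advance the left edge until the window spans at most `window`.
            while hits[right][0] - hits[left][0] > window:
                left += 1
            distinct = {port for _, port in hits[left:right + 1]}
            if len(distinct) >= min_ports:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for src, count in detect_port_scans(parse_events(SAMPLE_LOGS)).items():
        print(f"possible port scan from {src}: {count} distinct ports within 60s")
```

The window and port-count thresholds are tuning knobs: the slow probe in the sample data stays under the default one-minute window and is only caught when the window is widened, which is exactly the trade-off a SIEM rule author faces between catching patient adversaries and drowning in alerts from ordinary internet background noise.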
How to prevent physical network vulnerabilities
Firewalls are the first line of defense in a network. They set up the perimeter and allow or deny access based on rules the business sets. Their primary purpose is to restrict access to only what needs to be accessed. Most of these devices run software and need to be kept on the latest code to prevent them from being exploited and providing access to the entire network. For extremely critical infrastructure, hardware firewalls do exist and can provide a very secure solution for preventing access.
Publicly facing applications and services that are allowed to be accessed through the firewalls must be kept up to date and constantly monitored for unauthorized access. Next-generation firewalls and web application firewalls (WAFs) can be effective in mitigating attacks on these vectors; however, the applications themselves should be updated and managed as well. At the end of the day, good firewalls don't excuse bad code or poor vulnerability management.
Wireless and IoT devices are important to protect but are often overlooked. With Wi-Fi, avoid default configurations and widely used passwords. For example, a Wi-Fi network with default settings and a password posted on the coffee shop wall is an easy target for attackers. IoT devices should be bought from reputable vendors and then segregated into their own subnet with restricted access to the rest of the network and no access to the internet.
BYOD programs for employees are becoming more common and IT departments need to set boundaries and standards. Though employees may work more efficiently on the device of their choice, the IT department needs to manage them to protect the network.
MDM solutions such as Microsoft Intune can provide a method for IT to maintain controls on these devices while still giving a user the liberty to utilize the device of their choice.
What to do if your network is hacked?
Unfortunately, it's not a matter of if but when. Once a breach is recognized, it's important to take swift action to mitigate the threat. Below are the steps to take to recover from a data breach on the network:
- Secure the area. If a physical breach has happened, secure the area and immediately change access controls, including key codes and keys. Restrict access to essential personnel only.
- Secure the network and isolate the breach. Disconnect any potential methods of access for a threat actor. Unplug the internet cable or switch uplink, but do not turn machines off until forensic experts have had an opportunity to examine them. If only a portion of the network has been breached, ensure it is isolated from known good areas.
- Contact your cybersecurity insurer. Insurance companies have exact protocols for how to proceed during and after a security breach, and you could lose money and leverage if you don't contact them right away.
- Don't go searching the internet for anti-malware or forensics tools, as these could be traps that lead you to download additional malware. Use only products you already know and trust.
- If possible, replace affected machines with known-good images from backup or a disaster recovery product. Run A/V or EDR on all assets, whether believed clean or not.
- It is incredibly important to change ALL passwords and authentication methods. Even the one that breaks applications when you change it.
- Do not destroy evidence. Treat affected devices like a crime scene, because that is what they are.
- Once the infrastructure is restored and confirmed clean, fix vulnerabilities in software and firmware.
Conclusion
Keeping network hardware secure can be a daunting task. It's important to note that the main defense you can take is to have a vulnerability management program and patch often. With so many devices to keep secure, it's also vital to have a Network Asset Inventory document. Having a living document that shows every piece of hardware, who has access to it, how old it is, and so on leaves little room for hardware security vulnerabilities.
If you need help getting started with a vulnerability program, download this Network Security eBook as a free resource which includes an asset inventory template. If you wish to speak with a network engineer for further assistance, contact us at sales@n3t.com and we'd be happy to connect you with one of our certified Net3 Sales Engineers.