The Threat is Real. Protecting Your Organization.

Target, Home Depot, the Office of Personnel Management (OPM), the Democratic National Committee (DNC), Yahoo: almost every day we hear about some sort of data breach or network attack. It seems to have become a fact of life on the Internet. However, organizations can take simple measures to strengthen their networks without major network redesigns or exorbitant expenditures.

Target was breached when a subcontractor’s system was compromised and the attacker obtained valid login credentials to Target’s vendor portal. With those credentials and the ability to log in to the vendor portal, the attacker had an inside staging point from which to explore and launch further attacks on the internal network. Not all the details are public, but the attackers appear to have compromised the Active Directory system, which seems to be used extensively in the organization; once that was compromised, the attacker had some form of access to the rest of the network.

While Target undoubtedly had other layers of security and access control methods in place, the lack of network “bulkheads” (network segments or security zones) made an attacker’s wandering and exploration much easier and allowed the deployment of malware that was able to compromise Target’s POS systems. Even though the POS systems did not have direct Internet access, once infected they were able to send POS data to a “dump” server inside the network, which the attackers could access and control.

Zero Trust Network Architecture was introduced several years ago by John Kindervag, a researcher and analyst at Forrester Research. The primary principle of Zero Trust is “Trust nothing, verify everything”. With the network perimeter disappearing, organizations using cloud services, employees working remotely instead of within the bastion of the corporate headquarters, and business partners accessing enterprise network systems, the security model must change.

A major component of Zero Trust is the classification and segmentation of an enterprise’s data and networks based on the type and criticality of the data and systems on each part of the network. This creates security zones, and the deployment of segmentation gateways between those zones allows security policies to be implemented that limit and control access. Another major component is logging of the traffic and events occurring within and between the various security zones or segments.

If any particular security zone were compromised, the “blast radius” could be minimized: with proper logging, monitoring and alerting, the security team is notified of the suspicious network traffic, and any suspicious traffic or activity can be quickly suppressed.

Many organizations “segment” their networks using VLANs and security Access Control Lists (ACLs). While this is a step in the right direction, without the ability to inspect, monitor and log all traffic flowing between segments and security zones, this approach provides limited value.
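The three preceding paragraphs describe what a segmentation gateway adds over a plain VLAN/ACL split: every inter-zone flow is logged and checked against a zone-to-zone policy, and anything outside that policy is an alert rather than a silent pass. The following is an added example, not code from the original post or from Forrester: a small auditor that reads constructed flow records in a hypothetical syslog-style format, maps each address to a zone, and raises alerts for flows no policy permits. The zone names, address ranges, allow-list and log format are all assumptions made up for the example; the scenario mirrors the post (vendor-portal credentials reaching the directory, a POS host pushing data to an internal “dump” server, a POS host reaching an external address).

```python
"""Audit inter-zone flow records from a segmentation gateway against a
zone-to-zone allow-list and alert on everything else (default deny).

Example code; the zones, ranges, policy and log format are constructed."""
import ipaddress
import re

# Hypothetical security zones (constructed address ranges).
ZONES = {
    "vendor_portal": ipaddress.ip_network("10.10.0.0/24"),
    "corp_directory": ipaddress.ip_network("10.20.0.0/24"),
    "pos": ipaddress.ip_network("10.30.0.0/24"),
    "payment_gateway": ipaddress.ip_network("10.40.0.0/24"),
    "dmz_file_servers": ipaddress.ip_network("10.50.0.0/24"),
}

# Allow-list of (source zone, destination zone, destination port).
# Any inter-zone flow not listed here is denied and alerted on.
POLICY = {
    ("vendor_portal", "dmz_file_servers", 443),
    ("pos", "payment_gateway", 443),
    ("corp_directory", "pos", 445),
}

# Hypothetical gateway record format:
# <timestamp> <gateway> src=<ip> dst=<ip> dport=<n> proto=<p> bytes=<n>
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<gw>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) bytes=(?P<bytes>\d+)$"
)


def zone_of(ip):
    """Return the zone name containing ip, or 'external' if none does."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse_flow(line):
    """Parse one gateway record into a dict with zones resolved."""
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable flow record: %r" % line)
    flow = m.groupdict()
    flow["dport"] = int(flow["dport"])
    flow["bytes"] = int(flow["bytes"])
    flow["src_zone"] = zone_of(flow["src"])
    flow["dst_zone"] = zone_of(flow["dst"])
    return flow


def evaluate(flow):
    """Return (verdict, reason) for a parsed flow; verdict is 'allow' or 'alert'."""
    src_z, dst_z = flow["src_zone"], flow["dst_zone"]
    if src_z == dst_z:
        # Traffic that never crosses the gateway is out of scope here.
        return "allow", "intra-zone traffic (not enforced by the gateway)"
    if (src_z, dst_z, flow["dport"]) in POLICY:
        return "allow", "matches allow-list"
    if dst_z == "external":
        return "alert", "%s zone reaching an external host" % src_z
    return "alert", "no policy permits %s -> %s on port %d" % (src_z, dst_z, flow["dport"])


def audit(lines):
    """Evaluate every record and return the list of alerts, in log order."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        verdict, reason = evaluate(flow)
        if verdict == "alert":
            alerts.append({
                "ts": flow["ts"], "src": flow["src"], "dst": flow["dst"],
                "src_zone": flow["src_zone"], "dst_zone": flow["dst_zone"],
                "dport": flow["dport"], "bytes": flow["bytes"], "reason": reason,
            })
    return alerts


# Constructed sample records (not real traffic).
SAMPLE_LOG = """\
2017-03-01T10:15:02Z seg-gw1 src=10.30.0.12 dst=10.40.0.5 dport=443 proto=tcp bytes=812
2017-03-01T10:15:09Z seg-gw1 src=10.10.0.21 dst=10.50.0.8 dport=443 proto=tcp bytes=4096
2017-03-01T10:16:40Z seg-gw1 src=10.10.0.21 dst=10.20.0.3 dport=389 proto=tcp bytes=1532
2017-03-01T10:20:11Z seg-gw1 src=10.30.0.12 dst=10.50.0.8 dport=445 proto=tcp bytes=9437184
2017-03-01T10:21:55Z seg-gw1 src=10.30.0.12 dst=203.0.113.7 dport=443 proto=tcp bytes=2048
2017-03-01T10:22:03Z seg-gw1 src=10.30.0.12 dst=10.30.0.13 dport=445 proto=tcp bytes=600
"""

if __name__ == "__main__":
    for a in audit(SAMPLE_LOG.splitlines()):
        print("%s %s(%s) -> %s(%s):%d %d bytes: %s" % (
            a["ts"], a["src"], a["src_zone"], a["dst"], a["dst_zone"],
            a["dport"], a["bytes"], a["reason"]))
```

Run against the sample, the auditor passes the two allow-listed flows and the intra-zone one and raises three alerts: the vendor-portal host touching the directory on 389, the POS host pushing nine megabytes to the file-server zone on 445, and the POS host reaching an external address. The point of the default-deny shape is that a new flow pattern is an alert even if nobody anticipated it; a VLAN with ACLs but no per-flow logging would have passed or dropped these packets without anyone being told.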

By migrating to a Zero Trust Network Architecture and making some relatively simple and straightforward changes to an organization’s network infrastructure and architecture, the overall security of all systems and, most importantly, the organization’s data can be improved. One of the major advantages that even C-level executives will understand is that your organization will not become a major news headline.
