Much of what we’re going to share here is in response to the WannaCry attack this year. For those of you who don’t know, WannaCry is the largest, full-blown, global ransomware attack that struck companies both large and small on May 12, 2017.
Before we go on, these are some Common Security Terms you should understand:
Terms from our last webinar:
- Zero-day exploit
- Perimeter defense
- Endpoint protection
- Incident of Compromise
Some new terms:
- Private VLAN
- Server Message Block (SMB)
- Network Admission Control (NAC)
- 802.1x (dot 1x)
WannaCry is considered a worm, as it scans the network for other hosts with the EternalBlue exploit (that uses the SMB v1 protocol), and then installs a copy of itself on the new host. Microsoft released a patch to plug it March 14, 2017. Those who had the patch, and who had disabled SMBv1 weren’t infected. In May of 2017 more than one million Internet-connected devices were exposed.
Kaspersky found that the bulk of infections were on machines running Windows 7 or Windows Server 2008 (not WinXP).
Lessons Learned from WannaCry
- Having a reliable data backup trumps ransomware.
- Most malware is thwarted with timely patching of operating systems and applications.
- A signature-based antimalware or cloud security service can react quickly to contain outbreaks.
- You should disable unnecessary and outdated “legacy” services and features on workstations and servers.
- It’s important to use “default deny” and “whitelisting” on firewall rules.
- Segmenting systems from one another blocks or slows worm propagation.
Let’s Begin—You Must First Identify Your Risk.
You must know what your high-value systems, services, and data are. You can determine this from compliance audits, disaster Recover planning or data security planning. Then you must run regular vulnerability scans against your internal network. It will help you find things you may not know are there, such as applications others put on your network. Look for systems that aren’t in your inventory or Internet of Thing (IoT) devices. You must know the “lay of the land” before you can build your protection.
Network Segmentation Explained
Network Segmentation separates systems by types of users, services, equipment, compliance requirements and more. It’s like limiting compartments in a cruise ship so the entire boat doesn’t get filled with water and sink. There are different types of segmentation:
- Segmenting simple topologies, to complex identity-driven, rule-based environments
- Segmenting clients from servers
- Segment public-facing services with a DMZ
- Micro-segmenting clients from each other
- Group-based tagging of network traffic based on security groups
Without Network Segmentation, you may just have a firewall or router with one egress/ingress point.
With Client/Server Segmentation (the most basic form of segmentation) each group has 2 egress/ingress control points with a firewall and a switch VLAN which is more secure.
With DMZ (demilitarized) Segmentation (a best practice) each group has 3 egress/ingress control points, a firewall, a switch VLAN and another interface on a firewall.
The Ultimate form of Network Segmentation is called Client Micro-Segmentation. This is where each group has many egress/ingress control points. It’s too complex to use just hardware for this. You also need software to manage it. This is where PCs are not allowed to “talk” to one another. This is the best way to protect your hardware and software.
An IT Security Expert will build you a Policy Matrix that exemplifies your Network Segmentation. It’s like a map that provides a visual of your segmentation plan.
Software Defined Segmentation
Software Defined Segmentation provides for:
- Access Control Lists (ACL)
- Private VLANS
- Context-Aware Secure Segmentation
- Software Defined Networking (SDN)
The level of difficulty is from 1 to 4—4 being the most difficult to breach.
After Our Segmentation is Complete
- Visibility into what’s going on inside your network (NETFLOW)
- Verification that everything is segmented (CISCO STEALTHWATCH)
- Monitoring of your network perimeter for covert communications (CISCO FIREPOWER NGFW)
- A regularly verified security posture with authenticated vulnerability scans (TENABLE NESSES)
And, after segmentation you also need to:
- Remember to patch Microsoft and third-party applications.
- Consider using a unique local administrative or root password on every machine.
- Address backups, and especially replication of backups offsite.
- Have an Incident Response (IR) Plan ready to go that defines how to contain eradicate, recover, and follow up from an incident.
We can help!
Leverage LA Networks’ Experience With:
- Firewall or Network Assessments
- Patch Management Solutions
- Network Visibility Solutions
- Vulnerability Scanning
- Endpoint Protection
- Backup Management Services
- Perimeter Intrusion Protection Services
- Security Planning and Assistance
Thwart the Next Ransomware Attack.
Contact LA Networks to try one of our Free Offers:
- Cisco Firepower Threat Assessment
- Cisco Umbrella Evaluation
- LA Networks Lunch-n-Learn
- Cisco ISE Demo