Cyberthreats come in many forms and there is no one single solution to risk mitigation. Whilst a great focus is placed on device hardening – and rightly so – less is said about hardening the entire system including the infrastructure. With the help of David Harrison-Brown, Cybersecurity Champion at Tyco Security Products, Benchmark considers the need for network hardening.
When considering cybersecurity, many security installers and system integrators look first to end-points and edge devices when hardening a system. In many security applications the core of the system is located in a secure area and is only accessible by known and authorised individuals, although for applications with WAN connectivity it is increasingly also reachable by unauthorised individuals with on-line access. Edge devices, by contrast, have received less emphasis in recent years, and the growth in cyberattacks against individual devices, together with the media reporting of such attacks, has emphasised the need for device hardening.
Because edge devices are typically sited in insecure areas, they can be physically compromised. It is therefore important to take steps to prevent a security end-point becoming an access point to the network for a cybercriminal. Physical compromise is not the only concern: with so many edge products being targeted by hackers over the network, the cybersecurity of the devices themselves is also important.
Cybersecurity has to offer end-to-end protection, and therefore any solution will be at risk if only the end-points are protected. As important as device hardening is, without network hardening the system will still be vulnerable.
Think about the system
Network hardening can offer many benefits, even in terms of device hardening. For example, if an endpoint does not have built-in hardening features, external compensating controls such as network routers and firewalls can help to deliver enhanced protection. Network hardening is a recommended practice for systems of all sizes. It is an extensive topic, so it is only possible to cover a few important considerations here.
Creating trust zones and boundaries is an important part of network protection. It is good practice to group system components into network segments which share a common level of trust. For example, if a component is from a third party or serves a different function to the rest of the system, consider placing it in a separate trust zone. Each zone can then be assigned a level of trust that reflects the risk its devices present, and the controls applied to it can be chosen accordingly.
When data moves between different trust zones, it crosses a trust boundary. These boundaries are where security controls should be applied, based on the level of trust of each zone. In particular, they indicate where firewall placement is beneficial: it is wise to place a firewall at each trust boundary.
Firewall rules should be configured as ‘deny all’ by default. The installer or integrator then adds explicit permissions for each planned path and protocol that is required across a given trust boundary.
This is preferable to leaving default permissions in place and adjusting them as additional requirements emerge. If a path, protocol or process is not required, it should be denied.
When insecure protocols cannot be avoided, deep packet inspection (DPI) can help mitigate the risk. DPI is filtering that examines the payload of a packet as well as its headers, looking for defined characteristics such as protocol non-compliance, viruses, malware, etc. If the packet is clear it can pass the firewall; if it is suspicious it can be dropped or rerouted.
Firewalls with DPI support for the protocol in question can limit traffic based on message content. For example, a firewall could be configured to pass packets carrying read requests across a trust boundary while blocking packets carrying write requests.
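The deny-all default, explicit per-boundary permissions and content-based filtering described above can be expressed as a small policy model. The following is an added example written for this article, not code from Benchmark or from Tyco Security Products; the zone names, subnets, ports and the use of Modbus/TCP function codes to tell read requests from write requests are assumptions, chosen because Modbus is a common insecure protocol in building systems.

```python
"""Illustrative deny-by-default policy across trust zones, with a DPI hook.

Added example: this is not code from the original article, from Benchmark or
from Tyco Security Products.  The zone names, subnets, ports and the
Modbus/TCP read/write split are assumptions chosen to show the technique.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Trust zones: each subnet belongs to exactly one zone (assumed addressing plan).
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "cameras": ipaddress.ip_network("10.10.1.0/24"),     # edge devices, low trust
    "recorders": ipaddress.ip_network("10.10.2.0/24"),   # NVRs and access controllers
    "management": ipaddress.ip_network("10.10.3.0/24"),  # operator workstations
    "plant": ipaddress.ip_network("10.10.4.0/24"),       # third-party PLCs, lowest trust
}


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its trust zone; unknown addresses get no zone and never match."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


@dataclass
class Flow:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    payload: bytes = b""


@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    inspect: Optional[Callable[[bytes], bool]] = None   # DPI hook; None means no content check
    note: str = ""


# DPI hook for Modbus/TCP (port 502). MBAP header: transaction id (2 bytes),
# protocol id (2, must be 0), length (2, bytes that follow), unit id (1);
# the PDU follows and its first byte is the function code.
MODBUS_READ_FUNCS = {0x01, 0x02, 0x03, 0x04}    # read coils / inputs / registers
MODBUS_WRITE_FUNCS = {0x05, 0x06, 0x0F, 0x10}   # write coils / registers


def modbus_read_only(payload: bytes) -> bool:
    """Return True only for a well-formed Modbus/TCP frame carrying a read request."""
    if len(payload) < 8:
        return False                                  # truncated frame: fail closed
    proto_id = int.from_bytes(payload[2:4], "big")
    length = int.from_bytes(payload[4:6], "big")
    if proto_id != 0 or length != len(payload) - 6:
        return False                                  # not Modbus/TCP, or length mismatch
    return payload[7] in MODBUS_READ_FUNCS            # writes and unknown codes are dropped


# Explicit permissions for the planned paths only; anything else is denied.
RULES: List[Rule] = [
    Rule("management", "recorders", "tcp", 443, note="operator web client to NVR"),
    Rule("recorders", "cameras", "tcp", 554, note="NVR pulls RTSP video from cameras"),
    Rule("management", "plant", "tcp", 502, inspect=modbus_read_only, note="read-only Modbus polling"),
]


def decide(flow: Flow, rules: List[Rule] = RULES) -> str:
    """Evaluate one flow against the rule set; the default verdict is 'deny'."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "deny"
    if src_zone == dst_zone:
        return "allow"      # assumption: traffic inside one zone crosses no trust boundary
    for rule in rules:
        if (rule.src_zone, rule.dst_zone, rule.proto, rule.dport) == (src_zone, dst_zone, flow.proto, flow.dport):
            if rule.inspect is not None and not rule.inspect(flow.payload):
                return "deny"   # right path, but the content failed inspection
            return "allow"
    return "deny"


# Constructed sample frames: read holding registers (0x03) and write single register (0x06).
SAMPLE_READ_REQUEST = b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"
SAMPLE_WRITE_REQUEST = b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x01\x00\x05"

if __name__ == "__main__":
    for f in (
        Flow("10.10.3.5", "10.10.2.10", "tcp", 443),
        Flow("10.10.1.20", "10.10.3.5", "tcp", 443),
        Flow("10.10.3.5", "10.10.4.7", "tcp", 502, SAMPLE_READ_REQUEST),
        Flow("10.10.3.5", "10.10.4.7", "tcp", 502, SAMPLE_WRITE_REQUEST),
    ):
        print(f"{f.src} -> {f.dst}:{f.dport}/{f.proto}  {decide(f)}")
```

The point to notice is the order of decisions: an unknown address or an unplanned path is denied before any rule is consulted, and a rule with an inspection hook still denies the packet when the content check fails or the frame is malformed. A production firewall implements the same logic in its rule set, with the DPI step handled by a protocol-aware engine rather than hand-written parsing.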
Any form of remote access should be given careful consideration. Encrypted and authenticated communications should be used to ensure that only authorised devices can connect to the network, and that the data cannot be altered or viewed by a third party.
Virtual Private Network (VPN) routers are often used to provide protected remote access. Requiring multi-factor authentication for any user connecting remotely is a cyber security best practice, and one that is gaining popularity among IT managers. Installers and integrators should therefore select VPN routers with two-factor authentication support.
Staying on top of risks
Patching of all devices and services on the network should be a regular element of any ongoing security plan. Cybersecurity threats are very dynamic in nature. New threats and attack vectors are discovered daily and responsible manufacturers are dedicated to ensuring that any vulnerabilities are addressed as swiftly as possible.
It has to be accepted that a fully qualified product may have known vulnerabilities within days of leaving the factory. To ensure the most current patches and firmware are in place, deployed devices should, at the very minimum, have all available patches and updates installed at the beginning of the installation process, and again before hand-over to the customer.
During the hand-over process, it is important to provide the customer with a plan for keeping patches up-to-date across the whole system.
Back-up is another vital consideration when deploying a system. The ability to recover quickly from an incident and minimise downtime is crucial for any security system. A defined and robust back-up strategy and continuity plan, which ensures that good back-ups are available and are regularly tested, must also be considered part of the network hardening process.
It is also wise to carry out further hardening after the system is commissioned. Often, less restrictive configurations are used during the commissioning phase to facilitate rapid deployment. It is vital to reconfigure system components in accordance with project requirements and best practice before handing a system over to the customer for operational duty. This includes removing temporary wireless networks, remote connections, test accounts, etc.
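The post-commissioning clean-up can be checked mechanically before hand-over. The following added example, not code from the original article or from any vendor, audits a constructed configuration export for leftover commissioning artefacts of the kinds listed above; the JSON layout, field names and service list are assumptions standing in for a real recorder or controller export.

```python
"""Pre-handover hardening check over an exported device or site configuration.

Added example, not part of the original article and not tied to any vendor's
export format.  The JSON structure, field names and service list are
assumptions standing in for a real configuration export.
"""
import json
from typing import List

# Constructed sample export: what a system might look like at the end of commissioning.
SAMPLE_EXPORT = json.dumps({
    "accounts": [
        {"name": "admin", "role": "admin", "password_changed": True},
        {"name": "commissioning", "role": "admin", "password_changed": True, "temporary": True},
        {"name": "test1", "role": "operator", "password_changed": False},
    ],
    "wireless": [
        {"ssid": "SiteSetup-Temp", "security": "open", "enabled": True},
    ],
    "services": {
        "ssh": {"enabled": True, "allowed_from": ["0.0.0.0/0"]},
        "https": {"enabled": True, "allowed_from": ["10.10.3.0/24"]},
        "telnet": {"enabled": True, "allowed_from": ["0.0.0.0/0"]},
        "upnp": {"enabled": True},
    },
    "remote_support_tunnel": {"enabled": True, "expires": None},
})

# Cleartext or discovery services that should not survive hand-over (assumed list).
INSECURE_SERVICES = {"telnet", "ftp", "http", "upnp"}
ANYWHERE = "0.0.0.0/0"


def audit(export_json: str) -> List[str]:
    """Return the findings that must be cleared before hand-over; an empty list means clean."""
    cfg = json.loads(export_json)
    findings: List[str] = []

    # Test and commissioning accounts, and accounts still on their initial password.
    for acct in cfg.get("accounts", []):
        name = acct["name"]
        if acct.get("temporary") or name.lower().startswith("test"):
            findings.append(f"account '{name}' looks like a commissioning/test account: remove it")
        if not acct.get("password_changed", False):
            findings.append(f"account '{name}' still has its initial password: change it")

    # Temporary wireless networks, open ones in particular.
    for wlan in cfg.get("wireless", []):
        if wlan.get("enabled"):
            state = "open (unencrypted)" if wlan.get("security") == "open" else "still enabled"
            findings.append(f"wireless network '{wlan['ssid']}' is {state}: disable temporary Wi-Fi")

    # Insecure services, and any service reachable from anywhere rather than the management zone.
    for name, svc in cfg.get("services", {}).items():
        if not svc.get("enabled"):
            continue
        if name in INSECURE_SERVICES:
            findings.append(f"service '{name}' is enabled: disable insecure or unneeded service")
        if ANYWHERE in svc.get("allowed_from", []):
            findings.append(f"service '{name}' accepts connections from anywhere: restrict to management zone")

    # Remote connections left over from commissioning.
    tunnel = cfg.get("remote_support_tunnel", {})
    if tunnel.get("enabled") and not tunnel.get("expires"):
        findings.append("remote support tunnel is enabled with no expiry: remove or time-limit it")

    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print("-", finding)
```

Run against the sample export the audit reports nine findings; a hand-over should not proceed until the same check on the live export returns none.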
The recommendations in this article are by no means exhaustive or a guarantee that a system will not be compromised. They are commonly employed to reduce the cyber security risk for security systems. These critical systems are intended to protect the building, its occupants and assets. They must not enable the malicious behaviour they are trying to prevent.