Operations
12/22/2016
10:30 AM
Jon Kim
Commentary
Network Security: An Ounce Of Prevention Is Worth A Pound Of Reaction

For human ailments, prevention might begin with an allergist. In security, it's the network engineer.

Imagine you're at a seafood restaurant. One look at the menu, and you know exactly what you want: lobster. Your food arrives, you clean your plate, and then proceed to pull out your EpiPen because you also happen to have a life-threatening shellfish allergy.

Sound improbable? Let's hope so. Chances are, you'd bypass the lobster in favor of the significantly less lethal cod. Preventing damage, after all, is almost always better than reacting to it. Sure, you still need the EpiPen. After all, no matter how diligently you avoid it, sometimes shellfish happens. Just don't invite it to the table.

Now, think of your network — including how you protect it.

Much like an EpiPen for food allergies, you need security capabilities for remediating attacks. But once a breach occurs, your ability to mitigate damage is limited by how quickly you detect and respond to it. Just ask Sony, which experienced one of the most massive breaches of the 21st century, costing an estimated $35 million.

Truly securing our networks requires practicing preventive medicine. That means diagnosing potential vulnerabilities and integrating pre-emptive measures into our IT infrastructure. Reactive measures alone won't suffice.

For humans, prevention might begin with an allergist. In security, it's the network engineer. No one is better positioned to assess network health risks or to determine the best configurations to prevent attacks. But first, we need to shift our perceptions about engineers' roles in security from the start.

Prevention as a Cyberthreat Cure
While network engineers do care about security, it's not their primary focus. Their understanding of security usually comes from colleagues who specialize in it, so they might be unaware of how network designs and configurations themselves affect security.

A network engineer's work is judged by the network's functionality, performance, and reliability. Consequently, security measures are often implemented after deployment — with firewalls or VPNs, for instance — instead of earlier, when prevention matters most.

Education Is Critical
I recently interviewed multiple enterprise networking candidates, some of them holding the Cisco Certified Internetwork Expert certification. Unsurprisingly, their concept of security was limited to intrusion detection or event logs. I've yet to hear a candidate mention making actual infrastructure enhancements to secure a router or switch environment.

If we want to create networks with intrinsic self-protections, we should begin with how we educate network engineers. At many universities, network engineering programs focus on logic, infrastructure, architecture, and visualization. When addressing security, however, curricula are often vague or focused on topics such as intrusion detection and firewalls. And, of course, traditional technologies still matter. But let's also teach how even the simplest capabilities, such as network segmentation (or micro-segmentation), can address threats.

At the same time, we can't simply wait on a new generation of security-minded network engineers to graduate. Those of us already in the field need to change our own perceptions of and approaches to security as well.  

Empowerment
For network engineers, the traditional focus on designing, building, and maintaining networks creates a silo — one unoccupied by security. Unfortunately, this disempowers engineers from playing meaningful roles in their organizations' security strategies. 

It's time for network engineers to abandon convention and believe that network security begins with them — particularly their network designs. 

Think about segmentation technology. It's not a traditional security tool; it's a network tool — one that, used properly, has significant security impact. Without segmentation, for instance, an attacker could easily breach a pharmaceutical company's payroll department and subsequently access the lucrative research and development department. In a well-segmented network, however, the same attacker couldn't access R&D from payroll, because those two traffic streams are isolated from one another.
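As an added example (not from the article), a small Python model of the payroll/R&D point above: a first-match ACL evaluator and a segment-to-segment reachability matrix, using constructed sample addressing and rules. It shows that with no filter between segments payroll can reach R&D, while a segmented policy that only permits each department to reach the DMZ blocks that path.

```python
# Added example (not from the article); addressing and rules are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None matches any destination port

SEGMENTS = {                     # constructed sample addressing
    "payroll": ipaddress.ip_network("10.10.0.0/24"),
    "rnd": ipaddress.ip_network("10.20.0.0/24"),
    "dmz": ipaddress.ip_network("10.30.0.0/24"),
}
ANY = ipaddress.ip_network("0.0.0.0/0")

# Flat network: no ACL between segments, so the routed core forwards everything.
FLAT_ACL = []

# Segmented network: each department reaches only the DMZ, and only over HTTPS;
# the final deny-any makes the router's implicit deny explicit.
SEGMENTED_ACL = [
    Rule("permit", SEGMENTS["payroll"], SEGMENTS["dmz"], 443),
    Rule("permit", SEGMENTS["rnd"], SEGMENTS["dmz"], 443),
    Rule("deny", ANY, ANY),
]

def allowed(acl, src_ip, dst_ip, dport):
    """First matching rule wins, as on a router ACL; an empty ACL means no
    filter is applied, so the packet is forwarded."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in acl:
        if src in r.src and dst in r.dst and r.dport in (None, dport):
            return r.action == "permit"
    return True

def reachability(acl, dport):
    """Segment-pair matrix for `dport`, probing from each segment's first host."""
    matrix = {}
    for a, net_a in SEGMENTS.items():
        for b, net_b in SEGMENTS.items():
            if a != b:
                matrix[(a, b)] = allowed(acl, str(net_a[1]), str(net_b[1]), dport)
    return matrix
if __name__ == "__main__":
    for (a, b), ok in reachability(SEGMENTED_ACL, 22).items():
        print(f"{a:>8} -> {b:<8} {'reachable' if ok else 'blocked'}")
```

Running the matrix against the current ACLs is a quick way for a networking team to confirm that a segmentation design actually isolates the segments it claims to.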

Planning
Most IT leaders want to avoid introducing too much new technology at once. Eventually the organization tires of it — even solutions designed to protect your system. 

But improving your security posture doesn't always mean large investments of money, time, or resources. Instead of buying new technology to fix old problems, we should utilize our existing capabilities. 

Often, better security is achievable through comparatively simple network tweaks and changes, such as refreshing switches and routers. If your system runs on Oracle, for example, invite networking team members to discuss what they can do to improve basic security hardening — no shiny new security tools needed.

Doing this effectively requires bringing your networking team into security discussions from the start. Early participation allows network engineers to understand their contributions to your security strategy, and to play an active role in its success.

Sustainable, Preemptive Security
Sometimes, no matter how aggressively you respond to a breach, the damage is done. Perhaps Bill Gates said it best: "Treatment without prevention is simply unsustainable."

Ideally, your network should offer its own best defense — a goal that begins with prevention and is made possible by your network engineers. They not only know your network better than anyone, but with the right support, education, and planning, they can play a first-line role in securely configuring it. Ultimately, your engineers should play a crucial role in your organization's overall security posture by heading off threats from the start.

Jon Kim is the Director of NextGen Networking at Force 3. In this role, Jon is responsible for providing unique expertise to help clients build effective, long-term IT strategies around software-defined networking (SDN) platforms and emerging technologies. He has more than ...
Comments
ClarenceR927
User Rank: Strategist
1/6/2017 | 10:15:51 AM
Detection is a must
Yes, please do take every measure possible to prevent an event but, rest assured, if someone wants you they will have you. Having consulted at Fortune 50 companies and government agencies, I can assure you that the attackers have more ways in than you have safeguards.

Prevention is important but detection is a MUST. Stop thinking you can be 100% safe 100% of the time and start planning for how you will recover. Spend time, money and brainpower on how you will find an attack as quickly as possible.
chakhloo
User Rank: Apprentice
12/26/2016 | 3:45:49 PM
microsoftofficesupport.org
Thanks. This is a nice post regarding network security. It is one of the most important things to keep our data safe from hackers.

Regards.
