Businesses operating across multiple locations, such as those with branches and pop-up shops, are facing extensive challenges in maintaining network security and are at a particularly high risk of suffering data breaches. The threats are very real and according to Gartner, by 2016 thirty percent of advanced targeted threats will specifically target distributed locations as the entry point.
A range of factors contribute to security weaknesses in distributed networks, but they can be heightened by issues such as limited onsite IT support, lack of employee security awareness, and the dangers associated with third parties and customers accessing the network. The highly vulnerable ‘Network’s Edge’ must also be carefully protected against threats and malicious attacks as this is often viewed as a soft target.
Strategies for a safer network
Ensuring device visibility is the key to any security strategy. With many new devices joining enterprise networks, visibility into mobile networks is becoming critical. Network administrators need the ability to identify, track, and categorise all devices accessing the network. Device visibility provides IT with real-time inventory and security intelligence for active remediation while allowing users to seamlessly connect to the network without disruptions or changes in end-user experience.
A disciplined approach to security at the Network’s Edge can play a major role - regular audits should be conducted to maintain up-to-date and accurate network topologies (logical and physical). Use a common set of security controls for policy management, and institute governance, risk, and compliance security best practices. Strong collaboration and communication across teams within the IT organisation is also key to creating a reliable and uniform approach.
These human factors are very important - it is imperative for enterprises to teach and enforce employee security protocols. In particular, employees should be trained to recognise and report phishing emails – they should be able to spot the common signs of suspicious communication, such as encouragement to click on links, especially examples that are unfamiliar or do not match the supposed source’s web address. Urgent requests to provide information, call a phone number, or download attachments are also a danger sign, along with bad spelling or unusual grammar.
Beyond organisational and strategic efforts to improve security, specific policies, such as controlling entry points to routers and correctly configuring network firewalls, are vital steps in minimising the risks of a security breach.
With the explosion of ‘Bring Your Own Device’ (BYOD) and mobility, there are more network access points than ever before. Organisations should also create segmented safety zones and implement Parallel Networking to deliver extra layers of security.
Network segmentation allows for the partitioning of the network into “security zones,” or segments separated by firewalls. Properly configured segments separate applications and prevent access to sensitive data. A Point-of-Sale system, for example, should operate on a segment separate from third party applications, employee email, or public WiFi.
This limits the ability of attackers to pivot from one application to another, and allows network administrators to manage the quality of service (QoS) on specific segments, prioritising bandwidth usage for mission-critical applications.
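An added example, not part of the original article: a short Python audit of inter-segment allow rules that reports any chain of permitted flows leading from a less-trusted zone into the Point-of-Sale segment. The zone names and the rule list are constructed for illustration.

```python
from collections import deque

# Constructed sample policy: each tuple is an allowed (source zone, destination
# zone) flow through the inter-segment firewall. Zone names are assumptions.
ALLOWED_FLOWS = [
    ("employee", "internet"),
    ("guest_wifi", "internet"),
    ("third_party", "internet"),
    ("pos", "payment_gateway"),
    ("employee", "third_party"),   # staff use a vendor application
    ("third_party", "pos"),        # misconfiguration: vendor app can reach POS
]

UNTRUSTED = {"guest_wifi", "employee", "third_party"}
PROTECTED = "pos"


def pivot_paths(flows, untrusted, protected):
    """Return {zone: path} for every untrusted zone that can reach `protected`,
    directly or by hopping through intermediate zones."""
    graph = {}
    for src, dst in flows:
        graph.setdefault(src, set()).add(dst)

    findings = {}
    for start in sorted(untrusted):
        # Breadth-first search yields the shortest chain of allowed flows.
        queue = deque([[start]])
        seen = {start}
        while queue:
            path = queue.popleft()
            if path[-1] == protected:
                findings[start] = path
                break
            for nxt in sorted(graph.get(path[-1], ())):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(path + [nxt])
    return findings


if __name__ == "__main__":
    for zone, path in pivot_paths(ALLOWED_FLOWS, UNTRUSTED, PROTECTED).items():
        print(f"{zone}: " + " -> ".join(path))
```

The employee zone has no direct rule into the POS segment, yet it is still flagged because its allowed flow to the third-party zone chains into the misconfigured rule; auditing only direct rules would miss it.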
In contrast to segmenting a single network, creating multiple Parallel Networks is a relatively simple solution. Separate applications are assigned completely separate networks, or “air-gapped.” This physical separation of data further prohibits attackers from using a compromised device to pivot to other servers and networks, including those that hold sensitive data.
Based on information collected by Verizon, a global network carrier, for the 2015 Data Breach Investigations Report, twenty-three percent of recipients now open phishing messages and eleven percent click on attachments. This allows attackers onto the network, where they can set up camp and continue working to find vulnerabilities. Because of this, enterprises should consider hosting customer WiFi, employee devices, and Point-of-Sale systems on their own respective networks.
By Kent Woodruff, Chief Security Officer, Cradlepoint