Thursday, February 6, 2014

Protect the edges of your network

No doubt you know about the data breach at Target over the Christmas holiday shopping season. Hackers extracted 40 million credit card and debit card details from the retailer during the busiest shopping season. I believe this will become a watershed in credit card security, and may even lead the U.S. payment card industry to adopt the more secure chip-and-PIN system used throughout Europe.

But the Target data breach also underscores another important fact for security: you need to protect the edges of your network. We used to think of web servers and similar systems as being "edge-y," but today the "edge" includes any system that IT doesn't directly control. And according to today's article in The Blaze, your BACnet can be a hacker's gateway. The Blaze reports that hackers used the HVAC building control as the entry point to Target's network.

IT shops put standards in place for server management. For example, servers that IT controls must have passwords changed every 3 months, and passwords must be at least x characters long and have different character types. Servers must have firewalls, external logging, separation of authority, and automated notification. This helps to provide a high level of security for the systems IT controls.

That's the key: "for the systems IT controls." But what about the systems IT doesn't control?

In this case, the account controlling the building automation and control network (specifically, HVAC) was stolen, allowing the hackers onto Target's internal corporate network. From the article:
Fazio Mechanical Services, a Sharpsburg, Penn.-based provider of refrigeration and HVAC systems, was given access to a Target database so the company could remotely login and perform efficiency updates. After stealing one Fazio worker’s credentials, the hackers used this digital pathway to insert the destructive malware, reported security blogger Brian Krebs.

IT needs to take heed of this data breach, and learn from Target's attack. I see two important steps that IT should already be doing:

1. Separate your networks
Your sensitive network should only be for systems you control. If you need to add a third-party system that's outside your control, put it on a separate network within the corporate network. Consider a non-routable (private) address range, such as 192.168.x.x, so that the outside world cannot reach your third-party systems directly. (Actually, any system that doesn't need to talk directly to external systems should be on a non-routable network.)

2. Implement restricted trust
Too often, administrators use "wildcards" to specify who can access a particular machine. For a server in the "example.edu" network, administrators might allow anyone within the "*.admin.example.edu" domain to connect to the central servers. In fact, you should allow only specific IP addresses. Ideally, administrators should allow access to the central systems only through a "gateway" system with a non-routable IP address. This gateway should be well-controlled and monitored.

3. Use two-factor security
While not a panacea, two-factor security is a significant step above "simple" passwords and passphrases. A two-factor system simply implies "something you have and something you know." For example, you know a passphrase. Combine that with a security fob where you must press a button, and the fob displays a code that can only be used one time; that's two-factor security. Outside hackers cannot get access to the system unless they have both the passphrase and the security fob.
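As an added example (not code from the post), a small Python check that puts steps 1 and 2 side by side: it flags whether a connection's source address sits on a private RFC 1918 range, and compares the "*.admin.example.edu" wildcard rule with an explicit allowlist holding only the monitored gateway. The gateway address 192.168.10.5, the other addresses, and the hostnames are all constructed for the example.

```python
import ipaddress
from fnmatch import fnmatch

# Private (RFC 1918) ranges: hosts here are not reachable from the Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The same "who may reach the central server" policy, written two ways.
WILDCARD_RULE = "*.admin.example.edu"                        # name-based wildcard (too broad)
GATEWAY_ALLOWLIST = [ipaddress.ip_network("192.168.10.5/32")]  # constructed: one monitored gateway

# Constructed connection attempts: (source address, name DNS reports for it).
ATTEMPTS = [
    ("192.168.10.5", "gw.admin.example.edu"),       # the controlled gateway
    ("192.168.20.7", "hvac01.admin.example.edu"),   # vendor-managed HVAC controller, own segment
    ("203.0.113.9", "laptop.admin.example.edu"),    # Internet host that carries a matching name
]


def on_private_range(ip: str) -> bool:
    """Step 1 check: True if the address is in an RFC 1918 range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def allowed_by_wildcard(hostname: str) -> bool:
    """Name-based rule: admits any source whose DNS name fits the pattern."""
    return fnmatch(hostname.lower(), WILDCARD_RULE)


def allowed_by_allowlist(ip: str) -> bool:
    """Step 2 rule: only the listed gateway address may connect."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in GATEWAY_ALLOWLIST)


def evaluate(attempts=ATTEMPTS):
    """Apply both rules to each attempt; returns one dict per attempt."""
    return [
        {"ip": ip, "host": host,
         "private": on_private_range(ip),
         "wildcard_allows": allowed_by_wildcard(host),
         "allowlist_allows": allowed_by_allowlist(ip)}
        for ip, host in attempts
    ]


if __name__ == "__main__":
    for row in evaluate():
        print(row)
```

The wildcard admits all three sources, including the vendor-managed controller and the outside host, while the allowlist admits only the gateway.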
