In our previous entry on this topic, we dove into the world of endpoint device security. In many cases, malware and attacker entry points can be traced back to a compromised endpoint device. In this day and age, however, malware and malicious users are more resourceful than they were in years past, so all possible vectors must be identified and sufficiently protected.
When one mentions network devices, a vast range of items can come to mind: firewalls, routers, switches, wireless access points, network-attached storage, and so on. In a call center environment, telephony systems must be considered as well, because they are ultimately the lifeblood of the business.
Out of the box, none of these devices are immune to attack, whether from a snooping user, a malicious attacker, or malware. Many attacks can be avoided if security risks are analyzed and measured against the business need for a specific device or exception. For example, if a user demands an exception for a specific and temporary business need, that exception must be undone when the business need no longer applies. Attackers search for remotely accessible holes and ports that are vulnerable to exploitation. As vulnerabilities and entry points increase, so does the chance of an attack. Common examples of vulnerabilities include poorly configured mail servers, web servers, and file servers. If an attacker is able to gain access, your administrator is looking at a nightmare scenario: the attacker can view or alter sensitive organizational data, or attempt to disrupt business continuity.
Unlike PCs, laptops, and servers, many of these devices must be manually hardened by administrators based on the needs of the business. Rather than installing a slew of anti-malware tools, meticulous steps must be taken to minimize exposure to attacks by adjusting individual security controls. A few widely accepted best-practice measures are listed below:
- Allow access only to ports and protocols with specific and documented business needs.
- Disable or remove any services that are not needed or are redundant to pre-existing services.
- Keep all services, firmware, and operating systems up-to-date.
- Perform port scans on a regular basis against all devices to identify vulnerabilities before an attacker finds them.
- Periodically review and re-justify services needed for business use.
- Operate critical production services on separate hosts. These include, but are not limited to, DNS, e-mail, DHCP, file, database, and web services.
- Document all explicit exceptions with the information pertaining to the business reason for allowing the exception. Keep track of any changes to these exceptions.
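The four controls above that concern ports, regular scanning, re-justification, and documented exceptions can be tied together in one recurring check: compare what a scan says is actually listening against the documented baseline and the exception register, and flag anything that has no business justification or whose temporary justification has lapsed. The script below is an added illustration, not code from the original post; the hosts, ports, justifications, expiry dates, and the scan text are all constructed sample data (the scan lines imitate the shape of nmap's grepable `-oG` output, but they were written by hand for this example).

```python
"""Audit open ports against a documented service baseline and exception register.

All hosts, ports, reasons, dates and scan text below are constructed sample
data for illustration; none of it comes from a real network.
"""
import re
from datetime import date

# Hypothetical baseline: every open port must map to a documented business need.
BASELINE = {
    "10.0.0.5": {
        (22, "tcp"): "SSH admin access from jump host",
        (443, "tcp"): "HTTPS for customer web portal",
    },
    "10.0.0.9": {
        (53, "udp"): "Internal DNS",
        (53, "tcp"): "Internal DNS (zone transfers)",
    },
}

# Hypothetical exception register: temporary allowances that carry an expiry date.
EXCEPTIONS = [
    {"host": "10.0.0.5", "port": 8080, "proto": "tcp",
     "reason": "vendor load test", "expires": date(2024, 1, 31)},
    {"host": "10.0.0.9", "port": 3389, "proto": "tcp",
     "reason": "remote troubleshooting", "expires": date(2024, 6, 30)},
]

# Constructed scan output in the style of nmap's grepable (-oG) format.
SCAN_OUTPUT = """\
# Constructed sample scan, not real output
Host: 10.0.0.5 ()  Ports: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///, 23/open/tcp//telnet///  Ignored State: closed (996)
Host: 10.0.0.9 ()  Ports: 53/open/tcp//domain///, 53/open/udp//domain///, 3389/open/tcp//ms-wbt-server///
"""

# Date the audit is run on (constructed, so the expiry logic is deterministic).
AUDIT_DATE = date(2024, 3, 1)

# Matches "<port>/open/<proto>/" fragments; closed or filtered ports do not match.
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)/")


def parse_scan(text):
    """Return {host: {(port, proto), ...}} containing only open ports."""
    result = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comments, headers, or blank lines
        host = line.split()[1]
        ports = {(int(p), proto) for p, proto in PORT_RE.findall(line)}
        if ports:
            result[host] = ports
    return result


def audit(scan_text, baseline, exceptions, today):
    """Return a list of findings, one dict per port needing attention.

    issue values:
      undocumented       open port with no baseline entry and no exception
      expired_exception  open port whose temporary exception has lapsed
      not_listening      documented service that is no longer open (re-justify it)
    """
    open_ports = parse_scan(scan_text)
    exc_by_key = {(e["host"], e["port"], e["proto"]): e for e in exceptions}
    findings = []

    for host, ports in open_ports.items():
        documented = baseline.get(host, {})
        for port, proto in sorted(ports):
            if (port, proto) in documented:
                continue  # has a standing business justification
            exc = exc_by_key.get((host, port, proto))
            if exc is None:
                findings.append({"host": host, "port": port, "proto": proto,
                                 "issue": "undocumented"})
            elif exc["expires"] < today:
                findings.append({"host": host, "port": port, "proto": proto,
                                 "issue": "expired_exception",
                                 "reason": exc["reason"]})

    # A documented service that is not listening is a candidate for removal
    # from the baseline during the periodic re-justification review.
    for host, documented in baseline.items():
        for port, proto in documented:
            if (port, proto) not in open_ports.get(host, set()):
                findings.append({"host": host, "port": port, "proto": proto,
                                 "issue": "not_listening"})
    return findings


if __name__ == "__main__":
    for f in audit(SCAN_OUTPUT, BASELINE, EXCEPTIONS, AUDIT_DATE):
        extra = f" ({f['reason']})" if "reason" in f else ""
        print(f"{f['host']}:{f['port']}/{f['proto']} {f['issue']}{extra}")
```

Run on the sample data, the audit flags telnet on 10.0.0.5 as undocumented and the 8080 vendor exception as expired, while the 3389 exception on 10.0.0.9 passes only because its expiry date has not yet arrived; rerun the same check after 30 June 2024 and it is flagged too. In practice the baseline and exception register would be stored alongside the change records the last bullet calls for, and the scan text would come from the regularly scheduled scan rather than a string literal.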
Of course, there are many, many additional steps that should be taken to harden your devices. The necessary actions can vary greatly from device to device, but the concept is the same regardless of brand, model, and operating system. If you’re a Microsoft shop, there are Best Practices Analyzers available that can be used to scan your systems to help configure your services using guidelines as defined by experts. Other trusted resources should be used to make sure that all bases are covered.
Unfortunately, it is impossible to completely protect a heterogeneous device environment without actually taking your devices off of the network. However, if you stay abreast of security trends and best practices and configure your devices accordingly, your administrator can sleep peacefully.