As our world has become ever more connected, we’ve all learned common online safety tips. It’s now second nature to use strong passwords and antivirus software; take care when connecting to public Wi-Fi; and remain alert to social engineering scams (e.g., phishing).
Don’t get me wrong. It’s good advice—all to be heeded—but enterprises have additional security requirements. Tackling cybersecurity issues requires commitment at the highest level of an organization; and these risks need to be mitigated by smarter, more strategic network architectures and operations. While this can become complicated, I’d like to suggest eight immediate actions executives can take to help reduce the risk of cyber attacks.
At a strategic level:
Get cyber literate. Do you know what an SQL injection is? Fuzzing? Diversionary DDoS? You should. Adversaries are using technology and disruptive innovation in ways that are outpacing defenders; understanding the tools, techniques, and procedures (TTP) they use helps us model the threat in the context of outcomes and risk, so we can better understand the issues we’re facing. As a reference, have a look at our study with the RAND Institute on the breadth and depth of the current hacker economy.
Identify your most valuable assets. Hackers aren’t just after credit cards. They want your intellectual property, customer contracts, employee personal data, strategy, design, and financial documents—everything is ripe for the taking. Where do these assets reside? How are they accessed, and by whom? Which assets are most valuable and most vulnerable? You need a clear understanding of the legal and brand-reputation risks if any of these are breached, and you need to be ready to make appropriate decisions on security protection.
Establish an enterprise-wide risk management framework. A solid governance structure—encompassing regular reviews, clear oversight, and technical safeguards that the entire board understands—needs to be in place to help mitigate risks. This isn’t a case of if you are hacked; it’s a case of when. In this instance, a little paranoia will go a long way. So establish a robust cyber-attack response and crisis communication plan as part of your risk management agenda.
Enlist your people. One of the greatest resources you have is your employee base. In fact, many incidents target your employees. Social engineering is a foundational element of many attackers’ toolboxes. To combat this, you can influence the operational processes your employees follow. Start by creating a cyber-literate culture through ongoing training programs. This must be viewed as a multi-disciplinary effort cutting horizontally across the company, avoiding the siloed, stovepipe-structured approach of the past. If you think this is solely an IT issue, your company will remain at risk.
Adopt new security technology. Digital technology has become the fabric of our world, and it will take highly sophisticated, deeply technical, and adaptive systems to detect and defend against ongoing cyber attacks. Adoption of new security technologies must focus on what will provide the greatest return on investment in terms of reducing risk holistically. And make no mistake: this is very complicated stuff. So you need to partner with the best technology companies to create the right solution to defend your assets.
At a more tactical level:
Separate use of NIS and Active Directory. Active Directory (AD) is a Microsoft Windows-based directory service, whereas Network Information System (NIS) is a UNIX-based directory service for user and resource management. While AD is the more popular and proven technology, it can result in catastrophe over time if it is not implemented securely. For this reason, AD has seen its fair share of compromises. During the 2013 Target data breach, attackers exploited an AD weakness to gain access to the retailer’s core network using a third-party HVAC vendor’s credentials. The infamous 2014 Sony hack, too, likely involved an AD compromise.
Like many companies, Juniper once linked its NIS- and AD-based systems in order to facilitate employee access to engineering systems. However, we separated the two because NIS has a weaker password-store mechanism that’s susceptible to hacker exploits. The project entailed stopping synchronization of AD passwords to NIS and forcing users to choose different passwords for the AD and NIS environments.
Over the course of the project, we learned the importance of isolating environments to contain exposure. Our long-term strategy is to eliminate dependency on the NIS environment and use AD as the single source of identity truth. In an effort to further enhance the AD security posture, we plan to perform annual AD security audits and remediate the audit findings. We also continue to explore emerging technologies for anomaly detection in user authentication, authorization, and access.
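The weaker NIS password store referred to above comes from the traditional passwd map, which carries each account’s password hash and is served to every host in the NIS domain. The following is an added example (not Juniper’s code) of how a defender might audit a dump of their own passwd map for exposed or legacy hashes before and after a separation project like the one described; the map contents and the severity labels are constructed for illustration.

```python
import re

# Constructed sample of a NIS passwd map as a client would receive it.
# Not data from any real environment; hash values are placeholders.
SAMPLE_MAP = """\
alice:$6$saltsalt$notarealhashvalue:1001:100:Alice:/home/alice:/bin/bash
bob:ab1Cd2Ef3Gh4I:1002:100:Bob:/home/bob:/bin/sh
carol:$1$abcdefgh$notarealmd5crypt:1003:100:Carol:/home/carol:/bin/bash
svc_build::1004:100:Build service:/home/svc_build:/bin/sh
dave:x:1005:100:Dave:/home/dave:/bin/bash
"""

# Traditional DES crypt(3): exactly 13 characters from the crypt alphabet.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_password_field(field):
    """Return (severity, reason) for one passwd-map password field."""
    if field in ("x", "*") or field.startswith("!"):
        return ("ok", "shadowed or locked; no hash exposed in the map")
    if field == "":
        return ("critical", "empty password field: login without a password")
    if DES_CRYPT.match(field):
        return ("high", "legacy DES crypt hash exposed (8-char limit, fast to crack)")
    if field.startswith("$1$"):
        return ("high", "MD5-crypt hash exposed (deprecated algorithm)")
    if field.startswith(("$5$", "$6$")):
        return ("medium", "SHA-crypt hash exposed to every NIS client")
    return ("medium", "unrecognised hash format exposed in the map")


def audit_passwd_map(text):
    """Parse passwd-map lines and return (user, severity, reason) findings."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:  # name:passwd:uid:gid:gecos:home:shell
            findings.append((fields[0], "medium", "malformed entry"))
            continue
        severity, reason = classify_password_field(fields[1])
        if severity != "ok":
            findings.append((fields[0], severity, reason))
    return findings


if __name__ == "__main__":
    for user, severity, reason in audit_passwd_map(SAMPLE_MAP):
        print(f"{severity:8} {user:10} {reason}")
```

Any account whose hash still appears in the map remains exposed to every NIS client regardless of algorithm, which is why the text above treats removing the AD-to-NIS password synchronization, rather than merely upgrading hash formats, as the real fix.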
Segment your network. Segmentation increases survivability. Think about a submarine composed of watertight compartments. If the hull is damaged, the crew can close bulkhead doors to contain the water ingress. The same can be done with your network. While no solution is perfect and attacks are going to happen, if you implement robust network segmentation, you’ll be better able to isolate, contain, and stymie a cyber invasion. At Juniper, we rely on our own next-gen SRX firewall to keep the business afloat and secure against cross-compartmental contamination or infiltration.
Secure privileged accounts. Privileged account users, often network and application administrators, have unique access to everything in a company network. Hardware, software, data. You name it. Once privileged accounts are compromised, a hacker—who can be an external attacker or a malicious insider—can infiltrate every corner of your corporation. Stop them before they start by setting up control and accountability of privileged users. At Juniper, we’ve implemented tools and techniques to lock down those accounts. While it can be a temporary inconvenience for the user, it’s a lifesaver when it comes to protecting company assets.