In September, a critical bug in the open source Bourne-Again Shell (BASH) that’s ubiquitous in Unix-based systems, including Linux and Mac OS X, displaced Heartbleed as the top network security threat. Called Shellshock, the bug allows hackers to insert code into the shell and hijack an operating system through the internet. From there, they can access sensitive information—unless a strong defense is in place.
The major operating system vendors have issued patches, but they barely begin to solve the problem. In today’s Internet of Things environment, the risk extends to pretty much any embedded system – and patches for all those devices will need to be released by each manufacturer and could take months to get to users, if they are developed at all. In the meantime, hackers have jumped into action to take advantage of the bug while they can.
So install the patches as they come out, but don’t count on them to protect your system: even the first round of OS patches had significant vulnerabilities. In today’s environment, where vulnerabilities such as Shellshock and Heartbleed are popping up like mushrooms (not to mention zero-day vulnerabilities we may not be aware of), it is far more effective to contain attacks than to try to prevent them completely. This means keeping sensitive information behind firewalls and out of the hands of hackers—i.e. network segmentation.
Good network segmentation makes it difficult for an attacker to move from the point of compromise, whether it’s that smart thermostat or a point of sale terminal, through to the treasure trove of passwords and black market valuables, like credit card numbers or personal identifiers. It’s not quick or easy to set up network segmentation, but it’s a strong defense and worth the effort.
Here are a few practical steps to get you started with network segmentation:
Now comes the tricky part. As you continue to implement segments, you’ll likely need to make changes to the security policies of the ones already established so that they work with new applications or respond better to new business imperatives. To keep those changes from unraveling all your work to date or causing inadvertent outages, you’ll need automated controls that give you good visibility across your network, help you manage the hundreds of security rules you’ll have in place by the end of the segmentation process, and alert you when a change to one rule conflicts with another. Don’t try to do this manually; it just won’t work.
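To make the rule-conflict point concrete, here is a small added example (not code from the original post or from any product) of the kind of check an automated control runs before a policy change goes live: under first-match semantics, it flags a rule that an earlier rule with the opposite action already fully covers, so a new “allow” silently does nothing (an outage) or a misplaced broad “allow” silently disables a segmentation “deny”. The segment addresses and rule names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "allow" or "deny"
    src: str             # source CIDR
    dst: str             # destination CIDR
    ports: tuple         # (low, high) inclusive destination port range


def covers(outer: Rule, inner: Rule) -> bool:
    """True when `outer` matches every packet that `inner` matches."""
    return (ip_network(outer.src).supernet_of(ip_network(inner.src))
            and ip_network(outer.dst).supernet_of(ip_network(inner.dst))
            and outer.ports[0] <= inner.ports[0]
            and outer.ports[1] >= inner.ports[1])


def find_conflicts(rules):
    """First-match evaluation: a rule is shadowed (and never fires) when an
    earlier rule with the opposite action covers all of its traffic.
    Returns (shadowing_rule, shadowed_rule) name pairs."""
    conflicts = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.action != later.action and covers(earlier, later):
                conflicts.append((earlier.name, later.name))
                break
    return conflicts


def check_change(policy, new_rule, position):
    """Dry-run inserting `new_rule` at `position`; report only the
    conflicts the change would introduce, not pre-existing ones."""
    before = set(find_conflicts(policy))
    trial = policy[:position] + [new_rule] + policy[position:]
    return [c for c in find_conflicts(trial) if c not in before]


# Constructed sample policy: hypothetical POS, IoT and cardholder-data segments.
POLICY = [
    Rule("pos-to-payment-gw", "allow", "10.20.0.0/16", "10.50.0.10/32", (443, 443)),
    Rule("iot-deny-cde", "deny", "10.30.0.0/16", "10.50.0.0/24", (1, 65535)),
    # Added later for a "new application": fully shadowed by the deny above.
    Rule("new-app-change", "allow", "10.30.5.0/24", "10.50.0.20/32", (8443, 8443)),
]

# A proposed broad allow placed first would quietly disable the IoT deny.
BROAD_ALLOW = Rule("broad-allow", "allow", "10.0.0.0/8", "10.50.0.0/24", (1, 65535))
```

Running `find_conflicts(POLICY)` reports that `iot-deny-cde` shadows `new-app-change`, and `check_change(POLICY, BROAD_ALLOW, 0)` reports that the proposed rule would shadow `iot-deny-cde`; both are exactly the changes a manual review of hundreds of rules tends to miss.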
Network segmentation is a significant undertaking and it’s not something that just hums along in the background after it’s technically finished. Even with an automated solution, maintaining proper segmentation requires a significant ongoing management commitment, but it just may keep your organization from being bashed.