Network security practitioners often look to solve technical problems with technical solutions: “The engineers got us into this mess; they can get us out of it.”
I know what you’re about to say: “It took all of us to get into this mess, and don’t underestimate the importance of physical and administrative controls!” OK, I agree. But, maybe they’re still right. Taking everything into account, perhaps technical controls are the most effective path forward.
There are good reasons to conclude they are. After all, on the policy front things look grim. Consumers have proven unwilling or unable to demand or implement security, yet they eagerly adopt the latest products and services that are sold “as is, and without warranty of any kind.” The results are predictable. Consider botnets, and the 760 million computer infections recorded last year alone. And then there’s the scourge of phishing. Once a malicious email makes it to an inbox, 23 percent of users will open it, and 11 percent will click on the attachment.
Fortunately, there are ways to minimize information security risks by relying more upon technology and less upon end-users. Within the NIST Framework’s Protect function, under the category labeled “Protective Technology,” you will find best practices for ensuring that technical security solutions are managed correctly. Organizations are encouraged to focus their attention on these four areas:
• Reduce the Attack Surface. Following the principle of least functionality, configure systems to provide only essential capabilities, restrict certain “functions, ports, protocols, and/or services,” and limit component functionality to a single function (by way of example, having separate email and web servers). Convergence is not security’s friend.
• Focus on Communications and Control. At the technical level, companies should consider restricting external connections and interfaces to, from, and between specific machines; disabling wireless access; preventing the remote execution of privileged commands; continuously monitoring endpoints to detect, and respond to, indicators of attack; identifying and preventing the transfer of sensitive information through sophisticated data loss prevention and protection solutions; and establishing alternate telecommunications channels for business continuity.
• Leverage Big Data. There seemingly is no end to the amount of event logs that now can be captured, stored, analyzed, correlated, shared and turned into action when next-generation cloud technologies are combined with user-defined response rules. This allows mere mortals to focus more time on governance, risk and compliance, and less time on traditional forensic and audit activities.
• Constrain Removable Media. External devices pose unique challenges, but technologies exist that can be used to log their use, control access to the data stored on them, and enforce encryption requirements. On the network side, administrators can disable autorun and autoplay options, and block USB ports from working altogether.
Of course, technical controls – like all other solutions – require the right people and processes to support them. With those in place, dramatic improvements to security can be achieved by locking-down certain functions, isolating specific systems, and taking advantage of today’s improved automated collection, analysis and response technologies.