Multi-Level Approach to Enterprise Security

This project proposal outlines a multi-level security enhancement strategy for ACME Company, crafted by Gage Olson at Southern New Hampshire University for CYB 420: Enterprise Security. It emphasizes a proactive approach through a detailed threat assessment and a robust, multi-layered security framework focusing on people, process, and technology risk domains. The proposal includes specific vulnerabilities within each domain and corresponding controls to mitigate these risks, aimed at strengthening the company's security posture as it prepares to secure federal government contracts. The document leverages adversarial thinking and systems theory to preemptively address potential security threats, thereby enhancing the overall resilience of the company's infrastructure.

Gage Olson

6/5/2024

Introduction

Allow me to introduce myself. I am Gage Olson, a seasoned security analyst at ACME Company. As we prepare to enter a new market, our goal is to secure contracts with the federal government over the next seven years. A change in infrastructure is needed to build external confidence in our security posture. By conducting assessments now, leadership can plan for future compliance requirements and budget for the new technology and processes that may need to be introduced, guided by my extensive experience in this field.

ACME Company is actively pursuing a multi-layered approach to security. This approach, designed around the three risk domains of people, process, and technology, will strengthen our security posture. Rather than waiting for vulnerabilities to be exploited, we apply systems thinking to identify and address weaknesses within each of the three domains, and we adopt an adversarial mindset while assessing them. The aim is to keep our security measures ahead of the threats we are likely to face.

Threat Assessment

The National Institute of Standards and Technology (NIST) defines a threat assessment as the process of formally evaluating the degree of threat to an information system or enterprise and describing the nature of that threat. A thorough threat assessment is the starting point for identifying and mitigating vulnerabilities in ACME Company's infrastructure and keeping a secure environment for our operations.

People

The first vulnerability I observed within the people risk domain was the lack of physical security in the IT closets. The doors to these closets have no locks, leaving the equipment accessible to unauthorized personnel and exposed to theft or tampering. Damaged or stolen equipment can cause significant disruption, affecting availability and integrity. The second vulnerability I observed was remote employees connecting to office servers from unsecured networks. On an unsecured connection an attacker can intercept traffic, read sensitive information, or inject malicious data into the session. If remote connections are not adequately protected, the company is exposed to data breaches, affecting confidentiality and integrity.

Process

The first vulnerability I observed within the process risk domain was insufficient access controls between departments. Without granular access controls, employees or attackers can reach data they have no business need for, leading to data breaches or insider misuse that affect confidentiality and integrity. The second vulnerability I observed within the process risk domain was the lack of network segmentation. On a flat network, an attacker who gains access to one host can move laterally across the entire network, and malware can spread unimpeded, disrupting services and corrupting data across every department. The result is widespread damage to availability and integrity, significant operational issues, and potential data loss.

Technology

The first vulnerability I observed within the technology risk domain was a single point of failure in the network infrastructure. The main switch is the central connection point for all other switches and hubs, and the site has a single ISP connection; if either the main switch or the ISP link fails, the entire network goes down. The second vulnerability I observed within the technology risk domain was the absence of an Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) to monitor for and block malicious activity across the network.

Adversarial Mindset

Adopting an 'adversarial mindset' is a crucial aspect of our security analysis at ACME Company. This mindset involves understanding hackers' potential capabilities and anticipating their tactics. By putting ourselves in the attacker's shoes, we can identify potential exploits and anticipate their methods of breaching our defenses. This approach allows us to understand vulnerabilities from an adversarial perspective, enabling us to implement targeted security controls that effectively counteract these threats and enhance our overall security posture.

People

When assessing the risk domain of people, you must consider how an attacker might exploit human behavior or physical security weaknesses. For example, the lack of locks on the IT closets makes critical equipment susceptible to unauthorized access, tampering, or even theft. An attacker could potentially gain unauthorized access to an unsecured IT closet, install a rogue device, such as a keylogger or network tap, and capture sensitive data without being noticed. An attacker could also target remote employees who connect to the office servers from unsecured networks. The attacker could use a Man-In-The-Middle (MITM) attack to intercept sensitive traffic and gain unauthorized access to internal systems. We can anticipate and implement measures to prevent these potential attacks by adopting an adversarial mindset.

Process

An adversarial mindset can reveal procedural weaknesses that might be exploited in the process risk domain. Insufficient access controls could allow attackers to move laterally within the organization, accessing sensitive information across all departments. Without granular access controls, insider threats could also surface: an employee in the marketing department could read the finance department's sensitive financial records, leading to a data leak or misuse of information. Similarly, the lack of network segmentation means that once an attacker gains access to one part of the network, they could traverse it freely or spread malware across the entire network, affecting multiple departments and business operations. Imagine an employee falls for a phishing email and downloads malware onto their computer. Without network segmentation, that malware can move across the network unimpeded, impacting all departments and critical systems.

Technology

For the technology risk domain, we must consider how attacks target the infrastructure directly. A single point of failure in the network, such as the central switch, could be exploited to shut down the entire network. The main switch is the central connection point for all other switches and hubs; if it fails, the whole network goes down, causing operational downtime and affecting availability. An attacker could also flood that switch or the single ISP link with traffic in a Distributed Denial of Service (DDoS) attack, overwhelming it and halting business operations. Without an IDS or IPS, the organization is blind to malicious activity on the network, allowing attackers to operate without immediate detection and potentially cause long-term damage. This impacts confidentiality, integrity, and availability, as undetected intrusions can lead to data breaches, data manipulation, and service disruptions.

Infrastructure Diagram

People

The first control I have implemented for the people risk domain is locks on all IT closet doors. There is no reason these closets should be unlocked: locks keep unauthorized personnel out and equipment free from theft or tampering. This control aligns with NIST SP 800-53 PE-3 (Physical Access Control), which requires restricting physical access to information systems and equipment. The second control is a virtual private network (VPN) for remote access. A VPN is an encrypted connection from a computer to the organization's network over the internet, so that sensitive data is protected in transit and remote employees can connect securely to the office servers. VPNs align with NIST SP 800-52 (Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations) and NIST SP 800-77 (Guide to IPsec VPNs), which recommend secure communication protocols for remote access. Because a VPN protects data in transit but not the device at either end, I also advise ensuring all devices have proper endpoint protection installed, such as an endpoint protection platform (EPP). An EPP combines multiple endpoint security functions into a single platform, delivering antivirus, anti-spyware, a personal firewall, application control, and other host intrusion prevention capabilities.

Process

The first control I implemented for the process risk domain was Role-Based Access Control (RBAC). RBAC ensures that employees have access only to the information their roles require. Paired with the principle of least privilege, this yields strict access controls that align with NIST SP 800-53 AC-2 (Account Management) and AC-6 (Least Privilege), which emphasize access control mechanisms and minimizing unnecessary access. The second control I implemented was network segmentation: dividing the network into isolated subnetworks. We used VLANs to separate department traffic and apply specific security policies to each segment. Each department is on its own VLAN (as shown in the infrastructure diagram), so that sensitive data is kept separate from non-sensitive data. This aligns with NIST SP 800-41 (Guidelines on Firewalls and Firewall Policy) and SP 800-125 (Guide to Security for Full Virtualization Technologies), which recommend network segmentation to enhance security and control.
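To make the RBAC and least-privilege control concrete, the following Python is an added example written for this page; it is not part of the proposal's implementation or any product's API. The department names, roles, permissions and user records are hypothetical. Resources are named department/object so that a role grants access only inside its own department, and the review function shows what "pairing RBAC with least privilege" looks like operationally: role assignments are audited, not just made.

```python
"""Role-based access control with least privilege.
Added example for this page; roles, permissions and users are hypothetical."""
from dataclasses import dataclass, field

# Each role maps to the (action, resource) pairs it is allowed, nothing more.
# Resources are department-scoped ("finance/ledger"), so a marketing role can
# never reach a finance resource unless a rule says so explicitly.
ROLE_PERMISSIONS = {
    "marketing_analyst": {("read", "marketing/campaigns"),
                          ("write", "marketing/campaigns")},
    "finance_analyst":   {("read", "finance/ledger"),
                          ("read", "finance/invoices")},
    "finance_manager":   {("read", "finance/ledger"),
                          ("read", "finance/invoices"),
                          ("approve", "finance/payments")},
    "it_admin":          {("read", "it/inventory"),
                          ("write", "it/inventory"),
                          ("admin", "it/network")},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def permissions_for(user):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())   # unknown role grants nothing
    return perms


def authorize(user, action, resource):
    """Default deny: allowed only if some role grants exactly this pair."""
    return (action, resource) in permissions_for(user)


def department_of(resource):
    return resource.split("/", 1)[0]


def cross_department_users(users):
    """Least-privilege review: users whose combined roles reach more than one
    department. These are the accounts to re-examine (roles accumulated over
    time, incomplete off-boarding, separation-of-duties conflicts)."""
    flagged = []
    for user in users:
        departments = {department_of(r) for _, r in permissions_for(user)}
        if len(departments) > 1:
            flagged.append((user.name, sorted(departments)))
    return flagged


# Constructed sample users (hypothetical).
USERS = [
    User("alice", {"marketing_analyst"}),
    User("bob", {"finance_analyst"}),
    User("carol", {"finance_manager"}),
    User("dave", {"it_admin", "finance_analyst"}),   # roles accumulated over time
]

if __name__ == "__main__":
    alice, bob = USERS[0], USERS[1]
    print(authorize(alice, "read", "marketing/campaigns"))  # True
    print(authorize(alice, "read", "finance/ledger"))       # False: other department
    print(authorize(bob, "approve", "finance/payments"))    # False: not in role
    print(cross_department_users(USERS))                    # [('dave', ['finance', 'it'])]
```

The marketing-to-finance case from the adversarial analysis is simply an unmatched permission, and the finance analyst cannot approve payments even inside their own department. In a real deployment the same check sits in front of the file share or application rather than in a script, and the cross-department review runs on a schedule against the directory.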

Technology

The first control I implemented for the technology risk domain was redundancy. Network redundancy provides multiple paths for traffic so that data keeps flowing even when a component fails. To eliminate the single point of failure, I added a second ISP connection, router, and main switch; if one fails, the other takes over and maintains business continuity. This aligns with NIST SP 800-34 (Contingency Planning Guide for Federal Information Systems), which advises implementing redundancy to maintain operational continuity. The second control I implemented was an IDS/IPS solution placed inline between the routers and the main switches. It monitors for suspicious traffic and blocks intrusions before they reach the internal network. Because an inline sensor is itself a device that can fail, it must be deployed on both redundant paths, with its failure behaviour (fail-open or fail-closed) chosen deliberately, so that it does not reintroduce the single point of failure just removed. This aligns with NIST SP 800-94 (Guide to Intrusion Detection and Prevention Systems), which recommends IDS/IPS solutions for effective network security monitoring and response.
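As an added example, not the proposal's own code or any IDS product's logic, the following Python shows the kind of detection an inline sensor between the routers and main switches applies to traffic: a sliding-window check for one source contacting many distinct hosts on the same port within a short time, the pattern left by a worm or an attacker scanning for lateral movement. The flow-log format and all addresses are constructed for this example; a production IDS/IPS such as Snort or Suricata implements this class of rule natively, and the block list at the end is the difference between an IPS (inline, drops the source) and an IDS (mirror port, only alerts).

```python
"""Horizontal-scan (lateral movement) detection over flow records.
Added example for this page; the log format and all addresses are constructed."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed flow records: "timestamp src dst dport proto state".
# 10.10.0.25 (a marketing host) probes six finance hosts on SMB/445 in four
# seconds; 10.10.0.30 touches two hosts ten minutes apart and should not trigger.
FLOW_LOG = """\
2024-06-05T09:00:01 10.10.0.25 10.100.0.5 443 tcp SF
2024-06-05T09:00:02 10.20.0.7 10.100.0.5 445 tcp SF
2024-06-05T09:01:10 10.10.0.25 10.20.0.2 445 tcp S0
2024-06-05T09:01:11 10.10.0.25 10.20.0.3 445 tcp S0
2024-06-05T09:01:11 10.10.0.25 10.20.0.4 445 tcp REJ
2024-06-05T09:01:12 10.10.0.25 10.20.0.5 445 tcp S0
2024-06-05T09:01:13 10.10.0.25 10.20.0.6 445 tcp S0
2024-06-05T09:01:14 10.10.0.25 10.20.0.7 445 tcp SF
2024-06-05T09:05:00 10.20.0.7 10.100.0.5 445 tcp SF
2024-06-05T09:30:00 10.10.0.30 10.100.0.5 445 tcp S0
2024-06-05T09:40:00 10.10.0.30 10.100.0.6 445 tcp S0
"""


def parse_flow(line):
    ts, src, dst, dport, proto, state = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "proto": proto, "state": state}


def detect_horizontal_scan(lines, threshold=5, window_s=60):
    """Alert once per (src, dport) when that source has contacted at least
    `threshold` distinct destination hosts on that port within `window_s`
    seconds. A per-key sliding window keeps memory bounded."""
    recent = defaultdict(deque)      # (src, dport) -> deque of (ts, dst)
    alerted = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        key = (flow["src"], flow["dport"])
        window = recent[key]
        window.append((flow["ts"], flow["dst"]))
        while (flow["ts"] - window[0][0]).total_seconds() > window_s:
            window.popleft()          # drop flows older than the window
        hosts = {dst for _, dst in window}
        if len(hosts) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": flow["src"], "dport": flow["dport"],
                           "hosts": len(hosts),
                           "first": window[0][0], "last": flow["ts"]})
    return alerts


def block_list(alerts):
    """IPS response: sources that tripped the detector are dropped at the
    inline sensor. An IDS on a mirror port would only log them."""
    return sorted({a["src"] for a in alerts})


if __name__ == "__main__":
    found = detect_horizontal_scan(FLOW_LOG.splitlines())
    for alert in found:
        print(alert)          # one alert: 10.10.0.25 -> 5 hosts on 445 within 3 s
    print(block_list(found))  # ['10.10.0.25']
```

The threshold and window are the tuning knobs: the slow scanner (10.10.0.30) stays below the radar at a 60 s window and only surfaces if the window is widened, which is the usual trade-off between catching low-and-slow reconnaissance and generating noise from legitimate management traffic.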

Organizational Protection

People

The physical locks installed on the IT closets restrict access to critical network equipment to authorized staff and reduce the likelihood of theft or tampering, protecting the integrity and availability of that equipment. Using a VPN together with endpoint security ensures that remote connections are encrypted and that the connecting devices themselves are protected from malware, reducing the risk of data breaches from remote working environments. This mitigates common attacks such as MITM and eavesdropping on untrusted networks, maintaining the confidentiality and integrity of the data.

Process

RBAC limits access to sensitive data so that only authorized users can view or modify it, which protects the confidentiality and integrity of the data and reduces the opportunity for insider misuse. Network segmentation keeps malware from spreading freely across the network, containing a breach to the segment where it started and allowing a more targeted response. It also keeps employees within their own department's segment rather than able to browse other departments' files, supporting confidentiality, integrity, and availability.
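The containment described above depends on what the inter-VLAN policy actually permits, so the following Python, an added example and not the proposal's switch or firewall configuration, models a default-deny inter-VLAN rule set and shows how far an infected marketing host can reach on SMB with and without it. VLAN names, subnets, rules and flows are hypothetical; on real equipment these rules become ACLs or firewall policy on the routed interfaces between VLANs.

```python
"""Inter-VLAN policy check for a segmented network.
Added example for this page; VLANs, subnets, rules and flows are hypothetical."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# One VLAN per department plus a server VLAN and a management VLAN.
VLANS = {
    "marketing": ipaddress.ip_network("10.10.0.0/24"),
    "finance":   ipaddress.ip_network("10.20.0.0/24"),
    "servers":   ipaddress.ip_network("10.100.0.0/24"),
    "mgmt":      ipaddress.ip_network("10.250.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str              # VLAN name or "any"
    dst: str              # VLAN name or "any"
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port, None for any
    action: str           # "allow" or "deny"


# Segmented policy: first match wins, and the final rule makes the default deny.
SEGMENTED = [
    Rule("mgmt", "any", "any", None, "allow"),        # admins reach every VLAN
    Rule("any", "servers", "tcp", 443, "allow"),      # intranet apps over HTTPS
    Rule("finance", "servers", "tcp", 445, "allow"),  # only finance uses the file share
    Rule("any", "any", "any", None, "deny"),
]

# The flat network the proposal starts from: everything talks to everything.
FLAT = [Rule("any", "any", "any", None, "allow")]


def vlan_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip, dst_ip, proto, dport, rules=SEGMENTED):
    """Decide a flow between two hosts. Traffic inside one VLAN is switched
    locally and not filtered here; unknown addresses are denied."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src is None or dst is None:
        return "deny"
    if src == dst:
        return "allow"
    for r in rules:
        if (r.src in ("any", src) and r.dst in ("any", dst)
                and r.proto in ("any", proto) and r.dport in (None, dport)):
            return r.action
    return "deny"


def reachable_on(src_ip, proto, dport, rules=SEGMENTED):
    """VLANs a host can reach on one service, e.g. SMB from an infected host."""
    reachable = set()
    for name, net in VLANS.items():
        probe = str(net[10])     # any host address inside that VLAN
        if evaluate(src_ip, probe, proto, dport, rules) == "allow":
            reachable.add(name)
    return reachable


if __name__ == "__main__":
    infected = "10.10.0.25"   # marketing workstation that opened the phishing attachment
    print(reachable_on(infected, "tcp", 445, FLAT))       # all four VLANs
    print(reachable_on(infected, "tcp", 445))             # {'marketing'} only
    print(evaluate(infected, "10.20.0.7", "tcp", 445))    # deny
```

With the flat rule set the infected host can reach SMB on every VLAN; with the segmented policy it is confined to its own VLAN, which is exactly the blast radius the incident responders then have to clean. Note that the policy is written as an allow list with a closing deny: a segmentation design that starts from "allow everything and block known-bad" does not give this containment.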

Technology

Redundancy keeps the network available even if one component fails, maintaining operational continuity. With the additional ISP connection, router, and switch, the network continues to function if any one of these components fails, reducing downtime and preserving the availability of data and critical systems. The IDS/IPS detects and blocks malicious activity, providing an active defense against network intrusions and supporting the confidentiality, integrity, and availability of data.

Implementation

Balancing the implementation of controls across the people, process, and technology risk domains means weighing quick wins against broader organizational concerns. Simple fixes, such as installing locks on the IT closets and enforcing the use of a VPN, provide immediate security benefits with minimal disruption. More complex solutions, such as RBAC and network segmentation, require substantial upfront planning and integration to align with existing systems. Redundancy and IDS/IPS solutions involve a higher initial investment but are crucial to the long-term resilience and protection of ACME Company.

Conclusion

In conclusion, enhancing ACME Company’s security posture requires a comprehensive, multi-layered approach that addresses vulnerabilities across the risk domains of people, processes, and technology. By adopting an adversarial mindset and applying systems thinking, we can proactively identify and mitigate potential risks, ensuring our business-critical assets' confidentiality, integrity, and availability. Implementing physical security, enforcing granular security controls, and introducing redundancy and IDS/IPS solutions will fortify our defenses against potential threats. As ACME Company prepares to transition into the new market and begin gaining federal contracts, the efforts we have applied thus far will build external confidence in our infrastructure and ensure long-term success.

References

Threat assessment/analysis. (n.d.). NIST Computer Security Resource Center (CSRC) glossary. Retrieved May 30, 2024, from https://csrc.nist.gov/glossary/term/threat_assessment_analysis

Davies, L. (2022, March 2). What is systems thinking? Concepts and applications. University of Phoenix. https://www.phoenix.edu/blog/what-is-systems-thinking.html

Adversarial thinking for cybersecurity. (n.d.). Cedarville University. Retrieved May 30, 2024, from https://www.cedarville.edu/insights/post/adversarial-thinking-for-cybersecurity

What is a virtual private network (VPN)? (n.d.). Cisco. Retrieved May 30, 2024, from https://www.cisco.com/c/en/us/products/security/vpn-endpoint-security-clients/what-is-vpn.html

Dooley, K. (2022, July 11). Network redundancy and why it matters. Auvik. https://www.auvik.com/franklyit/blog/simple-network-redundancy/

Endpoint security glossary of terms: Infosec acronyms defined. (2016, December 2). Solutions Review. https://solutionsreview.com/endpoint-security/endpoint-security-glossary-of-terms-infosec-acronyms-defined/

Physical access control (PE-3). (2021, March 5). CSF Tools: NIST SP 800-53 Rev. 5. https://csf.tools/reference/nist-sp-800-53/r5/pe/pe-3/

McKay, K., & Cooper, D. (2019, August 29). SP 800-52 Rev. 2, Guidelines for the selection, configuration, and use of Transport Layer Security (TLS) implementations. CSRC. https://csrc.nist.gov/pubs/sp/800/52/r2/final

Barker, E., Dang, Q., Frankel, S., Scarfone, K., & Wouters, P. (2020, June 30). SP 800-77 Rev. 1, Guide to IPsec VPNs. CSRC. https://csrc.nist.gov/pubs/sp/800/77/r1/final

Joint Task Force. (2020, December 10). SP 800-53 Rev. 5, Security and privacy controls for information systems and organizations. CSRC. https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final

Scarfone, K., & Hoffman, P. (2009, September 28). SP 800-41 Rev. 1, Guidelines on firewalls and firewall policy. CSRC. https://csrc.nist.gov/pubs/sp/800/41/r1/final

Scarfone, K., Souppaya, M., & Hoffman, P. (2011, January 28). SP 800-125, Guide to security for full virtualization technologies. CSRC. https://csrc.nist.gov/pubs/sp/800/125/final

NIST SP 800-34, Contingency planning guide for federal information systems. (2020, January 12). NIST. https://www.nist.gov/privacy-framework/nist-sp-800-34

Scarfone, K., & Mell, P. (2007, February 20). SP 800-94, Guide to intrusion detection and prevention systems (IDPS). CSRC. https://csrc.nist.gov/pubs/sp/800/94/final