
If you can’t connect to it, you can’t hack it.

Since networks were first established, organisations have run a ‘flat network’, in which every connected device can reach every other device. Traditionally, cyber attacks came only from the internet, so perimeter firewalls were enough to keep attackers out.

Over the years, cyber attacks have become more sophisticated and can now originate from anywhere inside the network, from any connected device. As the attack surface has dramatically increased, organisations are under pressure to adopt a number of security practices to keep their environment secure, such as the Essential Eight, a recommendation from the Australian Signals Directorate (ASD):

  • Application control
  • Patch applications
  • Configure Microsoft Office macro settings
  • User application hardening
  • Restrict administrative privileges
  • Patch operating systems
  • Multi-factor authentication
  • Daily backups

https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-explained

However, even after an organisation has effectively implemented the Essential Eight, any device can still connect to critical and sensitive applications.

Another recommendation from the ASD is network segmentation:

Network segmentation and segregation are highly effective strategies an organisation can implement to limit the impact of a network intrusion. If implemented correctly, these strategies can make it significantly more difficult for an adversary to locate and gain access to an organisation’s most sensitive information; and increase the likelihood of detecting an adversary’s activity in a timely manner.

https://www.cyber.gov.au/acsc/view-all-content/publications/implementing-network-segmentation-and-segregation

Micro-segmentation takes network segmentation to the next level, protecting individual workloads so that only trusted devices can connect to other trusted devices within a network.

IT Service Segmentation

This provides the following benefits to an organisation:

Understand Application dependencies

ISO 27001 sets out the requirements for an information security management system. If organisations cannot describe how their applications work and what they depend on, how can they build processes to manage and protect them? Are those undocumented dependencies creating unnecessary exposures for the organisation?

IT Service security

When an organisation has the capability to protect individual workloads, it can align more easily with regulatory requirements:

  • ISO/IEC 27001:2013 - A.9.1.1 Access Control Policy
  • ISO/IEC 27001:2013 - A.9.1.2 Access to Networks and Network Services

Another benefit of IT service security is the ability to segment IT services according to the regulations that apply to them. For example, without the correct segmentation controls, PCI DSS considers the entire network in scope for assessment: “Without adequate network segmentation (sometimes called a "flat network"), the entire network is in scope of the PCI DSS assessment.”

Defining network controls per IT service improves control over, and visibility of, each application’s risk profile. It also gives you agility: IT services can be spread across diverse environments (hybrid cloud) without compromising on risk.

Reduce the attack surface

Would you leave all the doors and windows of your house open at all times? No. So why would you run a ‘flat network’ that leaves every device exposed?

If a vulnerability is present on a critical device, the fewer devices that can connect to it the better, because each restriction is one more barrier an attacker must cross when trying to move through the network.

If an attacker can only connect to a limited number of devices, the risk is dramatically reduced.

Isolate security incidents

Protecting the downside: when device connectivity and IT services have been isolated, an attacker’s options are limited.

If an attacker were to scan or directly attack another IT service, the connection would be denied immediately. This isolates the threat to a single IT service and prevents the compromise from spreading through the network.

Improve incident response times

When an intruder is trying to compromise a network, it is important to detect the threat early. Micro-segmentation makes abnormal behaviour easier to detect: if a device connects to a resource outside its trusted application, the connection is denied.

A security analyst can readily identify this denied traffic, investigate it quickly and ‘lock down’ the IT service until the issue has been resolved.
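As an added illustration (not ditno’s code or product), the model described above in Python: each IT service lists its member hosts and the services it may depend on, anything not explicitly allowed is denied, and a pass over flow records groups the denied connections by source host so an analyst can see which device is probing outside its trusted IT service. The service names, addresses, ports and flow records are constructed for the example.

```python
"""Minimal per-IT-service allow-list model (added example, constructed data)."""
from collections import defaultdict

# Constructed sample services: service name -> member hosts
SERVICES = {
    "web":     {"10.0.1.10", "10.0.1.11"},
    "app":     {"10.0.2.10"},
    "db":      {"10.0.3.10"},
    "payroll": {"10.0.4.10"},
}
# Allowed dependencies as (client service, server service, port); default deny
ALLOWED = {
    ("web", "app", 8443),
    ("app", "db", 5432),
}

def service_of(ip):
    """Return the IT service a host belongs to, or None for an unknown device."""
    for name, members in SERVICES.items():
        if ip in members:
            return name
    return None

def is_allowed(src_ip, dst_ip, port):
    """Default deny: unknown devices and unlisted dependencies are refused.
    Hosts inside the same IT service may talk to each other (a simplification)."""
    src, dst = service_of(src_ip), service_of(dst_ip)
    if src is None or dst is None:
        return False
    if src == dst:
        return True
    return (src, dst, port) in ALLOWED

# Constructed flow records: (src_ip, dst_ip, dst_port)
FLOWS = [
    ("10.0.1.10", "10.0.2.10", 8443),   # web -> app, expected dependency
    ("10.0.2.10", "10.0.3.10", 5432),   # app -> db, expected dependency
    ("10.0.1.11", "10.0.3.10", 5432),   # web -> db directly, denied
    ("10.0.1.11", "10.0.4.10", 445),    # web -> payroll, denied
    ("10.0.9.9",  "10.0.4.10", 22),     # unknown device -> payroll, denied
]

def denied_by_source(flows):
    """Group denied flows by source host: (destination service, port) per source."""
    out = defaultdict(list)
    for src, dst, port in flows:
        if not is_allowed(src, dst, port):
            out[src].append((service_of(dst) or "unknown", port))
    return dict(out)

if __name__ == "__main__":
    for src, hits in denied_by_source(FLOWS).items():
        print(f"{src} ({service_of(src) or 'unknown'}): denied -> {hits}")
```

In a real deployment the flow records would come from the segmentation enforcement point’s deny log, and a source host that appears here repeatedly is the candidate for lockdown.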

Once an organisation has built these fundamental network controls to create a secure baseline, patterns can be established to effectively protect IT services across the organisation.

If you can’t connect to it, you can’t hack it.