Methodical Journey From Chaotic Network To Secure Network
egrizzly
Member Posts: 533 ■■■■■□□□□□
Hello ladies and gentlemen,
For those who have walked this journey or who have the knowledge: is there a methodology that exists for small businesses to go from a chaotic/disorganized network to a secure network environment where the cyber security maturity journey can now begin?
In recent years I've witnessed organizations that have existed in a chaotic/disorganized network and suddenly had the motivation to organize their environments to where frameworks like CIS Top 20 or NIST CSF can now start being engaged to maturity. I thought then that this might be commonplace and figured to open that discussion here.
B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
Comments
-
JDMurray Admin Posts: 13,099 Admin
This is a very broad topic. Usually the motivation is to increase revenue (e.g., ISO 9001 for selling to the EU), or compliance to obtain a contract (e.g., FISMA and FedRAMP), or to remediate problems caused by a change in their size or business interests or having gone public (e.g., SOX, PCI-DSS, HIPAA), or they've realized they might be/are being cyber-targeted and want to stay off the front page of the WSJ for negative publicity reasons (e.g., security frameworks, IT audits). This all has been happening for decades now and is only getting more intense with the (seemingly) sudden proliferation of ransomware.
-
UnixGuy Mod Posts: 4,570 Mod
So many ways to skin a cat. A good way is what you suggested: using a framework like NIST to find the baselines, and think about the future state and how to get there!
-
trojin Member Posts: 275 ■■■■□□□□□□
No matter what, you have to start from inventorying all devices, subnets, networks, etc.
I'm just doing my job, nothing personal, sorry
xx+ certs...and I'm not counting anymore
-
TechGromit Member Posts: 2,156 ■■■■■■■■■□
I recall the first company I worked for: they ran equipment till it failed. Even when they did purchase new hardware, the older computers, if they still functioned, were deployed to other employees. It wasn't till the Y2K scare that they started to spend serious money to upgrade their hardware and get rid of outdated systems. The company location I work for now, before it was merged with Exelon, also ran network equipment till failure. Now systems are on a refresh schedule, mandatory patching, secure protocols, etc. Some local managers were able to push off updates to the future because they were inconvenient; no longer, the corporation takes cyber security very seriously.
Still searching for the corner in a round room.
-
egrizzly Member Posts: 533 ■■■■■□□□□□
trojin said: No matter what, you have to start from inventorying all devices, subnets, networks, etc.
There are actually no convenient subnets in the network I'm referring to. Hmm, I wonder if it means that I'm the only one to have experienced this type of environment before. Also, little cosmetic things like labels/descriptions on assets aren't there, so everything is like swimming upstream.
B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
-
JDMurray Admin Posts: 13,099 Admin
trojin said: No matter what, you have to start from inventorying all devices, subnets, networks, etc.
Assessment of physical and virtual assets is always the first step. Many orgs don't have a single, complete database of their assets that automatically scans and updates for changes in assets, including finding new and rogue assets. It's interesting how many modern threat management products require integration with an org's asset management database to be really effective in helping the SecOps teams find and identify possibly malicious threats. Lacking a comprehensive asset management database, complex enterprise-class threat detection tools are not very helpful at best. (Personal experience talking here.)
-
trojin Member Posts: 275 ■■■■□□□□□□
JDMurray said: ...Many orgs don't have a single, complete database of their assets...
I now have 4 or 5 different environments with an unknown number of appliances, devices, etc.
So I'm trying to figure out what and how to secure.
I'm just doing my job, nothing personal, sorry
xx+ certs...and I'm not counting anymore
-
UnixGuy Mod Posts: 4,570 Mod
Asset management is a good one and will be an ongoing process. It's a control within NIST, which is why I like NIST: it covers everything and points you in the right direction.
One thing I must say for asset management/CMDB: yes, it's essential and the first step, but don't get hung up on it. Start work on it and keep working at it, but don't wait until it's perfect before looking at other things (like MFA, for example). I've seen companies get hung up on the CMDB way too long.
-
JDMurray Admin Posts: 13,099 Admin
What does NIST say about having multiple teams working on different things in parallel, like an asset management team and an IAM team working on their own stuff?
-
UnixGuy Mod Posts: 4,570 Mod
@JDMurray My understanding is that the framework doesn't say much in terms of how you choose to implement or prioritise. You have your set of controls within the detect/protect/respond/recover domains. You choose what's important/relevant to you and what to work on.
I worked on asset registers where it was a work in progress; servers/network devices were a bit easier than laptops in one instance, and then a regulator came and said everything needs to be inventoried and classified, including software/hardware/apps/papers, which is a huge task, an important task, but other stuff was also important, so divide and conquer worked well.
-
egrizzly Member Posts: 533 ■■■■■□□□□□
JDMurray said:
trojin said: Single database... I would be happy to see this in my place
An asset tracking "database" implemented as multiple Excel spreadsheets maintained by different people distributed across the Enterprise is much more the norm.
B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
-
egrizzly Member Posts: 533 ■■■■■□□□□□
If it were a regular environment I would say you guys are forgetting Risk Analysis; however, this is a hypothetical network that's not even designed according to best practices of segmentation, etc. I would go through a segmentation project and get the network divided, then do an RA using a cybersecurity industry framework.
B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
-
JDMurray Admin Posts: 13,099 Admin
egrizzly said: It auto-discovers assets plugged into your corporate network versus manually keying things into Excel.
Yes, Tanium is another such asset manager that is also an endpoint security solution. However, Excel is on your computer right now and asset inventory is a famously underestimated task in many businesses. Therefore, Excel is always what is tried first as the quickest and cheapest inventory tracking "solution." (Hint: inventories are tracked using a database, not a spreadsheet.)
-
trojin Member Posts: 275 ■■■■□□□□□□
JDMurray said: However, Excel is on your computer right now and asset inventory is a famously underestimated task in many businesses. Therefore, Excel is always what is tried first as the quickest and cheapest inventory tracking "solution."
And finally, a few years later, we have a spreadsheet with a few very old appliances, which in most cases have already been replaced by new ones.
The only secure way to keep this valid is an automated way.
I'm just doing my job, nothing personal, sorry
xx+ certs...and I'm not counting anymore
-
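As an added example for the inventory drift JDMurray and trojin describe above (not code from any poster in this thread), here is a small Python reconciliation of an automated discovery export against a hand-kept spreadsheet export, flagging rogue, missing and stale entries. Both inputs are constructed sample data, and their column names are assumptions.

```python
# Added example: reconcile a discovery export against an inventory spreadsheet.
# DISCOVERED and INVENTORY are constructed sample data; column names are assumed.
import csv
import io
from datetime import date

# Constructed: what today's automated discovery run saw (MAC, IP, hostname).
DISCOVERED = """mac,ip,hostname
00:11:22:33:44:01,10.0.0.10,fileserver01
00:11:22:33:44:02,10.0.0.11,printer-lobby
00:11:22:33:44:09,10.0.0.57,DESKTOP-7QX3
"""

# Constructed: the spreadsheet export, with an owner and a last-verified date.
INVENTORY = """mac,hostname,owner,last_verified
00:11:22:33:44:01,fileserver01,it,2024-01-15
00:11:22:33:44:02,printer-lobby,office,2024-01-15
00:11:22:33:44:05,oldfirewall,it,2019-06-01
"""


def parse_csv(text):
    """Index rows by lowercase MAC; MAC is the key because IPs move around."""
    return {row["mac"].strip().lower(): row
            for row in csv.DictReader(io.StringIO(text))}


def reconcile(discovered_text, inventory_text, today_iso, stale_days=365):
    """Bucket assets: rogue (seen, not inventoried), missing (inventoried, not
    seen), stale (not verified within stale_days), matched. Missing and stale overlap."""
    today = date.fromisoformat(today_iso)
    seen = parse_csv(discovered_text)
    known = parse_csv(inventory_text)
    report = {"rogue": [], "missing": [], "stale": [], "matched": []}
    for mac, row in seen.items():
        bucket = "matched" if mac in known else "rogue"
        report[bucket].append(f"{mac} {row['ip']} {row['hostname']}")
    for mac, row in known.items():
        if mac not in seen:
            report["missing"].append(f"{mac} {row['hostname']} owner={row['owner']}")
        age = (today - date.fromisoformat(row["last_verified"])).days
        if age > stale_days:
            report["stale"].append(f"{mac} {row['hostname']} verified={row['last_verified']}")
    return report


if __name__ == "__main__":
    for bucket, items in reconcile(DISCOVERED, INVENTORY, "2024-06-01").items():
        print(f"{bucket}: {items}")
```

Run it on a real scan export and spreadsheet export with the same columns; the rogue list is the input for a "what is this?" investigation and the stale list is the re-verification queue.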
SteveLavoie Member Posts: 1,133 ■■■■■■■■■□
Implementing security for SMB is my bread and butter. Usually, I am doing a security assessment based on a light security control (I am using Canada's CyberSecure controls; they are geared toward SMB). Then, based on that, I focus on the most essential and try to get them a few quick wins that do not cost too much money. Implementing a good password policy is not very expensive, usually.
So: a security assessment to have an assessment and get them to realize how insecure they are.
Then, in relative order:
password policy
backup
email security / user education toward phishing
perimeter security / remote access (VPN)
endpoint updates and antivirus
asset inventory
Sure, there is a lot more to security than that, but most SMBs are totally deficient in most or all of those. If you can implement those recommendations, then you can continue your security journey.
-
trojin Member Posts: 275 ■■■■□□□□□□
Wow, doing asset inventory after securing the perimeter, backup and a few other steps looks quite brave to me.
I know it's my personal experience and personal point of view, but asset inventory should start as the first task and has to run all the time. Otherwise you will never know whether you have already secured all your endpoints, public IPs, networks, appliances, etc.
I'm just doing my job, nothing personal, sorry
xx+ certs...and I'm not counting anymore
-
SteveLavoie Member Posts: 1,133 ■■■■■■■■■□
trojin said: Wow, doing asset inventory after securing the perimeter, backup and a few other steps looks quite brave to me.
I know it's my personal experience and personal point of view, but asset inventory should start as the first task and has to run all the time. Otherwise you will never know whether you have already secured all your endpoints, public IPs, networks, appliances, etc.
-
JDMurray Admin Posts: 13,099 Admin
This discussion is sounding more and more like this game I started playing recently: ThreatGEN: Red vs. Blue. When playing Blue Team, the first four actions I perform are:
1. Install perimeter/gateway firewall
2. Create policies and procedures
3. Install SIEM
4. Perform asset inventory
-
egrizzly Member Posts: 533 ■■■■■□□□□□
SteveLavoie said: Implementing security for SMB is my bread and butter. Usually, I am doing a security assessment based on a light security control (I am using Canada's CyberSecure controls; they are geared toward SMB). Then, based on that, I focus on the most essential and try to get them a few quick wins that do not cost too much money. Implementing a good password policy is not very expensive, usually.
So: a security assessment to have an assessment and get them to realize how insecure they are.
Then, in relative order:
password policy
backup
email security / user education toward phishing
perimeter security / remote access (VPN)
endpoint updates and antivirus
asset inventory
Sure, there is a lot more to security than that, but most SMBs are totally deficient in most or all of those. If you can implement those recommendations, then you can continue your security journey.
Wow, it's insightful to know that asset inventory is highly emphasized among all the responses. Also, since the type of network being discussed is typically caused by a lack of financial assets/budget, it's insightful too to pick up that the affordable quick wins are also at the top of the list. So do you have tiers of controls that you recommend based on the budget level available to the client?
B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
-
egrizzly Member Posts: 533 ■■■■■□□□□□
JDMurray said: This is a very broad topic. Usually the motivation is to increase revenue (e.g., ISO 9001 for selling to the EU), or compliance to obtain a contract (e.g., FISMA and FedRAMP), or to remediate problems caused by a change in their size or business interests or having gone public (e.g., SOX, PCI-DSS, HIPAA), or they've realized they might be/are being cyber-targeted and want to stay off the front page of the WSJ for negative publicity reasons (e.g., security frameworks, IT audits). This all has been happening for decades now and is only getting more intense with the (seemingly) sudden proliferation of ransomware.
You guessed right @JDMurray. So in the particular network I'm referring to, it's surprising that the mere presentation of a 6-month plan was able to secure them quite a hefty sum in small business loans.
B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
-
bigdogz Member Posts: 881 ■■■■■■■■□□
Since I am answering this thread extremely late, I will start from the beginning. You said "chaotic/disorganized". I know this may be understood, but IEEE specifications on the SMB are a good start. I have seen too many networking devices configured incorrectly. Security can be looked at and made sure it is baked in going forward. CIS top 20, NIST, PCI and others will come into play.
From my experience, the only companies who are motivated are those stated by @JDMurray earlier. They 'stepped in it' from a security or DR perspective, or need to work on being compliant to obtain more customers. The only motivation by management is cost and revenue.
Management has to enforce new policies such as asset management. I am sure that using an SDLC will help show the costs the company has placed in certain groups and find a way to recycle equipment... maybe use it for a lab. If IT has created the database, they would be best to make sure they know where all of the equipment is located. When someone leaves the company, IT would know what equipment needs to be returned to the company, or funds from the employee's last check may be used to pay for the replacement cost of the equipment that was not returned.
It will be a beast of a project to start, but easier as asset management is implemented.
Regards
-
egrizzly Member Posts: 533 ■■■■■□□□□□
SteveLavoie said: Implementing security for SMB is my bread and butter. Usually, I am doing a security assessment based on a light security control (I am using Canada's CyberSecure controls; they are geared toward SMB). Then, based on that, I focus on the most essential and try to get them a few quick wins that do not cost too much money. Implementing a good password policy is not very expensive, usually.
So: a security assessment to have an assessment and get them to realize how insecure they are.
Then, in relative order:
password policy
backup
email security / user education toward phishing
perimeter security / remote access (VPN)
endpoint updates and antivirus
asset inventory
Sure, there is a lot more to security than that, but most SMBs are totally deficient in most or all of those. If you can implement those recommendations, then you can continue your security journey.
Heh, btw, since you said implementing security for SMB is your bread and butter, let me ask the question: what was the craziest network that you've organized from its bad condition to a strong cyber security posture? Can you share the roadmap you used for that network?
B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
-
SteveLavoie Member Posts: 1,133 ■■■■■■■■■□
egrizzly said:
We started with asset inventory while working to implement some minimal perimeter security. Then worked on all the usual things... there was no AD, no patch management, no antivirus (except Defender)... Now, 7 years later, they are working on getting ISO 27001 and SOC 2 (Type 1), but Covid slowed them. I worked a lot on the first 2-3 years to start things; they got some real sysadmins, and they still consult me on the direction, but I am not involved in the day-to-day.
-
JDMurray Admin Posts: 13,099 Admin
SteveLavoie said: One of the worst networks was not using any perimeter security (in 2014!)...
The network you described sounds more of a 1994 vintage. This thread has now reminded me of Marcus Ranum's (2005) article: The Six Dumbest Ideas in Computer Security
-
UnixGuy Mod Posts: 4,570 Mod
SteveLavoie said:
One of the worst networks was not using any perimeter security (in 2014!)... All public servers were connected to a switch where the ISP was plugged in too... ......
Oh, wait for some vendors to try and market it as a "zero trust" network, LOL. Just remove everything and put in their product that'll solve everything, join their webinar, get a free t-shirt that doesn't fit and sign up for their mailing list.
-
SteveLavoie Member Posts: 1,133 ■■■■■■■■■□
It was an awful network... but I am proud of their progression. The hardest was to convince the management to remove the task of sysadmin from their head dev... This way, it paved the way to a more structured IT. He was ingenious... but too hacky, to the point it was a risk to the enterprise, as only he knew how the network was run. For example, he was buying used HPE servers, and instead of buying HPE drives, he was buying standard drives. Also, instead of buying HDD drive caddies from a third party, he was carving some pencil erasers to stack hard drives in a DL380 server.
-
SteveLavoie Member Posts: 1,133 ■■■■■■■■■□
UnixGuy said:
SteveLavoie said:
One of the worst networks was not using any perimeter security (in 2014!)... All public servers were connected to a switch where the ISP was plugged in too... ......
Oh, wait for some vendors to try and market it as a "zero trust" network, LOL. Just remove everything and put in their product that'll solve everything, join their webinar, get a free t-shirt that doesn't fit and sign up for their mailing list.
I warned management... and walked away. Waiting for the disaster horn.