Methodical Journey From Chaotic Network To Secure Network

egrizzly

Hello ladies and gentlemen,

For those who have walked this journey or that have the knowledge is there a methodology that exists for small businesses to go from a chaotic/disorganized network to a secure network environment where the cyber security maturity journey can now begin.

In recent years I've witnessed organizations who have existed in a chaotic/disorganized network and suddenly had the motivation to organize their environments to where frameworks like CIS Top 20 or NIST CSF can now start being engaged to maturity. I thought then that this might be commonplace and figured to open that discussion here.

JDMurray

This is a very broad topic. Usually the motivation is to increase revenue (e.g., ISO 9001 for selling to the EU), or compliance to obtain a contract (e.g. FISMA and FedRAMP), or to remediate problems cause by a change in their size or business interests or have gone public (e.g., SOX, PCI-DSS, HIPAA), or they've realized they might/are being cyber-targeted and want to stay off the front page of the WSJ for negative publicity reasons (e.g., security frameworks, IT audits). This all has been happening for decades now and is only getting more intense with the (seemingly) sudden proliferation of ransomware.

UnixGuy

So many ways to skin a cat

A good way is what you suggested, using a framework like NIST to find the baselines, and think about the future state and how to get there!

trojin

No mater what you have to start from inventorying all devices, subnets, networks, etc

TechGromit

I recall the first company I worked for, they run equipment till it failed. Even when they did purchase new hardware, the older computers if they still functioned, were deployed to other employees. It wasn't till Y2K scare that they started to spend serious money to upgrade there hardware and get rid of outdated systems.  The company location I work for now, before it was merged with Exelon, they also ran network equipment till failure. Now systems are on a refresh schedule, mandatory patching, secure protocols, etc. Some local managers were able to push off updates to the future because they were inconvenient, no longer, the corporation takes cyber security very seriously. 

egrizzly

trojin said:

No mater what you have to start from inventorying all devices, subnets, networks, etc

There are actually no convenient subnets in the network I'm referring to. hmm, I wonder if it means that I'm the only one to experience this type of environment before. Also, little cosmetic things like labels/descriptions on assets aren't there so everything is like swimming upstream.

JDMurray

trojin said:

No mater what you have to start from inventorying all devices, subnets, networks, etc

Assessment of physical and virtual assets is always the first step. Many orgs don't have a single, complete database of their assets that automatically scans and updates for changes in assets--including finding new and rogue assets. It's interesting how many modern threat management products require integration with an org's asset management database to be really effective in helping the SecOps teams find and identify possibly malicious threats. Lacking a comprehensive assets management database, complex enterprise-class threat detection tools are not very helpful at best. (Personal experience talking here )

trojin

JDMurray said:

...Many orgs don't have a single, complete database of their assets...

Single database...I would be happy to see this in my place
I have now 4 or 5 different environments with unknown number of appliances, devices, etc.
So I'm trying to figure out what and how to secure

JDMurray

trojin said:

Single database...I would be happy to see this in my place

An asset tracking "database" implemented as multiple Excel spreadsheets maintained by different people distributed across the Enterprise is much more the norm. 

UnixGuy

Asset management is a good one and will be an ongoing process, it's a control within NIST, which is why I like NIST, it covers everything and points you in the right direction.

One thing I must say for asset management/CMDB, yes it's essential and the first step, but don't get hung up on it, start work on it and keep working at it, but don't wait untill it's perfect before looking at other things (like MFA for example). Seen companies get hung up on CMBD way too long

JDMurray

What does NIST say about having multiple teams to working on different things in parallel, like an asset management and an IAM team working on their own stuff?

UnixGuy

@JDMurray My understanding is that the framework doesn't say much in terms how you choose to implement or prioritise.

You have your set of controls within the the detect/protect/respond/recover domains. You choose what's important/relevant to you and what to work on.

I worked on Asset registers where it was a work on progress, servers/network devices were a bit easier than laptop in one instance , and then a regulator came and said everything needs to inventories and classified, including software/hardware/apps/papers..which is a huge task, an important task, but other stuff were also important to divide and conquer worked well

egrizzly

JDMurray said:

trojin said:

Single database...I would be happy to see this in my place

An asset tracking "database" implemented as multiple Excel spreadsheets maintained by different people distributed across the Enterprise is much more the norm. 

@JDMurray it's my understanding that Excel is now the old-school way.  My new boss says that tracking assets using intelligent tools like LANSweeper IPAM Database is the new way to go.  It auto-discovers assets plugged into your corporate network versus manually keying things into Excel.

egrizzly

If it was a regular environment I would say you guys are forgetting Risk Analysis, however this is a hypothetical network that's not even designed according to best practices of segmentation, etc.  I would go through a segmentation project and get the network divided, then do an RA using a cybersecurity industry framework.

JDMurray

egrizzly said:

It auto-discovers assets plugged into your corporate network versus manually keying things into Excel.

Yes, Tanium is another such asset manager that is also an endpoint security solution. However, Excel is on your computer right now and asset inventory is a famously underestimated task in many businesses. Therefore, Excel is always what is tried first as the quickest and cheapest inventory tracking "solution." (Hint: inventories are tracked using a database, not a spreadsheet.)

trojin

JDMurray said:

 However, Excel is on your computer right now and asset inventory is a famously underestimated task in many businesses. Therefore, Excel is always what is tried first as the quickest and cheapest inventory tracking "solution." 

The only issue with Excel is that is working for first few days. Later someone forgot to add, was too busy there was too much, etc
And finally few years later we have spreadsheet with few very old appliances, which in most cases already are replaced by new one
The only secure way to keep this valid is automated way

SteveLavoie

Implementing security for SMB is my bread and butter. Usually, I am doing a security assesment based on a light security control (I am using Canada's CyberSecure control, it is geared toward SMB). Then based on that, I focused on the most essential and try to get them a few quick win that does not cost too much money. Implementing a good password policy is not very expensive usually.

So: security assesment to have an assessment and get them to realize how much they are insecure.
then in relative order:
password policy
backup
email security / user education toward phishing
perimeter security / remote access (vpn)
endpoint update and antivirus
asset inventory


Sure there a lot of more to security than that, but most SMB are totally deficient in most or all of those. If you can implement those recomendation, then you can continue your security journey.
 

trojin

wow, doing asset inventory after securing perimeter, backup and few steps  - looks quite brave for me
I know it's my personal experience and personal point of view, but asset inventory should start as first task and have to run all the time. Instead you never will know did you secure already all your endpoints, public IPs, networks, appliances, etc

SteveLavoie

trojin said:

wow, doing asset inventory after securing perimeter, backup and few steps  - looks quite brave for me
I know it's my personal experience and personal point of view, but asset inventory should start as first task and have to run all the time. Instead you never will know did you secure already all your endpoints, public IPs, networks, appliances, etc

Well, I am speaking for small company (100 endpoint or so), usually with the security assesment I can define the perimeter.  Also, I am starting this in paralele.  

JDMurray

This discussion is sounding more and more like this game I started playing recently: ThreatGEN: Red vs. Blue

When playing Blue Team, the first four actions I perform are:

1. Install perimeter/gateway firewall

2. Create policies and procedures

3. Install SIEM

4. Perform asset inventory

egrizzly

SteveLavoie said:

Implementing security for SMB is my bread and butter. Usually, I am doing a security assesment based on a light security control (I am using Canada's CyberSecure control, it is geared toward SMB). Then based on that, I focused on the most essential and try to get them a few quick win that does not cost too much money. Implementing a good password policy is not very expensive usually.

So: security assesment to have an assessment and get them to realize how much they are insecure.
then in relative order:
password policy
backup
email security / user education toward phishing
perimeter security / remote access (vpn)
endpoint update and antivirus
asset inventory


Sure there a lot of more to security than that, but most SMB are totally deficient in most or all of those. If you can implement those recomendation, then you can continue your security journey.
 

Wow, it's insightful to know that Asset Inventory is highly emphasized among all the responses. Also, since the type of network being discussed is typically caused by lack of financial assets/budget it's insightful too to pickup that the affordable quick wins are also at the top of the list.  So do you have tiers of controls that you recommend based on the budget level available to the client?

egrizzly

JDMurray said:

This is a very broad topic. Usually the motivation is to increase revenue (e.g., ISO 9001 for selling to the EU), or compliance to obtain a contract (e.g. FISMA and FedRAMP), or to remediate problems cause by a change in their size or business interests or have gone public (e.g., SOX, PCI-DSS, HIPAA), or they've realized they might/are being cyber-targeted and want to stay off the front page of the WSJ for negative publicity reasons (e.g., security frameworks, IT audits). This all has been happening for decades now and is only getting more intense with the (seemingly) sudden proliferation of ransomware.

You guessed right @JDMurray. So in the particular network I'm referring to it's surprising that the mere presentation of a 6-month plan was able to secure them quite a hefty sum in small business loans.

JDMurray

Are the loans to implement the plans or for something else?

egrizzly

JDMurray said:

Are the loans to implement the plans or for something else?

nahh, the loans are just the regular ones to fund the business (e.g. Schedule C, Schedule E). that sort of stuff.

bigdogz

@egrizzly

Since I am answering this thread extremely late, I will start from the beginning.

You said "chaotic/disorganized"

I know this may be understood, but IEEE specifications on the SMB is a good start. I have seen too many networking devices configured incorrectly. Security can be looked at and made sure it is baked in going forward. CIS top 20, NIST, PCI and others will come into play.

From my experience, the only companies who are motivated are stated by @JDMurray earlier. They 'stepped in it' from a security or DR perspective, or need to work on being compliant to obtain more customers. The only motivation by management is cost and revenue.

@trojin

Management has to enforce new policies such as asset management. I am sure that using a SDLC will help show the costs the company has placed in certain groups and find a way to recycle equipment... maybe use for a lab. If IT has created the database, they would be best to make sure they know where all of the equipment is located.When someone leaves the company, IT would know what equipment needs to be returned to the company or funds from the employee's last check may be used to pay for the replacement cost of the equipment that was not returned.

It will be a beast of a project to start but easier as asset management is implemented.

Regards

egrizzly

SteveLavoie said:

Implementing security for SMB is my bread and butter. Usually, I am doing a security assesment based on a light security control (I am using Canada's CyberSecure control, it is geared toward SMB). Then based on that, I focused on the most essential and try to get them a few quick win that does not cost too much money. Implementing a good password policy is not very expensive usually.

So: security assesment to have an assessment and get them to realize how much they are insecure.
then in relative order:
password policy
backup
email security / user education toward phishing
perimeter security / remote access (vpn)
endpoint update and antivirus
asset inventory


Sure there a lot of more to security than that, but most SMB are totally deficient in most or all of those. If you can implement those recomendation, then you can continue your security journey.
 

heh, btw, since you said implementing security for SMB is your bread and butter let me ask the question - What was the craziest network that you've organized from its bad condition to a strong cyber security posture.  Can you share the roadmap you used for that network?

SteveLavoie

egrizzly said:

heh, btw, since you said implementing security for SMB is your bread and butter let me ask the question - What was the craziest network that you've organized from its bad condition to a strong cyber security posture.  Can you share the roadmap you used for that network?

One of the worst network was not using any perimeter security (in 2014!)... All public server were connected to a switch where the ISP was plugged too.. FW was iptables and old Linux distrib.. It was not a small company, but a 50 person software dev company with no internal IT, so it was the dev as IT hell. 

We started with assets inventory while working to implement some minimal perimeter security. Then work all the usual things.. there were no AD, no patch management, no antivirus(except Defender). .. now 7 years later, they are working on getting ISO 27001 and SOC2 (type 1) but Covid slowed them. I worked a lot on the first 2-3 years to start things, they got some real sysadmin, and they still consult me on the direction, but I am not involved into the day to day. 

JDMurray

SteveLavoie said:

One of the worst network was not using any perimeter security (in 2014!)...

The network you described sounds more of a 1994 vintage.

This thread has now reminded me of Marcus Ranum's (2005) article: The Six Dumbest Ideas in Computer Security

UnixGuy

SteveLavoie said:

One of the worst network was not using any perimeter security (in 2014!)... All public server were connected to a switch where the ISP was plugged too.. ...... 

Oh wait for some vendors to try and market as "zero trust" network LOL. Just remove everything and put their product that'll solve everything, join their webinar, get a free t-shirt that doesn't fit and sign up for their mailing list

SteveLavoie

It was an awful network.. but I am proud on their progression. The hardest was to convince the management to remove the task of sysadmin to their head dev.. this way, It paved the way to a more structured IT.  he was ingenious.. but too hacky to the point it was a risk to the enterprise, as only him knew how the network was runned.  By example, he was buying used HPE server, and instead to buy HPE drive, he was buying standard drive. Also instead to buy HDD drive caddy from a third party, he was carving some pencil eraser to stack hard drive in a DL380 server.

SteveLavoie

UnixGuy said:

SteveLavoie said:

One of the worst network was not using any perimeter security (in 2014!)... All public server were connected to a switch where the ISP was plugged too.. ...... 

Oh wait for some vendors to try and market as "zero trust" network LOL. Just remove everything and put their product that'll solve everything, join their webinar, get a free t-shirt that doesn't fit and sign up for their mailing list

Ah "Zero Trust" what a new buzzword   I got into an argument with a sysadmin at a customer because he didnt want the NGFW firewall we were proposing him because his network was "Zero Trust"... His zero  trust strategy was in the ESET Antivirus on the endpoint...

I warned management.. and walked away. Waiting for the disaster horn