If you grew up watching US movies and TV, you’ll be familiar with America’s domestic security agency, the Federal Bureau of Investigation.
It recently issued a free report well worth reading, Modern Approaches to Network Access Security.
The report explicitly urges organisations of all sizes to consider a wide range of technology approaches that major security vendors have been pushing, most notably Zero Trust access and Secure Access Service Edge (SASE).
Government cybersecurity bodies from Canada, the US and New Zealand have also endorsed the report.
Here’s our summary of what they’re suggesting.
Implement granular network access that's sceptical of devices/users seeking to connect to the network, stay connected to the network, or access particular hosts or ports.
Use hosted gateways to govern access to on-premises and cloud resources, providing greater visibility over cloud use. A Cloud Access Security Broker (CASB) can mediate, log and authenticate cloud access attempts. Consider centralising control to the cloud, rather than having an array of local on-premises security devices, each with its own independent policy.
This is similar to Secure Service Edge but adds Next Generation Firewall (NGFW) functionality, secure management interfaces and software-defined WAN functions.
This lets you ban or throttle traffic from certain applications and classes of application. There’s an Intrusion Prevention System and advanced threat detection powered by a threat signature feed.
Implement security vendor offerings that deliver both elements together, rather than treating cybersecurity as a separate layer to be added on top of the network layer.
A correct username and password should no longer be sufficient to guarantee network access. Your network access control systems may need to consider additional factors such as geolocation, network trustworthiness, device identity, multi-factor authentication, time of day and other user/device behaviour patterns.
This makes it harder for attackers to traverse from an unauthorised device, compromised device or stolen machine to other devices on the same network.
These risk a software flaw giving the attacker unrestricted network access. Note, this is not saying that end-users can’t have VPN software clients. It’s saying that the backend part of the VPN solution that has the power to grant broad network access should be implemented on appropriate dedicated hardware such as a firewall or VPN concentrator.
Consider whether allowing remote access to such accounts is strictly necessary. hSo would add that if such access is necessary, consider what additional security restrictions might be appropriate such as locking down access to specific IP address ranges or VPNs, requiring multi-factor authentication, or requiring any access be from trusted employer-managed devices.
Log attempts to log in – whether successful or not. Log attempts to connect to hosts and applications – whether successful or not. Then, monitor those logs. Where suspicious activity is seen, the risk-based policies should be applied, forcing users to reauthenticate mid-session.
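The risk-based checks and log monitoring described above, sketched as an added example (not taken from the report or from hSo). The log format, home country, working hours, score weights and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log: time, user, source country, device type, MFA result, outcome
SAMPLE_LOG = """\
2024-07-01T02:14:40 bob GB managed nomfa failure
2024-07-01T02:14:52 bob GB managed nomfa failure
2024-07-01T02:15:03 bob GB managed nomfa failure
2024-07-01T02:15:20 bob RO unmanaged nomfa success
2024-07-01T09:02:11 alice GB managed mfa success
2024-07-01T10:30:00 carol GB unmanaged mfa success
"""

HOME_COUNTRIES = {"GB"}     # assumption: where staff normally connect from
WORK_HOURS = range(7, 20)   # assumption: 07:00 to 19:59
FAILURE_THRESHOLD = 3       # assumption: failures that make a later success suspicious

def parse(line):
    ts, user, country, device, mfa, outcome = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "country": country,
            "managed": device == "managed", "mfa": mfa == "mfa",
            "ok": outcome == "success"}

def risk_score(event, recent_failures):
    """Sum weighted risk signals; a correct password alone earns no trust."""
    signals = [
        (event["country"] not in HOME_COUNTRIES, 3),   # geolocation
        (not event["managed"], 2),                     # device identity
        (not event["mfa"], 2),                         # multi-factor authentication
        (event["ts"].hour not in WORK_HOURS, 1),       # time of day
        (recent_failures >= FAILURE_THRESHOLD, 3),     # behaviour seen in the logs
    ]
    return sum(weight for hit, weight in signals if hit)

def decide(score):
    if score >= 6:
        return "deny"
    return "reauthenticate" if score >= 2 else "allow"

def evaluate(log_text):
    """Count failed attempts per user and score every successful login."""
    failures, decisions = defaultdict(int), []
    for line in log_text.strip().splitlines():
        event = parse(line)
        if not event["ok"]:
            failures[event["user"]] += 1   # failures are recorded, not discarded
            continue
        score = risk_score(event, failures[event["user"]])
        decisions.append((event["user"], decide(score)))
        failures[event["user"]] = 0
    return decisions
```
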
This reduces the risk of the user’s device being compromised. Filtering can also reduce the likelihood of data being exfiltrated in contravention of the organisation’s data protection policies.
Consider moving away from the traditional one-firewall-per-site approach to a centralised service that’s easier to manage via a central control panel.
Where hacking would pose a credible threat to public safety, national security, and critical functions, hardware-enforced network segmentation may be necessary. This could, for example, use hardware to ensure data (such as the feed from a CCTV camera or monitor) can only flow in one direction.
Most of the above boils down to a combination of subscribing to cloud-based security services, running licensed security-vendor software, using dedicated networking hardware with security functions, setting security and access control policies, and setting up reports and alerts.
You are free to ignore the FBI’s recommendations.
However, if your organisation is attacked by cybercriminals, the most you’re likely to get from the police is a crime reference number. You’re effectively on your own. If you don’t protect your non-cloud systems, no-one else will.
The recommendations from the FBI, US, Canadian and New Zealand cybersecurity authorities are notable for endorsing the thrust of major cybersecurity vendors’ longstanding recommendations. They are effectively saying ‘This stuff isn’t overkill. You should be considering it.’
Implementing the bulk of these recommendations is simpler than it sounds. Just work with a partner like ourselves that’s experienced at implementing a major cybersecurity vendor’s offerings. Fortinet, Palo Alto Networks, Cisco, Check Point, HPE Aruba Networks, Juniper Networks and Sophos all have solutions that can tick a lot of the FBI’s boxes.
As an experienced Fortinet partner, hSo can help you beef up your organisation's cybersecurity.
To learn more call 020 7847 4510 or email info@hso.co.uk.