Securing Your Network on a Budget

  Securing your network on a budget is a challenge most organizations face. Questions come to mind such as:

    • Are we investing enough in information security?
    • Are we over investing in information security?
    • What are other companies like ours investing?
    • What are our competitors doing for information security?

    In a lot of cases I find that nothing gets done to create a formal information security program because there’s no understanding of how information security should be implemented.

    This usually ends with the old-school approach to information security, where the IT department implements whatever security it can with its limited technology budget.

    The Best Security No Money Can Buy

    It should be a crime to spend more on coffee and donuts than information security.

    I worked in an organization for 10 years that literally spent more on coffee and donuts than information security. The security in place consisted of open source solutions for the firewall and email server, with no intrusion prevention or detection capability.

    Endpoint security was always a struggle since they were always chasing a better price. That led to migrating the endpoint solution to a new vendor almost annually.

    The interesting part is that apart from the occasional malware incident, there was never a breach. We had the best security no money could buy, and it worked. That worked back then and we were extremely lucky. This approach isn’t sustainable today.

    During that time smaller businesses weren’t a high value target. Threat actors were going after retail chains, ATMs, and larger corporations. Attackers have shifted over the years to attacking smaller, obscure businesses hoping to get a six-figure ransomware payout.

    Securing your network doesn’t need to be a dumpster fire like the one I was working in. Back then there weren’t many open source tools for information security. Today there are numerous robust tools that can help you better secure your network. That’s what I’m going to cover in this blog post.

    Creating an Information Security Program

    Formalize your information security program.

    One of the first steps to improving security is to create a formal information security program. This should be a company-wide policy with executive-level endorsement stating that the organization understands the importance of information security. This overarching policy should also convey that security is a priority by creating an information security director, a team, and an appropriate budget.

    The director can be someone from within the IT department, or you can hire a part-time or virtual director known as a Virtual Chief Information Security Officer (Virtual CISO). Having someone responsible for driving the security program ensures you stay on track and make progress with the maturity of the program.

    The next part is determining how many people should be allocated to the information security program. This should be given careful consideration and requires an understanding of where you are today.

    If your organization is hosting its own servers and infrastructure, now is the time to consider what can be moved to the cloud and what the associated cost savings would be.

    For example, email. No small organization should be hosting its own email today. The overhead of having email in house includes:

    • Server administration of operating system updates, upgrades, and maintenance.
    • Rack space, bandwidth, and electricity
    • Anti-malware, anti-phishing, and anti-spam services.
    • Uptime and availability SLAs

    Moving email to the cloud could result in substantial cost savings. The two most popular services are Office 365 and Google’s G Suite. The average cost per user is under $20.00.

    With that strategy in mind, we can move to a better approach for identifying key parts of the information security program using risk assessments.

    Risk Assessments for Securing your Network

    Risk assessments are an important part of an information security program.

    Risk assessments help identify the bad things that could go wrong before they happen. A basic risk assessment looks at the following:

    • What is the threat?
    • What is the impact?
    • What is the likelihood?

    You shouldn’t perform a risk assessment in a silo. Performing a risk assessment requires input from other areas of the organization, specifically from those responsible for those areas.

    Identifying threats may include downtime, service degradation, lack of staff, natural disasters, threat actors, lack of budget, and other factors that can adversely affect a process, system, or business operations on some level.

    The impact is what happens when the threat is realized. There could be financial impacts, political impacts, legal impacts, or even loss of life depending on the nature of the threat.

    Determining the likelihood is the most difficult part of the risk assessment process. It requires research into the perceived threat and a degree of estimation. For the most part the risk assessment is a qualitative approach to identifying risk. As your organization matures you may move to a quantitative approach in some areas, with actual dollar amounts and specific factors.

    On a basic level the qualitative approach identifies each one of these factors using terms like “high, medium, and low”, or using a number scale of “1-5, or 1-10”.

    As an example, a risk assessment for a cloud computing service in a fictional organization might look like this:

    Cloud security risk assessment

    Risk Management and Securing Your Network

    Network security risk management.

    With an understanding of the risks, impact, and likelihood, the next step is to identify the actions to mitigate the risk. This is one of the most important parts of developing your information security program.

    In this part of the process you are going to determine what controls should be put in place to offset the risk. These controls might include transferring the risk with insurance, administrative controls such as policies and procedures, or technical controls.

    Insurance is a business decision and should be left to the executives to act on, but policies, procedures, and technical controls can be driven by the information security director or CISO.

    Keep in mind that policies and procedures are the least expensive way to mitigate risk and can be more effective than technical controls in some cases.
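    The qualitative scoring described above (a 1-5 scale for likelihood and impact, the high/medium/low terms, and the choice of a transfer, administrative, or technical control for each risk) carried through as a small risk register. This is an added example, not part of the original post: the cloud service, the threats, the scores, the controls, and the risk appetite threshold are constructed illustration data, and scoring risk as likelihood times impact with 15 and 6 as the high/medium cut-offs is an assumption made here to demonstrate the method, not a scale the post prescribes.

```python
"""Qualitative risk register for a fictional organization's cloud service.

Added example, not from the original post. All threats, scores, controls
and costs are constructed illustration data; the 1-5 scale, the
likelihood x impact score and the appetite threshold are assumptions
chosen to demonstrate the method and should be calibrated per organization.
"""
from dataclasses import dataclass
from typing import List, Optional

SCALE = range(1, 6)  # 1 = lowest, 5 = highest


@dataclass
class Control:
    name: str
    kind: str              # "transfer", "administrative" or "technical"
    likelihood_after: int  # residual likelihood with the control in place
    impact_after: int      # residual impact with the control in place
    annual_cost: int       # constructed rough annual cost in dollars


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int
    impact: int
    owner: str             # business area that supplied the input
    control: Optional[Control] = None

    def __post_init__(self) -> None:
        for value in (self.likelihood, self.impact):
            if value not in SCALE:
                raise ValueError(f"{value} is outside the 1-5 scale")

    @property
    def inherent(self) -> int:
        """Score before any control: likelihood x impact (assumed scoring)."""
        return self.likelihood * self.impact

    @property
    def residual(self) -> int:
        """Score once the selected control is in place."""
        if self.control is None:
            return self.inherent
        return self.control.likelihood_after * self.control.impact_after


def rating(score: int) -> str:
    """Map a 1-25 score onto the high/medium/low terms (assumed cut-offs)."""
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest inherent risk first, so the largest reduction is tackled first."""
    return sorted(register, key=lambda r: r.inherent, reverse=True)


def above_appetite(register: List[Risk], appetite: int) -> List[Risk]:
    """Risks whose residual score still exceeds the accepted threshold."""
    return [r for r in register if r.residual > appetite]


def build_register() -> List[Risk]:
    """Constructed register for a fictional cloud email service."""
    svc = "cloud email service"
    return [
        Risk(svc, "credential compromise via phishing", 4, 4, "IT",
             Control("MFA for all mailbox users", "technical", 2, 4, 0)),
        Risk(svc, "provider outage (downtime)", 3, 3, "Operations",
             Control("business interruption insurance", "transfer", 3, 2, 4000)),
        Risk(svc, "no staff trained to administer tenant", 3, 2, "IT",
             Control("documented admin procedures", "administrative", 2, 2, 0)),
        Risk(svc, "natural disaster at head office", 1, 4, "Facilities"),
    ]


if __name__ == "__main__":
    register = build_register()
    for risk in prioritize(register):
        ctrl = risk.control.name if risk.control else "(none yet)"
        print(f"{risk.threat:40} inherent={risk.inherent:2} ({rating(risk.inherent)})"
              f" residual={risk.residual:2} ({rating(risk.residual)}) control={ctrl}")
    for risk in above_appetite(register, appetite=6):
        print(f"still above appetite: {risk.threat} -> owner {risk.owner}")
```

    Run as a script it lists the register highest inherent risk first and then flags anything whose residual score is still above the appetite of 6; in the constructed data only the phishing risk remains above it, which is the signal to add a second control (for example the security awareness training policy listed below) rather than accept it. The `annual_cost` field is there so the least expensive control that brings a risk under appetite can be chosen first, in line with the point that policies and procedures are often the cheapest mitigation.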

    Securing Your Network With Policy and Procedures

    As you develop the appropriate policies and procedures for your network security, keep the following in mind as you build your security program:

    • You should include input from other areas of the organization and steering committees are a good approach for this.
    • Your policies and procedures should address any contractual, legal, and compliance obligations you are subject to.
    • Policies and procedures should be kept in a centralized location that is easy to access for everyone in the organization.
    • Treat this as a Governance, Risk, and Compliance program so that it conveys the importance to the organization as a whole.

    The baseline policies for securing your network and systems should include, but are not limited to:

    • Acceptable use policies for email, internet, cloud, laptops, mobile devices, and remote access
    • Security awareness training
    • Passwords
    • Access Control
    • Data Classification
    • Risk Management
    • Incident Response
    • Business Continuity and Disaster Recovery
    • Change Control
    • Physical Security
    • Security Audits and Penetration Tests
    • Logging, Monitoring, and Alerting
    • Encryption
    • Data and hardware disposal
    • Patching, updates, and vulnerability management

    Since no two organizations are the same, the policies, procedures, and the content of both won’t be the same either. This is just a base level to think about as a starting point for your policy and procedure library.

    The goal here is to reduce risk with the least amount of investment. Policies and procedures are one of the best ways to start laying the foundation for that approach.

    Securing Your Network With Technical Controls

    Network Security Technical Controls.

    Your risk assessment process will identify technical controls that you should employ to secure your network. This is when it starts to get expensive. Sorting out the number of vendor solutions, the right fit for your organization, and the training to actually use the solution easily exceeds six figures in most situations.

    Cost of ownership is another factor to consider with technical controls. There are internal administration costs, support and maintenance costs with the vendor, and annual renewals, which in some cases I’ve seen as high as 25%.

    I’m going to take a look at some free or relatively low cost technical controls that you can implement with a conservative budget. There will still be the administration costs to consider, but keep in mind that in some cases you can outsource that to a managed security service provider.

    Firewalls:

    • pfSense: This is an open source firewall solution that has gained a lot of traction over the years.
    • Firewalla: Firewalla has some easy to manage, low cost firewall solutions. These are worth taking a look at in a small organization.
    • IPFire: Another open source firewall distribution, built on Netfilter, that has been gaining traction.
    • OPNsense: This is a fork of pfSense and is worth taking a look at.

    Intrusion Prevention and Detection

    • RITA (Real Intelligence Threat Analytics): RITA detects beaconing and DNS tunneling, and cross-references blacklists. Check out the other solutions Active Countermeasures offers as well.
    • Security Onion: Free and open source platform for threat hunting, network security monitoring, and log management. Security Onion includes best-of-breed open source tools such as Suricata, Zeek, Wazuh, the Elastic Stack, among many others.
    • Zeek: Zeek (formerly Bro) is the world’s leading platform for network security monitoring. It’s Flexible, open source, and powered by network defenders.
    • Suricata: Suricata inspects the network traffic using a powerful and extensive rules and signature language, and has powerful Lua scripting support for detection of complex threats.

    Incident Response and Forensics

    • Kansa: A PowerShell-based incident response framework.
    • SANS Investigative Forensics Toolkit (SIFT) Workstation: The SIFT Workstation is a group of free open-source incident response and forensic tools designed to perform detailed digital forensic examinations in a variety of settings.
    • GRR Rapid Response: GRR Rapid Response is an incident response framework focused on remote live forensics.
    • The Hive Project: A scalable, open source and free Security Incident Response Platform.
    • Autopsy: Open source forensics platform.
    • CAINE: CAINE (Computer Aided INvestigative Environment) is an Italian GNU/Linux live distribution created as a Digital Forensics project.

    Vulnerability Management

    • Nessus Essentials: As part of the Nessus family, Nessus Essentials is a free vulnerability assessment solution for up to 16 IPs that provides an entry point into the Tenable ecosystem.
    • OpenVAS: OpenVAS is a full-featured vulnerability scanner.

    Securing Your Network with Penetration Testing

    • SANS Slingshot: Slingshot is an Ubuntu-based Linux distribution with the MATE Desktop Environment built for use in the SANS penetration testing curriculum and beyond.
    • Kali Linux: Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing.
    • Burp Suite: Web application penetration testing framework.
    • Zed Attack Proxy: A web application scanner and vulnerability testing application.

    Security Control and Program Frameworks

    • NIST CSF: NIST is the National Institute of Standards and Technology at the U.S. Department of Commerce. The NIST Cybersecurity Framework helps businesses of all sizes better understand, manage, and reduce their cybersecurity risk and protect their networks and data.
    • CIS Controls: The CIS Critical Security Controls are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks.

    Security Conferences and Training

    • DEFCON: DEFCON is one of the world’s largest and most notable hacker conventions, held annually in Las Vegas, Nevada.
    • BSides: Free infosec conferences held in many cities around the world.
    • SANS Summits: SANS made its virtual summits free for the community in 2021.
    • Wild West Hackin’ Fest: One of the best conferences for the money. WWHF is currently running virtual, but is worth the trip to Deadwood, South Dakota to attend in person.
    • SANS Reading Room: This isn’t a conference, but has an abundance of information and guidance on how to better secure your organization.

    Network Security Posture

    Network Security Posture.

    Your network security depends on the posture you assume and the foundation you build on. Defending networks takes a consistent approach, diligence, and constant awareness.

    I covered a lot of resources in this post and you might not know where to start. If you are just getting started with your information security program, I recommend starting with a risk assessment. After the risk assessments are completed, take those actions that reduce the most risk first.

    Once the residual risk meets your desired risk appetite, you should then start optimizing your security program to mature it with the organization as it grows.

    If you are in the unfortunate situation of already experiencing a breach, check out the blog post I wrote for SANS about Rekt Casino. Rekt Casino is a fictional casino that suffered a ransomware incident as part of a breach.

    I cover how to build an information security program in a post-breach scenario in that post. Recovering at that point requires quite a bit of analysis and investment, as opposed to creating a solid information security program at the start.