used with permission from FTC.gov
by Thomas B. Pahl, Acting Director, FTC Bureau of Consumer Protection
Who’s coming in and what’s going out? Businesses that want to stick with security build commonsense monitoring into their brick-and-mortar operations. Whether it’s a key card reader at the door or a burglar alarm activated at night, careful companies keep an eye on entrances and exits.
Your computer systems deserve the same kind of watchful attention, which is why Start with Security advises you to segment your network and monitor who’s trying to get in and out. Based on FTC cases, closed investigations, and questions posed by businesses, here are examples illustrating the benefits of segmenting your network and monitoring the size and frequency of data transfers.
Segment Your Network.
Network technology gives companies the option to link every computer, laptop, smartphone, and other device together on the same network. Of course, there may be legitimate business reasons why you need some of your data transfers to be seamless. But is there sensitive information on your network that deserves special treatment?
Segmenting your network — for example, having separate areas on your network protected by firewalls configured to reject unnecessary traffic — can reduce the harm if a breach happens. Think of it like water-tight compartments on a ship. Even if one portion sustains damage, water won’t flood another part of the vessel. By segmenting your network, you may be able to minimize the harm of a “leak” by isolating it to a limited part of your system.
Example: A company must maintain records that include confidential client information. By using a firewall to separate the part of its network that contains its corporate website data from the portion that houses confidential client information, the company has segmented its network in a way that could reduce the risk to sensitive data.
Example: A regional retail chain permits unrestricted data connections across its stores — for example, allowing a computer from the store in Tampa to access employee information from the Savannah store. Hackers detect a security lapse in one in-store network and exploit the “open sesame” aspect of the company’s system to gain access to sensitive data on the corporate network. The retail chain could have reduced the impact of the initial security lapse by segmenting the network so that a weakness at one location doesn’t put the entire corporate network at risk.
Example: A large consulting firm segments its network into a sensitive and non-sensitive side. However, the credentials to the sensitive side are accessible from the non-sensitive side. Thus, the firm undermined its efforts at segmentation by making it easier for data thieves to access confidential information.
Monitor Activity on Your Network.
Another key component of network security is monitoring access, uploads, and downloads and responding quickly if something seems amiss. Businesses don’t need to start from scratch. A number of tools are available to warn you about attempts to access your network without authorization and to spot malicious software someone is trying to install on your network. Those same tools can alert you if quantities of data are being transferred out of your system — exfiltrated — in a suspicious way.
Example: A company installs an intrusion detection system to monitor entry onto its network, but it fails to monitor outgoing connections. As a result, large amounts of sensitive files are transferred to an unknown foreign IP address. The company could have detected the unauthorized transfer if it had configured its system to flag exfiltration of large amounts of data and routinely monitored any flags.
Example: An up-to-no-good employee decides to steal sensitive customer information. The company has tools in place to detect when confidential data is accessed outside of a normal pattern and to alert the IT staff when large amounts of data are accessed or transferred in an unexpected fashion. Those steps make it easier for the company to catch the data thief in the act — and to protect customers in the process.
Example: A company sets its intrusion detection system to flag exfiltrations of over 1GB of data to foreign IP addresses. The system flags hundreds of false positives per day. Concluding that the false positives are too disruptive, the company simply turns off the alerts. The better practice would be for the company to do further testing and calibration to address the problem of false positives, rather than completely turning off the system.
Example: A company properly configures an intrusion detection tool to alert IT staff of anomalous patterns of activity on its network. During the setup process, the company instructs the tool to send alerts to a designated company email address. The IT professional assigned to monitor that address goes on extended medical leave, and the email address is not monitored during his absence. By failing to ensure prompt monitoring of the alerts, the company has increased the risk that a breach will go undetected for a long period of time.
The lesson for businesses is to make life harder for hackers. Segment your network so that a data “oops” doesn’t necessarily turn into a major “uh-oh.” Use readily accessible tools to monitor who’s entering your system and what’s leaving.