Throughout 2020, businesses, in general, have had their hands full with IT challenges. They had to rush to accommodate a sudden shift to remote work. Then they had to navigate a rapid adoption of automation technologies.
And as the year came to a close, more businesses began trying to assemble the safety infrastructure required to return to some semblance of normal in 2021.
But at the end of the year, news of a massive breach of IT monitoring software vendor SolarWinds introduced a new complication – the possibility of a wave of secondary data breaches and cyber-attacks. And because SolarWinds' products have a presence in so many business networks, the size of the threat is massive.
So far, though, most of the attention is getting paid to large enterprises like Microsoft and Cisco (and the US Government), who were the primary target of the SolarWinds breach. What nobody's talking about is the rest of the 18,000 or so SolarWinds clients who may have been affected. For them, the clock is ticking to try and assess their risk of attack and to take steps to protect themselves.
And because a number of the affected businesses don't have the resources of the big guys, that's a tall order right now.
So, the best many companies can do to take action right now is to make their networks a bit of a harder target – or at least to minimize their chances of suffering a major breach. Here's how:
Begin with Basic Security Steps
The first thing businesses should do is make certain that their networks are as internally secure as possible. That means reconfiguring network assets to be as isolated as possible.
A good place to start is to make sure that any major business data lakes follow all security best practices and remain operationally separate from one another. Doing so can limit data exfiltration if unauthorized users gain access due to a security breach.
But that's just the beginning. The next step is to segment network hardware into logical security VLANS and erect firewall barriers to prevent communications between them (where possible). Then, review the security settings of each group and make adjustments where necessary. Even hardening VoIP systems are worth doing, as you never know what part of a network will be used as an entry point for a broader attack.
And last but not least, review employee security practices and procedures. This is especially important after the rushed rollout of work-from-home policies. Make it a point to see that every employee is operating according to the established security standards and hasn't picked up any poor operational security habits. For example, did anyone start using a VPN for free, believing they were improving their home network security?
If so, they need to stop and receive training to make better security judgments while they're still working remotely.
Conduct a Limited Security Audit
One of the problems that businesses confront when trying to re-secure after a possible network breach is that there's no easy way to tell what – if anything – the attackers changed after gaining access. To be certain, a lengthy and complex forensic examination is the only real option. But that can take months and can cost a fortune to conduct. For smaller businesses that aren't even certain that a breach even happened to them, though, there's a better approach.
It's to take a limited sample of potentially affected systems and conduct a simple risk-limiting audit. Begin with at least two representative computers or devices from each business unit or department. Then, examine each for signs of an issue.
In general, you would look for:
- Disabled or altered security and antivirus software
- Unusual system log events
- Unexplained outgoing network connections
- Missing security patches or problems with automatic software updates
- Unknown or unapproved software installations
- Altered filesystem permissions
Although an audit of this type won't guarantee nothing's wrong with every device on your network, it will uncover signs of any major penetration that's already taken place. For most small to medium-sized businesses, that should be enough in situations where there's no clear evidence of an active attack in the first place.
Engage in Defensive Measures
After dealing with the network and its users, the next thing to do is deploy some defensive measures to help with ongoing monitoring and attack detection. An excellent place to start is to set up a honeypot within the network to give potential attackers an irresistible target. This not only keeps them busy going after a system that's not mission-critical but also serves as an early warning system to administrators when a real attack does take place.
There are a variety of ways to accomplish this, ranging from pre-built system images all the way up to more sophisticated custom deployments. There are also cloud solutions available for situations where on-premises hardware is either inappropriate or undesirable. What's important is to build a system that monitors for the exact kind of behavior that would indicate a problem within its environment.
A word of caution, though. Although a honeypot is built to be a target, that doesn't mean it should be left completely vulnerable. The idea is to make it an attractive target, not an easy one. And, it's crucial to make sure that it can't be used as a stepping-stone to a bigger attack on actual production systems.
For that reason, it's worth it to engage the services of a trained cybersecurity professional to help make sure the system doesn't turn into a security liability instead of a valuable defensive measure.
Remain Vigilant
After taking the steps above, there's nothing more to do but wait and watch. Unfortunately, there's no better way to maintain a network's security than by remaining ever-vigilant. And in a situation like the one unleashed by the SolarWinds hack, businesses, and IT organizations, in general, are at a significant disadvantage.
That's because they're facing an enemy that may or may not already be within the gates, meaning they can't fall back on typical walled-garden security approaches.
So, as 2021 gets underway, the best thing any business can do is get their security house in order and try to limit the damage if they've already been breached.
It's more than worth the effort in any case because the current threat environment is only going to get worse, not better. And the SolarWinds hack, as serious and wide-ranging as it is, won't be the last major security crisis businesses have to face.
So, it's time to buckle up because the new decade is going to be one heck of a ride, network security-wise – and it will pay to be ready for it.