No More Flat NetworksBy Mike Rothman
As I continue working through the nuances of my 2011 research agenda, I’ve been throwing trial balloons at anyone and everyone I can. I posted an initial concept I called Vaults within Vaults and got some decent feedback. At this point, I’ve got a working concept for the philosophies we’ll need to embrace to stand a chance moving forward.
As the Vaults concept describes, we need to segment our networks to provide some roadblocks to prevent unfettered access to our most sensitive information. The importance of this is highlighted in PCI, which means none of this is novel – it’s something you should be doing now.
Stuxnet was a big wake-up call for a lot of folks in security, and not just organizations protecting Siemens control systems. The attack vectors shown really represent where malware is going. Multiple attack paths. Persistence. Lightning fast propagation using a variety of techniques. Multiple zero day attacks. And using traditional operating systems to get presence and then pivoting to attack the real target.
Now that the map has been drawn by some very smart (and very well funded) attackers, we’ll see these same techniques employed en masse by many less sophisticated attackers. So what are the keys to stopping this kind of next generation attack code? OK, the first is prayer. If you believe in a higher power, pray that the bad guys are smitten and turned into pillars of salt or something. Wouldn’t that be cool? But in reality waiting for the gods to strike down your adversaries usually isn’t a winning battlefield strategy. Failing that, you need to make it harder for the attackers to get at your information.
So I liked this article on the Tofino blog. It makes a lot of points we’ve been discussing about for a while within the context of Stuxnet. Flat networks are bad. Segmented networks are good. Discover and classify your sensitive data, define proper security zones to segregate data, and only then design the network architecture to provide adequate segmentation.
I’ll be talking a lot more about these topics in 2011. But in the meantime, start thinking about how and where you can/should be adding more segments to your network architecture.