Network Security Risks And Controls

Failure to perform vendor risk assessment
Risk: Weaknesses on the vendor side (insecure remote support, poor handling of our data, unreliable delivery) go unnoticed; impact on IT projects and interruption of business operations.

Control: Carry out a vendor risk assessment on a regular schedule, review the SLA/NDA with each vendor as part of it, and work with the CARA team where appropriate.

Weak remote access controls
Risk: Intrusion into the network infrastructure through the remote-access path; impact on business operations.

Control: Harden remote access controls: centralize AAA (for example IAS/RADIUS or TACACS+), manage privileges through AD rights management and group policy, and restrict VPN client access to authorized users and devices. Apply inbound/outbound firewall rules to the VPN segment, and include the AAA appliance, the AD group policy privilege management and the VPN client access in the scheduled penetration test.

Unauthorized access to the network infrastructure
Risk: An intruder gains access to network devices and interrupts business operations.

Control: An AAA appliance must be in place so that every device login is authenticated, authorized and logged centrally. Harden the firewall rules, monitor the AAA logs for failed and unusual logins, and review and penetration-test the firewall rules on a schedule.

Insufficient controls on wireless access
Risk: Packet sniffing, IP spoofing, intrusion into the network through the air interface, and impact on business operations.

Control: Encryption must be in place, but not WEP: WEP is broken and its key can be recovered from captured traffic in minutes, so it gives no protection. Use WPA2 with AES/CCMP or WPA3. For corporate SSIDs use WPA2/WPA3-Enterprise (802.1X/EAP against the AAA server) rather than a shared key; a pre-shared key is acceptable only for an isolated guest/hotspot network, and hotspot users must still authenticate (captive portal) and sit on their own VLAN. Hiding the SSID is hygiene, not a control: the name is still sent in cleartext in probe and association frames, so do not rely on it.

Improper backup and test plan for network security devices
Risk: A failed or misconfigured device cannot be restored quickly; business interruption and financial loss.

Control: Document a clear procedure for backing up device configurations and for testing restores, with a fixed schedule. The backup and restore-test jobs must be scheduled, monitored and regularly performed, with maker and checker dual control over changes to the procedure and over restores.

Absence of network sniffing monitoring controls
Risk: Data leakage: private information, user IDs and passwords sent in cleartext are captured by a sniffer on the same segment.

Control: Encrypt traffic in transit: SSH instead of telnet/rlogin for administration, TLS (SSL is obsolete) for web, mail and file transfer, and IPsec VPNs between sites. Deploy automated detection of malicious activity on the network (IDS/IPS). Use Kerberos for authentication so that passwords do not cross the wire, and use one-time passwords for remote and administrative logins so that a captured credential cannot be replayed. Keep the network switched with port security so that a host cannot see other hosts' traffic.
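To make concrete what a sniffer actually recovers from the cleartext protocols above, here is an added example (not code from the original post) that parses a constructed capture: FTP, POP3, telnet and HTTP Basic logins, plus one TLS session that yields nothing. The flows, the credentials and the port-to-replacement table are all constructed for illustration.

```python
"""What a passive sniffer recovers from cleartext protocols on a shared or
mirrored segment.  Added example with a constructed capture; not code from the
original page.  Flows are (protocol, dst port, payload) tuples as a sniffer such
as tcpdump would reassemble them."""
import base64
import re

# Constructed sample "capture": four cleartext logins and one (truncated) TLS ClientHello.
SAMPLE_FLOWS = [
    ("tcp", 21, b"USER alice\r\nPASS s3cret!\r\nSYST\r\n"),
    ("tcp", 110, b"USER bob\r\nPASS hunter2\r\nSTAT\r\n"),
    ("tcp", 80, b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
                + base64.b64encode(b"carol:Winter2024") + b"\r\n\r\n"),
    ("tcp", 23, b"login: dave\r\nPassword: letmein\r\n"),
    ("tcp", 443, bytes.fromhex("160301005a0100005603035d")),   # TLS: no credentials visible
]

# Cleartext protocol -> what to replace it with (assumed mapping for the report).
SECURE_ALTERNATIVE = {21: "SFTP/FTPS", 23: "SSH", 80: "HTTPS (TLS)", 110: "POP3S/IMAPS"}

USER_PASS_RE = re.compile(rb"USER (\S+)\r\nPASS (\S+)\r\n")
BASIC_RE = re.compile(rb"Authorization: Basic ([A-Za-z0-9+/=]+)")
TELNET_RE = re.compile(rb"login: (\S+)\r\nPassword: (\S+)\r\n")

def extract_credentials(flows):
    """Return (port, username, secret, replacement) for every cleartext credential found."""
    found = []
    for _proto, port, payload in flows:
        user = secret = None
        if port in (21, 110) and (m := USER_PASS_RE.search(payload)):
            user, secret = m.group(1), m.group(2)
        elif port == 80 and (m := BASIC_RE.search(payload)):
            # HTTP Basic is only base64, not encryption: "user:password" falls out directly.
            user, _, secret = base64.b64decode(m.group(1)).partition(b":")
        elif port == 23 and (m := TELNET_RE.search(payload)):
            user, secret = m.group(1), m.group(2)
        if user is not None:
            found.append((port, user.decode(), secret.decode(), SECURE_ALTERNATIVE.get(port, "TLS")))
    return found

if __name__ == "__main__":
    for port, user, secret, fix in extract_credentials(SAMPLE_FLOWS):
        print(f"port {port}: {user}:{secret}  -> migrate to {fix}")
```

The TLS flow produces no finding because the handshake and everything after it is opaque to a passive observer; that is the whole point of the control, and a real capture of HTTPS or SSH traffic looks the same.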

Weak firewall rules
Risk: Network intrusion from outside; impact on business operations.

Control: Apply strict firewall rules: deny by default in both directions, permit only the specific sources, destinations and ports that a business need requires, and log what is denied. Terminate encrypted (VPN) traffic at the firewall, and require the AAA appliance for administrative access to the firewall devices themselves (Cisco ASA, Juniper, ...). Penetration-test the rule base and close any loophole found.

Weak network infrastructure design
Risk: The design itself gives an intruder a path (a flat network with no segmentation); a compromised system then has business impact.

Control: Maintain an up-to-date network baseline for both the physical and the logical design, with segmentation and firewall controls between zones. Regularly review and update the baseline (including the upgrade plan) and identify areas that have drifted out of compliance, confirmed by penetration testing.

Poor router configuration
Risk: Network intrusion through the router; impact on business operations.

Control: Accept routes only from authorized peers (branch routers or business partners) and authenticate routing-protocol neighbours. Apply NAT and ACLs to inbound and outbound traffic. Following the P&P, configure the router so that administrative login goes only through AAA. Disable CDP on edge and untrusted interfaces: it advertises the device model, software version and IP addressing, which an intruder uses to plan an attack. The core layer must meet the strictest restrictions.

Poor switch configuration
Risk: A flat network with no segmentation: broadcast storms degrade performance across the whole network, and any host can reach (and sniff) any other.

Control: Create separate VLANs (Department, Staff, Guest, Management, ...) so that bandwidth, access privileges and broadcast domains are controlled per group, and map AD groups to the privileges each VLAN needs. Enable port security on access ports with sticky MAC learning so that only the authorized device can use a port. A MAC address can be spoofed, so use 802.1X where the endpoints support it.

Default console/network passwords not changed
Risk: An intruder or insider logs in with the published default credentials of a network device and gains full control of it and of the operation it supports.

Control: Change or disable every default account and password before the device goes into production, and rotate passwords as the password policy requires. After the device is configured, set strong passwords on the console and use "enable secret" rather than the reversible "enable password"; put the device behind the AAA appliance or a TACACS+ server so that every login is recorded.
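The router, switch and default-password controls above can be checked mechanically against a device's running-config. The following is an added example, not code from the original post: a small auditor for IOS-style configs, run on a constructed weak config and on the hardened version of it. Both configs, the default-password list and the severity labels are assumptions for illustration, and the hash values are placeholders.

```python
"""Audit an IOS-style running-config for the router, switch and default-credential
weaknesses discussed above.  Added example: both configs are constructed, not from
any real device, and the checks encode the controls listed on this page."""
import re

WEAK_CONFIG = """\
hostname branch-sw1
no service password-encryption
enable password cisco
username admin password 0 admin
cdp run
ip http server
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
!
line vty 0 4
 password cisco
 transport input telnet ssh
!
"""

HARDENED_CONFIG = """\
hostname branch-sw1
service password-encryption
aaa new-model
aaa authentication login default group tacacs+ local
enable secret 9 $9$placeholder-hash
username admin secret 9 $9$placeholder-hash
no cdp run
no ip http server
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security mac-address sticky
!
line vty 0 4
 transport input ssh
!
"""

DEFAULT_PASSWORDS = {"cisco", "admin", "password", "default"}   # assumed list

def parse_config(text):
    """Return (global lines, {block header: [indented lines]}) for an IOS config."""
    globals_, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
        elif line[0] in " \t" and current is not None:
            blocks[current].append(line.strip())
        elif line.startswith(("interface ", "line ")):
            current = line
            blocks[current] = []
        else:
            current = None
            globals_.append(line)
    return globals_, blocks

def audit_config(text):
    """Return a list of (severity, finding) tuples; an empty list means nothing found."""
    globals_, blocks = parse_config(text)
    gset, out = set(globals_), []
    if "aaa new-model" not in gset:
        out.append(("high", "AAA not enabled ('aaa new-model'); device logins are not centralised"))
    if any(g.startswith("enable password ") for g in globals_):
        out.append(("high", "'enable password' is reversible; use 'enable secret'"))
    if "no service password-encryption" in gset:
        out.append(("medium", "password encryption disabled"))
    for g in globals_:
        m = re.match(r"username (\S+) password (?:\d )?(\S+)$", g)
        if m and m.group(2).lower() in DEFAULT_PASSWORDS | {m.group(1).lower()}:
            out.append(("high", f"default or username-equal password for local user '{m.group(1)}'"))
    if "cdp run" in gset:
        out.append(("medium", "CDP enabled globally; it discloses model, OS version and addressing"))
    if "ip http server" in gset:
        out.append(("medium", "cleartext HTTP management enabled"))
    for name, body in blocks.items():
        if name.startswith("line vty"):
            if any(b.startswith("transport input") and "telnet" in b for b in body):
                out.append(("high", f"{name}: telnet allowed; use 'transport input ssh'"))
            if any(b.startswith("password ") for b in body):
                out.append(("medium", f"{name}: static line password instead of AAA"))
        elif "switchport mode access" in body and \
                not any(b.startswith("switchport port-security") for b in body):
            out.append(("low", f"{name}: access port without port-security"))
    return out

if __name__ == "__main__":
    for sev, msg in audit_config(WEAK_CONFIG):
        print(f"[{sev}] {msg}")
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```

Run it against exported configs as part of the regular review; a device whose audit output is not empty has drifted from the baseline.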

Weak password rules, or no password policy and awareness
Risk: An intruder guesses or cracks device passwords and takes over the network; business operations stop.

Control: Passwords must be at least 8 characters (longer for administrative accounts), unique per device, and changed on a schedule. Set strong passwords on every network device, especially the security devices and core systems. Train all users on the password policy.

Critical systems and network devices not yet integrated into the centralized log management system
Risk: No record of who logged into which device and when, and no way to show that segregation of duties is being enforced; high risk to network security and to business operations.

Control: Segregation of duties must be in place, with maker and checker cooperating closely. Set up a centralized login server (TACACS+) for authentication and accounting, and forward every device's logs to the central log management system.

Misappropriation of change/configuration
Risk: A critical network system goes down after an unplanned or untested change and interrupts business operations.

Control: Prepare a proper change plan, consulted with the related teams and approved by them (especially the CARA team), with a contingency plan for the case in which the change fails. Schedule the change inside an approved window and have the contingency plan ready to execute.

No IP Security (IPsec) protocol/device
Risk: Data leakage: data in transit is captured by a hacker/intruder; data loss.

Control: Enable IPsec for traffic between sites. It works at the network layer, so it protects any higher-layer TCP/IP protocol without changes to the applications. Configure encryption, authentication and tunnel mode securely, and install IPsec-capable devices at every branch.

No audit trail and documentation
Risk: No record of log events and no documentation of network security management; incidents cannot be investigated.

Control: Build audit-trail and system-log management and make it effective: prioritize what must be logged, establish policies and procedures for log management, create and maintain a secure log management infrastructure (central collection, retention, protection from tampering), and provide proper training to all staff.
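Once device logs land on a central server, the audit-trail and segregation-of-duties controls above become something you can actually test. The following is an added example, not code from the original post: it parses constructed syslog lines in the shape of Cisco IOS SEC_LOGIN and SYS-5-CONFIG_I messages and raises alerts for repeated failed logins, a success following those failures, and configuration changes by anyone other than the assumed change account or outside the assumed change window. The host names, addresses, window and account name are all constructed.

```python
"""Detection over centrally collected device syslog: brute-force logins and
configuration changes outside the approved change process.  Added example; the log
lines are constructed in the shape of Cisco IOS SEC_LOGIN / SYS-5-CONFIG_I messages
and the change window and approved user are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample lines as a central syslog server would store them:
# "<host> <ISO time> %FACILITY-SEVERITY-MNEMONIC: text"
LOG_LINES = [
    "core-rtr1 2024-03-04T10:31:02 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed]",
    "core-rtr1 2024-03-04T10:31:05 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed]",
    "core-rtr1 2024-03-04T10:31:09 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed]",
    "core-rtr1 2024-03-04T10:31:30 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.9] [localport: 22]",
    "core-rtr1 2024-03-04T10:32:10 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (203.0.113.9)",
    "edge-fw1 2024-03-04T10:40:00 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ops1] [Source: 10.10.0.8] [localport: 22] [Reason: Login Authentication Failed]",
    "core-rtr1 2024-03-04T22:15:00 %SYS-5-CONFIG_I: Configured from console by netops-change on vty1 (10.10.0.7)",
]

# Assumed policy: changes only by the dedicated change account, only inside the nightly window.
APPROVED_CHANGE_USERS = {"netops-change"}
CHANGE_WINDOW = (time(22, 0), time(23, 59))

LINE_RE = re.compile(r"^(?P<host>\S+) (?P<ts>\S+) %(?P<msg>[A-Z_]+-\d-[A-Z_]+): (?P<text>.*)$")
LOGIN_RE = re.compile(r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]")
CONFIG_RE = re.compile(r"by (?P<user>\S+)(?: on \S+ \((?P<src>[^)]+)\))?")

def parse_events(lines):
    """Turn raw lines into dicts; lines that do not match the expected shape are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {"host": m["host"], "ts": datetime.fromisoformat(m["ts"]), "msg": m["msg"]}
        sub = (CONFIG_RE if m["msg"] == "SYS-5-CONFIG_I" else LOGIN_RE).search(m["text"])
        ev.update(sub.groupdict() if sub else {})
        events.append(ev)
    return events

def detect(events, fail_threshold=3):
    """Return alerts: brute-force sources, a success after those failures, unapproved changes."""
    alerts, failures = [], defaultdict(int)
    for ev in events:
        key = (ev["host"], ev.get("src"))
        if ev["msg"] == "SEC_LOGIN-4-LOGIN_FAILED":
            failures[key] += 1
            if failures[key] == fail_threshold:          # alert once, when the threshold is hit
                alerts.append({"type": "brute_force", "host": ev["host"], "src": ev["src"]})
        elif ev["msg"] == "SEC_LOGIN-5-LOGIN_SUCCESS" and failures[key] >= fail_threshold:
            alerts.append({"type": "success_after_failures", "host": ev["host"],
                           "src": ev["src"], "user": ev["user"]})
        elif ev["msg"] == "SYS-5-CONFIG_I":
            in_window = CHANGE_WINDOW[0] <= ev["ts"].time() <= CHANGE_WINDOW[1]
            if ev["user"] not in APPROVED_CHANGE_USERS or not in_window:
                alerts.append({"type": "unapproved_change", "host": ev["host"],
                               "user": ev["user"], "src": ev.get("src")})
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_events(LOG_LINES)):
        print(alert)
```

The single failure on edge-fw1 and the in-window change by the change account produce nothing; the three failures from 203.0.113.9 followed by a success and an immediate config change are exactly the sequence a reviewer should see as one incident, which is only possible when all devices log to the same place.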

Poor DMZ implementation
Risk: An outside attack reaches the public-facing servers (web, mail, FTP, VoIP) and, from there, the internal network.

Control: Place the public-facing servers in a DMZ segment separated from both the Internet and the internal network by firewall interfaces. Permit only the required ports from the Internet to the DMZ, permit nothing from the DMZ into the internal network except the specific flows the applications need, and define the authorized access in line with the compliance policy.

Root account used for remote access over the Internet without firewall rules
Risk: An intruder/hacker easily compromises the system.

Control: Firewall rules must be set so that administrative services are not exposed directly to the Internet. Remote administration must go through an authenticated VPN with a token device (two-factor), in line with the security P&P, and the root account itself must not be permitted to log in remotely; administrators log in as themselves and elevate.

Man-in-the-middle attack over a vulnerable system/network
Risk: Denial of service, bypass of IP address-based authentication, compromise of network security.

Control: Use packet filtering, avoid trust relationships based on IP address alone, use spoofing detection software, and use cryptographic network protocols (TLS, SSH, HTTPS, ...) that authenticate the peer.

Man-in-the-middle attack
Risk: The intruder sits between two parties and reads or alters their traffic, compromising network security.

Control: Strengthen communications with conventional cryptographic countermeasures (authenticated, encrypted protocols), and make IT risk awareness mandatory for all users, who must know not to click through certificate warnings or accept unexpected host-key changes.
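"Spoofing detection software" above usually means watching ARP, because ARP cache poisoning is the common way to get into the middle of two hosts on a LAN. The following is an added example, not code from the original post, that applies three checks to a constructed ARP packet stream: a reply that changes a known IP-to-MAC mapping, a reply nobody asked for, and one MAC claiming several IPs. The packet stream and the gateway baseline are constructed assumptions.

```python
"""ARP-spoofing detection as one of the 'spoofing detection' controls mentioned above.
Added example over a constructed ARP packet stream; the baseline (gateway MAC) is an
assumption that a real deployment would take from DHCP snooping or an inventory."""
from collections import defaultdict

REQUEST, REPLY = 1, 2

# Constructed packet stream: (seq, opcode, sender_ip, sender_mac, target_ip).
PACKETS = [
    (1, REQUEST, "192.168.1.50", "00:aa:00:00:00:50", "192.168.1.1"),   # victim asks for gateway
    (2, REPLY,   "192.168.1.1",  "00:aa:00:00:00:01", "192.168.1.50"),  # genuine gateway answer
    (3, REPLY,   "192.168.1.1",  "0c:0c:0c:0c:0c:0c", "192.168.1.50"),  # attacker poisons victim
    (4, REPLY,   "192.168.1.50", "0c:0c:0c:0c:0c:0c", "192.168.1.1"),   # attacker poisons gateway
    (5, REQUEST, "192.168.1.60", "00:aa:00:00:00:60", "192.168.1.70"),
    (6, REPLY,   "192.168.1.70", "00:aa:00:00:00:70", "192.168.1.60"),  # normal exchange
]

BASELINE = {"192.168.1.1": "00:aa:00:00:00:01"}   # assumed known-good gateway mapping

def detect_arp_spoofing(packets, baseline):
    """Return a list of (seq, reason) alerts.

    Three signals, any of which is suspicious on a switched LAN:
    - a reply whose sender MAC differs from the baseline/learned MAC for that IP;
    - a reply nobody asked for (no outstanding request for that IP from the target);
    - one MAC claiming more than one IP (classic gateway-plus-victim poisoning)."""
    learned = dict(baseline)
    pending = set()                      # (requester_ip, requested_ip) awaiting a reply
    ips_by_mac = defaultdict(set)
    alerts = []
    for seq, op, sip, smac, tip in packets:
        if op == REQUEST:
            pending.add((sip, tip))
            continue
        if (tip, sip) in pending:
            pending.discard((tip, sip))
        else:
            alerts.append((seq, f"unsolicited reply for {sip} from {smac}"))
        if sip in learned and learned[sip] != smac:
            alerts.append((seq, f"{sip} changed from {learned[sip]} to {smac}"))
        else:
            learned.setdefault(sip, smac)   # first sighting of an unknown IP is trusted
        ips_by_mac[smac].add(sip)
        if len(ips_by_mac[smac]) > 1:
            alerts.append((seq, f"{smac} claims multiple IPs {sorted(ips_by_mac[smac])}"))
    return alerts

if __name__ == "__main__":
    for seq, reason in detect_arp_spoofing(PACKETS, BASELINE):
        print(f"packet {seq}: {reason}")
```

Note the limitation visible in packet 4: the victim's address was not in the baseline, so its first (poisoned) mapping is learned as genuine and only the multiple-IP check catches it. This is why the control pairs detection with a trusted source of mappings such as DHCP snooping and with port security, rather than relying on learned state alone.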

Lapse in root/super ID handling
Risk: System compromise and data leakage; unauthorized access cannot be mitigated.

Control: Follow the P&P for privileged IDs. Comply strictly with the root/super ID procedure, and review the root/super IDs on all related critical systems and network security devices, taking action where they fall short.

TCP/IP hijacking
Risk: Data leakage: an intruder intercepts the packets and inserts itself into an established conversation between sender and receiver.

Control: Use encrypted, authenticated protocols (IPsec in transport or tunnel mode, TLS, SSH); a hijacked session then yields only ciphertext, and injected packets fail authentication. Require re-authentication during long sessions. Keep operating systems patched so that TCP initial sequence numbers are properly randomized.

No bandwidth management
Risk: Uncontrolled bandwidth use slows performance over the whole corporate network.

Control: Classify traffic by VLAN and manage it through the proxy: create VLANs per access group, define the bandwidth each group may use, and keep monitoring traffic flow.


No physical security tools in the data centre (alarm, smoke, humidity, intrusion, chemical, CCTV, ...)
Risk: Network security devices in the DC are damaged, stolen or tampered with.

Control: Regularly check and review the physical security tools in the DC, working with the office administration team.

Hardware overload and end of life (HW life cycle)
Risk: Network devices hang or fail through overload or age; business operations are interrupted.

Control: Regularly monitor the performance of the network devices (CPU, memory, disk, UPS and others) on a set schedule. Keep spare units for the critical network devices, or a vendor maintenance contract with a defined replacement service level.

No BYOD policy
Risk: Unmanaged personal devices bring malware and unpatched software onto the network.

Control: A BYOD policy must be in place. Raise it to the management team, enforce it, and train all users on IT risk awareness.

No proper SLA/NDA with Internet service providers and supporting vendors
Risk: Loss of connectivity, data leakage, loss of reputation; impact on business operations.

Control: Sign off an SLA/NDA with the ISP and supporting vendors that covers full high availability (HA) of the network infrastructure and maintenance support, and review it on schedule.

 

USB Flash Drives

Risk: The dangers of these innocent-looking portable devices have been known for a long time. USB drives are one of the most common ways a network gets infected from inside the firewall, whether by malware carried in on a drive or by a planted drive an employee picks up and plugs in.

Control: Have clear security policies regarding personal storage devices, including who can use them and where. Restrict which computers can read USB flash drives, and prevent unauthorized access to what is on them by encrypting data as soon as it hits the device.

 

Mobile devices

Risk: Phones, tablets, and unencrypted laptops pose some of the greatest risks to web security. Think about all the VPN connections, cached passwords in web browsers, and emails containing sensitive login information that you – and likely everyone else responsible for managing your web environment – have stored on mobile devices.

Control: Instill clear data management rules for all employees and make mandatory data encryption part of your security policy. This is becoming even more important with employees connecting their personal devices to the corporate network.

 

Misconfigured firewall rule bases

Risk: One of the biggest, most dangerous, assumptions is that everything is well in the firewall because it’s been working fine. Digging into a firewall rule base that has never been analyzed will inevitably turn up serious configuration weaknesses that allow for unauthorized access into the web environment. Sometimes it’s direct access while other times it’s indirect from other network segments including Wi-Fi – parts of the network that may have been long forgotten.

Control: Start with your organization’s security policy; one that reflects the current situation and foreseeable business requirements. After all, your firewall rule base is the technical implementation of this security policy. Review it regularly and keep it relevant. OWASP provides some good guidance on building operational security guides.
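Digging into a rule base can be started mechanically. The following is an added example, not code from the original post or from any firewall vendor: it audits a constructed, vendor-neutral rule base (first match wins, top to bottom) for shadowed rules that can never match, catch-all permits, management ports reachable from any source, and a deny-all that is present but unreachable. The rule numbers, the address ranges and the set of "management ports" are assumptions.

```python
"""Static audit of a firewall rule base for the problems described above: shadowed
(unreachable) rules, over-permissive permits, Internet-reachable management ports and
a missing reachable deny-all.  Added example on a constructed rule base written in a
vendor-neutral form; not code from the original page."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
MGMT_PORTS = frozenset({(22, 22), (23, 23), (3389, 3389)})   # assumed set of admin ports

@dataclass(frozen=True)
class Rule:
    num: int
    action: str                        # "permit" or "deny"
    proto: str                         # "tcp", "udp" or "ip" (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[Tuple[int, int]]   # inclusive destination port range, None = any

def rule(num, action, proto, src, dst, dport=None):
    return Rule(num, action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), dport)

# Constructed sample rule base, evaluated top-down, first match wins.
RULES = [
    rule(10, "permit", "tcp", "0.0.0.0/0", "10.0.0.0/8", (22, 22)),      # SSH to all internal hosts from anywhere
    rule(20, "deny",   "tcp", "203.0.113.0/24", "10.0.0.0/8", (22, 22)), # intended block, never reached
    rule(30, "permit", "ip",  "10.0.0.0/8", "0.0.0.0/0"),                # unrestricted egress
    rule(40, "permit", "ip",  "0.0.0.0/0", "0.0.0.0/0"),                 # "temporary" catch-all permit
    rule(50, "deny",   "ip",  "0.0.0.0/0", "0.0.0.0/0"),                 # deny-all, shadowed by 40
]

def covers(outer, inner):
    """True when every packet matched by `inner` is also matched by `outer`."""
    if outer.proto not in ("ip", inner.proto):
        return False
    if not (inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst)):
        return False
    if outer.dport is None:
        return True
    return (inner.dport is not None
            and outer.dport[0] <= inner.dport[0] and inner.dport[1] <= outer.dport[1])

def audit_rules(rules, internal="10.0.0.0/8"):
    """Return (rule number or None, finding) pairs."""
    internal = ipaddress.ip_network(internal)
    findings, shadowed = [], set()
    for i, r in enumerate(rules):
        for earlier in rules[:i]:                 # any earlier rule that fully covers this one hides it
            if covers(earlier, r):
                shadowed.add(r.num)
                findings.append((r.num, f"unreachable: fully shadowed by rule {earlier.num} ({earlier.action})"))
                break
        if r.action != "permit":
            continue
        if r.proto == "ip" and r.src == ANY and r.dst == ANY:
            findings.append((r.num, "permits all traffic"))
        elif r.src == ANY and r.dst.subnet_of(internal) and (r.dport is None or r.dport in MGMT_PORTS):
            findings.append((r.num, "management or any-port access to internal hosts from any source"))
    last = rules[-1]
    deny_all = rule(0, "deny", "ip", "0.0.0.0/0", "0.0.0.0/0")
    if last.action != "deny" or not covers(last, deny_all) or last.num in shadowed:
        findings.append((None, "no reachable explicit deny-all at the end of the rule base"))
    return findings

if __name__ == "__main__":
    for num, msg in audit_rules(RULES):
        print(f"rule {num}: {msg}" if num else msg)
```

The shadowing check is the one that turns up the "forgotten" problems the text describes: rule 20 looks like a block and rule 50 looks like a deny-all, and both are dead because of what sits above them. Extending `covers` to source ports and to IPv6 is straightforward; the same first-match logic applies.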

 

Missing patches

Risk: All it takes for an attacker, or a rogue insider, is a missing patch on a server that permits an unauthenticated command prompt or other backdoor path into the web environment.

Control: Follow network security best practices by updating your operating system and any other software running on it with the latest security patches. Too many incidents occur because criminal hackers take advantage and exploit un-patched systems.