Avoid making financial headlines
Written by Mike Parsons, CISSP, PCIP, IAM, IEM, HIPAA Certified, Techgardens Senior Security Engineer and Chris Poer, Director of Cloud & Security Services
The Capital One data breach best illustrates the importance of a properly configured firewall. A Gartner study determined that 95% of firewall breaches are due to misconfiguration, not the fault of the actual firewall – and Capital One is not the only company that has been, or will be, affected. It is my experience that most firewalls are configured by a network or security engineer, given a brief test to ensure that good packets go through and there are no obvious problem and then ignored until there is a problem or an update is required. If there is a configuration error, the firewall will be left open to intruders for months or even years. The real issue is that firewalls can be complex to configure and even the best technicians make errors as IT teams are usually understaffed forcing the network/security manager to rush from project to project while constantly being interrupted to deal with other real-time issues.
It is no secret that security breaches can be extraordinarily expensive, especially when involving sensitive personal data. One thing is certain, whatever the initial cost estimate is for a data breach, the final costs will be more, and frequently significantly more due to unknown legal settlements and other hidden costs. Equifax is the best example of the ever-increasing costs of data breaches. Initial estimates of $200 to $300 million were quickly revised to up $600 million. A little over a year later Equifax disclosed a total cost of $1.3 billion.
Unfortunately, there is no simple way to ensure 100% network and data security. At best, the security architect can offer a solution that reduces risk to a manageable level and design an architecture that minimizes damage caused by a breach. To achieve that goal, organizations need a technology team that can bring a disciplined, tested approach to the table. Here are a few firewall-related practices I would have my team employ if my job depended on keeping my company out of the financial and technology headlines.
- Hold formal reviews whenever a firewall was built, updated, or had any changes to its configuration. When I was a hardware develop, we would formally assign two people for each project. The lead engineer was responsible for the design, and a second engineer was assigned to review the accuracy of the lead engineer’s work. Before any hardware was released for manufacture (prototypes or final), there was a formal review led by the two engineers but also including other engineering staff and management. If there was ever a design fault, it was the second engineer that was held primarily responsible for the failure. The same approach should be done for firewall security. You can never have just one person solely responsible for a company’s network and data security.
- Never utilize the person that configured the firewall to be the one to test it. At least once annually, utilize a 3rd party to perform firewall penetration tests for both internal and external facing interfaces. I know this may sound self-serving coming from a security company that provides vulnerability management and penetration testing. However, this work should not be left solely to internal teams due to the high potential of confirmation bias. Not only is third party involvement required by most compliance regulations and accepted audit standards, but third parties bring a fresh perspective and have no built-in assumptions arising from having too much knowledge with an environment. Periodic testing is important as the cyber security landscaping is dynamic, what works one day is not guaranteed to work the next day.
- In many companies there can be a blurring of the lines between network and security engineers. While there is frequently an overlap in expertise between the two, critical network and data security work such as the management of critical firewalls should be assigned only to certified and well-trained security engineers. I know this can create tensions in some IT organizations, but a focused security plan is best implemented by a focused security engineering team.
- Cyber security is a constantly evolving battle as attack vectors change daily. Regular patch maintenance is critical for continued success. Regular (at least quarterly) vulnerability reviews and assessments should be undertaken to ensure that the firewall is current and no known vulnerabilities exist. And just like when creating the firewall, patches should be reviewed and tested by a security engineer that did not perform the upgrade.
- Assume firewall failure. Best practices are not perfect practices so you should plan for failure. Design a layered security plan with multiple protections so that a breach can be contained and mitigated. A fully layered security approach includes detailed record keeping of policies created and subsequent changes made, active and continuous log and event monitoring, data logging, network segmentation, penetration testing, and encryption of all sensitive data both in transit and at rest. How personal data is not 100% encrypted both at rest and in motion in this day and age is truly beyond me.
- Pick the best firewall for the job. There are many options to choose from including web application firewalls, application firewalls, intrusion prevention systems, universal threat management firewalls and next generation firewalls. One size does not fit all. Nor does every firewall have the right mix of capabilities to serve every organization. For this reason, Techgardens supports a range of firewalls enabling us to design the optimal solution for each client. For example, more organizations are looking for SD-WAN to securely link multiple locations and remote workers together. Techgardens supports Forcepoint’s firewall technology because they pioneered Multi-Link capability that accommodates redundant ISP configurations. Similarly, we utilize Forcepoint for organizations that need a solution that spans large, complex organizational requirements that are best managed through a single pane of glass.
- Know your vulnerabilities and review them on a regular basis. There are only so many ways that a network can be penetrated. Know which ones are most likely and represent the greatest potential danger and focus your efforts accordingly. A firewall protecting millions of client records should be on every IT managers watch list and constantly reviewed.
Cyber security is probably the hardest job in today’s corporate environment. Threats come at you from every direction, the technology is complex and constantly changing, and budgets have limitations. However, the risk of expensive and embarrassing data breaches can be minimized with a disciplined and methodical team approach.
Techgardens is a leading systems integrator founded in 2009 and based in NYC. We build customized IT solutions that meet the unique needs of our customers; exceeding their expectations. Techgardens is more than an IT consulting firm. We select the best technology to appropriately match IT solutions that provide efficiency and return on investment.
Techgardens is a leading integrator and authorized reseller of many widely recognized vendor products with over a decade of experience deploying their products. We understand the technology, the products and how they are used today. We will help you design your solution holistically, based on your specific needs taking into consideration your applications, IT requirements, performance requirements and budget.
Our technical team has over 50 years of combined experience working in the financial, healthcare, government, retail and other verticals. We are staffed with CISSPs, Network Engineers and Systems Administrators with offices in New York, Maryland, Pennsylvania and North Carolina.
To learn more about Firewall Best Practices employed by the Techgardens team or to discuss your firewall needs, please contact us at 646-783-4550 or firstname.lastname@example.org
To learn more about Forcepoint’s Next-Gen Firewall, download the brochure.