Securing the Network Boundary

Understanding your organisation’s network boundary is essential to being vigilant and maintaining a high level of security. The internet boundary at home or in a single-site business can be straightforward. Still, as companies grow in size and complexity, it is easy to lose control by not understanding the boundary infrastructure, how it is maintained, and who is responsible for its maintenance. This blog is not a comprehensive guide to boundary security but covers essential aspects that, if implemented, will provide an improved level of protection and reduced exposure to risk. Where firewall management is outsourced, it also acts as a check against third-party suppliers.

Firewall Inventory

Maintaining an inventory of firewalls is an essential starting point for understanding the boundary and how it interacts with the outside world.

  • Do you have an inventory of all firewalls?
  • Does the inventory include the physical locations of each firewall?
  • Who are the manufacturers, and what are the models of each firewall?
  • What are the internal and external network addresses of each firewall?
  • Who is responsible for maintaining the accuracy of the inventory?

If you don’t know where all your firewalls are, then it follows that you will not be able to guarantee that strong passwords are applied, that firmware is up to date, or that firewall rules accurately reflect the requirements of the business. The inventory should also include other information covered in subsequent sections below.

Firewall Passwords

Strong passwords and secure storage of passwords are essential to controlling access to firewalls and preventing unauthorised configuration changes.

  • Have all manufacturer default passwords been replaced with strong passwords?
  • Are you able to verify that strong passwords apply to all firewalls in the inventory?
  • How frequently are firewall passwords changed?
  • What password vault do you have in place to store firewall passwords?
  • Do all persons with knowledge of firewall passwords or access to the password vault have a legitimate business requirement to do so?

Firmware

Firmware is the software installed directly in the hardware. Hardware manufacturers often release new versions of the firmware during the usable life of the equipment.

  • What is the latest version of firmware for each firewall’s make and model?
  • What is the current version of firmware for each of the firewalls in the inventory?
  • Are you able to verify that each of the firewalls in your business has the latest firmware version?
  • When was firmware last updated on each of the firewalls in the inventory?
  • Who is responsible for checking firmware releases and performing updates?

New versions of firmware are often released specifically to mitigate security risks. Without a process to check for and install firmware updates, known vulnerabilities remain open to exploitation.
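The inventory and firmware questions above reduce to a check that can be run against an inventory record. The following is an added example, not code from the original post: the inventory, vendor names, models, addresses and version numbers are constructed placeholders, and the `LATEST_FIRMWARE` table stands in for whatever source the person responsible for firmware uses to track vendor releases. It reports missing inventory fields, firewalls running a version older than the latest known for their make and model, and firewalls whose last recorded update is older than a year.

```python
"""Check a firewall inventory for missing fields and out-of-date firmware."""
from datetime import date
import re

# Constructed sample inventory; names, vendors, models, addresses and versions
# are placeholders, not real devices.
INVENTORY = [
    {"name": "fw-hq-edge-1", "vendor": "VendorA", "model": "X100",
     "location": "HQ, rack 3", "external_ip": "203.0.113.10",
     "internal_ip": "10.1.0.1", "firmware": "7.2.4",
     "firmware_updated": "2023-11-02", "owner": "netops"},
    {"name": "fw-branch-2", "vendor": "VendorA", "model": "X100",
     "location": "Branch office", "external_ip": "198.51.100.7",
     "internal_ip": "10.2.0.1", "firmware": "7.0.9",
     "firmware_updated": "2022-05-14", "owner": "netops"},
    {"name": "fw-dc-1", "vendor": "VendorB", "model": "Z9",
     "location": "", "external_ip": "192.0.2.5",
     "internal_ip": "10.3.0.1", "firmware": "12.1",
     "firmware_updated": "", "owner": ""},
]

# Latest vendor-published firmware per make/model (constructed values; in
# practice this table is kept current from the vendors' release notices).
LATEST_FIRMWARE = {("VendorA", "X100"): "7.2.4", ("VendorB", "Z9"): "12.3"}

# Every field the inventory questions ask for.
REQUIRED_FIELDS = ("name", "vendor", "model", "location", "external_ip",
                   "internal_ip", "firmware", "firmware_updated", "owner")

AS_OF = date(2024, 1, 15)  # fixed "today" so the output is reproducible


def parse_version(version):
    """Turn '7.2.4' into (7, 2, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def check_inventory(inventory, latest, as_of=AS_OF, max_update_age_days=365):
    """Return (firewall name, issue code, detail) for every problem found."""
    findings = []
    for fw in inventory:
        name = fw.get("name", "<unnamed>")
        missing = [f for f in REQUIRED_FIELDS if not fw.get(f)]
        if missing:
            findings.append((name, "missing_fields", ", ".join(missing)))

        key = (fw.get("vendor"), fw.get("model"))
        if key not in latest:
            findings.append((name, "unknown_model", f"no latest-firmware entry for {key}"))
        elif fw.get("firmware") and parse_version(fw["firmware"]) < parse_version(latest[key]):
            findings.append((name, "outdated_firmware",
                             f"running {fw['firmware']}, latest is {latest[key]}"))

        if fw.get("firmware_updated"):
            age = (as_of - date.fromisoformat(fw["firmware_updated"])).days
            if age > max_update_age_days:
                findings.append((name, "stale_update", f"last firmware update {age} days ago"))
    return findings


def run_checks():
    """Run the checks over the constructed inventory."""
    return check_inventory(INVENTORY, LATEST_FIRMWARE)


if __name__ == "__main__":
    for name, code, detail in run_checks():
        print(f"{name}: {code}: {detail}")
```

Versions are compared as tuples of integers because a plain string comparison would rank "7.10.0" below "7.2.4". The date threshold is deliberately separate from the version check: a firewall can be on the latest release and still have no record of who updated it or when, which is itself a gap in the inventory.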

Firewall Rules

Firewall rules need documentation for each of the firewalls in the inventory. Rule documentation should include:

  • What is the business purpose of the rule?
  • Does the rule control inbound or outbound traffic?
  • What IP addresses and Network Ports are ‘allowed’ or ‘denied’?
  • Who approved and who created the firewall rule?

Firewall rules change over time as business requirements change, and unauthorised changes can also creep in. Documentation and an ongoing review process ensure that the configured rules continue to reflect business requirements.

  • When was each firewall in the inventory last checked to ensure that all firewall rules fulfil a genuine business purpose?
  • How frequently are firewall rules checked?
  • Who is responsible for checking firewall rules?
  • Are firewall rules disabled or deleted when they no longer have a legitimate business purpose?

Firewall Management

Having effective processes in place to manage firewall configuration will reduce the risk of unauthorised changes.

  • Can the firewalls in the inventory be administered from outside the network?
  • Which Network Port is used to administer the firewalls from outside the network?
  • Is this different from the manufacturer’s default Network Port?
  • Are time restrictions applied to control the administration of firewall changes from outside the network?
  • When accessing the firewall to manage the configuration, is the connection made using HTTP or HTTPS?
  • Does your business use a ‘change management’ process to request, approve, and implement firewall configuration changes?
  • Who is responsible for approving firewall configuration changes?
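The rule-review and management questions from the two sections above can be applied mechanically to documented rules. This is an added example, not code from the original post: the rule records and management settings are constructed, and their field names are this example's own rather than any vendor's export format. It flags rules with no business purpose or approver, inbound allows that are open to any source on any port, rules not reviewed within the review interval, disabled rules that are still present, and management interfaces that are reachable from outside over plain HTTP, on the vendor default port, or without a time window.

```python
"""Review firewall rule documentation and management settings."""
from datetime import date

# Constructed rule documentation for one firewall; the field names are this
# example's own, not a vendor export format.
RULES = [
    {"id": 1, "purpose": "Public web server", "direction": "inbound", "action": "allow",
     "src": "any", "dst": "203.0.113.20", "ports": "443",
     "approved_by": "j.smith", "created_by": "netops", "last_reviewed": "2023-12-01"},
    {"id": 2, "purpose": "", "direction": "inbound", "action": "allow",
     "src": "any", "dst": "any", "ports": "any",
     "approved_by": "", "created_by": "unknown", "last_reviewed": "2021-03-15"},
    {"id": 3, "purpose": "FTP upload for a project that has since closed",
     "direction": "inbound", "action": "allow",
     "src": "198.51.100.0/24", "dst": "203.0.113.21", "ports": "21",
     "approved_by": "a.jones", "created_by": "netops", "last_reviewed": "2023-12-01",
     "disabled": True},
]

# Constructed management settings for the same firewall.
MANAGEMENT = {"admin_from_wan": True, "admin_port": 443, "vendor_default_port": 443,
              "admin_protocol": "http", "admin_time_window": None}

AS_OF = date(2024, 1, 15)  # fixed review date so the output is reproducible


def review_rules(rules, as_of=AS_OF, max_review_age_days=180):
    """Return (rule id, issue code, detail) for each rule that fails a check."""
    findings = []
    for rule in rules:
        rid = rule["id"]
        if rule.get("disabled"):
            # A disabled rule carries no exposure but should be deleted once its
            # purpose has gone, so it is reported rather than silently skipped.
            findings.append((rid, "disabled", "disabled rule still present; confirm it can be deleted"))
            continue
        if not rule.get("purpose"):
            findings.append((rid, "no_purpose", "no documented business purpose"))
        if not rule.get("approved_by"):
            findings.append((rid, "no_approver", "no recorded approver"))
        if (rule["action"] == "allow" and rule["direction"] == "inbound"
                and rule["src"] == "any" and rule["ports"] == "any"):
            findings.append((rid, "permissive_inbound", "allows any source to any port"))
        age = (as_of - date.fromisoformat(rule["last_reviewed"])).days
        if age > max_review_age_days:
            findings.append((rid, "stale_review", f"last reviewed {age} days ago"))
    return findings


def review_management(settings):
    """Return issue codes for the management-access questions."""
    issues = []
    if settings["admin_protocol"].lower() != "https":
        issues.append("plain_http_admin")
    if settings["admin_from_wan"]:
        if settings["admin_port"] == settings["vendor_default_port"]:
            issues.append("default_admin_port")
        if not settings.get("admin_time_window"):
            issues.append("no_admin_time_window")
    return issues


if __name__ == "__main__":
    for rid, code, detail in review_rules(RULES):
        print(f"rule {rid}: {code}: {detail}")
    print("management:", review_management(MANAGEMENT))
```

Rule 1 passes every check even though its source is "any": a public web server on a single port is a documented, approved and recently reviewed purpose, which is exactly the distinction the review questions are meant to draw. The management checks only matter for the port and time window when external administration is enabled, but plain HTTP is reported regardless, since credentials and configuration travel over that connection wherever it originates.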

Could DLP have prevented BoE Bookend disclosure?

The Bank of England accidentally sent a journalist at The Guardian information about a research project to identify the financial risk of the United Kingdom leaving the European Union. Could an effective Data Loss Prevention (DLP) strategy have stopped this breach?

DLP is about ensuring users do not send confidential or classified information outside the corporate network. It is driven by threats from inside businesses and by legal duties to protect personal data. The key questions asked are:

  • Where is the data located?
  • Who has access to the data?
  • How is the data being used?
  • How can we prevent it from being lost or stolen?

Nobody has suggested that someone intentionally leaked Project Bookend details to the media, nor that the breach was in any way malevolent. However, with the right policies and systems, accidental and malicious data losses are preventable.

An effective DLP solution would include:

  • Monitoring specific files or project directories identified as confidential
  • Network and endpoint monitoring to track access, data transfer or writing files to USB devices
  • Detection of uploads to social media sites or to file storage services such as Dropbox
  • Profiling of specific data types such as bank account numbers, National Insurance numbers, insurance policy numbers, postcodes or credit card numbers
  • Network and endpoint monitoring to track transfers of files containing profiled data structures, covering cases where someone adds confidential data to other files that would not usually attract attention
  • Integration with email services and other network protocols to intercept and block the transmission of data where attachments contain content that matches the defined profile of confidential data

An attempt to send the files externally would trigger interception of the email and prevent it from being transmitted; essentially, the entire email along with any attachments would be quarantined for further investigation by an information security analyst.
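The data profiling and email interception described above come down to a content scan that runs before a message leaves. The following is an added example, not code from the original post or from any DLP product: it profiles four of the data types listed (National Insurance numbers, bank sort code and account number pairs, payment card numbers validated with the Luhn checksum, and UK postcodes), scans a constructed message, and returns a quarantine or allow decision. The sample messages and every number in them are made up; the National Insurance prefix rules follow the published format, while the quarantine policy (a postcode on its own is not enough) is this example's own choice.

```python
"""Scan outbound message text for profiled confidential data and decide whether to quarantine."""
import re

# Detection patterns for the profiled data types. The UK National Insurance
# number format (permitted prefix letters, excluded prefixes, final A-D) is
# the published format; everything else here is this example's own logic.
NI_RE = re.compile(r"\b[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z] ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b")
NI_EXCLUDED_PREFIXES = {"BG", "GB", "NK", "KN", "TN", "NT", "ZZ"}
BANK_RE = re.compile(r"\b\d{2}-\d{2}-\d{2} \d{8}\b")        # sort code + account number
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")           # 13-19 digits, optional separators
POSTCODE_RE = re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}\b")


def luhn_ok(number):
    """Luhn checksum: rejects typos and random digit runs that merely look like a card."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ni_ok(raw):
    """Reject prefixes that are never issued."""
    return raw[:2].upper() not in NI_EXCLUDED_PREFIXES


# Order matters: each detector masks what it matched so that, for example,
# the digits of a bank account are not re-tested as a card number.
DETECTORS = [
    ("ni_number", NI_RE, ni_ok, lambda s: s.replace(" ", "").upper()),
    ("bank_account", BANK_RE, lambda s: True, lambda s: s),
    ("card_number", CARD_RE, luhn_ok, lambda s: re.sub(r"[ -]", "", s)),
    ("postcode", POSTCODE_RE, lambda s: True, lambda s: s),
]
QUARANTINE_ON = {"ni_number", "bank_account", "card_number"}  # a postcode alone is not enough


def scan_message(text):
    """Return the matches per category and an allow/quarantine decision."""
    matches = {}
    work = text
    for name, pattern, validate, normalise in DETECTORS:
        matches[name] = [normalise(m.group(0)) for m in pattern.finditer(work)
                         if validate(m.group(0))]
        # Blank out everything this pattern touched before the next detector runs.
        work = pattern.sub(lambda m: " " * len(m.group(0)), work)
    decision = "quarantine" if any(matches[c] for c in QUARANTINE_ON) else "allow"
    return {"decision": decision, "matches": matches}


# Constructed sample messages; every number in them is made up.
SAMPLE_EMAIL = (
    "Hi, attaching the project notes. Contact ref AB 12 34 56 C.\n"
    "Payment card 4111 1111 1111 1111 (test); 4111 1111 1111 1112 is a typo.\n"
    "Account 12-34-56 12345678, office SW1A 2AA."
)
CLEAN_EMAIL = "Meeting moved to 10:30 in room 4, see you there."

if __name__ == "__main__":
    print(scan_message(SAMPLE_EMAIL))
    print(scan_message(CLEAN_EMAIL))
```

The Luhn check is what keeps a scanner like this usable: without it, any run of sixteen digits (order numbers, timestamps, hashes) would quarantine mail and analysts would stop reading the alerts. The same scan applied to decoded attachments, rather than only the message body, is what the integration with email services in the list above refers to.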