The hack that succeeded in stealing 40 million customer credit and debit card details from US retailer Target last Christmas has been pored over in detail by infosecurity experts for the past year. Much attention has focused on the sophisticated BlackPOS malware that infected tills across the organization (a variant of which was also responsible for a similarly audacious hack on another US retailer, Home Depot, revealed in September 2014). Other commentators have thrown the spotlight on the inadequacy of the firm’s IT security management and even on the resilience of compliance standards like PCI-DSS.
It’s easy to point the finger after the event: if only they'd flicked this switch or paid attention to that alert the hack could have been thwarted, we’re told. But in reality, as enterprise networks grow ever more complex – branching out across sprawling supply chains that encompass myriad suppliers and partners – purposeful hackers have ever more possibilities of finding a ‘path of least resistance’ into companies’ systems.
As Infosecurity reported in February, malware infected Target's systems via a third-party provider of refrigeration, air-conditioning and heating systems. It subsequently transpired one of the third-party firm’s staff had fallen victim to a phishing email that stole its access credentials for Target's electronic billing, contract submission and project management systems (to which it had legitimate access). But because Target’s networks had not been adequately segmented, the hackers were able to use this as a launch-pad to infect critical point-of-sale systems.
Risk Unlimited
Many large companies are just as vulnerable to this kind of attack, and the risk isn’t limited to the retail industry. Across many sectors, companies are opening up systems, applications and networks to their supply chain partners as they seek to boost the speed, agility and efficiency of their operations. In some cases firms have hundreds of partners and suppliers that require connectivity to particular systems. New suppliers and partners are being brought on board continually, while relationships with others are being terminated. To add to the complexity, applications are being deployed, decommissioned, updated and changed all the time.
In addition, because many enterprises today have such a large number of network connections in constant flux, spanning many partner organizations, they have woefully inadequate visibility of these connections – for example, their business purpose, which supplier owns them, how they are implemented on the network and how well they conform to security policies.
And although third parties may have a recognized security accreditation or be nominally compliant with particular standards, it is not realistically possible for a larger organization to continually monitor how well these best-practice principles are being followed by an ever-changing group of independent partners.
In fact, there needs to be a far greater focus on secure connectivity management. If hackers manage to find a way into one part of an enterprise’s network, the enterprise needs a way to limit the damage by ensuring the attackers can’t then use that initial foothold to launch a potentially more damaging attack on more sensitive areas of the network.
However, it is notoriously difficult to maintain sufficiently tight network segmentation across a complex supply chain where business requirements are constantly changing. It means continually updating and re-configuring a slew of firewalls and network devices. And, particularly for larger enterprises, it’s a task that’s no longer possible to manage manually without significant risk of errors or omissions.
Securing the Extended Network
So what can firms do to better secure their extended network? They must move away from low-level details of network and security policy configuration, such as routing, ACLs and security rules, to a higher level model that can be understood by the business owners and which can be automatically implemented at the network level.
Rather than trying to translate business connectivity requirements directly to network configurations, firms should apply abstraction layers to simplify the task. They should start by identifying their suppliers and partners and which applications and services each one of them requires in order to conduct their business roles. Then they should define the interactions and connectivity needs between the applications and services.
Combined, these requirements are sufficient to establish an optimal network connectivity configuration – one which permits the connectivity the business needs and disallows any unnecessary connections. Since the requirements are now defined in a human-readable language, they can be owned and maintained by their respective business owners. Translating the business requirements into firewall configurations should be done automatically through Security Policy Orchestration.
Security Policy Orchestration is a breed of software that looks at an organization’s network holistically and ensures segmentation policies and business connectivity are continuously adhered to across the enterprise and its extended supply chain. By continuously monitoring the network configuration and the business connectivity requirements, it can accurately re-configure firewall policies right across the environment whenever a change is needed.
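To make the abstraction concrete, here is a small added example (not Tufin's product or the author's code) that models partners, the applications each one needs and the zones those applications live in, compiles that model into a default-deny ruleset, and then flags any allow rule in a deployed ruleset that no business requirement justifies. The partner names, address ranges and zone names are constructed for illustration; the stale rule letting a vendor range reach the POS zone stands in for the kind of segmentation gap the Target case exposed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str      # source zone, e.g. a partner's address range
    dst: str      # destination zone hosting the application
    port: int     # 0 means "any port" in this toy model
    action: str   # "allow" or "deny"

# Constructed sample model, loosely based on the third-party-access scenario above.
PARTNERS = {
    "hvac-vendor":  {"zone": "203.0.113.0/24",  "apps": ["billing-portal"]},
    "logistics-co": {"zone": "198.51.100.0/24", "apps": ["billing-portal", "project-mgmt"]},
}
APPS = {  # application -> the zone it lives in and the service ports it exposes
    "billing-portal": {"zone": "dmz-billing", "ports": [443]},
    "project-mgmt":   {"zone": "dmz-pm",      "ports": [443]},
    "store-pos":      {"zone": "pos-network", "ports": [443, 5900]},  # no partner needs this
}

def compile_rules(partners=PARTNERS, apps=APPS):
    """Translate partner/application requirements into allow rules plus a final default deny."""
    rules = []
    for partner in partners.values():
        for app in partner["apps"]:
            for port in apps[app]["ports"]:
                rules.append(Rule(partner["zone"], apps[app]["zone"], port, "allow"))
    rules.append(Rule("any", "any", 0, "deny"))
    return rules

def unjustified_allows(deployed, partners=PARTNERS, apps=APPS):
    """Allow rules in a deployed ruleset that no business requirement explains.
    Anything broader than the compiled rules (e.g. src 'any') is flagged too, because an
    exact match against the derived ruleset is required."""
    wanted = set(compile_rules(partners, apps))
    return [r for r in deployed if r.action == "allow" and r not in wanted]

# Constructed "deployed" ruleset: the compiled rules plus one stale rule that lets the
# HVAC vendor's range reach the POS zone, i.e. the kind of segmentation gap to catch.
DEPLOYED = compile_rules()[:-1] + [
    Rule("203.0.113.0/24", "pos-network", 5900, "allow"),
    Rule("any", "any", 0, "deny"),
]

if __name__ == "__main__":
    for r in unjustified_allows(DEPLOYED):
        print(f"REVIEW: {r.src} -> {r.dst}:{r.port} has no business requirement")
```

Re-running the comparison whenever either the business model or the deployed ruleset changes is the continuous-monitoring loop the paragraph above describes; removing a partner from the model immediately makes its rules show up as unjustified.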
As the move to open up enterprise networks to supply chain partners (as well as, increasingly, to a raft of connected devices) accelerates, there will be ever more opportunities for hackers to find a way into organizations’ networks and an ever more pressing need to automate security in this way. Infosec professionals must act now to minimize the risk of serious breaches that could damage both their company’s reputation and bottom line.
About the Author
Reuven Harrison is CTO and co-founder of Tufin. He has more than 20 years of software development experience, holding two key senior developer positions at Check Point Software, as well as other key positions at Capsule Technologies and ECS. He received a Bachelor's degree in Mathematics and Philosophy from Tel Aviv University.