In Continuum’s 2019 State of SMB Cyber Security report, 64% of small and medium-sized business (SMB) respondents said their organization has suffered a cyberattack.
62% of surveyed SMBs also say they lack the skills in-house to deal with cybersecurity issues. As a result, many pay an MSP to take care of it for them. And you’ve got them covered, right? You’re protecting endpoints with lines of defense like antivirus, spam filtering, managed detection and response, and more.
But there are more entrances into your client networks than just endpoints. There are switches, firewalls, access points, and IoT. And if a hacker happens to breach just one of those devices, then they can get access to your client’s entire network.
So how do you prevent a network breach from happening?
A hacker breaching a network device is a lot like a burglar breaking into a home: They gain access to anything they can unlock and take everything they can get.
No matter if they’re a burglar or a hacker, they're going to leave evidence that they were there. In a home, that looks like rearranged, damaged, or missing items. In a network, that can be a strange device sending traffic to an unusual IP. The challenge is noticing the evidence of an anomaly and acting upon it as quickly as you can.
You can’t identify something different if you don’t know what normal looks like. To spot an anomaly, you need to know your client’s network baseline. There are two baselines you need to have a handle on:
- The physical baseline is all about understanding all of the devices on the network and determining whether or not they should or should not be there.
- The soft assets baseline is about the software and applications being used on the network and what that traffic looks like.
When you establish what’s normal on a network, you can spot anomalies and address them quickly. And then you can limit their impact by reducing an attacker’s dwell time.
How do you get the visibility you need into your clients’ networks to establish those baselines and protect them effectively? It’s as easy as using these five steps from the CIS (Center for Internet Security) Cybersecurity Controls framework.
1) Maintain an up-to-date inventory of all hardware assets.
To know what’s on the network, you need an accurate, up-to-date inventory of all the devices on your client sites—all the way from endpoints to the network layer.
Thankfully, you don’t have to do this manually anymore. Your network management system can give you complete visibility into the devices connected to your client’s network, including details like make and model, serial number, and IP address. They’ll also alert you when there are changes.
With this visibility, you can easily identify changes to your client’s hardware baseline. If it’s something you were expecting, like a new installation of IoT thermostats, it’s fine. If it’s something new, you can map it and find exactly where it is.
2) Constantly analyze for vulnerabilities in the network.
This is all about bugs in your device software and firmware. If a bug goes unnoticed, it creates a huge vulnerability and leaves a device open to manipulation. We only need to look back to the 2016 Cisco ASA firewall fiasco—where a firmware vulnerability could allow an unauthenticated remote attacker to gain full control of an ASA device—for a far-reaching example.
Your network management system should automatically collect the current software and firmware version of every device it discovers, so you can quickly see which version its running. Then, as network device vendors issue vulnerability warnings, you can quickly identify any devices that are at risk and update them to the most recent version.
3) Keep an eye on network ports and protocols.
Start by documenting which devices are connected to which ports on the network. Here, you can make sure that only approved ports and protocols are being used. If something seems suspicious, then you can use a NetFlow tool to take a closer look into the who, what, and where of the network traffic.
4) Harden network devices credentials and configurations.
If your clients’ login credentials and SNMP strings are left unchanged from the device defaults, it’s really easy for hackers to gain access to your client networks. They can just look up the default password for a device’s configuration header and get full access.
That’s how the 2016 Mirai botnet worked—it scanned the internet for open Telnet ports on IoT devices, tried logging in using default passwords, and eventually amassed a botnet army to execute a massive DDoS (distributed denial of service) attack.
So get creative with your device passwords, put in validated credentials, and set up devices with SSH. Your network management system will then encrypt and securely store the passwords, and you’ll be automatically authenticated when you log in to the system.
5) Make sure you can recover network device configurations
When a network breach happens, you need to minimize downtime for your client. Having up-to-date network configurations can help.
Your network management system should automatically back up network configurations and data as changes happen and keep them stored in a version index. So if your client experiences a cyberattack, you’ll be able to reset their system and its devices to the most recent configurations before the attack.
Endpoint protection just isn’t enough anymore. If you’re going to keep your clients’ data secure, you need to protect the entire network, not just part of it. And since you can’t protect what you can’t see, visibility is the answer.
Want to learn more best practices for improving cybersecurity for your business and your clients'? Tune in to our hangout, Hack the Hacker!
By Lily Teplow
By Brian Downey
By Dave LeClair