Fresh Thoughts #64: How to Spring Clean Your Network
- Newsletter
Spring is in the air.
As most cybersecurity projects start by tidying an existing environment before making improvements - spring cleaning came to mind.
In this vein - I've written a 2-part series on organising and tidying two key areas: your network and your data.
This week - it's all about your network.
How to Spring Clean Your Network
It's the first week of May. And there's still time for some late-spring cleaning.
But how do you spring-clean something like your network?
Marie Kondo's - "Does this spark joy?" - approach to spring cleaning has gained popularity over recent years.
But network spring cleaning should follow more closely my traditional approach.
Go to Ikea.
Buy more shelves and boxes.
Hide the clutter.
More seriously - there needs to be an organised approach to what devices connect to your network and how.
If I'm honest - most business networks are an evolution... of an evolution of... a plan.
What started as a simple, well-planned network has received numerous new requirements - combined with an obligation to say - Yes.
This situation often leaves businesses with a flat, unsegmented network — or, marginally better, a network split into Guest and Everything-Else.
The Guest Network
The core idea behind separating the guest network is - "I don't trust people I don't know - guests to our business - with access to our business network."
This approach makes perfect sense and is a strong self-defence mechanism.
But there is more to it than this...
In 2018, the UK NHS was severely impacted by the WannaCry ransomware attack. The attack encrypted NHS computers, rendering them unusable, and demanded Bitcoin ransom payments. The incident resulted in disrupted services, cancelled appointments, and diverted ambulances.
One crucial lesson from the incident was the need to segment networks. Wannacry spread rapidly across the NHS network as it could freely exploit shared drives from across the network.
Cyber insurers increasingly ask for proof that systems with different risk profiles are separated. In the event of one area becoming compromised - it's essential to avoid contagion to the rest of the network.
Network Segments
What other risks and devices on your network should you also question?
Again in 2018, hackers exploited an aquarium's thermometer to break into a casino's network. In total, the cybercriminals stole 10 gigabytes of sensitive data.
And as recently as 2021 - 150,000 security cameras from police stations, schools, and companies like Tesla and Equinox were compromised by hackers.
It's clear greater segregation is required.
We need to put network clutter into more boxes.
So what network segments should you have?
Your exact decision will depend on the context of your business needs, but here are a few to think about:
- Guests: Optional but extremely common. Providing internet access to visitors is the polite thing to do.
- Staff: This is the core of your network — the segment where most of your business activity is. The operations/work area.
- Phones: As phones can be sensitive to delay and jitter - it is best to separate them to provide more granular control.
- IoT: This is where you put IoT devices that underpin business initiatives - but you're unsure of their origin: door opening systems, aquarium thermometers, or renewable energy monitoring.
- Cameras: While you can combine cameras with your IOT segment - the data generated often contains more sensitive information. Best to keep it separate.
- IT Management: this is the most sensitive segment of your network. Not just because of the data it stores but also because this is where the management ports are that can remove all of the defensive barriers between different types of risk.
And so in 2023 - what started as a simple, flat network needs to evolve to look more like an Ikea KALLAX shelving unit.
May 2, 20233 Minutes Read
