Ransomware attacks typically begin with phishing, stolen credentials, or exploitation of unpatched vulnerabilities. Once the bad actor is in, they rummage around looking for a path to their prize, a hub of data, to hold hostage. Maintaining good policy hygiene and access control is paramount in preventing and stopping the bad guys before they get to your data.
Remember the Target hack back in 2013? Hackers stole credentials from an HVAC contractor, gained access to the network, pinged around, found the PCI network and injected malware into point-of-sale devices at every Target in America. Overly permissive access to the network made this possible. A clean set of firewall policies and a segmented network would have prevented the bad actor from ever gaining access beyond what the original victim, the HVAC contractor, required.
Access within an organization should be limited to just what is necessary to meet the needs of the business: nothing more, nothing less. This is good policy hygiene. Unnecessary complexity caused by things like duplicate, redundant, and shadowed rules increases the probability of misconfigurations, human error, and risk. Bad actors rely on humans to make these mistakes, which create paths to use as attack vectors, and they are often not disappointed.
Unnecessary complexity is often a byproduct of day-to-day operations. A port is opened for RDP (Remote Desktop Protocol) for troubleshooting but is never closed. Access is granted for temporary communication between devices but is left open as meetings and other priorities fill the day. A rule is created for a resource and not removed once that resource is decommissioned. The scenarios are endless, but the result is the same: rules are created, then forgotten, resulting in policy clutter that grants inadvertent access and opens security gaps for cyber criminals to leverage. When working with thousands of policies across hundreds of devices and platforms, it is nearly impossible to manage these policies properly by hand.
FireMon provides a solution to this problem. By centralizing all of your security policy enforcement data into a single pane, a rule repository, FireMon allows you to manage policies across all of your devices from ground to cloud. It integrates with hundreds of vendors, including Splunk, AWS, Swimlane, and Qualys, to consolidate policy management and visibility. With FireMon, you have one place, instead of five, ten, or fifteen different platforms, in which to investigate a policy, which drastically increases the efficiency of your team. On a first run, FireMon typically finds that 30-50% of rules in active policies are unused, along with pervasive overly permissive access throughout our clients’ networks.
FireMon starts from ground zero: an assessment of what is currently being allowed, expressed as an access control list (ACL), and then detects any deviation from that baseline in the wrong direction. FireMon watches for specific access parameters, routes, or vectors and alerts on abnormalities in real time. Because it consolidates policies from many other technologies and can disable rules on each of them from one dashboard, it raises the total value of the combined security solutions and delivers a larger return on your total security investment.
When changes are made to your policy environment you should immediately ask, “Did I expect this change? Did I analyze the change for impact on security posture, compliance posture, and business operations?” When access is granted, it should be revalidated after a defined period. That revalidation needs to be made through a lens of business justification, asking, “Do we still have a need for that access? Is the business justification for that access still valid? Are we granting only what is necessary to meet the needs of the business?” Typically, the access that is granted is greater than what is necessary, which gives rise to overly permissive rules. It is imperative that these policies are managed to maintain a strong security posture and thwart ransomware attempts.
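The hygiene problems described above (shadowed and duplicate rules, overly permissive access, and access that was never revalidated) can be checked mechanically once a rule base is normalized. The following is an added illustration, not FireMon's code or any vendor's API: it models a first-match-wins firewall rule list with a small dataclass, then reports rules that can never match, exact duplicates, allow rules with too many wildcards, and allow rules whose business justification is missing or whose review date has passed. The rule set, the review dates, the "as of" date, and the two-wildcard threshold are all constructed assumptions for the example.

```python
"""Policy-hygiene checks over a constructed firewall rule set (added example,
not FireMon's code). The rule list is evaluated first-match-wins."""
from dataclasses import dataclass
from datetime import date
from typing import Optional
import ipaddress

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
ANY_PORTS = (0, 65535)
AS_OF = date(2025, 6, 1)          # constructed "today" for the revalidation check


@dataclass(frozen=True)
class Rule:
    rule_id: str
    action: str                   # "allow" or "deny"
    src: str                      # IPv4 CIDR
    dst: str                      # IPv4 CIDR
    proto: str                    # "tcp", "udp" or "any"
    ports: tuple                  # inclusive (low, high) destination port range
    justification: str = ""       # business reason recorded when access was granted
    review_by: Optional[date] = None   # date by which the access must be revalidated

    def match(self):
        return (self.src, self.dst, self.proto, self.ports)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    o_src, o_dst = ipaddress.ip_network(outer.src), ipaddress.ip_network(outer.dst)
    i_src, i_dst = ipaddress.ip_network(inner.src), ipaddress.ip_network(inner.dst)
    return (i_src.subnet_of(o_src) and i_dst.subnet_of(o_dst)
            and outer.proto in ("any", inner.proto)
            and outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1])


def find_shadowed(rules):
    """(rule, shadowing rule) pairs: the rule can never match because an earlier one covers it."""
    found = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                found.append((later.rule_id, earlier.rule_id))
                break
    return found


def find_duplicates(rules):
    """Pairs with identical match criteria and action (redundant copies)."""
    return [(a.rule_id, b.rule_id)
            for i, a in enumerate(rules) for b in rules[i + 1:]
            if a.action == b.action and a.match() == b.match()]


def wildcard_count(rule: Rule) -> int:
    """How many of source, destination and service are unrestricted."""
    src_any = ipaddress.ip_network(rule.src) == ANY_NET
    dst_any = ipaddress.ip_network(rule.dst) == ANY_NET
    svc_any = rule.proto == "any" and rule.ports == ANY_PORTS
    return sum((src_any, dst_any, svc_any))


def find_overly_permissive(rules, threshold=2):
    """Allow rules with at least `threshold` wildcards (threshold is an assumption)."""
    return [r.rule_id for r in rules
            if r.action == "allow" and wildcard_count(r) >= threshold]


def find_revalidation_due(rules, today):
    """Allow rules with no business justification or a review date that has passed."""
    return [r.rule_id for r in rules
            if r.action == "allow"
            and (not r.justification or r.review_by is None or r.review_by < today)]


def hygiene_report(rules, today):
    return {
        "shadowed": find_shadowed(rules),
        "duplicates": find_duplicates(rules),
        "overly_permissive": find_overly_permissive(rules),
        "revalidation_due": find_revalidation_due(rules, today),
    }


# Constructed sample rule base; ids, networks and dates are invented for the example.
SAMPLE_RULES = [
    Rule("R1", "allow", "10.0.0.0/8", "10.20.0.0/16", "tcp", (443, 443),
         "web tier to API gateway", date(2025, 12, 31)),
    Rule("R2", "allow", "10.1.0.0/16", "10.20.5.0/24", "tcp", (443, 443),
         "team request, already covered by R1", date(2025, 12, 31)),
    Rule("R3", "allow", "0.0.0.0/0", "10.30.0.1/32", "tcp", (3389, 3389),
         "RDP for troubleshooting", date(2024, 1, 15)),      # temporary, never closed
    Rule("R4", "allow", "0.0.0.0/0", "0.0.0.0/0", "any", ANY_PORTS),   # no justification
    Rule("R5", "deny", "192.168.0.0/16", "10.0.0.0/8", "any", ANY_PORTS),
    Rule("R6", "allow", "10.0.0.0/8", "10.20.0.0/16", "tcp", (443, 443),
         "web tier to API gateway", date(2025, 12, 31)),     # duplicate of R1
]

if __name__ == "__main__":
    for finding, items in hygiene_report(SAMPLE_RULES, AS_OF).items():
        print(f"{finding}: {items}")
```

The shadow check is the one that most often surprises teams: the deny rule R5 above is unreachable because the any/any allow R4 sits in front of it, so the intended segmentation never takes effect. In practice the "as of" date and the wildcard threshold would come from your revalidation policy, and the rule list from an export of the enforcement point.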