…And so is their staff.
This is a reprint from last year’s EnergySec 8th Annual Security Summit Program Guide By Don MacVittie, Product Management Engineer – Cloud and SDN at F5 Networks. Registration for this year’s summit is now open – summit2013.energysec.org
Energy companies have more points of entry to the network than most corporations. They also have critical infrastructure that for better or worse is on an IP network. There is no room for risk in that environment, when ne’er-do-wells have made it clear that energy companies may be a target of their malfeasance.
Partners, SCADA systems, AMR systems, and employees need various levels of internal access, while customers need external access. This fact doesn’t change just because evil-doers are out to attack exposed access points.
Technology has provided ways to protect systems from attackers. The following is a short list of underutilized tools that could reduce an organization’s risk profile and improve its security stance.
Point-to-Point tunneling. By putting devices at two endpoints, those devices can create a secured, point-to-point, encrypted tunnel over the Internet. The right devices could offload encryption from over-worked machines, improving performance while enhancing security.
IP access lockdown. There are several ways that IP access can be locked down.
- IP Tunneling: Simply stating that only the other end of the tunnel has access.
- Customers: Using geolocation to determine if they’re in your service area. While this might need to be broader than your service area, it is reasonable to say that customers from NE Wisconsin cannot connect from Bangladesh.
- Employees: Geolocation, device type, and time of day can be utilized to control VPN access. Bob from accounting will not log in from an iPad in New Delhi during a workday.
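The employee rule above can be written as a default-deny policy check that records every failed condition for later analysis. This is an added example, not code from the original article or from F5; the policy fields, the user `bob`, and the sample attempts are constructed, and the country and device class are assumed to be supplied by the VPN gateway.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone

@dataclass(frozen=True)
class VpnPolicy:
    countries: frozenset  # ISO country codes the user may connect from
    devices: frozenset    # device classes allowed on the VPN
    start: time           # earliest allowed login, home-office local time
    end: time             # latest allowed login, home-office local time
    home_tz: timezone     # fixed offset for this example (no DST handling)

@dataclass(frozen=True)
class LoginAttempt:
    user: str
    country: str          # assumed resolved from the source IP by the gateway
    device: str           # assumed reported by the VPN client check
    when_utc: datetime

# Constructed policy table: one hypothetical user in a UTC-6 office.
POLICIES = {
    "bob": VpnPolicy(frozenset({"US"}), frozenset({"corp-laptop"}),
                     time(6, 0), time(20, 0), timezone(timedelta(hours=-6))),
}

def evaluate(attempt, policies=POLICIES):
    """Return (allowed, reasons); every failed check is kept for the log."""
    policy = policies.get(attempt.user)
    if policy is None:
        return False, ["no policy for user (default deny)"]
    reasons = []
    if attempt.country not in policy.countries:
        reasons.append(f"country {attempt.country} not permitted")
    if attempt.device not in policy.devices:
        reasons.append(f"device {attempt.device} not permitted")
    local = attempt.when_utc.astimezone(policy.home_tz).time()
    if not policy.start <= local <= policy.end:
        reasons.append(f"local time {local:%H:%M} outside allowed hours")
    return not reasons, reasons

def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)

# Constructed sample attempts.
ATTEMPTS = [
    LoginAttempt("bob", "US", "corp-laptop", utc(2013, 6, 3, 15, 0)),
    LoginAttempt("bob", "IN", "ipad", utc(2013, 6, 3, 15, 30)),
    LoginAttempt("bob", "US", "corp-laptop", utc(2013, 6, 4, 8, 0)),
]

if __name__ == "__main__":
    for a in ATTEMPTS:
        print(a.user, a.country, a.device, evaluate(a))
```

Returning all failed conditions rather than stopping at the first gives the central log enough detail to separate a travelling employee from a login that fails on country and device at once.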
Web Application Firewall (WAF). Developers mistrust WAFs, and with good reason. The problem is that putting a WAF into place will protect your applications from many attacks, but it does not remove the burden on developers. The application should be as secure as developers can make it; consider a WAF to be a risk mitigation tool. If a developer missed something or a new exploit surfaces, the WAF is there to help. You can’t have too many layers of protection, and a WAF offers centralized management. Design a profile once and deploy it on every application exposed to the public Internet. This has the side benefit of freeing up both developer and information security time by covering at least the most basic cases and only needing to be tested once before applying to many applications.
Post Mortem tools. While the goal is to prevent intrusion, solid analysis of how an attacker or malicious software made it in is also beneficial.
Using geolocation to pinpoint hotspots helps determine where attacks are coming from.
High-speed logging in network equipment can log to a central server for analysis should there be a breach.
And finally, Intrusion Detection Systems fall into the same category as WAF. Why not have an added layer of protection, if it doesn’t interfere with daily operations?
Conclusion: It is a scary world out there. Looking into these technologies is cheap, and they might save you some pain.
About Don MacVittie
Don MacVittie is a Product Management Engineer – Cloud and SDN at F5 Networks. In this role, he is responsible for cloud R&D, labs, and technical documentation as related to F5 BIG-IQ Cloud products and APIs.
Prior to joining F5, MacVittie was a Senior Technology Editor at Network Computing, where he conducted product research and evaluated storage and server systems, as well as development and outsourcing solutions. He previously held management and engineering positions at WPSC and WPSR. He has authored numerous articles on a variety of topics aimed at IT professionals. MacVittie holds a B.S. in Computer Science from Northern Michigan University, and an M.S. in Computer Science from Nova Southeastern University.