December 16, 2020 // Tony Howlett // Last Updated: May 28, 2021
When looking to decrease your risk from your vendors and other third parties that access your networks and systems, look first to protecting your network. Outsourcing is a fact of life and you aren’t going to have fewer vendors needing access to your networks to do their job. However, (and unsurprisingly) improperly secured networks are a big contributor to breaches and hacks.
Let’s look into the past: the Target hack was one of the largest of all time and came largely because their HVAC vendor was able to access payment system networks, which were far from its area of authorization. Once that vendor got hacked, it was child’s play for the attackers to cross the VPN and then move “laterally” within the unsegmented network to the credit-card-laden payment systems they desired and plunder over 40,000,000 customer credit cards from them. The rest is widely reported history. In this article, we will review some techniques and technologies to properly segment and protect your networks from vendors and keep them from “targeting” you.
Segmentation is network security 101, and yet many companies still don’t do it or don’t do it well. Switches and routers have long supported VLANs and the protections built on them, but again and again we see hacks on networks that were not segmented properly.
First, start with the basics. Networks used by outsiders, like guest and visitor WiFi, should be tightly segmented. Onsite contractors or visiting vendors can often cause havoc on your network if their machines are infected with malware and it spreads throughout your network. Put these freewheelers on their own segment, ideally separated physically from your internal LAN. It’s not just viruses and malware you are trying to protect yourself from but also illicit activities, such as downloading torrents of copyrighted material, not-safe-for-work content, or other activity that can get you in legal hot water. Even better, spring for the extra $100 a month or so and put them on their own internet connection; that way, any bandwidth-related chicanery won’t affect your network’s performance.
After that, you should segment by server and data sensitivity. Databases and file or domain servers should sit on their own highly protected segments. Accounting and HR servers are likely to contain sensitive and regulated data, and should be protected as such. There is no reason for someone, like a phone technician, to have access to those segments. Then, look at segmenting by function; development should be segmented from production to prevent incompetent or malicious dev contractors from affecting your operations.
If your network has highly sensitive or regulated data, the systems that store it should be on their own highly secured segments. For vendors, you can set up specific VLANs for their activity, either generally or by the vendor. This can get labor intensive though, and if you have more than a few dozen vendors, you’ll want to look to a network abstraction technology such as Vendor Privileged Access Management (VPAM) where connections are never made directly to a network by users.
There are also technologies and frameworks such as Zero Trust that establish rights and access based on each session. These can protect your internal users as well as vendors, and they have become very useful in the age of large work-from-home user populations, such as we have had during the pandemic. However, these frameworks often take a complete overhaul of your network infrastructure and are not to be undertaken lightly.
Finally, if your network has systems that involve public safety, healthcare, or classified data, you should consider avoiding broader network access completely. One way to do this is “air gapping,” which isolates the device or network through physical separation of network segments. This was the norm for industrial and classified networks for years, but over time the need for remote monitoring, maintenance, and interaction with other systems such as reporting or accounting has brought the internet to our most sensitive networks and systems.
A move back towards air gapping may make sense in some cases, especially where safety is concerned. However, even air gapping isn’t a silver bullet against exploitation. This was proved in dramatic fashion when centrifuge-destroying malware was introduced into an air-gapped nuclear facility in Iran by a USB drive carried in by an unknowing, or possibly complicit, technician. This resulted in thousands of centrifuges being damaged and their nuclear program being set back by years. Network protections such as 24/7 monitoring, IDS/IPS systems, and threat detection services that look at outbound connections from your network to known bad actor sites should also be deployed for these most sensitive systems.
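To make the two ideas above concrete, the segmentation policy from the earlier sections (guest, vendor and sensitive segments with an explicit allow-list between them) and the monitoring point made here (watching for cross-segment and known-bad outbound connections), the following Python script is an added example; it is not code from the original article or from any vendor product. It models a default-deny segment policy and audits flow records against it, flagging the kind of vendor-VPN-to-payment lateral movement the Target story describes. The segment names, CIDRs, allowed ports, the known-bad address and the flow log lines are all constructed for illustration.

```python
"""Audit flow records against a default-deny network segmentation policy.

Added example: segment layout, allow-list, known-bad host and sample flows
are all hypothetical and constructed for this illustration.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Segment name -> CIDR. Constructed addressing; adjust to your own VLAN plan.
SEGMENTS: Dict[str, ipaddress.IPv4Network] = {
    name: ipaddress.ip_network(cidr)
    for name, cidr in {
        "guest_wifi": "10.10.0.0/16",
        "corp_lan": "10.20.0.0/16",
        "vendor_vpn": "10.30.0.0/16",
        "hvac_ot": "10.40.0.0/24",
        "payment": "10.50.0.0/24",
        "hr_finance": "10.60.0.0/24",
        "dev": "10.70.0.0/16",
    }.items()
}

# Explicit allow-list of (source segment, destination segment, TCP port).
# Anything not listed here is denied: the HVAC vendor reaches only its OT gear.
ALLOWED_FLOWS = {
    ("corp_lan", "hr_finance", 443),
    ("vendor_vpn", "hvac_ot", 443),
    ("corp_lan", "dev", 22),
}

# Sensitive segments that must never talk to the internet directly.
NO_EGRESS = {"payment", "hr_finance", "hvac_ot"}

# Constructed "known bad actor" list; 203.0.113.0/24 is documentation space.
KNOWN_BAD = {ipaddress.ip_address("203.0.113.9")}

# Minimal flow-record format (constructed): "... src=A dst=B dport=N".
FLOW_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def segment_of(ip: str) -> Optional[str]:
    """Return the segment an address belongs to, or None for external hosts."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def classify_flow(src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Return ("allow" | "deny" | "alert", reason) for one flow under the policy."""
    src_seg, dst_seg = segment_of(src), segment_of(dst)
    if ipaddress.ip_address(dst) in KNOWN_BAD:
        return "alert", f"{src_seg or src} -> known-bad host {dst}"
    if dst_seg is None:  # destination is outside all of our segments
        if src_seg in NO_EGRESS:
            return "deny", f"{src_seg} has no direct internet egress"
        return "allow", f"{src_seg or src} -> internet"
    if src_seg is None:
        return "deny", f"inbound from unknown source {src} to {dst_seg}"
    if src_seg == dst_seg:
        return "allow", f"intra-segment traffic within {src_seg}"
    if (src_seg, dst_seg, dport) in ALLOWED_FLOWS:
        return "allow", f"{src_seg} -> {dst_seg}:{dport} is on the allow-list"
    return "deny", f"{src_seg} -> {dst_seg}:{dport} is not on the allow-list"


def audit(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (verdict, record, reason) for every flow that is not allowed."""
    findings = []
    for line in lines:
        m = FLOW_RE.search(line)
        if not m:
            continue  # ignore lines that are not flow records
        verdict, reason = classify_flow(m["src"], m["dst"], int(m["dport"]))
        if verdict != "allow":
            findings.append((verdict, line.strip(), reason))
    return findings


# Constructed sample flow records, one per line.
SAMPLE_FLOWS = [
    "2020-12-16T10:01:00Z src=10.30.0.15 dst=10.40.0.7 dport=443",    # vendor -> HVAC: ok
    "2020-12-16T10:02:13Z src=10.30.0.15 dst=10.50.0.7 dport=1433",   # vendor -> payment DB
    "2020-12-16T10:03:40Z src=10.10.4.2 dst=10.20.1.9 dport=445",     # guest -> corp SMB
    "2020-12-16T10:04:02Z src=10.50.0.7 dst=203.0.113.9 dport=443",   # payment -> known bad
    "2020-12-16T10:05:30Z src=10.20.1.9 dst=10.60.0.3 dport=443",     # corp -> HR web: ok
    "2020-12-16T10:06:11Z src=10.60.0.3 dst=198.51.100.20 dport=80",  # HR -> internet
]

if __name__ == "__main__":
    for verdict, record, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict.upper():5} {record}  [{reason}]")
```

The policy is deliberately an allow-list: a new vendor gets a new tuple in `ALLOWED_FLOWS`, and any connection nobody explicitly approved, including a vendor VPN host reaching for a payment database, is a finding. Running the same `classify_flow` logic over real NetFlow or firewall logs (with your own segment map) is the cheapest way to check that the VLAN design on paper matches the traffic actually crossing your network.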
You may want to use all these methods in your plan to secure your networks from exploration by malicious software and its creators, because if you can keep hackers off your internal networks, it will go a long way toward keeping them away from your data and systems. To learn more about how to protect your network from vendors, third parties, and contractors, make sure to download our interactive checklist, which can help you identify vulnerabilities and get control of them before it’s too late.