What the FBI wants you to know about network security


If you grew up watching US movies and TV, you’ll be familiar with America’s domestic security agency, the Federal Bureau of Investigation.

It recently issued a free report well worth reading, Modern Approaches to Network Access Security.

The report explicitly urges organisations of all sizes to consider a wide range of technology approaches that major security vendors have been pushing, most notably Zero Trust access and Secure Access Service Edge (SASE).

Government cybersecurity bodies from Canada, the US and New Zealand have also endorsed the report.

What Do They Suggest You Do?

Here’s our summary of what they’re suggesting.

Replace Traditional VPNs with a Zero Trust Approach

Implement granular network access that's sceptical of devices/users seeking to connect to the network, stay connected to the network, or access particular hosts or ports.

Consider Implementing Secure Service Edge If You’re Now Using the Cloud More

Use hosted gateways to govern access to on-premises and cloud resources, providing greater visibility over cloud use. A Cloud Access Security Broker (CASB) can mediate, log and authenticate cloud access attempts. Consider centralising control to the cloud, rather than having an array of local on-premises security devices, each with its own independent policy.

Consider Implementing Secure Access Service Edge, If You’re Using the Cloud More Now

This is similar to Secure Service Edge but adds Next Generation Firewall (NGFW) functionality, secure management interfaces and software-defined WAN functions.

Implement a Next Generation Firewall

This lets you ban or throttle traffic from certain applications and classes of application. There’s an Intrusion Prevention System and advanced threat detection powered by a threat signature feed.

Integrate Security and Network Access Control

Implement security vendor offerings that deliver both elements together, rather than treating cybersecurity as a separate layer to be added on top of the network layer.

Implement Risk-Based Access Control Policies

A correct username and password should no longer be sufficient to guarantee network access. Your network access control systems may need to consider additional factors such as geolocation, network trustworthiness, device identity, multi-factor authentication, time of day and other user/device behaviour patterns.

Implement Stricter Network Segmentation

This makes it harder for attackers to traverse from an unauthorised device, compromised device or stolen machine to other devices on the same network.

Don’t Use Purely Software-Based VPNs

These risk a software flaw giving the attacker unrestricted network access. Note, this is not saying that end-users can’t have VPN software clients. It’s saying that the backend part of the VPN solution that has the power to grant broad network access should be implemented on appropriate dedicated hardware such as a firewall or VPN concentrator.

Take Care over Allowing Remote Access to Privileged Accounts

Consider whether allowing remote access to such accounts is strictly necessary. hSo would add that, if such access is necessary, you should consider what additional security restrictions might be appropriate, such as locking down access to specific IP address ranges or VPNs, requiring multi-factor authentication, or requiring that any access come from trusted, employer-managed devices.

Monitor WAN/LAN Activity

Log attempts to log in, whether successful or not. Log attempts to connect to hosts and applications, whether successful or not. Then, monitor those logs. Where suspicious activity is seen, the risk-based policies should be applied, forcing users to reauthenticate mid-session.
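The two recommendations above (risk-based access control and monitoring login logs) fit together: each login is scored against the factors the report lists, and the score decides whether to allow, force reauthentication or deny. The following is an added illustration, not code from the FBI report or from hSo; the log format, trusted ranges, device IDs, weights and thresholds are all assumptions chosen for the demo.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed environment for the demo: trusted office ranges and managed device IDs.
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
MANAGED_DEVICES = {"lt-0142", "lt-0377"}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59

def risk_score(src_ip, device_id, mfa, country, failed_logins, when):
    """Add up the factors the recommendation lists; higher means riskier.
    The weights are assumptions chosen for the demo, not values from the report."""
    score = 0
    if not any(ip_address(src_ip) in net for net in TRUSTED_NETS):
        score += 2  # untrusted network
    if device_id not in MANAGED_DEVICES:
        score += 2  # unknown device identity
    if not mfa:
        score += 3  # password only, no second factor
    if country != "GB":
        score += 2  # unexpected geolocation
    if when.hour not in BUSINESS_HOURS:
        score += 1  # off-hours activity
    score += min(failed_logins, 5)  # repeated failures before this success
    return score

def decision(score):
    """Map the score to allow, forced mid-session reauthentication, or deny."""
    return "allow" if score <= 2 else "reauthenticate" if score <= 6 else "deny"

# Constructed sample log lines: 'timestamp user src_ip device mfa country result'.
LOG = """2024-05-01T09:15:00 alice 10.1.2.3 lt-0142 yes GB ok
2024-05-01T21:05:00 carol 192.0.2.44 lt-0377 yes GB ok
2024-05-01T23:40:00 bob 198.51.100.7 lt-9999 no DE fail
2024-05-01T23:41:00 bob 198.51.100.7 lt-9999 no DE fail
2024-05-01T23:42:00 bob 198.51.100.7 lt-9999 no DE ok"""

def evaluate_log(text):
    """Replay the log per user; return the latest decision for each user."""
    failures, verdicts = {}, {}
    for line in text.splitlines():
        ts, user, ip, dev, mfa, country, result = line.split()
        if result == "fail":
            failures[user] = failures.get(user, 0) + 1
            continue  # failed attempts are logged but open no session
        score = risk_score(ip, dev, mfa == "yes", country,
                           failures.get(user, 0), datetime.fromisoformat(ts))
        verdicts[user] = decision(score)
    return verdicts
```

Replaying the sample log gives alice (office network, managed device, MFA) an allow, carol (home network, off-hours, otherwise clean) a forced reauthentication, and bob (unknown device, no MFA, foreign IP, two failures first) a deny.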

Use Web Filtering and Email Filtering

This reduces the risk of the user’s device being compromised. Filtering can also reduce the likelihood of data being expropriated in contravention of the organisation’s data protection policies.

Use Cloud-Based Firewall-as-a-Service

Consider moving away from the traditional one-firewall-per-site approach to a centralised service that’s easier to manage via a central control panel.

If You Are a Nation State Target, Implement Hardware-Enforced Network Segmentation

Where hacking would pose a credible threat to public safety, national security, and critical functions, hardware-enforced network segmentation may be necessary. This could, for example, use hardware to ensure data (such as the feed from a CCTV camera or monitor) can only flow in one direction.

Implementing the Above Measures Doesn’t Have to be Difficult

Most of the above boils down to a combination of subscribing to cloud-based security services, running licensed security-vendor software, using dedicated networking hardware with security functions, setting security and access control policies, and setting up reports and alerts.

You Don’t Have to Implement Everything

You are free to ignore the FBI’s recommendations.

However, if your organisation is attacked by cybercriminals, the most you’re likely to get from the police is a crime reference number. You’re effectively on your own. If you don’t protect your non-cloud systems, no-one else will.

The recommendations from the FBI and the US, Canadian and New Zealand cybersecurity authorities are notable for endorsing the thrust of major cybersecurity vendors’ longstanding recommendations. They are effectively saying ‘This stuff isn’t overkill. You should be considering it.’

Implementing the bulk of these recommendations is simpler than it sounds. Just work with a partner like ourselves that’s experienced at implementing a major cybersecurity vendor’s offerings. Fortinet, Palo Alto Networks, Cisco, Check Point, HPE Aruba Networks, Juniper Networks and Sophos all have solutions that can tick a lot of the FBI’s boxes.

As an experienced Fortinet partner, hSo can help you beef up your organisation's cybersecurity.

To learn more call 020 7847 4510 or email info@hso.co.uk.
