Vector
Vector

Choose your topics

Blogs
How to Prioritize Your Third-Party Risks

How can you prioritize effectively and enhance your organization’s security posture? Here are our top tips for setting up realistic, sustainable processes.

Third-Party Risk Management GRC
Blogs
Top Tips to Save Time When Assessing Third-Party Risks

Is assessing third-party risks taking up too much of your time? How can you make the process more effective and efficient? Find out in the latest post from SureCloud.

Third-Party Risk Management GRC
Blogs
The GRC Trends to Look Out for in 2024

Our GRC experts at SureCloud share their 2024 predictions for the world of governance, risk and compliance.

GRC
Blogs
The Top 5 Challenges of Third-Party Risk Management

With the supply chain now seen as a legitimate attack path, what can your organization do? Let’s explore 5 challenges of TPRM and how to overcome them.

Third-Party Risk Management GRC
Blogs
What is Third-Party Risk Management?

What is third-party risk management and how should you approach it? Find out in this post.

Third-Party Risk Management GRC
Blogs
The Top 4 Challenges of Risk Management

What are the top four challenges of risk management today and how can you overcome them? Find out in this post from SureCloud.

Third-Party Risk Management GRC
Blogs
Transform Compliance into Your Competitive Advantage

In GRC, compliance is often viewed as a cost that makes it harder to pursue growth. Here's how to make it your competitive advantage.

Compliance Management GRC
Blogs
Questions You Should Ask when Preparing For Your First Pen Test

Understand the processes that you and your chosen pentest provider will travel through for your first pen test, from the initial point to the day the test starts.

Penetration Testing
Blogs
TPRM Blog 6-Writing Clear Questions

Our GRC Practice Director explores the importance of clear communication and how to achieve it in your third party questionnaires. Read more here.

Third-Party Risk Management GRC
Vector (7)
Vector-1
Adversary Services, Cyber Security

Network Segmentation Series Part 2: Securing Wide Area Networks Across Remote Workforces

Network Segmentation Series Part 2: Securing Wide Area Networks Across Remote Workforces
Written by

Ellie Owen

Published on

20 Jul 2019

Network Segmentation Series Part 2: Securing Wide Area Networks Across Remote Workforces

 

Risk management and compliance are two of the top concerns for any business reliant on digital systems – which is just about every business in today’s tech-forward world. Network segmentation is one of the broader ways businesses can protect their systems, even when their workforce and offices are spread out.

 

Segmentation is the practice of dividing or separating something into different parts or sections. In the case of IT systems, this typically involves splitting a network into sub-networks, where each one is a separate network segment. Segmented networks can then be isolated from each other, increasing the security of the network. This series of blog posts will describe the different types of segmentation, their benefits, and applicable controls to maximize the security they provide.

 

Segmentation of Wide Area Networks (WAN)

In Network Segmentation Part 1, we discussed protecting the corporate network from external parties. This article will review the controls applicable to a geographically dispersed Wide Area Network (WAN), as used by many larger organizations to connect multiple offices.

 

What are Wide Area Networks used for?

An organization will often use a Wide Area Network (WAN) to join geographically disparate offices and sites, connecting them to the main corporate network using an MPLS network, VPN, or similar method. In many cases, these sites are connected directly to each other, with no security appliances in place to restrict traffic between these sites, relying on physical security controls in each location to protect the network. Due to this, a compromise at one site, whether achieved through an attacker gaining physical access to the local network or through remote compromises, such as a malware infection against a connected device, could enable an attack to target systems in remote sites. This could include compromising remote systems which are affected by unpatched or “zero-day” vulnerabilities.

 

For example, an attacker who has gained access to the corporate network via a remote “satellite” office, potentially in a different country to the main corporate systems, may be able to identify and connect to vulnerable systems or services on other systems elsewhere on the corporate network. These could then be used to gain access to unauthorized information, to create a “back door” into the network to allow them to reconnect in the future, or to “pivot” further onto other vulnerable systems elsewhere on the network.

 

How can Wide Area Network segregation boost security?

A lack of WAN segregation could also allow a malware infection to spread throughout the entire corporate network, rather than being isolated to a small network where it can more easily be contained. There were reports of networks still hosting the Conficker malware, due primarily to insufficient segregation, as recently as June 2016, more than seven years after its initial release. In 2017, Conficker was also found to be related to the delivery of the Wannacry ransomware. The APT1 report from Mandiant demonstrated that attackers might be able to remain inside networks without being detected for over 12 months. While segregation would not prevent this, it would reduce the scope to which an attacker could compromise the network.

 

“Big networks tend to become unmanageable in terms of security unless there is some form of separation between parts of the network. In a country-wide network that is internally completely open, a security incident such as a break-in in one office might require all hosts of the entire network to be reinstalled to ensure that the attacker has not left some Trojan horses somewhere. An increasing number of companies are securing their internal networks additionally by, for example, separating offices with firewalls. This is, in general, a good security practice.”

 

Provision of firewalls or combined router/firewall devices at the edge of office networks should limit the inbound and outbound traffic between remote sites to only authorized sources and destinations and only for the minimum number of authorized services. When this is in place, the connections between sites would be limited to the specific services or systems required by each site and only from specific networks within each site.

 

For example, the end-user network in a remote site may be allowed connection to the Intranet servers located at another location, and Domain Controllers would be allowed to replicate traffic to remote Domain Controllers, but the end-user network would only be able to access the local Domain Controllers. As well as restricting the source and destinations of traffic, the individual services should be restricted to only those necessary. For example, only HTTP ports such as 80 and 443 would typically be required to connect to the aforementioned Intranet server.

 

“Network policy enforcement on the WAN edge can be extended to include the enforcement of different security policy domains through the integration of firewall functionality. A firewall provides additional protection from unauthorized access and stateful application and protocol inspection.”

 

 

Want to know more?

Our cyber risk management experts are your go-to for advice and information about making your WAN more robust. Take a look at our Cyber Risk Management capability, or consider penetration testing as a way to identify weaknesses in your cybersecurity posture.

 

About SureCloud

SureCloud is a provider of cloud-based, Cybersecurity services and Integrated Risk Management and compliance products, which reinvent the way you manage risk.

 

SureCloud also offers a wide range of Cybersecurity testing and assurance services, where we stay with you throughout the entire test life-cycle, from scoping through to vulnerability discovery and remediation. Certified by the National Cyber Security Centre (NCSC) & CREST and delivered using the innovative Pentest-as-a-Service (underpinned by a highly configurable technology platform), SureCloud acts as an extension of your in-house security team and ensures you have everything you need to improve your risk posture.