Pub. 6 2016-2017 Issue 1
Over a Century: Building Better Banks - Helping Coloradans Realize Dreams

Feature Article

Splitting Up the Herd: A Case for Network Segregation

Ty Purcell, Security and Compliance Consultant, CoNetrix

"Network segregation defines what can communicate on the network and how that communication can occur."

If one took a geographic look at many internal networks, they might see something that reminded them of the Great Plains: flat, open, and unregulated. They would find a terrain that allows someone to get from one place to another by traveling in a straight line. Those terms are fine when applied to the Great Plains; however, the time has come to fence in and segregate internal networks.

Segregation or Segmentation?

Many networks already have some form of segmentation in place. Network segmentation could take the form of different subnets for each location, floor, a specific switch, or a group of ports. Technologies like virtual local area networks (VLANs) can also help achieve segmentation. Network segregation goes a step further by restricting access to devices and services offered on each network segment, and within network segments, to only those devices that have been explicitly allowed. Network segregation defines what can communicate on the network and how that communication can occur. Technologies used to implement network segregation can include router, switch, and VLAN access control lists, as well as network, virtual, and host-based firewalls.

Why Segregate?

Network compromises often originate from within a network. Attackers do not find much success by "hacking through the firewall." It is much easier to get access by tricking an internal user into clicking a link or attachment in a phishing email or website. The attacker then has gained a foothold on the internal network and will pivot mercilessly from machine to machine, seeking the opportunity to elevate their level of privilege until control of the network is obtained.

An Important Principle

Many businesses, large and small, have an inherent trust in their employees. Duties within some business functions such as human resources or accounting may be separated so that no one employee has too much access. However, while operational job functions may have been addressed, the need to separate duties and restrict access to information, systems, and services is often not extended to the network level. The principle of least privilege must be applied. This principle gives an employee or system only the access needed to perform their job.
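The distinction the article draws between segmentation (subnets exist) and segregation (only explicitly allowed flows pass, inside and between subnets) can be made concrete with a small policy model. The following is an added illustration written for this page, not code from the article or from CoNetrix; the segment names, address ranges, rules and sample hosts are all constructed. It evaluates flows first-match against an allow list with an implicit deny, and compares the set of hosts a single compromised workstation could reach over SMB (TCP 445) under a flat "anything talks to anything" policy versus a segregated one.

```python
"""Toy model of network segmentation versus network segregation.

Segmentation: the network is carved into subnets (VLANs).
Segregation : traffic between and within those subnets passes only when an
              explicit allow rule exists; everything else is denied.
All segments, rules and sample hosts below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed segments (assumed names and ranges, not from the article).
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/24"),
    "servers":      ipaddress.ip_network("10.20.0.0/24"),
    "branch":       ipaddress.ip_network("10.30.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str            # segment name, or "*" for any segment
    dst: str
    proto: str          # "tcp", "udp", or "*"
    port: Optional[int] # None matches any destination port
    action: str         # "allow" or "deny"


# Segmentation only: subnets exist, but every flow is permitted.
FLAT_POLICY = [Rule("*", "*", "*", None, "allow")]

# Segregation: an explicit allow list. Anything not listed, including
# workstation-to-workstation traffic inside one segment, is denied.
SEGREGATED_POLICY = [
    Rule("workstations", "servers", "tcp", 443, "allow"),  # web apps
    Rule("workstations", "servers", "tcp", 445, "allow"),  # file shares
    Rule("branch",       "servers", "tcp", 443, "allow"),
]

# Constructed sample hosts: two workstations, one server, one branch device.
SAMPLE_HOSTS = ["10.10.0.5", "10.10.0.9", "10.20.0.10", "10.30.0.7"]


def segment_of(ip: str) -> Optional[str]:
    """Return the segment an address belongs to, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, proto: str, port: int,
             policy: List[Rule]) -> str:
    """First-match rule evaluation with an implicit final deny."""
    src_seg, dst_seg = segment_of(src_ip), segment_of(dst_ip)
    if src_seg is None or dst_seg is None:
        return "deny"  # hosts outside any known segment are never trusted
    for r in policy:
        if (r.src in ("*", src_seg) and r.dst in ("*", dst_seg)
                and r.proto in ("*", proto)
                and (r.port is None or r.port == port)):
            return r.action
    return "deny"


def lateral_surface(src_ip: str, targets: List[str], proto: str, port: int,
                    policy: List[Rule]) -> List[str]:
    """Hosts a single compromised source could reach on proto/port.

    This is the defender's blast-radius view: the shorter this list, the
    less room an intruder with one foothold has to pivot.
    """
    return [t for t in targets
            if t != src_ip and evaluate(src_ip, t, proto, port, policy) == "allow"]


if __name__ == "__main__":
    foothold = "10.10.0.5"  # a workstation that fell to a phishing email
    for label, policy in (("flat", FLAT_POLICY), ("segregated", SEGREGATED_POLICY)):
        reach = lateral_surface(foothold, SAMPLE_HOSTS, "tcp", 445, policy)
        print(f"{label:>10}: {foothold} can reach {reach} on tcp/445")
```

Running the block shows the flat policy exposing every other host to the foothold, while the segregated policy leaves only the one server the workstation legitimately needs; the second workstation and the branch device are unreachable even though they sit in "known" subnets. Turning the allow list into real router, switch, or firewall ACLs is the implementation step the article points to.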