
8/9/2017: Protecting network infrastructure

The Department of Homeland Security National Cybersecurity Communications and Integration Center (NCCIC) and the Coast Guard released this blog post to address threats to network infrastructure devices. It is the result of analytic efforts between the NCCIC and the Coast Guard to provide best practices for securing devices. Although the post is not written specifically for a maritime audience, Maritime Commons is sharing this information as a courtesy to assist our readers charged with risk management decisions in the maritime cyber domain.

Submitted by the Dept. of Homeland Security National Cybersecurity Communications and Integration Center (NCCIC) and the Office of Port & Facility Compliance (CG-FAC)

The advancing capabilities of organized hacker groups and cyber adversaries create an increasing global threat to information systems. The rising threat levels place more demands on security personnel and network administrators to protect information systems. Protecting the network infrastructure is critical to preserve the confidentiality, integrity, and availability of communication and services across an enterprise.

Network infrastructure consists of interconnected devices designed to transport communications needed for data, applications, services, and multi-media. Routers and firewalls are the focus of this alert; however, many other devices exist in the network, such as switches, load-balancers, intrusion detection systems, etc. Perimeter devices, such as firewalls and intrusion detection systems, have been the traditional technologies used to secure the network, but as threats change, so must security strategies. Organizations can no longer rely on perimeter devices to protect the network from cyber intrusions; organizations must also be able to contain the impact/losses within the internal network and infrastructure.

For several years now, vulnerable network devices have been the attack vector of choice and one of the most effective techniques for sophisticated hackers and advanced threat actors. In this environment, there has never been a greater need to improve network infrastructure security. Unlike hosts that receive significant administrative security attention and for which security tools such as anti-malware exist, network devices are often working in the background with little oversight—until network connectivity is broken or diminished.

If the network infrastructure is compromised, malicious hackers or adversaries can gain full control of the network infrastructure, enabling further compromise of other types of devices and data, and allowing traffic to be redirected, changed, or denied. Possibilities of manipulation include denial-of-service, data theft, or unauthorized changes to the data.

Intruders with infrastructure privilege and access can impede productivity and severely hinder re-establishing network connectivity. Even if other compromised devices are detected, tracking back to a compromised infrastructure device is often difficult.

Malicious actors with persistent access to network devices can re-attack and move laterally after they have been ejected from previously exploited hosts.

Following is a summary of six prevention measures to help system users and administrators provide a more secure and efficient network infrastructure.

1. Segregate networks and functions.
On a poorly segmented network, intruders are able to extend their impact to control critical devices or gain access to sensitive data and intellectual property. Security architects must consider the overall infrastructure layout, segmentation, and segregation. Segregation separates network segments based on role and functionality. A securely segregated network can contain malicious occurrences, reducing the impact from intruders, in the event that they have gained a foothold somewhere inside the network.

2. Limit unnecessary lateral communications.
Allowing unfiltered peer-to-peer communications, including workstation-to-workstation, creates serious vulnerabilities and can allow a network intruder’s access to spread easily to multiple systems. Once an intruder establishes access within the network, unfiltered lateral communications allow the intruder to create backdoors throughout the network.

3. Harden network devices.
A fundamental way to enhance network infrastructure security is to safeguard networking devices with secure configurations. Government agencies, organizations, and vendors supply a wide range of resources to administrators on how to harden network devices. These resources include benchmarks and best practices. These recommendations should be implemented in conjunction with laws, regulations, site security policies, standards, and industry best practices.

4. Secure access to infrastructure devices.
Administrative privileges can be granted to allow users access to resources that are not widely available. Limiting administrative privileges for infrastructure devices is crucial to security because intruders can exploit administrative privileges that are improperly authorized, granted widely, or not closely audited. Organizations can mitigate unauthorized infrastructure access by implementing secure access policies and procedures.

5. Perform Out-of-Band network management.
Out-of-Band (OoB) management uses alternate communication paths to remotely manage network infrastructure devices. OoB management provides security monitoring and can implement corrective actions without allowing the adversary who may have already compromised a portion of the network to observe these changes.

6. Validate integrity of hardware and software.
Products purchased through unauthorized channels are often known as “counterfeit,” “secondary,” or “grey market” devices. There have been numerous reports in the press regarding grey market hardware and software being introduced into the marketplace. Grey market products have not been thoroughly tested to meet quality standards and can introduce risks to the network. Lack of awareness or validation of the legitimacy of hardware and software presents a serious risk to users’ information and the overall integrity of the network environment.
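
Measures 1, 2 and 5 can be checked against observed traffic. The following Python audit is an added example, not part of the NCCIC and Coast Guard post; the segment plan, the management port list and the flow records are constructed assumptions standing in for a site's own addressing plan and flow logs.

```python
import ipaddress

# Assumed segment plan (constructed): role -> subnet.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "infrastructure": ipaddress.ip_network("10.30.0.0/24"),  # routers, firewalls
    "oob_mgmt": ipaddress.ip_network("10.99.0.0/24"),        # out-of-band management
}
# Assumed management services on infrastructure devices.
MGMT_SERVICES = {("tcp", 22), ("tcp", 23), ("tcp", 443), ("udp", 161)}

# Constructed flow records: (source, destination, protocol, destination port).
SAMPLE_FLOWS = [
    ("10.10.1.15", "10.20.0.8", "tcp", 443),   # workstation -> server
    ("10.10.1.15", "10.10.2.40", "tcp", 445),  # workstation -> workstation
    ("10.10.3.7", "10.30.0.1", "tcp", 22),     # workstation -> router SSH
    ("10.99.0.5", "10.30.0.1", "tcp", 22),     # OoB host -> router SSH
    ("192.168.5.5", "10.20.0.8", "tcp", 80),   # internal address outside the plan
    ("10.20.0.8", "10.30.0.1", "udp", 161),    # server -> router SNMP
]

def role_of(addr):
    """Map an address to its segment role, 'unassigned' or 'external'."""
    ip = ipaddress.ip_address(addr)
    for role, net in SEGMENTS.items():
        if ip in net:
            return role
    return "unassigned" if ip.is_private else "external"

def audit_flows(flows):
    """Return (finding, src, dst, proto, port) for flows that break the plan."""
    findings = []
    for src, dst, proto, port in flows:
        s, d = role_of(src), role_of(dst)
        if s == "workstations" and d == "workstations":
            # Measure 2: unfiltered workstation-to-workstation traffic.
            findings.append(("lateral-workstation", src, dst, proto, port))
        elif d == "infrastructure" and (proto, port) in MGMT_SERVICES and s != "oob_mgmt":
            # Measure 5: device management reached from outside the OoB network.
            findings.append(("in-band-management", src, dst, proto, port))
        elif "unassigned" in (s, d):
            # Measure 1: internal host that belongs to no defined segment.
            findings.append(("unassigned-internal", src, dst, proto, port))
    return findings

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```
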

For any questions related to this post, please contact NCCIC at 1-888-282-0870 or NCCICcustomerservice@hq.dhs.gov.

For more information on cyber risk management and cyber security awareness, read our previous Maritime Commons content:

6/30/2017: IMO approves resolution on cyber risk management
6/29/2017: Cargo disruption a reminder that cyber risks are real
11/3/2016: The shipboard application of cyber risk management
10/25/2016: Why cyber defense matters
10/19/2016: Building cyber resiliency
10/11/2016: Building cybersecurity governance
