In late December, three Ukrainian energy companies -- known as oblenergos -- had their operations disrupted, causing a loss of power to 225,000 customers.
While the attack started -- as so many do -- with an employee falling for a spear phishing e-mail, it worsened when the foreign attackers used stolen credentials "to pivot into the network segments where SCADA dispatch workstations and servers existed," stated an analysis of the incidents by the Electricity Information Sharing and Analysis Center (E-ISAC) and the SANS Institute. According to the findings, the December attacks are the first publicly acknowledged incidents to result in utility outages.
The top architecture recommendation in the report? "Properly segment networks from each other."
It's not a new recommendation. Most of the serious breaches that occur each year would have been much less severe had the victim company followed that advice, says Eric Cornelius, managing director for industrial control systems at Cylance Inc., an endpoint protection provider in Irvine, Calif. The top problem Cornelius' team sees when testing network security is a lack of proper segmentation.
"Without network segmentation, you can be assured that you will not have security," he says. "Compromises go from trivial to detect to critical incidents because the network is not properly segmented."
Mat Gangwersecurity operations leader, Rook Security Inc.
Companies and government organizations often fail to minimize where critical information resides and to control access. This all-too-common scenario is blamed for many of the data leaks from compromises that use third-party contractor credentials to infiltrate networks; it was the root cause of both the massive Target breach and the debilitating compromise of the United States Office of Personnel Management. Even PCI-compliant networks of major retailers fail to use proper segmentation.
"Good network segmentation is not going to make it impossible to compromise your network, but it does make it more difficult," says Mat Gangwer, security operations leader with Rook Security Inc., a managed security service provider in Indianapolis.
'No CVE assigned to it ...'
The problem is that segmenting networks is typically not easy, requiring planning, measured deployment and frequent adjustments. The failures are not because network segmentation security is a new or unknown defense -- keeping a network properly segmented requires discipline and regular attention. Too often companies are focused on quickly getting their network to provide a needed function rather than making sure the data is sequestered away in its proper segment.
"There are still a lot of organizations that struggle with it," according to Kurt Hagerman, CISO for Armor Defense Inc., a cloud security service provider in Richardson, Texas.
"When you've been in the business for a long time, and your network has grown, and you have mergers and acquisitions, and you have all the changes that a company goes through, it is an extraordinarily hard thing to keep up with," he says.
This burden is typically experienced in network risk analysis and firewall policy and change management. In its 2016 State of the Firewall Report, firewall-management software firm FireMon found that IT security practitioners tasked with managing firewalls listed as their top-four concerns: optimizing rule-sets, managing firewall changes, meeting best practice configurations, and enforcing access and policies. All of these issues have a role in traditional network segmentation security.
"There is no world where a network with segmentation is going to be easier to manage than a flat network," says Cylance's Cornelius. "But it is not so overwhelmingly difficult that you should not do it."
Network segmentation security is often overlooked, or not revisited often enough to keep up with changes in the business network, because it is not catalogued as a security threat, nor is it viewed as a traditional cybersecurity problem that requires information sharing and other resources.
"With the way that people measure security, which is inherently difficult, people tend to overlook network segmentation, because there is no CVE assigned to it," Cornelius says. "So they tend not to track it."
Network segmentation does not just stop attackers from jumping around inside your network security infrastructure; it can also reduce the headaches that come with needing to comply with a variety of regulations. Some organizations can limit the scope of compliance assessments such as PCI DSS by walling off areas of their networks.
Network Segments: How To Get into the Zones
When he worked with a university, DataGravity's CISO Andrew Hay encountered a significant failure in network segmentation. The school's teaching hospital had routed its traffic through its admissions office. "That was the easiest way to do it at that point in time, and they thought nothing of it until they saw MRI machines getting hit by Code Red," he says.
Companies should create a network segmentation security model as soon as possible. While organic growth and the speed of business can make such planning a challenge, the benefits are too great to ignore, according to Mat Gangwer, security operations leader with Rook Security.
"It is very critical to design things upfront," he says. "It allows you to plan, and planning is huge with this, when you are talking about the zones and the controls and the policies around them, and saying what resources have access into the zone."
To start, companies should divvy up their resources and users based on their roles, according to Kurt Hagerman, CISO for Armor Defense.
"We have more than one user segment, because we have more than one type of user," he says. "We have developers, testing and QA people, we have product management people, people in finance and general population users -- the IT administrators. If I can correctly capture resource segments and user segments, then I can give my people what they need to do their job."
Using a product that helps analyze and monitor firewall rules is another major benefit, notes Hay.
"On one side, these tools are looking at making sure that a process is followed in making the change, and then they are analyzing the ruleset to eliminate problems," he says. "Those are tools that I would have loved to have had in my previous jobs." -- R.L.
A common approach is to define network zones based on risk profiles. Retailers ought to create physical or VLAN network segments for cardholder data by segregating assets such as databases and applications and point of sale systems. Security teams should also restrict access using role-based controls -- no customer service applications, for example. Finally, they should continually monitor these segments for suspicious behavior. Likewise, insurance companies and healthcare providers should form network segments that limit access to medical data, simplifying the job of complying with the Healthcare Insurance Portability and Accountability Act (HIPAA).
"Segmenting that information into its own network zone can help you restrict the scope of those regulations," says Rook's Gangwer.
Design Segmentation In
To start, companies should architect their network segments with zones based on the sensitivity of the data on each set of resources. Users should be assigned groups or roles, according to Andrew Hay, CISO with DataGravity Inc., a storage provider in Nashua, N.H.
"If done right, network segmentation does [work]; then they should not have access to pivot or move laterally into the network, because nothing on the DMZ should be initiating a connection," Hay says. "So once they get to the database -- if somehow they are able to ride that connection into the database -- that critical system should not allow them to move laterally into other parts of the organization." This type of a strategy can also be used to isolate newly acquired assets that may not meet corporate security standards.
Secure network segments are not foolproof against attacks. In the extreme case, a company can create a list of resources -- single servers, directories or files -- and only allow certain users to access that data. However, this network segmentation security strategy just moves the attacker to focus on stealing credentials, says Armor Defense's Hagerman.
"In some cases, if you are too clever about network segmentation, you are making it easy for your users to do their job and move around the network," Hagerman says. "But you are also opening up the possibility that if that credential is compromised then your network segmentation will no longer protect you," he adds.
What About SDN?
The ability of software-defined networks to virtually create paths between servers makes network segments both more important and harder to do without. Armor Defense, which provides clients with private data centers and other secure infrastructure, uses micro-segmentation (of collision domains) to create granular blocks.
"You can say that server 1 does not need to talk to server 2, but it does need to talk to server 3," notes Hagerman, who says a lot of companies in the virtual space have adopted this more granular approach. "At that point, you can do a very good job of isolating servers."
While most companies are better served by focusing on information security fundamentals, micro-segmentation is a niche technique that is starting to surface in data centers.
About the author:
Robert Lemos is an award-winning technology journalist, who has reported on computer security and cybercrime for 18 years. He currently writes for several publications focused on information security issues.
Segmentation in virtual and cloud environments