When I was growing up, the evening news (on one of the five total broadcast channels we could watch) would start with the tag line, “It’s ten o’clock, do you know where you children are?” I know, seems so quaint now, especially since many of us haven’t left home in weeks. But the modern equivalent might be, “It’s whatever o’clock. Do you know where your firewalls are?” This is not a rhetorical question and answering it will give you some insight into how your network infrastructure is governed (or not, as the case might be), and what actionable items you’ll need to fix that pronto.
I wrote in last month’s blog as more of us work from home (WFH) we have to go back to basics. One of those basics is in understanding our network topology and where those firewalls are located. A recent informal Twitter survey by researcher Kate Brew showed that less than half of infosec managers don’t even know the basics of their network configurations. They couldn’t even figure out the raw number of firewalls in their network. That is a depressing thought. Now, granted this isn’t a Gallup-level definitive answer, but still probably undercounts the observed on-the-ground truth.
Why is this a big deal? Mainly because our networks are evolving rapidly. Take the situation of new data flows as we have higher proportions of remote users. Or the situation where smartphones are being brought into healthcare facilities and used in different ways by health workers to communicate with patient families. Given that many infosec managers are juggling numerous crises to keep their business networks running, this very basic fact needs quick attention.
It is important now because the bad guys are already sharpened their phishing lures: numerous vendors (and the FBI) report that Covid-related phishing attacks are on the rise. You have to up your game, before someone finds a wormhole and makes off with your most precious data.
But let’s just take this a step further. It isn’t just the number or location of our firewalls, but also what happens to them. Let’s posit that you have put in place a series of “emergency” exceptions to your well-crafted rule set. (Ahem, do you really want to go there?) You did this as a response to fix your network traffic flows to handle the rise in WFH’ers. Great. But let’s move into the future a few years when these exceptions have remained in place, long forgotten and leaving not just a wormhole but the broad side of a barn for your drive-by attack.
This points out that now is the time to get our risk and data governance act together. If we are going to be a 95% WFH operation, then make sure we plan our networks and our security accordingly. In other words, we need to figure out a network topology that will be more secure and have the right tools and hardware, as I mentioned in last month’s blog.
If you view this in another light, the uncertainty over your firewalls is really a proxy for the conflict between the network and security teams at your company. This is an old issue (see this Sandra Gittlen piece in Network World from several years ago) and I am not suggesting that you should combine them into a single unit. Gittlen cites sources who point out that the two teams can collaborate better when they are separated, because they have different roles and jobs to do. Security should track down issues, vulnerabilities and risks; the network folks should fix things and prevent future problems. And both need to work on security from the beginning of any new project, what is commonly called “security by design.” Still, another source says, “There is value in security teams learning networking’s language.”
Take the time to know where your firewalls are located and use this as a teachable moment to better understand how you have set up their rulesets and other basic configuration details.