Network Hardening: through the lens of small business operations

June 12, 2024

Small businesses are easy targets with lots of low-hanging fruit in the eyes of nefarious actors.

Many small businesses run networks that have been in place for years, with no significant budget invested in revamping or hardening them for security.  If the network works for the business, the rationale is: “Why change it?”

Over time, however, an aging network with a flat, unsegmented architecture becomes an ideal target for bad actors: once one device is compromised, everything else on the network is reachable from it.

Securing a small business network is essential to protect sensitive information and maintain operational integrity. Here are some steps to help fortify a small business network. In some instances, upgrading or acquiring new hardware may be necessary to implement these recommendations:

Layering Your Network

It can be helpful to think of a “Layered” Network when considering all there is to protect.

First, you have a Physical Layer.  You’ll want to secure physical access to networking equipment, servers, and other critical infrastructure and ensure that server rooms and network closets are locked and accessible only to authorized personnel.

  •       Secure physical access to servers and networking equipment.
  •       Ensure that server rooms are locked and accessible only to authorized personnel.

Next, you have a Perimeter Layer.  Place a firewall at the network boundary with a default-deny policy for inbound traffic, permitting only the services you deliberately expose, and restrict outbound traffic to what the business actually needs.  Use intrusion detection and prevention systems to monitor and block malicious activity at the boundary, and put any publicly accessible service (a web or mail server, for example) in a DMZ (Demilitarized Zone) so that a compromise of that host does not give direct access to the internal network.

  •       Install and configure a firewall to filter incoming and outgoing network traffic.
  •       Regularly update firewall rules to reflect changes in your network environment, and remove rules for services you no longer run.  Use a next-generation firewall for more advanced threat detection.

Segmenting Your Network

Plan network segmentation deliberately.  Divide the internal network into zones based on function and security requirements, and use VLANs (Virtual Local Area Networks) to separate different types of traffic, such as guest, employee, and server networks.  A VLAN by itself only separates broadcast domains; the segmentation is only as strong as the firewall rules that govern traffic between the VLANs, so deny inter-VLAN traffic by default and permit only the flows each zone needs.

  •       Segment your network into different zones to limit the potential impact of a security breach.
  •       Keep sensitive systems and data on separate network segments.
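The perimeter and segmentation advice above comes down to a concrete rule set.  The following is an added example, not configuration from the original post: an nftables ruleset for a Linux edge firewall with a default-deny input chain, a default-deny forward chain between VLANs, and a DMZ web server exposed through DNAT.  The interface names (eth0 for the WAN, 802.1Q sub-interfaces of eth1 for the VLANs), the RFC 1918 address ranges, the management hosts and the server ports are all assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): an nftables ruleset for a small
# business edge firewall that is default-deny at the perimeter and between
# VLANs. Interface names and addresses are assumptions for illustration:
#   eth0     WAN (Internet)
#   eth1.10  employee VLAN  10.10.0.0/24  (management hosts 10.10.0.5-6)
#   eth1.20  guest VLAN     10.20.0.0/24
#   eth1.30  server VLAN    10.30.0.0/24
#   eth1.40  DMZ VLAN       10.40.0.0/24  (public web server 10.40.0.10)

RULESET_FILE="${RULESET_FILE:-$(mktemp)}"

# Write the ruleset to a file. Nothing is applied; see the usage note.
write_ruleset() {
    cat > "$1" <<'EOF'
flush ruleset

table inet filter {
    set server_net { type ipv4_addr; flags interval; elements = { 10.30.0.0/24 } }
    set dmz_net    { type ipv4_addr; flags interval; elements = { 10.40.0.0/24 } }
    set mgmt_hosts { type ipv4_addr; elements = { 10.10.0.5, 10.10.0.6 } }

    chain input {
        # Traffic to the router itself: drop unless explicitly allowed.
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # Router administration only from named hosts on the employee VLAN.
        iifname "eth1.10" ip saddr @mgmt_hosts tcp dport 22 accept
        # DHCP and DNS served by the router to every internal VLAN.
        iifname { "eth1.10", "eth1.20", "eth1.30", "eth1.40" } udp dport { 53, 67 } accept
        iifname { "eth1.10", "eth1.20", "eth1.30", "eth1.40" } tcp dport 53 accept
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
    }

    chain forward {
        # Traffic between zones: drop unless explicitly allowed.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Perimeter: the Internet reaches only the DMZ web server (after DNAT below).
        iifname "eth0" oifname "eth1.40" ip daddr 10.40.0.10 tcp dport { 80, 443 } accept
        # Guests reach the Internet and nothing internal.
        iifname "eth1.20" oifname "eth0" accept
        # Employees reach the Internet, the file/app servers, and the DMZ web server.
        iifname "eth1.10" oifname "eth0" accept
        iifname "eth1.10" ip daddr @server_net tcp dport { 443, 445, 3389 } accept
        iifname "eth1.10" ip daddr @dmz_net tcp dport { 80, 443 } accept
        # Servers and DMZ hosts may fetch updates; they never initiate toward clients.
        iifname "eth1.30" oifname "eth0" tcp dport { 80, 443 } accept
        iifname "eth1.40" oifname "eth0" tcp dport { 80, 443 } accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        iifname "eth0" tcp dport { 80, 443 } dnat to 10.40.0.10
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "eth0" masquerade
    }
}
EOF
}

# Syntax-check without loading (nft -c). Skipped where nft is not installed.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    else
        echo "nft not installed here; skipping syntax check" >&2
    fi
}

# Both the input and forward chains must default to drop for this design to hold.
count_default_deny_chains() {
    grep -c 'policy drop;' "$1" || true
}

# Any rule letting the guest VLAN initiate traffic somewhere other than the
# Internet is a segmentation mistake; this prints such rules (expected: none).
guest_internal_rules() {
    grep 'iifname "eth1.20"' "$1" | grep -v 'oifname "eth0"' || true
}

write_ruleset "$RULESET_FILE"
check_ruleset "$RULESET_FILE" || echo "ruleset failed syntax check" >&2
echo "ruleset written to $RULESET_FILE (default-deny chains: $(count_default_deny_chains "$RULESET_FILE"))"
```

To put it into service, copy the generated file to /etc/nftables.conf and load it as root with `nft -f /etc/nftables.conf` from the console rather than over SSH, because `flush ruleset` discards whatever was loaded before and a mistake can lock you out; `nft list ruleset` shows what is actually active.  Every permitted flow is a single explicit line, which is what makes the "regularly update firewall rules" bullet above a five-minute review instead of an archaeology project.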

Ensure Your Access Control

From there, plan the Access Control Layer.  Enforce strong access controls and authentication mechanisms.  Implement role-based access controls (RBAC) to ensure that users have the minimum necessary permissions.  Consider network access control (NAC) solutions to validate the security posture of devices before granting access.

  •       Implement strong authentication mechanisms, such as multi-factor authentication (MFA).
  •       Regularly review and update user access rights, revoking access for employees who no longer need it.

Hardening Your Endpoints

Plan the Endpoint Security Layers.  Install and regularly update antivirus and anti-malware software on all devices.  Enable host-based firewalls on endpoints.  Ensure that all devices, including workstations and mobile devices, are configured securely and receive regular updates, and do not give day-to-day user accounts local administrator rights.

  •       Install reputable antivirus and anti-malware software on all devices.
  •       Regularly scan and update antivirus signatures.

Remember to address and layer your Wireless Security.  Secure Wi-Fi networks with strong encryption (WPA3 where your access points and clients support it) and strong, unique passphrases, and rotate a shared passphrase whenever someone who knew it leaves.  Keep guest Wi-Fi on its own VLAN, separate from internal networks.  Disable unnecessary Wi-Fi features like WPS (Wi-Fi Protected Setup), which lets a device join with a short PIN.  Pay attention to wireless printers and similar devices: they rarely support modern authentication and are rarely patched, so put them on a separate VLAN with only the access they need.

  •       Use strong encryption (WPA3) for Wi-Fi networks.
  •       Replace default Wi-Fi passwords and access-point administrator credentials, and use strong, unique passphrases.
  •       Disable unnecessary features like WPS (Wi-Fi Protected Setup).
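What those three bullets look like on an access point, as an added example rather than configuration from the original post: a typical "it works, why change it" hostapd configuration next to a hardened one, plus a small audit function that flags the weak settings so the check can be repeated after every change.  The interface, SSIDs, bridge names and passphrases are illustrative; the two bridges stand for the employee and guest VLANs.

```shell
#!/bin/sh
# Added example (not from the original post): a "works, why change it" hostapd
# access point configuration beside a hardened one, plus a small audit that
# flags the weak settings. Interface, SSID, bridge names and passphrases are
# illustrative; the bridges stand for the employee and guest VLANs.

WEAK_CONF="${WEAK_CONF:-$(mktemp)}"
HARD_CONF="${HARD_CONF:-$(mktemp)}"

# WPA2-PSK with a guessable passphrase, WPS on, no management frame
# protection, and staff and guests sharing one SSID.
write_weak_conf() {
    cat > "$1" <<'EOF'
interface=wlan0
driver=nl80211
ssid=SmallBiz
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=password123
wps_state=2
EOF
}

# WPA3-Personal (SAE) with protected management frames required, WPS off,
# long passphrases, and guests on a second BSS bridged to their own VLAN with
# client isolation so guest devices cannot talk to each other.
write_hardened_conf() {
    cat > "$1" <<'EOF'
interface=wlan0
driver=nl80211
hw_mode=a
channel=36
ieee80211n=1
ieee80211ac=1

# Staff SSID, bridged to the employee VLAN
ssid=SmallBiz-Staff
bridge=br-staff
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
sae_password=Trout-Meadow-Lantern-7742-Quartz
ieee80211w=2
sae_require_mfp=1
wps_state=0

# Guest SSID: separate BSS, separate bridge (guest VLAN), clients isolated
bss=wlan0_1
ssid=SmallBiz-Guest
bridge=br-guest
ap_isolate=1
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
sae_password=Guest-Harbor-Copper-Violin-3310
ieee80211w=2
sae_require_mfp=1
wps_state=0
EOF
}

# Usage: audit_hostapd_conf <hostapd.conf>
# Prints one finding per line; the return value is the number of findings.
audit_hostapd_conf() {
    f="$1"; n=0
    if grep -Eq '^wpa=(1|3)$' "$f"; then
        echo "WPA1/TKIP still allowed: set wpa=2"; n=$((n + 1))
    fi
    if grep -E '^wpa_key_mgmt=' "$f" | grep -vq 'SAE'; then
        echo "a BSS does not offer WPA3-Personal: set wpa_key_mgmt=SAE"; n=$((n + 1))
    fi
    if grep -Eq '^wps_state=[12]$' "$f"; then
        echo "WPS enabled: set wps_state=0"; n=$((n + 1))
    fi
    # hostapd's default for ieee80211w is 0 (off), so every BSS must set it to 2.
    bss_count=$(grep -c '^ssid=' "$f" || true)
    pmf_count=$(grep -c '^ieee80211w=2$' "$f" || true)
    if [ "$pmf_count" -lt "$bss_count" ]; then
        echo "management frame protection not required on every BSS: set ieee80211w=2"; n=$((n + 1))
    fi
    # The 16-character floor is a policy choice for this example.
    if sed -n -e 's/^wpa_passphrase=//p' -e 's/^sae_password=//p' "$f" |
       awk 'length($0) < 16 { bad = 1 } END { exit !bad }'; then
        echo "short passphrase: use a long, unique passphrase"; n=$((n + 1))
    fi
    return "$n"
}

write_weak_conf "$WEAK_CONF"
write_hardened_conf "$HARD_CONF"
echo "findings for the weak config:"
audit_hostapd_conf "$WEAK_CONF" || true
echo "findings for the hardened config:"
audit_hostapd_conf "$HARD_CONF" && echo "(none)"
```

If some older client cannot do WPA3, hostapd's transition mode (`wpa_key_mgmt=WPA-PSK SAE`) keeps it working while new devices negotiate SAE, but treat that as a dated exception, not the default: a single WPA2 client keeps the passphrase exposed to offline guessing.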

There are additional layers to work through when designing a network, or as you evolve an existing one:

Manage Your Application Security

Application Layer Security: Regularly update and patch applications and servers to address vulnerabilities. Implement secure coding practices when developing custom applications. Use web application firewalls (WAFs) to protect against web-based attacks.

  •       Keep all software, including operating systems, antivirus programs, and applications, up to date with the latest security patches.
  •       Enable automatic updates when possible. 

Applying Data Encryption

Data Encryption Layer: Apply encryption for sensitive data both in transit and at rest.  Use current TLS (1.2 or 1.3; SSL and TLS 1.0/1.1 are deprecated and should be disabled) for communication in transit.  Encrypt stored files and databases containing sensitive information, and use full-disk encryption on laptops and other portable devices, which are the assets most likely to be lost or stolen.

  •       Use encryption for sensitive data, both in transit (e.g., TLS for web traffic) and at rest (e.g., encrypting stored files and full-disk encryption on laptops).

Plan Your Monitoring and Logging

Monitoring and Logging Layer: Implement logging mechanisms to capture events and activities on the network, and forward logs off the devices that produce them so that an attacker who compromises a host cannot erase the evidence.  Use monitoring tools and SIEM (Security Information and Event Management) solutions to detect and respond to security incidents.

  •       Implement network monitoring tools to detect unusual or suspicious activities.
  •       Maintain logs and regularly review them for signs of potential security issues.
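Even without a SIEM, "regularly review logs" can be a script rather than a good intention.  The following is an added example, not code from the original post: it reads sshd authentication log lines and reports sources with repeated failed logins, marking any source that later logged in successfully, which is the trace a guessed or stolen password leaves behind.  The log lines are constructed for the example; the hostname, addresses and account names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): review sshd authentication logs
# for password-guessing sources and for a success that follows a run of
# failures from the same address. The log lines below are constructed for the
# example; the hostname, addresses and account names are illustrative.

AUTH_LOG="${AUTH_LOG:-$(mktemp)}"
cat > "$AUTH_LOG" <<'EOF'
Jun 12 08:01:12 fileserver sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jun 12 08:01:15 fileserver sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jun 12 08:01:19 fileserver sshd[2233]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jun 12 08:01:24 fileserver sshd[2235]: Failed password for invalid user backup from 203.0.113.7 port 51041 ssh2
Jun 12 08:01:29 fileserver sshd[2237]: Failed password for jsmith from 203.0.113.7 port 51055 ssh2
Jun 12 08:01:33 fileserver sshd[2237]: Failed password for jsmith from 203.0.113.7 port 51055 ssh2
Jun 12 08:01:40 fileserver sshd[2240]: Accepted password for jsmith from 203.0.113.7 port 51100 ssh2
Jun 12 08:05:03 fileserver sshd[2250]: Failed password for jsmith from 10.10.0.25 port 40012 ssh2
Jun 12 08:05:10 fileserver sshd[2250]: Accepted password for jsmith from 10.10.0.25 port 40012 ssh2
Jun 12 08:07:55 fileserver sshd[2261]: Failed password for root from 198.51.100.20 port 33300 ssh2
Jun 12 08:07:58 fileserver sshd[2261]: Failed password for root from 198.51.100.20 port 33300 ssh2
EOF

# Usage: brute_force_sources <logfile> <threshold>
# Prints "<ip> failed=<n>[ SUCCEEDED_AFTER_FAILURES]" for every source with at
# least <threshold> failed logins, sorted by address. The suffix marks a source
# that logged in successfully after its failures.
brute_force_sources() {
    awk -v thr="$2" '
        function src_ip(   i) { for (i = 1; i <= NF; i++) if ($i == "from") return $(i + 1); return "" }
        /Failed password for/ { fails[src_ip()]++ }
        /Accepted (password|publickey) for/ { ip = src_ip(); if (fails[ip] > 0) succ[ip] = 1 }
        END {
            for (ip in fails)
                if (fails[ip] >= thr) {
                    tag = (ip in succ) ? " SUCCEEDED_AFTER_FAILURES" : ""
                    printf "%s failed=%d%s\n", ip, fails[ip], tag
                }
        }' "$1" | sort
}

# Usage: targeted_accounts <logfile>
# Failed-login counts per account name: shows whether guesses are aimed at
# generic names (admin, root) or at real staff accounts.
targeted_accounts() {
    awk '/Failed password for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "for") { u = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1); break }
            n[u]++
        }
        END { for (u in n) print n[u], u }' "$1" | sort -rn
}

echo "sources with 5 or more failures:"
brute_force_sources "$AUTH_LOG" 5
echo "accounts targeted:"
targeted_accounts "$AUTH_LOG"
```

On a real host, point it at /var/log/auth.log or the output of `journalctl -u ssh`, and run it from the central log collector rather than the server itself so that a compromised host cannot hide its own failures.  The one internal user who mistyped a password once (10.10.0.25) stays below the threshold; the external address that guessed six times and then got in is exactly the line you want to see first thing in the morning.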

There are peripheral layers to design, too.  While these may not fit as technical layers, they are equally vital:

Don’t forget Your Incident Response

Incident Response and Recovery Layer: Develop an incident response plan outlining steps to be taken in the event of a security incident. Regularly test and update the incident response plan based on lessons learned from drills or actual incidents. Implement backup and recovery processes to ensure data availability in case of data loss or system compromise, and keep at least one backup copy offline or otherwise isolated so that ransomware cannot encrypt the backups along with the data.

  •       Develop and document an incident response plan to guide your response to security incidents.
  •       Regularly review and update the plan based on lessons learned from drills or actual incidents.

Provide Training and Security Awareness

Employee Training and Security Awareness Layer: Provide regular security awareness training for employees. Educate employees about phishing, social engineering, and other common attack vectors.

Encourage a security-conscious culture within the organization.

  •       Educate employees about security best practices and potential threats, including phishing attacks.
  •       Conduct regular security awareness training.

Perform Regular Audits

Regular Security Audits and Compliance Layer: Conduct regular security audits and assessments to identify vulnerabilities. Ensure that the network design and security measures align with relevant legal and regulatory requirements. Document and enforce compliance measures.

  •       Conduct regular security audits and assessments to identify and address potential vulnerabilities.
  •       Stay informed about relevant laws and regulations that may impact your business and ensure compliance.

Manage Your Vendors

Vendor Management Layer: Assess and verify the security practices of third-party vendors and service providers, including any remote access they hold into your network (support tools, VPN accounts), which should be limited to what the engagement requires and removed when it ends. Ensure that vendors adhere to security requirements and standards.

  •       If using third-party services, ensure that your vendors follow security best practices.
  •       Regularly assess and audit the security practices of your vendors.

Consider Redundancy

Redundancy and Resilience Layer: Design for redundancy in critical network components to ensure business continuity. Implement failover mechanisms and disaster recovery plans.

  •       Regularly back up important business data, and store backups in a secure location, with at least one copy kept offline or off-site.
  •       Test backup restoration procedures to ensure they work effectively.
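A backup that has never been restored is a hope, not a backup.  The following is an added example, not code from the original post: it takes a compressed backup of a directory, records the archive's SHA-256 alongside it, and then proves the backup can be restored by extracting it to scratch space and comparing the result with the source.  The sample directory and its contents are constructed here; paths are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): back up a directory, record the
# archive's SHA-256, and prove the backup restores by extracting it to scratch
# space and comparing it with the source. The sample directory is constructed
# here; paths and file contents are illustrative.

# SHA-256 of a file, using whichever tool the system provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# Usage: make_backup <source_dir> <archive.tar.gz>
# Writes the compressed archive and <archive>.sha256 beside it.
make_backup() {
    tar -czf "$2" -C "$1" . || return 1
    sha256_of "$2" > "$2.sha256"
}

# Usage: verify_restore <archive.tar.gz> <source_dir>
# Returns 0 only if the archive still matches its recorded hash and a restore
# of it is identical to the source tree. Anything else means the backup would
# not have saved you, and that is the moment to fix it.
verify_restore() {
    archive="$1"; src="$2"
    if [ "$(sha256_of "$archive")" != "$(cat "$archive.sha256")" ]; then
        echo "$archive: checksum mismatch (archive altered or corrupt)" >&2
        return 1
    fi
    scratch=$(mktemp -d)
    if ! tar -xzf "$archive" -C "$scratch"; then
        echo "$archive: extraction failed" >&2
        rm -rf "$scratch"
        return 1
    fi
    if diff -r "$src" "$scratch" >/dev/null; then
        rc=0
    else
        echo "$archive: restored tree differs from $src" >&2
        rc=1
    fi
    rm -rf "$scratch"
    return "$rc"
}

# Constructed sample data standing in for a small office file share.
SAMPLE_SRC=$(mktemp -d)
SAMPLE_ARCHIVE="$(mktemp -d)/share-backup.tar.gz"
mkdir -p "$SAMPLE_SRC/finance" "$SAMPLE_SRC/hr"
printf 'invoice 1042, paid\n' > "$SAMPLE_SRC/finance/invoices.csv"
printf 'onboarding checklist\n' > "$SAMPLE_SRC/hr/checklist.txt"

make_backup "$SAMPLE_SRC" "$SAMPLE_ARCHIVE"
if verify_restore "$SAMPLE_ARCHIVE" "$SAMPLE_SRC"; then
    echo "backup verified: $SAMPLE_ARCHIVE"
fi
```

Run the verification on the copy you actually keep (the off-site or offline one), not on the archive still sitting next to the data: the hash check catches an archive that was altered or corrupted in transit or storage, and the restore-and-compare catches the quieter failure where the backup job silently stopped covering a directory.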

In a small business setting, resource constraints and simplicity are often top priorities. Therefore, it is crucial to balance security and usability, ensuring that security measures are both manageable and effective for the organization’s specific needs. Regularly reassess the network’s security posture and adjust the layered architecture as necessary to account for changes in the business environment and emerging threats.

Sentinel Blue is a managed security service provider (MSSP) that works daily with small businesses tackling operational and security challenges, helping them streamline secure architecture and IT environments, mitigate threats, and implement incident response best practices.

Ready to get to work? So are we.

Our cyber adversaries aren’t waiting and neither are we. We want to learn more about your IT and cybersecurity needs so let’s get the conversation started.