Protect Network Assets and Users

Learning Objectives

After completing this unit, you’ll be able to:

  • Describe how to protect assets on the network.
  • Explain how to protect user access to the network.

Protect Assets on the Network

When it comes to protecting assets on the network, it’s key to remain vigilant to threats and to protect data in transit and at rest. Following these guidelines can help keep devices and data secure while keeping out adversaries.

  • Identify assets. As discussed previously, it’s necessary to identify the most important data in the network to identify associated protections and prioritize actions. Network security engineers identify data storage locations, understand data transfer flows, and manage what devices should and shouldn’t be allowed to access network data.
  • Know the threats. Understanding who may want to view a company’s confidential information, make unauthorized changes to the network environment, or even steal sensitive data helps defend against cyberattacks.
  • Minimize weaknesses. After identifying what assets need to be protected and the threats posed to them, it’s crucial to identify associated vulnerabilities as well. Devices should be assessed for vulnerabilities and malware prior to being allowed to connect to the network, and any existing vulnerabilities in systems should be patched as soon as possible, especially on public-facing systems. Network security engineers work with the vulnerability scanning and patch management teams to minimize weaknesses in the network.
  • Proactively secure the settings on devices. Network security engineers ensure each networking device, such as a router or a switch, adheres to an agreed-upon configuration baseline that hardens the device against attacks, and they check devices against that baseline regularly so that configuration drift is caught.
  • Secure the connections to networking devices. User access to networking devices should be managed using strong authentication (requiring something the user has and something they know, such as a mobile device and a PIN) rather than simply allowing access with usernames and passwords. Such protections make gaining unauthorized access to devices harder. Additionally, management access to these devices should be encrypted (for example, SSH rather than Telnet, HTTPS rather than HTTP) so that a bad actor on the network cannot intercept the communications. Encryption transforms data so that someone who does not have the key cannot read it.
  • Protect data in transit and at rest. In addition to encrypting connections to network devices, it’s important to encrypt data at rest and in transit to protect it from unauthorized access. One method of protecting data in transit, especially when dealing with a remote workforce, entails using a virtual private network (VPN). A VPN creates a safe and encrypted connection over a less secure network, such as the public Internet.
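The following is an added example, not part of the original module, showing how the "agreed-upon configuration" idea above can be checked automatically. It audits a constructed, Cisco IOS-style running configuration (invented for this example, not taken from any real device) against a small baseline that covers the points in the list: SSH version 2 and centralized AAA for management access, no Telnet on the VTY lines, no default SNMP community, and no unlimited idle sessions. The device name, the baseline checks and both configurations are assumptions made for illustration.

```python
import re

# Constructed sample running-config in Cisco IOS style. Illustrative data made
# up for this example; it is not pulled from any real device.
BEFORE_CONFIG = """\
hostname edge-rtr-1
service password-encryption
aaa new-model
aaa authentication login default group tacacs+ local
ip ssh version 2
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
 exec-timeout 0 0
"""

# The same (constructed) device after remediation.
AFTER_CONFIG = """\
hostname edge-rtr-1
service password-encryption
aaa new-model
aaa authentication login default group tacacs+ local
ip ssh version 2
snmp-server group netmon v3 priv
line vty 0 4
 transport input ssh
 exec-timeout 10 0
"""

# Agreed-upon baseline: (check id, description, per-line regex, must_be_present).
# Patterns are anchored per line; the leading space matters for sub-mode lines.
BASELINE = [
    ("ssh-v2",       "SSH version 2 enforced",               r"^ip ssh version 2$",                        True),
    ("aaa",          "centralized AAA enabled",              r"^aaa new-model$",                           True),
    ("pw-encrypt",   "stored passwords not in clear text",   r"^service password-encryption$",             True),
    ("no-telnet",    "Telnet not accepted on VTY lines",     r"^ transport input .*\btelnet\b",            False),
    ("snmp-v1v2",    "no default/clear-text SNMP community", r"^snmp-server community (public|private)\b", False),
    ("idle-timeout", "no unlimited idle sessions",           r"^ exec-timeout 0 0$",                       False),
]


def audit(config: str, baseline=BASELINE):
    """Return the list of (id, description) baseline checks that the config fails."""
    failures = []
    for check_id, description, pattern, must_be_present in baseline:
        found = re.search(pattern, config, re.MULTILINE) is not None
        if found != must_be_present:
            failures.append((check_id, description))
    return failures


def failed_ids(config: str):
    """Just the ids of the failed checks, handy for diffing two audits."""
    return {check_id for check_id, _ in audit(config)}


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(f"{name}: {audit(cfg) or 'compliant'}")
```

In practice the baseline would be the organization's own hardening standard (the CIS Benchmarks are a common starting point) and the configurations would be pulled from the devices on a schedule, so that a device that has drifted from the baseline shows up as a failed check rather than being found by an attacker first.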

Illustration: cars representing confidential data types such as PINs, Social Security numbers, and personally identifiable information (PII) flow along the information superhighway through a toll booth labeled “Next Generation Firewall.”

Control Incoming and Outgoing Connections

Think of the flow of data into and out of the network as an information superhighway. Traffic controls on a physical highway include toll booths, traffic police, and even monitoring via speed cameras and helicopters. There may even be border patrol checkpoints if the highway traverses an international boundary. 

In the same way, traffic flowing over the network must be monitored and controlled. Firewalls control incoming and outgoing network traffic based on predetermined security rules, typically allowing only the specific ports and protocols each system needs and denying everything else by default. Next-generation firewalls can also inspect content and filter specific types of data, such as personally identifiable information (PII) or, in the US, Social Security numbers, to prevent it from being exfiltrated. Devices can be configured to block unnecessary internet access, which reduces the risk of a user downloading malware from a malicious website or exporting sensitive data and posting it online.

Computing environments should also be monitored for rogue Wi-Fi access points, which attackers can use to intercept a user’s sensitive data. Detecting them takes wireless monitoring (a wireless intrusion detection system or periodic scans of the airspace); the exposure can be reduced by configuring users’ devices to connect only to authorized access points. Access to wireless peripherals that may be insecure, like Bluetooth headsets, can also be blocked. The CIS Controls published by the Center for Internet Security likewise call for enabling only the necessary ports and protocols on each system, to prevent unauthorized access to devices and the network. There are many possible entry points to a network. Network security engineers monitor and protect each and every one, alongside the rest of the organization’s security team.
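As an added example (not part of the original module), the following small policy engine shows what "predetermined security rules" and "only necessary ports and protocols" mean in practice: first-match rule evaluation with an implicit default deny, plus a minimal content check of the kind a next-generation firewall applies to outbound traffic. The addresses (10.0.0.0/8 as the internal network, 203.0.113.10 as a public web server, 10.1.0.53 as the resolver, 10.1.0.80 as the outbound proxy), the rule set and the sample flows are all constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    direction: str                # "in" (toward the protected network) or "out"
    proto: str                    # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # None means any destination port


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


# Constructed policy for a hypothetical site. Order matters: first match wins,
# and anything that matches no rule is dropped.
POLICY = [
    Rule("allow", "in",  "tcp", net("0.0.0.0/0"),  net("203.0.113.10/32"), 443),   # public HTTPS only
    Rule("allow", "in",  "tcp", net("10.0.0.0/8"), net("10.1.0.0/24"),     22),    # SSH to mgmt subnet, internal only
    Rule("allow", "out", "udp", net("10.0.0.0/8"), net("10.1.0.53/32"),    53),    # internal DNS
    Rule("allow", "out", "tcp", net("10.0.0.0/8"), net("10.1.0.80/32"),    3128),  # web access via the proxy
    Rule("deny",  "out", "any", net("10.0.0.0/8"), net("0.0.0.0/0")),              # no direct internet
]


def evaluate(policy, direction, proto, src, dst, dport):
    """First-match evaluation with an implicit default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in policy:
        if rule.direction != direction or rule.proto not in ("any", proto):
            continue
        if s not in rule.src or d not in rule.dst:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action
    return "deny"   # nothing matched: unnecessary ports and protocols stay closed


# Very small content check in the spirit of a next-generation firewall's
# data-loss prevention: flag US Social Security numbers in outbound payloads.
SSN_RE = re.compile(rb"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def inspect_egress(policy, proto, src, dst, dport, payload: bytes):
    """Apply the port/address policy, then content inspection on allowed outbound flows."""
    action = evaluate(policy, "out", proto, src, dst, dport)
    if action == "allow" and SSN_RE.search(payload):
        return "deny", "dlp: ssn in payload"
    return action, "policy"
```

The two things worth noticing are that an inbound SSH attempt from the internet is dropped even though SSH is allowed from the corporate range, and that an outbound flow the port rules permit can still be stopped by what it carries.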

Protect User Access to the Network

Protecting assets is just one piece of the security puzzle. Network security engineers also protect user access to the network and associated resources. Some of the protection mechanisms that a network security engineer should be aware of are as follows.

Block Unauthorized Attempts Using Access Control Systems

In physical security, access control systems are the locks and keys used to prevent unauthorized entry into buildings. Logical access controls are systems that limit connections to computer networks, system files, and so on. They identify users (ask who the user is), authenticate them (verify the user is who they say they are), and authorize them (decide what the user may view or edit) for access to resources. When a user logs on to their work laptop, the username identifies them, the password authenticates them, and they are then allowed to access only the resources they are authorized for.

Use Strong Authentication Whenever Possible

Strong authentication means verifying someone should have access to the network with a stronger method than simply a username and password. Attackers can take advantage of unchanged default passwords, weak passwords like 12345, or passwords that can be guessed from personal information available in a user's online presence (like a birthday). Strong authentication generally combines something the user knows (like a password or PIN) with something the user has (like a card or a phone) to verify their identity. You’ve probably seen this when logging in to your bank: you receive a code via text message on your phone and must enter it to log in. Compromising this method would require the attacker to have access to the phone and the code sent to it, in addition to knowing the username and password, so it provides stronger protection than a username and password alone. Codes sent by SMS are the weakest form of this second factor, because phone numbers can be hijacked (for example, through SIM swapping); authenticator apps that generate time-based codes or hardware security keys are preferable where available.
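The following added example (not code from the original module) walks through the identify, authenticate, authorize sequence from the previous section with the two factors described here: a salted password hash as the "something you know" and a time-based one-time code (TOTP, RFC 6238, built on HOTP, RFC 4226) as the "something you have", the same mechanism authenticator apps use. The user directory, role map and password are constructed; the TOTP secret is the published RFC 6238 test-vector secret, chosen so the expected codes can be checked against the RFC.

```python
import hashlib
import hmac
import struct


# --- "something you have": TOTP (RFC 6238) built on HOTP (RFC 4226) ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1) -> bool:
    """Accept the current 30-second step and +/- `window` steps for clock drift."""
    counter = int(at_time) // 30
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


# --- "something you know": salted PBKDF2 password hashes ---
PBKDF2_ROUNDS = 200_000   # kept modest so the demo runs quickly; follow current guidance in production


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user directory and role map (assumptions for this example).
RFC6238_SECRET = b"12345678901234567890"     # RFC 6238 test-vector secret
SALT = b"constructed-per-user-salt"
USERS = {
    "alice": {
        "salt": SALT,
        "password": hash_password("correct horse battery staple", SALT),
        "totp_secret": RFC6238_SECRET,
        "roles": {"hr"},
    },
}
ROLE_RESOURCES = {
    "hr": {"hr/personnel-files"},
    "finance": {"finance/customer-ledger"},
}
# Hashed once so an unknown username costs the same time as a wrong password;
# otherwise response timing would reveal which usernames exist.
_DUMMY_HASH = hash_password("dummy", SALT)


def authenticate(username: str, password: str, code: str, now: int):
    """Identify the user, then check both factors. Returns (ok, reason)."""
    user = USERS.get(username)                                   # identification
    salt = user["salt"] if user else SALT
    expected = user["password"] if user else _DUMMY_HASH
    password_ok = hmac.compare_digest(hash_password(password, salt), expected)
    if user is None or not password_ok:
        return False, "bad username or password"               # one message for both cases
    if not verify_totp(user["totp_secret"], code, now):          # second factor
        return False, "bad or expired code"
    return True, "ok"


def authorize(username: str, resource: str) -> bool:
    """Authorization: is the resource granted to any of the user's roles?"""
    roles = USERS.get(username, {}).get("roles", set())
    return any(resource in ROLE_RESOURCES.get(role, set()) for role in roles)
```

Two details matter beyond the happy path: a code that was valid a while ago is rejected when presented later, so a captured code is of little use to an attacker, and a wrong username is reported with the same message and roughly the same delay as a wrong password.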

Pay Special Attention to Privileged Accounts

A privileged account allows a user to perform administrative functions that an unprivileged user would not need to perform, such as changing configurations on network devices, administering a database, or installing software. Because these accounts have elevated access, an attacker who compromises a privileged account can cause far more damage. Gartner provides information on the various hardware and software tools (privileged access management, or PAM, tools) available to help security professionals manage and protect privileged accounts. With such a tool, the administrator logs in to a separate platform using a username, a password, and an authentication token sent to their mobile phone, then checks out an administrative password to perform a function such as exporting data from a sensitive database. The administrative password is valid for a single use, in a time-limited session that is monitored throughout, and is rotated afterward so it cannot be reused. This provides a higher level of security than a traditional username and password alone.
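To make the checkout workflow concrete, here is an added example (not code from the original module or from any PAM product) of a toy vault that issues a one-time, time-limited credential only after MFA has been verified, refuses reuse and expired tickets, and keeps an append-only audit trail of every event. The administrator name, target system and time values are constructed.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Checkout:
    admin: str
    target: str
    purpose: str
    issued_at: float
    expires_at: float
    credential: str
    used: bool = False


class PrivilegedVault:
    """Toy PAM vault: one-time, time-limited credential checkout with an audit trail."""

    def __init__(self, ttl_seconds: float = 900):
        self.ttl = ttl_seconds
        self.checkouts = {}      # ticket id -> Checkout
        self.audit = []          # append-only list of (time, admin, event, detail)

    def check_out(self, admin, target, purpose, mfa_verified, now):
        """Issue a fresh credential; the caller must already have passed MFA."""
        if not mfa_verified:
            self.audit.append((now, admin, "checkout-denied", f"{target}: mfa not verified"))
            raise PermissionError("MFA required before privileged checkout")
        ticket = secrets.token_hex(8)
        credential = secrets.token_urlsafe(24)   # stands in for rotating the real admin password
        self.checkouts[ticket] = Checkout(admin, target, purpose, now, now + self.ttl, credential)
        self.audit.append((now, admin, "checkout", f"{target}: {purpose} (ticket {ticket})"))
        return ticket, credential

    def use(self, ticket, credential, action, now):
        """Redeem a checkout exactly once, within its window. Returns (ok, reason)."""
        co = self.checkouts.get(ticket)
        if co is None:
            return False, "unknown ticket"
        if now > co.expires_at:
            self.audit.append((now, co.admin, "expired", f"{co.target}: ticket {ticket}"))
            del self.checkouts[ticket]
            return False, "expired"
        if co.used:
            self.audit.append((now, co.admin, "replay-rejected", f"{co.target}: ticket {ticket}"))
            return False, "already used"
        if not hmac.compare_digest(co.credential, credential):
            self.audit.append((now, co.admin, "bad-credential", f"{co.target}: ticket {ticket}"))
            return False, "bad credential"
        co.used = True
        self.audit.append((now, co.admin, "privileged-action", f"{co.target}: {action}"))
        return True, "ok"

    def events(self, admin):
        """The audit trail for one administrator, in order."""
        return [e for e in self.audit if e[1] == admin]
```

The point of the example is the shape of the control rather than the storage: every path through `use` either performs exactly one recorded privileged action or records why it was refused, which is what makes the session "monitored throughout".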

Review User Privileges at Regular Intervals

Network security engineers also control access to resources based on what the user needs to know, and they review those privileges at regular intervals. This enforces least privilege, which limits what an unauthorized user can reach on the network if they manage to compromise an account. If a hacker compromises a Human Resources employee’s account, they should not be able to use it to access customers’ financial records. Reviewing privileges at regular intervals also ensures that users do not retain access to resources they no longer need to do their jobs, whether because a project has ended, because they have changed roles, or because they have left the company. These reviews are just as important as provisioning access, and are often neglected.

Use a Centralized Dynamic Access Management Solution

Access management solutions are tools that help control and monitor user access. They use centralized policies to let network administrators review who has access to individual files and resources, and they record who has accessed which resources so administrators can audit that access. If a hacker compromises an account, the network security engineer can then identify what the hacker viewed, changed, stole, or destroyed, and assess the impact of the breach. In another example, a malicious insider, such as an employee who has recently been fired, downloads several sensitive company documents onto a personal USB drive. If the employee’s account is monitored through an access management solution, the company can quickly identify what items were accessed and work to contain the impact.
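The following added example (not code from the original module) covers both the periodic privilege review from the previous section and the audit use of an access management system described here. It compares what is actually provisioned against what each user's current roles entitle them to, flagging a role change, an ended project and a departed employee, and then pulls one account's activity from an access log to assess impact after a suspected compromise. All users, roles, entitlements and log entries are constructed for the example.

```python
# Constructed identity data for a hypothetical company.
ROLE_ENTITLEMENTS = {
    "hr-analyst":      {"hr/personnel-files", "hr/payroll-reports"},
    "finance-analyst": {"finance/customer-ledger"},
    "project-apollo":  {"eng/apollo-repo"},
}
USERS = {
    "carol": {"roles": {"hr-analyst"},      "status": "active"},
    "dave":  {"roles": {"finance-analyst"}, "status": "active"},      # moved from HR; Apollo project ended
    "erin":  {"roles": set(),               "status": "terminated"},  # left the company
}
PROVISIONED = {   # what is actually granted today, as pulled from the access management system
    "carol": {"hr/personnel-files", "hr/payroll-reports"},
    "dave":  {"hr/personnel-files", "finance/customer-ledger", "eng/apollo-repo"},
    "erin":  {"finance/customer-ledger"},
}


def entitled(user):
    """Entitlements the user's current roles justify; a terminated user is entitled to nothing."""
    roles = USERS[user]["roles"] if USERS[user]["status"] == "active" else set()
    return set().union(*(ROLE_ENTITLEMENTS[r] for r in roles))


def access_review(users=USERS, provisioned=PROVISIONED):
    """Map each user to the entitlements that should be revoked (users with nothing to revoke are omitted)."""
    excess = {}
    for user in users:
        extra = provisioned.get(user, set()) - entitled(user)
        if extra:
            excess[user] = extra
    return excess


# Constructed access log as an access management system would record it:
# (unix time, account, resource, action).
ACCESS_LOG = [
    (1_700_000_000, "dave",  "finance/customer-ledger", "read"),
    (1_700_003_600, "dave",  "hr/personnel-files",      "read"),
    (1_700_003_700, "dave",  "hr/personnel-files",      "download"),
    (1_700_003_900, "carol", "hr/payroll-reports",      "read"),
    (1_700_004_200, "dave",  "eng/apollo-repo",         "delete"),
]


def account_activity(log, account, since):
    """Everything an account touched from `since` onward, for impact assessment after a compromise."""
    return [(t, res, act) for t, who, res, act in log if who == account and t >= since]


def unexpected_activity(log, account, since):
    """The subset of that activity on resources the account's current roles do not even justify."""
    allowed = entitled(account)
    return [(t, res, act) for t, res, act in account_activity(log, account, since) if res not in allowed]
```

In the constructed data, every action taken with Dave's account after the suspected compromise time hits an entitlement the review would have removed, which is the practical link between the two sections: privileges that are never reviewed are exactly the ones an attacker gets for free.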


Taken in total, these activities and controls help secure the network. For a network security engineer at a large organization, many of these activities may be the purview of another team, like the one that deals with Identity and Access Management. However, the engineer still has a role to play in being aware of how users access network resources and devices. If the engineer works at a small company, many of these tasks may be part of their daily responsibilities.