Security Articles

Today, more than ever, it is critical for network operators to regularly conduct a network threat analysis and risk assessment to guide the selection of the right solutions to help protect your networks against threats today and into the future. Here are some steps to assess your network vulnerabilities, determine risk tolerance, and select solutions that can help minimize damage from network security threats.

Step 1: Conduct network threat analysis and risk assessment
Conducting a thorough threat analysis and risk assessment of your entire network is the first step needed to determine vulnerabilities. Doing so will enable you to identify areas with risk so that you can choose cybersecurity solutions with protections where most needed. Some questions to ask:

• Have you had network security breaches in the past, and how did they affect your business?
• How did the breach occur?
•  Did you experience downtime?
•  What was the impact in terms of time, productivity, and dollars?

Threat analysis should be ongoing to track existing and evolving threats and their effect on potential areas of vulnerability.

Step 2: Determine your security risk tolerance
The next step is to determine your organization’s security risk tolerance. This is the level of risk you are willing to assume as it relates to potential outcomes.

• Is your tolerance aggressive, moderate, or conservative?
• What areas within your organization would be most affected by a cybersecurity breach?
• What threats do you consider acceptable?
• How much risk are you willing to take versus the cost to prevent a cyberattack intrusion?

It is important to understand exactly what is at risk, the repercussions involved, and the reasonable level of potential loss or disruption. 

Step 3: Choose the solutions you need
Once you know where your network is vulnerable and understand your organization’s risk tolerance, you can determine which solutions are available for each identified risk type and how it balances with your budget. The solutions you choose should provide protection for today while having the ability to address the changing future threat landscape.

Here are some solutions to help eliminate or reduce today’s cyber risks while managing potential future risks as threats evolve. 

Dedicated Fiber Bandwidth: Optical transport's physical properties lower intrusion abilities and offer more security than the public Internet. With a dedicated circuit, Internet-based type threats are eliminated. Look for a provider that can offer a network where all your traffic is segmented and protected, along with route diversity and resiliency.

Optical Encryption: A 24/7 ultra-low latency solution with high throughput and dedicated encryption management can help provide reliable, secure, ultra-low latency data protection. It should secure in-flight data in the network transport layer from endpoint to endpoint as it is carried over optical waves across fiber-optic cables. Traffic leaving your site is encrypted at the optical layer for optimized security, throughput, and latency. Gateway routers send traffic directly to the transport device for bulk encryption without requiring expensive encryption gateways or additional encryption appliances. Choose a solution that offers protocol-agnostic encryption for a wide range of services and supports all infrastructures, from metro to long-haul.

SD-WAN with built-in security: Select an SD-WAN solution with integrated security layers throughout without degrading performance for bandwidth-intensive networks. Architecture should include network management visibility and control features with security features such as IDS/IPS, URL filtering, web search filtering, anti-malware, geo-IP-based firewalling, IPsec, VPN connectivity, and advanced malware protection. Automatic firmware updates to keep current with security patches should be included. The solution should also segment, isolate, and protect critical assets with the Cloud, partner networks, etc. 

Managed DDoS Protection: To protect against volumetric DDoS attacks, choose a solution that automatically identifies and re-routes suspect malicious data away from your network so that it can be cleansed and analyzed without disturbance to your business. It should include expert 24/7 DDoS monitoring, technical support, and detailed incident reports. Choose a solution that continuously monitors the changing threat landscape and updates protections to address those changes.

Cloud Security: Ensure that secure connectivity exists between your organization and your connectivity provider as well as between your connectivity provider and the Cloud provider. Security should be built in at every step of data transport to protect against possible breaches. A review of the security policies of your Cloud provider will help ensure that your needs are being met. Dedicated connectivity to your specific Cloud providers can provide you with the highest level of security.

Advanced Firewall: An Advanced Firewall will monitor and control your network traffic and block unauthorized or malicious inbound or outbound traffic, such as malware and hacking, from entering your network. This can be accomplished through either hardware or software, which uses a set of rules or policies to filter data. The firewall will act as a barrier between trusted networks and untrusted networks such as the Internet. An Advanced Firewall allows filtering in a “human readable” and simple fashion, such as “Deny traffic to/from country “x.” Older Firewalls work only at layer 3, so you must identify the IP address, port, and protocol.

IPsec for Multi-site VPNs: To secure connectivity between multiple locations, IPsec protocols will ensure all traffic is encrypted in transit through the VPN funnel. Traffic will only be allowed from one end to the other, blocking any outside attempts to intercept it. A digital certificate must sign all traffic, and to get authenticated, a public key infrastructure must be deployed.

IPS/IDS protection: This protection will monitor all traffic on your network to identify any known malicious behavior so that an attacker cannot compromise your network by exploiting a vulnerability within a device or software. It identifies those attempts and blocks them before they can successfully compromise any network endpoints. IDS/IPS protection technologies are necessary at both the network edge and within your data center because they stop attackers while they are gathering information about your network.

Assessing your network, establishing risk tolerance, and choosing solutions that best help minimize damage from cyber threats is critical to protecting your organization both today and in the future.

Lightpath’s highly reliable Network, Connectivity, SD-WAN (LP FlexNet), and Managed Security solutions can help prepare and protect your organization from cyber threats. For more information, visit lightpathfiber.com or call us at 877-544-4872 today.