Dr Craig Valli and Dr Ian Martinus
There are some simple steps that an SME can take that can greatly enhance the security of its network infrastructure. This involves locking in details about the devices that connect to your work network. This lockdown covers your existing internal devices and any external parties who are going to use your networks.
Free Wireless... Computer says no
One of the not so smart things to do is offer public access to your production network. A problem we find in some industry types, where people have to queue, wait or recreate, is that "free" wifi is on offer: a good concept for marketing, but unless it is installed properly, extremely bad for cyber security.
Any "free" service should really be run on a completely physically separate network from your existing production network, end of story. It is inviting trouble to use your production network as the gateway or access point for this service. Why?
All traffic will be attributed to your organisation. You have no real way of validating that people are who they say they are when they access these networks, and they may be performing criminal acts.
It will congest your existing network connection further, as the "free" devices will draw down on your existing capacity.
The "free" clients will be in the same network space as your work machines and data (remember: criminal acts).
The question that filters out of all this for any SME is: sure, supply free wifi, but are you going to significantly increase the risk to, and degrade the performance of, your networks, data and reputation for the sake of saving 49.95 a month (the cost of a separate Internet connection)?
DHCP the enemy of basic control
DHCP is the default for most networks, i.e. power on your device, connect to the network and get a semi-random IP address; that is how most networks function. Great for the end user and, from the admin side of the coin, for the admin, but really just a nightmare for audit, control and security overall. These issues can be partly overcome by some logging, but again you will need someone post-incident to audit the logs. A further point: very few places we have audited ever keep extensive DHCP logfiles, so this again hampers any chance of success in audits or investigations.
Nail it down... MAC
The simple solution is to use what is called a static IP, colloquially referred to as a nailed IP. A device is assigned a permanent IP address; this can be done when you acquire and onboard new equipment or staff (see sample template). The record should include the MAC (Media Access Control) address of the device's network interface, as it is a useful unique identifier. Note: yes, we know it is possible to change a MAC address, but if this is done it is not accidental and goes to the user's/abuser's intentions, which are not good.
While not completely beyond reproach as evidence, nailing IPs does bring accountability into focus for the user and is a great conversation starter. It also protects the end user from certain events involving bad actors faking access or trying to circumvent restrictions.
Several IPs should be set aside for visitors/contractors/consultants and allocated on a needs basis.
To protect against reuse, and also against "randoms" plugging into your network sockets (yes, people do), you should also implement MAC address locking. Most decent network routers have this already provisioned; you just need to configure it. It is best to use the allow function, i.e. enter the devices allowed to connect and ban everything else. Remember, you recorded those MAC addresses in the onboarding sheets.
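The onboarding sheet is only useful if someone actually checks it against what the network sees. Below is an added example (not the authors' own code) that audits DHCP server log lines against the recorded MACs and nailed IPs, flagging devices that were never onboarded and known devices that turned up on the wrong address. It assumes a CSV sheet with owner,mac,ip columns and dnsmasq-style DHCPACK log lines; both inputs are constructed samples.

```python
# Added example, not the article's own code: audit DHCP log lines against the
# onboarding sheet of recorded MACs and nailed IPs. Assumes a CSV sheet with
# owner,mac,ip columns and dnsmasq-style DHCPACK lines; both are constructed.
import csv
import io
import re

# Constructed onboarding sheet: one row per device recorded at onboarding.
ONBOARDING_CSV = """owner,mac,ip
Alice (finance),00:11:22:33:44:55,192.168.10.21
Bob (sales),00:11:22:33:44:66,192.168.10.22
"""

# Constructed DHCP log lines in dnsmasq's "DHCPACK(iface) ip mac host" format.
DHCP_LOG = """\
Jun  3 09:01:12 gw dnsmasq-dhcp[812]: DHCPACK(eth1) 192.168.10.21 00:11:22:33:44:55 alice-pc
Jun  3 09:02:45 gw dnsmasq-dhcp[812]: DHCPACK(eth1) 192.168.10.37 00:11:22:33:44:66 bob-laptop
Jun  3 09:05:09 gw dnsmasq-dhcp[812]: DHCPACK(eth1) 192.168.10.88 de:ad:be:ef:00:01 android-7f3
"""

ACK_RE = re.compile(r"DHCPACK\(\S+\) (\S+) ([0-9a-f:]{17})", re.IGNORECASE)


def load_inventory(csv_text):
    """Map lower-cased MAC -> (owner, nailed IP) from the onboarding sheet."""
    return {row["mac"].lower(): (row["owner"], row["ip"])
            for row in csv.DictReader(io.StringIO(csv_text)) if row["mac"]}


def parse_leases(log_text):
    """Return (ip, mac) pairs from DHCPACK lines; other log lines are ignored."""
    return [(m.group(1), m.group(2).lower())
            for m in map(ACK_RE.search, log_text.splitlines()) if m]


def audit(inventory, leases):
    """Flag MACs missing from the sheet and known MACs on the wrong IP."""
    findings = []
    for ip, mac in leases:
        if mac not in inventory:
            findings.append(f"UNKNOWN {mac} got {ip}: not on onboarding sheet")
        elif inventory[mac][1] != ip:
            owner, nailed = inventory[mac]
            findings.append(f"MISMATCH {mac} ({owner}) got {ip}, nailed IP is {nailed}")
    return findings


if __name__ == "__main__":
    for finding in audit(load_inventory(ONBOARDING_CSV), parse_leases(DHCP_LOG)):
        print(finding)
```

Run it against your real DHCP log and the finding list is the set of devices to chase up before they become an incident.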