The NYPD (and the rest of us) need some new barricades

Not all security barricades are made of wood. Some are made of bits.

According to the New York Post, the New York Police Department ran into some security trouble back in October, when a contractor plugged an infected Intel NUC computer into the network at the Queens location of the Police Academy as part of work on the school’s digital signage system. The NUC quickly did what infected computers do and reached out and touched 20+ other systems, infecting them with malware.

The interesting part (and lesson for all of us) is that the infected machines were part of the NYPD’s LiveScan fingerprint system, which I think we can all agree would count as a critical system for any law enforcement agency. It appears that the cops reacted quickly, isolating the infection, cleaning the systems and determining that there was no malicious intent on the part of the contractor who caused the mess.

This is a great example of why network segmentation is a good idea and a good security control to consider in your organization.

I can’t think of any reason for the Police Academy’s digital signage network to have the ability to talk to the LiveScan network (or pretty much anything else other than systems holding content and network management tools). Had firewalls or access control lists separated the signage network from the rest of the network, the damage could have been contained to the less critical signage network.

While the NYPD would probably not have had to buy additional equipment to implement network segmentation, this control is not without a cost. Having a more segmented network does mean that thought has to be given to which systems need to communicate with each other, and it adds to the workload of the networking team, who need to open the needed ports and routes and keep track of why systems communicate.

However, the security rewards of segmenting networks are significant, making it much more difficult for malware to spread and for attackers to move laterally once they have breached a portion of the network. Hunting for suspicious traffic on segmented networks is also made easier – just look for firewall drops between segments to see if malware or attackers are rooting around. Finally, this kind of setup makes it harder for internal users to set up applications and servers without the knowledge of networking and security personnel.
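Two of the points above (an allow-list of which segments may talk to which, and hunting for firewall drops between segments) can be sketched in a few dozen lines. The following is an added example written for this post, not code from the NYPD or the New York Post article: the segment names, address ranges, allowed ports and the iptables-style drop log lines are all constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed segment map (assumed ranges, not any real department's network).
SEGMENTS = {
    "signage": ipaddress.ip_network("10.10.0.0/24"),
    "content": ipaddress.ip_network("10.20.0.0/24"),
    "netmgmt": ipaddress.ip_network("10.30.0.0/24"),
    "livescan": ipaddress.ip_network("10.40.0.0/24"),
}

# Allowed (source segment, destination segment, destination port) flows.
# Anything not listed is denied: signage may only fetch content over HTTPS,
# and only the management segment may reach the others, over SSH.
ALLOWED_FLOWS = {
    ("signage", "content", 443),
    ("netmgmt", "signage", 22),
    ("netmgmt", "content", 22),
    ("netmgmt", "livescan", 22),
}


def segment_of(ip):
    """Return the segment name an address belongs to, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip, dst_ip, dst_port):
    """Policy check for one inter-segment flow; default deny."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False
    if src == dst:
        return True  # traffic inside one segment never crosses the firewall
    return (src, dst, dst_port) in ALLOWED_FLOWS


# Constructed drop log in a simplified iptables LOG-target style.
SAMPLE_LOG = """\
Oct 15 09:12:01 fw kernel: DROP IN=eth1 OUT=eth4 SRC=10.10.0.23 DST=10.40.0.5 PROTO=TCP DPT=445
Oct 15 09:12:01 fw kernel: DROP IN=eth1 OUT=eth4 SRC=10.10.0.23 DST=10.40.0.6 PROTO=TCP DPT=445
Oct 15 09:12:02 fw kernel: DROP IN=eth1 OUT=eth4 SRC=10.10.0.23 DST=10.40.0.7 PROTO=TCP DPT=139
Oct 15 09:12:02 fw kernel: DROP IN=eth1 OUT=eth4 SRC=10.10.0.23 DST=10.40.0.8 PROTO=TCP DPT=445
Oct 15 09:13:40 fw kernel: DROP IN=eth1 OUT=eth2 SRC=10.10.0.40 DST=10.20.0.9 PROTO=TCP DPT=8080
Oct 15 09:14:10 fw kernel: DROP IN=eth3 OUT=eth4 SRC=10.30.0.2 DST=10.40.0.5 PROTO=TCP DPT=3389
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=\w+ DPT=(\d+)")


def parse_drops(log_text):
    """Extract (src, dst, dst_port) tuples from drop lines."""
    drops = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            drops.append((m.group(1), m.group(2), int(m.group(3))))
    return drops


def drops_by_segment_pair(drops):
    """Count drops per (source segment, destination segment) for a quick overview."""
    counts = defaultdict(int)
    for src, dst, _port in drops:
        counts[(segment_of(src), segment_of(dst))] += 1
    return dict(counts)


def find_scanners(drops, critical="livescan", min_targets=3):
    """Flag sources whose drops touch several distinct hosts in a critical segment."""
    targets = defaultdict(set)
    for src, dst, _port in drops:
        if segment_of(dst) == critical:
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    drops = parse_drops(SAMPLE_LOG)
    print("drops per segment pair:", drops_by_segment_pair(drops))
    print("sources probing livescan:", find_scanners(drops))
```

The single drop from 10.10.0.40 to the content server on port 8080 shows why the allow-list is per port and not per segment pair: signage is allowed to reach content, but only over 443, so an unexpected port is still logged and visible. The four drops from 10.10.0.23 against consecutive LiveScan hosts are the kind of pattern the post is talking about: a single signage host that suddenly wants SMB to a segment it has no business in.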

Making the commitment to network segmentation is a non-trivial project, and in today’s fast-paced business world, processes need to be in place to quickly evaluate and implement needed connectivity. But when an event occurs, a segmented network is much easier to defend, coordinate response on and clean up.
