Device Re-emergence
As our teachers, staff and students return to our schools and offices, the thing that should be first and foremost on our minds is their health and safety. For IT teams, the second concern should be what the devices they are bringing back into our buildings and onto our networks have been in contact with, and whether any of them were infected with malicious software while they were used outside of our IT protective bubble and controls, especially for such a prolonged period of time. Adding a cyber security incident that may cause a service outage to the mix of an already complex school year startup is something none of us want.
Continuous monitoring and analytics help us detect anomalous behaviours, identify possible indicators of compromise and spot any deviation from baselines and expected trends.
Treat every device coming back to the network from home as a potential threat. Every anomalous device or user behaviour should be flagged and followed up on. Keep a closer eye than normal on your SIEM tool (if you are lucky enough to have one), your O365/GSuite Security Centre and AAD alerts, your endpoint protection software, your firewall UTM/security logs and your network traffic diagnostics and monitoring solution (such as SolarWinds) for anything that seems out of the normal, especially during the first few weeks as we get back into the swing of things.
A good network design that allows for client isolation on wireless and wired networks using VLANs, and that presents only the required services to each user group (e.g. there should be no reason for students to be able to RDP into a SQL or web server in your data centre, or SSH into a core switch or firewall), will help to mitigate any infection that makes its way onto the network. Users should cross a layer 3 boundary for inspection by IPS/IDS and anti-malware as often as possible. Threat intelligence should be used on our edge SD-WAN devices to block outbound connections to known CNC (command-and-control) servers and other malicious IP addresses.
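The flagging described above (student devices attempting RDP or SSH into the data centre or network management zone) is easy to turn into a first-week detection check over firewall logs. The script below is an added example, not the author's code or tooling; the subnets, the key=value log format and the sample log lines are all constructed assumptions for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample policy (assumed subnets, not the author's network):
STUDENT_NETS = [ipaddress.ip_network("10.20.0.0/16")]           # student wireless/wired VLANs
PROTECTED_NETS = {                                               # zones students should never reach
    "data-centre": ipaddress.ip_network("10.1.0.0/24"),          # SQL / web servers
    "net-mgmt": ipaddress.ip_network("10.0.0.0/24"),             # core switch / firewall management
}
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}                           # the admin services called out in the text

def parse_line(line):
    """Parse a simplified key=value firewall log line (assumed format) into a dict."""
    return dict(f.split("=", 1) for f in line.split() if "=" in f)

def find_violations(lines):
    """Return one record per student-to-protected-zone RDP/SSH attempt, whether allowed or denied."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        try:
            src = ipaddress.ip_address(rec["src"])
            dst = ipaddress.ip_address(rec["dst"])
            port = int(rec["dport"])
        except (KeyError, ValueError):
            continue                                             # malformed line: skip, don't crash
        if port not in ADMIN_PORTS or not any(src in n for n in STUDENT_NETS):
            continue
        for zone, net in PROTECTED_NETS.items():
            if dst in net:
                hits.append({"time": rec.get("time"), "src": str(src), "dst": str(dst),
                             "service": ADMIN_PORTS[port], "zone": zone,
                             "action": rec.get("action", "?")})   # a 'deny' is still worth a follow-up
    return hits

def repeat_offenders(hits, min_count=2):
    """Source addresses with at least min_count flagged attempts, most active first."""
    counts = Counter(h["src"] for h in hits)
    return [(src, n) for src, n in counts.most_common() if n >= min_count]

# Constructed sample log lines (not real traffic):
SAMPLE_LOGS = [
    "time=08:01:12 src=10.20.5.17 dst=10.1.0.10 dport=3389 action=allow",   # student -> SQL server RDP
    "time=08:01:15 src=10.20.5.17 dst=203.0.113.8 dport=443 action=allow",  # ordinary web traffic, ignored
    "time=08:03:40 src=10.20.9.2 dst=10.0.0.1 dport=22 action=deny",        # student -> core switch SSH
    "time=08:05:01 src=10.30.1.4 dst=10.1.0.10 dport=3389 action=allow",    # staff VLAN, out of scope here
    "time=08:06:22 src=10.20.5.17 dst=10.0.0.2 dport=22 action=deny",       # same student -> firewall SSH
    "garbage line with no fields",                                          # malformed, skipped
]
```

Running `find_violations(SAMPLE_LOGS)` returns the three student attempts and `repeat_offenders(...)` singles out the device that tried twice, which is the one to pull for a closer look.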
Thanks for reading, and I hope this was all helpful. I wish you all the best and hope for smooth and consistent uptimes for all your networks this coming school year.
Sincerely,
Steve Payne, CISSP, Regional Information Security Analyst (Eastern Ontario)