Forescout describes security challenges of handling both Republican and Democratic National Conventions

By Katherine Gronberg, VP Government Affairs

Inside RNC/DNC Convention Networks - Cybersecurity Challenges

ForeScout had the honor of providing information security support for the Republican National Convention (RNC) and the Democratic National Convention (DNC). These were challenging environments as the networks were created and configured in a short time-span, they were more “IP-enabled” than any conventions in history and, of course, they were extremely high profile. But the lessons learned in Cleveland and Philadelphia are relevant to almost any complex network, including large commercial and government networks. It helped us to think about the conventions’ networks in terms of buckets.

Segmentation, Segmentation, Segmentation…

Probably the biggest challenge in securing events like the conventions is that there are SO MANY ad hoc networks being created all the time. It’s an unavoidable requirement for the event to be successful. This happens in the commercial and government worlds too, although to a lesser extent. You have to divide your network up into three high-level buckets. We called them The Wild West, Mission Control, and The Vault. If at all possible, these networks need to be completely isolated from each other. The key to success in the convention environments was to focus on controlling access to the most sensitive networks, while still ensuring that the less sensitive networks remained operational.

The Wild West

These days, people attending events like the conventions expect access to reliable free WiFi. Public access to WiFi enhances their experience and makes for a more successful and impactful event. However, “Secure free WiFi” is an oxymoron. When people connect to a public WiFi network, their traffic is often visible to other people on the network and they run a greater risk of having their device infected with malware.
There are steps that can be taken to make users more secure, such as requiring WPA2 encryption and attempting to isolate users from each other, but these efforts are only partially effective at best. In an environment like this, user education is necessary: instructing users as to which network is the “Official” free WiFi network, and also advising users to not conduct sensitive business on public WiFi without establishing a VPN tunnel first. Above all else, the public free WiFi should NEVER have a connection back to Mission Control or The Vault. We developed specific policies that looked for cross-bucket communication and remediated any discovered anomalies.

Mission Control

Mission Control is the network for “official” business. These networks often include things like staff systems, kiosks, point-of-sale devices, VOIP phones, cameras, and many other mission-critical functions. In such a dynamic and transient network environment characterized by so many wired and wireless network access points, unauthorized network access should be expected and planned for. Controlling access as much as possible by using passwords and other authentication protocols is critical. But the real key is continuous monitoring of the networks to look for unwanted behaviors (devices scanning your network, transmitting large amounts of data, or changing their profiles unexpectedly). Establishing a baseline of a known good state BEFORE the event begins is critical to identifying something that’s not supposed to be there. For all of the devices found, policies must be written that stipulate how a device must be handled depending on how it behaves. We started this process early on for the conventions and continually refined our baseline throughout the events.

In addition to establishing a baseline, penetration testing, or “pentesting,” is highly encouraged. This will allow you to anticipate the methods that attackers may use to gain access to your network. Reconfiguring the network can mitigate some attacks. Others can be caught through Continuous Monitoring policies, but you first need to know what to look for. This is where a skilled pen tester comes in very handy. ForeScout did not pen test the conventions ourselves; however, we worked extensively with trusted White Hat resources to develop policies to catch malicious behavior that can indicate network intrusions.

The Vault

The best advice for securing the most sensitive assets in an organization is: “Don’t connect it to the Internet!” If, for some reason, Internet connectivity is required, give these systems their own dedicated and highly monitored internet connection. Something as important as a teleprompter should be completely disconnected. A broadcast system is another example of something that deserves an isolated internet connection. If the only thing that is ever present on that connection is a broadcast system, network anomalies should be easy to detect.
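
An added example, not ForeScout's policy code: the cross-bucket check and the baseline-driven monitoring (unknown devices, scanning, unusual data volume) described for the three buckets, run over constructed flow records. The address plan, baseline values, thresholds and function names are assumptions; the article gives none.

```python
import ipaddress
from collections import defaultdict
# Assumed address plan for the three buckets (hypothetical; not from the article).
BUCKETS = {
    "wild_west": ipaddress.ip_network("10.10.0.0/16"),
    "mission_control": ipaddress.ip_network("10.20.0.0/16"),
    "vault": ipaddress.ip_network("10.30.0.0/24"),
}
# Baseline recorded before the event: known device -> typical bytes per interval.
BASELINE = {"10.20.0.15": 5_000_000, "10.20.0.40": 200_000, "10.30.0.5": 50_000_000}
SCAN_TARGETS = 20    # distinct (host, port) targets that suggest scanning
VOLUME_FACTOR = 10   # multiple of baseline bytes treated as anomalous

def bucket_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in BUCKETS.items():
        if addr in net:
            return name
    return "external"

def evaluate(flows):
    """flows: (src, dst, dst_port, bytes) tuples -> sorted (rule, src, detail) findings."""
    findings = set()
    targets, volume = defaultdict(set), defaultdict(int)
    for src, dst, port, nbytes in flows:
        sb, db = bucket_of(src), bucket_of(dst)
        if "external" not in (sb, db) and sb != db:
            findings.add(("cross_bucket", src, f"{sb}->{db}"))
        if sb in ("mission_control", "vault"):  # segments that have a baseline
            targets[src].add((dst, port))
            volume[src] += nbytes
    for src in targets:
        if src not in BASELINE:
            findings.add(("not_in_baseline", src, bucket_of(src)))
        elif volume[src] > VOLUME_FACTOR * BASELINE[src]:
            findings.add(("volume", src, str(volume[src])))
        if len(targets[src]) >= SCAN_TARGETS:
            findings.add(("scan", src, str(len(targets[src]))))
    return sorted(findings)

# Constructed sample flows for one monitoring interval.
SAMPLE_FLOWS = [
    ("10.10.3.7", "10.20.0.15", 443, 1200),          # public WiFi reaching Mission Control
    ("10.20.0.15", "203.0.113.9", 443, 900_000),     # staff system, within baseline
    ("10.20.0.40", "198.51.100.4", 443, 9_000_000),  # kiosk at 45x its baseline volume
    ("10.30.0.5", "192.0.2.10", 1935, 40_000_000),   # broadcast uplink, within baseline
] + [("10.20.0.77", "10.20.0.15", p, 60) for p in range(1, 41)]  # unknown device sweeping ports

print(*evaluate(SAMPLE_FLOWS), sep="\n")
```
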
Leading up to the conventions, there was a lot of speculation around the potential hacking of teleprompters or broadcast systems, but in actuality, they were never connected to the convention networks. Physical security is also used to protect these assets – in this case, physical security was provided by Secret Service agents manning doors backstage. At a corporate datacenter, physical security is provided by things like guards and retinal scanners. At the end of the day, for your most critical assets, disconnect them from the network and rely on robust physical security.

Katherine Gronberg is Vice President for Government Affairs at ForeScout Technologies. Prior to joining ForeScout, she was a professor at Georgetown University, teaching classes in cybersecurity and business-government relations. Katherine also founded and ran her own consulting firm, Gronberg Consulting, L.L.C., which represented top U.S. technology firms on their government relations strategies. Prior to this, Katherine worked for Morhard & Associates, L.L.C. Katherine began her Washington career in 2000 as a staff member on the Senate Appropriations Committee handling annual appropriations for a range of federal agencies. Katherine holds a Bachelor’s degree from Yale University, an MBA from the University of Virginia’s Darden School of Business, and is a former Fulbright Scholar.