sunhux

asked on

Analysis/justifications for not segmenting each department's PCs from another department

We got an audit finding from one of the Big Four audit firms as follows:
"A study should be conducted to determine the granularity of the segmentation of end-users. Minimally,
  IT administrators should be in a separate network segment from the rest of the end-users."
"Inadequate network segmentation increases the ease and risk of lateral movement by cyber-
  attacks, if a server or device in the segment is compromised."

As sysadmins have "privileged" access to servers, and a compromise of their PCs would risk compromising
the servers in a 'privileged' way, we'll adopt the recommendation.

I'll need some good points/arguments to support our stand of not further segmenting each
department from the others:

a) the main exposures are from "Internet surfing" & email access (lots of malicious attachments,
    phishing, spam emails seen in email gateways), besides USB ports

b) all other users belong to the same trust domain as they read emails & surf the Internet (yes, the
     sysadmins are encouraged to surf the Internet on PCs not used to surf the Net & read emails)

c) the workstations used for Industrial Control Systems/Operations Tech don't have email
    access or Internet surfing & have been rightfully segregated as per the existing set-up

d) to prevent lateral attacks, EDR, AV & email security (for forwarding of malicious emails to
     other colleagues) are in place, with SIEM for detecting such events in the pipeline

e) if we were to segregate every department (eg: Finance due to financial compromise,
    HR due to PII data), then we'd have to segregate the Finance server from the HR server from the
    Procurement server from ... (ie each server would have to be isolated from every other).
    It's also not feasible to segregate a department head from his/her manager, or the
    managers from the staff, as all their PCs are in the same trust domain, ie they
    can access emails & surf the Net

f) should there be crucial PCs (eg: for making multi-million-dollar transactions like
    SWIFT payments etc.), these PCs ought to be isolated such that they have no
    email & Internet access

Anything else to further support our stand?
ASKER CERTIFIED SOLUTION
btan

(Solution text only available to Experts Exchange members.)
sunhux

ASKER

> think the auditor is looking for separation of the administration from the actual data transaction. This is done
> commonly by having a management LAN for the server farm, while the data LAN remains to be accessed by users

The auditors are fully aware our servers are segmented from the users' VLAN by a firewall.
For sysadmins to access critical servers, they need to go through a PAM (eg: CyberArk).
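As an added example, not part of the original thread or of any product named in it, here is the kind of check an assessment report behind such a "study" can rest on: a first-match reachability model over the firewall policy, asserting the properties the thread treats as mandatory (admins in their own segment, server management ports reachable only via the PAM host, ICS/SWIFT workstations with no Internet or mail path) and reporting findings for a flat network. All segment names, CIDRs, hosts and ports below are assumptions for illustration, not the asker's real addressing.

```python
"""Constructed segmentation check (added example, not the original poster's setup).

Assumptions (all invented for illustration): five segments, a PAM host inside the
server segment, a mail gateway, a TEST-NET-3 address standing in for "the Internet",
and first-match firewall semantics with an implicit default deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                              # "allow" or "deny"
    src: str                                 # source CIDR
    dst: str                                 # destination CIDR
    ports: Optional[Tuple[int, ...]] = None  # None means any TCP port

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (self.ports is None or port in self.ports))


def allowed(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> bool:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, port):
            return rule.action == "allow"
    return False


# Assumed addressing for the example.
SEGMENTS: Dict[str, str] = {
    "users":   "10.10.0.0/16",   # ordinary end-user VLAN(s)
    "admins":  "10.20.0.0/24",   # sysadmin workstations (auditor's minimum)
    "servers": "10.30.0.0/24",   # server farm
    "ics":     "10.40.0.0/24",   # ICS/OT workstations
    "swift":   "10.50.0.0/24",   # SWIFT payment stations
}
PAM_HOST = "10.30.0.5"           # assumed PAM jump host in the server segment
MAIL_GW = "10.30.0.25"           # assumed mail gateway
INTERNET_HOST = "203.0.113.10"   # TEST-NET-3 address standing in for the Internet
MGMT_PORTS = (22, 3389)          # SSH / RDP: must only be reachable via PAM

# Policy that satisfies the properties discussed in the thread.
SEGMENTED_RULES = [
    Rule("allow", SEGMENTS["admins"], PAM_HOST + "/32", (443,)),   # admins -> PAM only
    Rule("allow", PAM_HOST + "/32", SEGMENTS["servers"], MGMT_PORTS),  # PAM -> mgmt ports
    Rule("deny",  SEGMENTS["ics"],   "0.0.0.0/0"),                 # ICS: no egress at all
    Rule("deny",  SEGMENTS["swift"], "0.0.0.0/0"),                 # SWIFT: no egress at all
    Rule("allow", SEGMENTS["users"], SEGMENTS["servers"], (443,)), # app traffic only
    Rule("allow", SEGMENTS["users"], MAIL_GW + "/32", (143, 587)),
    Rule("allow", SEGMENTS["users"], "0.0.0.0/0", (80, 443)),      # web browsing
    Rule("allow", SEGMENTS["admins"], "0.0.0.0/0", (80, 443)),
]

# A flat network: one /8, everything allowed, admins sharing the user segment.
FLAT_RULES = [Rule("allow", "10.0.0.0/8", "0.0.0.0/0")]
FLAT_SEGMENTS = dict(SEGMENTS, admins=SEGMENTS["users"])


def segmentation_findings(rules: List[Rule], segments: Dict[str, str] = SEGMENTS) -> List[str]:
    """Return a list of audit findings; an empty list means every check passed."""
    findings: List[str] = []

    def host(name: str) -> str:            # a representative workstation in a segment
        return str(ipaddress.ip_network(segments[name])[10])

    server = str(ipaddress.ip_network(segments["servers"])[20])

    # 1. Admins must not share a segment with end users.
    if ipaddress.ip_network(segments["admins"]).overlaps(ipaddress.ip_network(segments["users"])):
        findings.append("admin workstations share a segment with end users")

    # 2./3. Management ports: denied to users and to admins directly, allowed to the PAM host.
    for port in MGMT_PORTS:
        if allowed(rules, host("users"), server, port):
            findings.append(f"end users reach server mgmt port {port} without PAM")
        if allowed(rules, host("admins"), server, port):
            findings.append(f"admin workstations reach server mgmt port {port} bypassing PAM")
        if not allowed(rules, PAM_HOST, server, port):
            findings.append(f"PAM host cannot reach server mgmt port {port}")

    # 4. ICS and SWIFT stations must have neither Internet nor mail access.
    for seg in ("ics", "swift"):
        for dst, port, what in ((INTERNET_HOST, 443, "Internet"), (MAIL_GW, 143, "mail")):
            if allowed(rules, host(seg), dst, port):
                findings.append(f"{seg} workstation has {what} access on port {port}")
    return findings


if __name__ == "__main__":
    print("segmented policy:", segmentation_findings(SEGMENTED_RULES) or "no findings")
    for f in segmentation_findings(FLAT_RULES, FLAT_SEGMENTS):
        print("flat policy:", f)
```

The check deliberately models the auditor's own wording: it asks nothing about per-department isolation, only whether the admin segment, the PAM path and the isolated ICS/SWIFT stations hold. Adding a department-level test would require a rule per department pair, which is exactly the cost the asker is arguing against.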
SOLUTION

(Solution text only available to Experts Exchange members.)
sunhux

ASKER

Thanks for the MS link.

I'm for isolating specialized workstations (eg: Industrial Control Systems or
SWIFT payment stations, both of which are not allowed Internet surfing or
email access & don't have active-content rendering software, ie MS Office,
PDF reader, ActiveX etc. on them) &, fair enough, sysadmins or privileged
access being isolated. But to further segment one dept from another dept
is too tall an order: we'd probably need many firewalls, or a firewall with
many legs, to cater for this.

Thanks, what the audit requires is basically a study or an assessment
report.
Complexity is an enemy of security. Indeed, business function still takes precedence. A risk assessment will help to justify acceptance as part of the study. A long-term plan may be put on the table for consideration, or for when a revamp comes along the way.