Network Security
Description
Networks and network devices shall be secured, managed, and controlled to protect information in systems and applications.
⚠️ Risk Impact
The network is the substrate every other control runs on. Network-layer weaknesses (unauthenticated services, exposed ports, weak or missing encryption in transit) cascade into application-layer compromises.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
- Segment networks by VPC and subnet, and place each tier (edge, application, data) in its own subnet with its own rules.
- Start from default-deny for both ingress and egress; every allow rule is an explicit, documented exception.
- Control east-west traffic with Kubernetes NetworkPolicy or cloud security groups, referencing source security groups rather than broad CIDR ranges where the platform supports it.
- Require TLS 1.2 or later for all traffic in transit, internal as well as external.
- Disable legacy protocols and versions (for example TLS 1.0/1.1, SSLv3, Telnet, FTP, SMBv1).
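As an added example (not EchelonGraph's scanner and not code from this page), the following Python audit walks a list of security groups shaped like AWS `describe-security-groups` output and flags the rules the remediation steps above rule out: admin or database ports reachable from the internet, sensitive services open to broad intra-VPC CIDRs, all-ports rules, and unrestricted egress. The sample groups, the sensitive-port table, the "edge tier" allow-list and the `/16` breadth threshold are constructed assumptions for illustration.

```python
"""Audit security-group rules for overly permissive access.

Added example, not EchelonGraph code. Input follows the shape of AWS
`describe-security-groups` (GroupId, IpPermissions, IpPermissionsEgress);
the sample data, port tables and thresholds below are assumptions.
"""
import ipaddress
from dataclasses import dataclass

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")

# Assumption: the only port an edge (public-facing) tier may expose to the internet.
PUBLIC_OK_PORTS = {443}
# Assumption: services that must never be reachable from broad source ranges.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 445: "smb", 3306: "mysql",
                   5432: "postgres", 6379: "redis", 9200: "elasticsearch", 27017: "mongodb"}


@dataclass
class Finding:
    group_id: str
    severity: str
    reason: str


def _ports(rule: dict) -> tuple[int, int]:
    """IpProtocol -1 means every protocol and port."""
    if rule.get("IpProtocol", "-1") == "-1":
        return 0, 65535
    return int(rule["FromPort"]), int(rule["ToPort"])


def _sources(rule: dict) -> list[str]:
    """CIDR sources only; security-group references (UserIdGroupPairs) are the
    preferred pattern and are not flagged here."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def audit_group(sg: dict, edge_tier: bool = False) -> list[Finding]:
    gid = sg["GroupId"]
    findings: list[Finding] = []
    for rule in sg.get("IpPermissions", []):
        lo, hi = _ports(rule)
        for cidr in _sources(rule):
            net = ipaddress.ip_network(cidr, strict=False)
            internet = net in (ANY_V4, ANY_V6)
            # Assumption: anything wider than a /16 (v4) or /48 (v6) is "broad".
            broad = internet or net.prefixlen < (16 if net.version == 4 else 48)
            if (lo, hi) == (0, 65535):
                sev = "critical" if broad else "medium"
                findings.append(Finding(gid, sev, f"all ports/protocols open from {cidr}"))
                continue
            if not broad:
                continue
            exposed = sorted(n for p, n in SENSITIVE_PORTS.items() if lo <= p <= hi)
            if exposed:
                findings.append(Finding(gid, "high",
                                        f"{', '.join(exposed)} reachable from {cidr} (ports {lo}-{hi})"))
            elif internet and not (edge_tier and set(range(lo, hi + 1)) <= PUBLIC_OK_PORTS):
                findings.append(Finding(gid, "medium",
                                        f"ports {lo}-{hi} open to the internet from {cidr}"))
    for rule in sg.get("IpPermissionsEgress", []):
        if _ports(rule) == (0, 65535) and "0.0.0.0/0" in _sources(rule):
            findings.append(Finding(gid, "low", "unrestricted egress to 0.0.0.0/0; default-deny egress expected"))
    return findings


def audit(groups: list[dict], edge_group_ids: set[str] = frozenset()) -> list[Finding]:
    out: list[Finding] = []
    for sg in groups:
        out.extend(audit_group(sg, edge_tier=sg["GroupId"] in edge_group_ids))
    return out


# Constructed sample: one edge group, one correctly scoped DB group, one sloppy cache group.
SAMPLE_GROUPS = [
    {"GroupId": "sg-edge", "GroupName": "web-edge", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-db", "GroupName": "postgres-internal", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
    ]},
    {"GroupId": "sg-cache", "GroupName": "redis-internal", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},
    ], "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_GROUPS, edge_group_ids={"sg-edge"}):
        print(f"{f.severity:8} {f.group_id:10} {f.reason}")
```

Run against the sample, `sg-db` is clean because it only admits traffic from another security group, `sg-edge` is flagged for SSH from the internet but not for 443, and `sg-cache` is flagged for Redis open to the whole 10/8, an all-ports rule from a /16, and default allow-all egress.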
💀 Real-World Attack Scenario
A flat network let a compromised web server reach the database, Redis, and internal APIs directly; the attacker moved laterally across 14 servers in 90 minutes. Segmented networks limit blast radius by 60-80%.
💰 Cost of Non-Compliance
Flat networks: 2.8× higher breach cost vs segmented (Mandiant M-Trends 2024).
📋 Audit Questions
1. Is the network segmentation architecture documented, and does it separate edge, application, and data tiers?
2. Is east-west traffic controlled (security groups, NetworkPolicy) rather than only north-south?
3. What is the TLS configuration, and is TLS 1.2 or later enforced everywhere?
4. Have legacy protocols and versions been disabled?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ Segmenting at the VPC level but not at the subnet level
- ⛔ Overly permissive security groups within a VPC (broad CIDR sources, all-ports rules)
- ⛔ Monitoring only north-south traffic and leaving east-west traffic unobserved
📈 Business Value
Network segmentation limits breach blast radius — fundamental for SOC 2, PCI DSS, HIPAA.
⏱️ Effort Estimate
40-80 hours for network architecture review and segmentation.
EchelonGraph scans firewall rules and identifies overly permissive access.
🔗 Cross-Framework References
Automate ISO 27001 A.8.20 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.