In the first part of this blog post I discussed logging, backup, monitoring and management. If you haven’t already read it, I strongly suggest that you do. In this part I will focus on some other areas that will help you build a more robust and secure infrastructure.
One of the most significant risk factors for businesses is outdated software, on clients as well as servers. Studies suggest that up to 75% of security incidents happen because of outdated software. It is therefore very important to establish a procedure for software updates.
On the client side, Java and Adobe Flash are the most frequently attacked components, so consider uninstalling them on client devices. Today Java is not nearly as necessary as it used to be, for instance when it was required for Netbank, so you might as well uninstall it. Flash can likewise be uninstalled or disabled in the browser. If the concern is Adobe’s PDF software rather than Flash, you might want to use an alternative PDF viewer.
The risk of viruses, malware or trojans on client computers is high if you do not keep them updated. Spear-phishing attacks, for instance, frequently target client computers: the user is tricked into clicking a link to a malicious site. Another type of attack is the drive-by download, which infects the client when the user visits a malicious site, or through advertising on well-known sites. A large Danish newspaper, for example, was hit by the latter when malicious advertising banners were placed on its website. Spotify has recently also suffered such an attack, unintentionally distributing malware via malicious advertising to subscribers of its free, advertising-funded version. What most of these attacks have in common is that they exploit outdated software.
You should also automate updates as much as possible. Experience shows that you cannot expect users to do it themselves. For servers we also recommend automating as much as possible, though you should weigh the risk of operational problems when doing so, and you may find that some services or applications do not support automated updates. In any case, you should always keep a list of the services you run together with an update policy for each of them. Alternatively, you can use dedicated patch management tools to deploy software and updates.
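The list-plus-policy idea above is easy to make concrete. The script below is an added example, not code from the original post: it reads a constructed software inventory (hosts, zones, packages and date of last update), applies an assumed update policy (a maximum number of days between updates per zone, tighter for the DMZ) and reports what is overdue, and it separately flags software the post recommends uninstalling rather than patching. The hostnames, zones, versions and deadlines are all made up for illustration.

```python
"""Patch-policy check over a software inventory (added example, not from the post)."""
from datetime import date

# Constructed sample inventory: host, zone, package, installed version, last update.
INVENTORY_CSV = """\
web01,dmz,nginx,1.18.0,2024-05-02
web01,dmz,openssl,1.1.1w,2024-02-10
fs01,lan,samba,4.15.13,2023-11-20
pc-042,client,java-runtime,8u181,2018-07-17
pc-042,client,firefox,124.0,2024-04-30
"""

# Assumed update policy: the internet-facing zone gets the tightest deadline.
MAX_AGE_DAYS = {"dmz": 14, "lan": 30, "client": 30}

# Software to remove from clients instead of patching (per the post).
RETIRE = {"java-runtime", "adobe-flash"}


def parse_inventory(text):
    """Turn the CSV text into a list of dicts; blank lines are ignored."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, zone, package, version, updated = line.split(",")
        rows.append({
            "host": host, "zone": zone, "package": package,
            "version": version, "updated": date.fromisoformat(updated),
        })
    return rows


def overdue(rows, today, policy=MAX_AGE_DAYS):
    """Packages whose last update is older than their zone allows.

    Returns (host, package, days_past_policy) tuples, worst first."""
    result = []
    for r in rows:
        age = (today - r["updated"]).days
        limit = policy[r["zone"]]
        if age > limit:
            result.append((r["host"], r["package"], age - limit))
    return sorted(result, key=lambda t: -t[2])


def to_retire(rows):
    """Installed packages on the retire list: uninstall instead of patching."""
    return sorted({(r["host"], r["package"]) for r in rows if r["package"] in RETIRE})


def check(text=INVENTORY_CSV, today_iso="2024-05-15"):
    """Run both checks; the date is fixed by default so the output is reproducible."""
    rows = parse_inventory(text)
    today = date.fromisoformat(today_iso)
    return overdue(rows, today), to_retire(rows)


if __name__ == "__main__":
    late, retire = check()
    for host, pkg, days in late:
        print(f"OVERDUE {host:8} {pkg:14} {days:5d} days past policy")
    for host, pkg in retire:
        print(f"RETIRE  {host:8} {pkg}")
```

In practice the inventory would be exported from your package manager or management tool rather than typed in; the point is that "do we have a patch policy" becomes a question the script answers every day instead of one that is asked after an incident.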
The Principle of Least Privilege
Since we just discussed patch management, this is probably the best time to address rights and administrative access. “Least privilege” should be the default for all users: employees should only be granted the rights their job function requires. For instance, there is no need for documents concerning accounting, personnel or development to be visible to everyone on the network drive, or for all users to be able to log on to all servers. The same goes for the user’s own computer. Most often the user has local administrator rights, meaning that the user is permitted to install programs etc. If such a user gets malware, it runs as a local administrator with full access to the machine. Had the user only had ordinary user rights, the attack might have failed or been contained, because regular users are not permitted to install programs or make changes at system level. We recommend that users are granted only the rights their job function requires, and that you add a separate local administrator account used solely for installing programs and making system changes.
Unnecessary services and applications
As mentioned earlier, Java is an excellent candidate for uninstallation. More generally, you should review which services and applications are running on clients and servers respectively. Services and applications that are not needed should be uninstalled to minimize the attack surface as much as possible. Another benefit is that you reduce what has to be updated or patched.
I have previously mentioned patching in connection with both servers and the removal of unnecessary services. You could also consider running scans and/or penetration tests, for instance of the services exposed to the internet. A scan shows which services are open. A pen test digs deeper and examines patch levels, misconfigurations, bugs in the running services etc.
We recommend that you segment your network into smaller parts to increase security. As a minimum, the network should be divided into a LAN (Local Area Network, the internal environment) and a DMZ (Demilitarized Zone) if you offer services to less trusted zones such as the internet. If you have a web, FTP or mail server, for instance, it must be placed in the DMZ, separated from the LAN. The reason is that if an externally exposed server is compromised, the attacker does not get free access to the LAN.
You can split up the network even further, using several DMZ zones or by segmenting the LAN. For example, there is no reason for clients and servers to sit on the same LAN segment. Again, this is primarily done for security reasons, but also for stability and performance. If a client is infected, you want to contain the damage and make sure the servers are not affected. It also makes sense that clients cannot reach all servers directly on all ports: they may only need access to the frontend server and not the underlying database server. The actual segmentation is usually done with a firewall that allows only the minimum required traffic between segments.
In addition to one or more DMZ and LAN zones, you could have a management segment. This lets you restrict access to the administrative interfaces of servers, routers, firewalls etc. to this management network only. As already mentioned, this minimizes the risk of unauthorized access to critical resources. When administrators need to access these resources, they do so via jump hosts placed on the management network. You can also place SNMP, management, configuration backup, monitoring etc. on the management network.
The same goes for Wi-Fi and guest networks. Generally, these do not need to be directly connected to the LAN; consider giving them internet access only. That way guests can reach their own company (email etc.) but not your internal resources. If an employee needs to access internal resources from such a network, this is done over a client VPN. If starting a VPN session every time you connect to the Wi-Fi becomes a daily obstacle, you could consider a certificate-based 802.1X solution. It automatically grants access to the internal network only to company clients presenting a valid certificate; clients without one are placed on the guest network. This can be implemented on both wired and Wi-Fi networks, although retrofitting 802.1X onto existing infrastructure can be a complex process.
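To make the DMZ/LAN/management design of the last three paragraphs tangible, here is an added example (not code from the original post) that models the segments and a default-deny firewall policy and answers "is this flow allowed?" for a few cases: the internet reaches only the published DMZ services, clients reach the frontend but not the database behind it, and admin ports are reachable from the management segment alone. It also includes a small audit that catches a rule exposing an admin port to a non-management segment. The segment names, address ranges and port sets are assumptions for illustration; real addressing is site specific.

```python
"""Segmented network with a default-deny policy (added example, not from the post)."""
from ipaddress import ip_address, ip_network

# Assumed segments (example addressing, not the post's).
SEGMENTS = {
    "internet":   ip_network("0.0.0.0/0"),      # everything not matched below
    "dmz":        ip_network("192.0.2.0/24"),   # web/ftp/mail servers
    "clients":    ip_network("10.10.0.0/16"),   # user workstations
    "servers":    ip_network("10.20.0.0/24"),   # database and other backend servers
    "management": ip_network("10.99.0.0/24"),   # jump hosts, monitoring, config backup
}

ADMIN_PORTS = {22, 161, 3389, 5900}   # ssh, snmp, rdp, vnc

# Allow rules: (source segment, destination segment, TCP/UDP ports).
# Anything not matched by a rule is dropped (default deny).
POLICY = [
    ("internet",   "dmz",      {25, 80, 443}),   # published services only
    ("clients",    "dmz",      {80, 443}),       # users talk to the frontend...
    ("dmz",        "servers",  {5432}),          # ...and only the frontend talks to the database
    ("clients",    "internet", {80, 443}),
    ("management", "dmz",      ADMIN_PORTS),     # admin access only from the jump hosts
    ("management", "servers",  ADMIN_PORTS),
    ("management", "clients",  ADMIN_PORTS),
]


def segment_of(ip):
    """Most specific segment containing ip (0.0.0.0/0 catches everything else)."""
    addr = ip_address(ip)
    by_specificity = sorted(SEGMENTS.items(), key=lambda kv: kv[1].prefixlen, reverse=True)
    for name, net in by_specificity:
        if addr in net:
            return name
    raise ValueError(ip)


def is_allowed(src_ip, dst_ip, port, policy=POLICY):
    """True if the firewall policy lets src_ip reach dst_ip on port."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src == dst:
        return True   # traffic inside a segment does not cross the firewall
    return any(s == src and d == dst and port in ports for s, d, ports in policy)


def admin_port_violations(policy=POLICY):
    """Rules that let a segment other than management reach an admin port."""
    return [(s, d, p)
            for s, d, ports in policy if s != "management"
            for p in sorted(ports & ADMIN_PORTS)]


if __name__ == "__main__":
    flows = [("203.0.113.5", "192.0.2.10", 443),   # internet -> web server
             ("203.0.113.5", "192.0.2.10", 22),    # internet -> ssh on web server
             ("10.10.3.4", "192.0.2.10", 443),     # client -> frontend
             ("10.10.3.4", "10.20.0.5", 5432),     # client -> database directly
             ("192.0.2.10", "10.20.0.5", 5432),    # frontend -> database
             ("10.99.0.2", "10.20.0.5", 22)]       # jump host -> database server ssh
    for flow in flows:
        print(flow, "allow" if is_allowed(*flow) else "deny")
    print("admin-port violations:", admin_port_violations())
```

The audit function is the part worth keeping around: rule bases grow, and a check that no rule outside the management segment opens SSH, RDP or SNMP is a cheap way to notice when the "minimal exposure" principle has quietly been broken.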
Speaking of network segmentation, the term IoT (Internet of Things) is important to know. IoT is “the new black”, but it also creates a high security risk. Today almost all electronic devices, such as refrigerators, radiators and alarms, can be connected to the internet. I agree that being able to control all your devices from your phone works really well. However, the manufacturers often do not take security into consideration when developing the products: poorly written code, hardcoded admin passwords (the most recent example being Sony surveillance cameras), bad or no support for firmware upgrades, no way to restrict access to the devices etc. Users may also lack the expertise needed to keep IoT devices updated. As a result, many IoT devices have fallen into the wrong hands, where they are used as zombies in a botnet or as a means of access to the rest of the company or private network. If you care to read more, search the internet for “IoT botnet”, “IoT DDoS” or “Mirai”. Some of the most extensive DoS/DDoS attacks have been carried out by IoT botnets, and I’m afraid this development will continue. For this reason, it is important that IoT devices are placed on a closed segment, so that a compromised device cannot be used to attack the rest of the network. Another important consideration is to evaluate whether each device actually needs internet access at all, and then limit that access as much as possible.
When users log on from home or from customer sites, we recommend a client VPN solution. It makes it easier to control who is connecting to your resources, and the traffic is encrypted. This is particularly important when connecting from insecure networks in hotels, airports, restaurants etc. Such networks are often exploited by people with malicious intentions to carry out so-called “Man in the Middle” attacks.
We recommend two-factor authentication to increase the security of the client VPN solution. This means that a valid username and password are no longer sufficient; you also have to supply a verification code generated by an application on the user’s phone or by a hardware token. So even if your username and password have been disclosed, nobody can get access to the company’s network without the verification code. It is worth mentioning that two-factor authentication is affordable even for smaller businesses with a limited IT budget. There are free versions of the software that handles the two-factor part, which leaves only the server it runs on, and that does not have to be a large server: I have seen it run on a Raspberry Pi or an Intel NUC. Another advantage is that the phone application can also be used with sites such as Facebook, LastPass, Gmail etc.
Next-Generation Firewalls (NGFW)
Historically, a firewall is the unit that controls access to the company’s resources based on IP addresses and ports. For the technically minded, these firewalls work up to the fourth layer (transport) of the OSI model. Time is running out for traditional port-based firewalls, and they are being replaced by the more advanced Next-Generation Firewalls, which work all the way up to layer 7 of the OSI model. Some of the Next-Generation Firewall features are application awareness, IP reputation and web filtering, antivirus inspection of downloads, control over which files leave the company, intrusion detection and prevention, and SSL inspection.
I’m not going into detail on all of these, but I will briefly discuss some of them. First, application awareness. With a traditional firewall you would probably allow employees to access the internet via HTTP (80/tcp) and HTTPS (443/tcp), and the options for further control and inspection are limited. An NGFW makes it possible to look into the traffic and, based on the company’s policy, control what is permitted and what is not: for instance, you may want to give employees access to Facebook but not let them use Facebook chat or games. Note that for HTTPS traffic this level of control generally requires SSL inspection, since without decryption the firewall sees little more than the destination hostname.
Another feature is IP reputation and web filtering, which limit employees’ access to sites known for spreading malware and viruses. In short, access is automatically restricted based on the “reputation” of the site. The same mechanism can restrict access to sites by category, for instance pornography, file sharing or gambling. Other NGFW features are automatic antivirus inspection of the files employees download, restrictions on which kinds of files employees can send to external recipients (protecting the company’s data), intrusion detection and prevention etc.
That said, NGFWs are not all upside. You might find that your existing firewall cannot be upgraded to an NGFW, which means buying a new one. Some of the features above are licence based and require a recurring licence fee. Some are also highly CPU intensive, SSL inspection in particular, so it will often not be possible to turn on every feature and still push large amounts of traffic through the box. Making the most of the investment requires thorough planning. With that said, NGFWs allow for better protection of your company, and the options for reporting and gaining insight into the company’s traffic are improved substantially.
Physical security and Social Engineering
Until now I have focused on software and hardware, but there are other very important aspects of a company’s infrastructure. Basic elements such as physical security and employee training are essential. A large share of the security incidents in a company are caused by employees’ lack of training and alertness. Most businesses are reasonably good at managing alarms, access card readers etc., but what if the alarm code is disclosed and access cards are copied? A code is easily observed if you do not cover the keypad, and many access cards (older proximity cards in particular) can be copied simply by walking past them with a reader. Next time you are out grocery shopping, take a look at all the people displaying their company access card for everyone to see. With the right equipment you can scan them all simply by “bumping” into them.
How about tailgating? Do your employees ask who the guy delivering all the packages is, or what his errand is? Or are they just being nice and friendly? Do they make sure not to leave guests on their own? The fact that people are naturally friendly and helpful is exploited by hackers (hacker is probably the term most people use, though cracker is the correct term) to gain access to areas and systems. A few minutes is enough to install malware or trojans on an unprotected device, and the device does not even have to be unlocked. I’m sure you remember to lock your computer whenever you leave it, don’t you? All it takes is to plug a small device such as a Raspberry Pi, or a USB drive with special software, into a USB port (such devices typically pose as a keyboard or a network adapter, which the operating system accepts even when the screen is locked), and the malware is installed, even on a locked computer. Employees also need to be told not to plug unknown USB drives into their computers. Hackers exploit the fact that people are naturally curious: a recent study in which 297 USB drives containing “malware” were dropped at random around a university campus showed that 45% of them were picked up and plugged into computers.
As mentioned, people’s weaknesses are exploited to gain access to networks and companies, either physically or virtually. This is called social engineering. Employees need to be trained to be more suspicious: they should not open attachments from unknown senders, they should be careful opening attachments even from known senders, they should never disclose usernames or passwords by email or over the phone, and when accessing secure sites they need to be completely sure that the address is correct etc. These are just some of the basic rules. In general, common sense and written company procedures are needed. Make sure to train your employees in company policy and best practices, and do it on a regular basis. Remember that a lot of a company’s security breaches are caused by employees, whether by mistake or with malicious intent.
If you are curious to see how social engineering actually works, you might want to see this video: https://www.youtube.com/watch?v=lc7scxvKQOo. It is actually quite interesting.
This is it for now. The list is far from complete and I have only covered the elements superficially. I might be inspired to write more later on. Hopefully these blog posts will help you increase the security of your infrastructure. I’m well aware that this can’t be done overnight; just take it day by day. Remember that security is not static. It has to be evaluated and adapted on a regular basis.
If you have any questions, please contact us.