Securing organizations IT infrastructure from modern threats

Home > Security tips > Securing organizations IT infrastructure from modern threats

To secure an organization against modern threats consider following:

User VLANs gateway at firewall

All VLANs should be only L2 at core / distribution / access level. Gateway for all users should be at perimeter firewall. All traffic between two user VLANs should go via firewall.

In this case have separate VLANs for printers, Biometric devices, CCTV, etc. While the printers can be accessed by end-users, other way round firewall should not allow a printer to initiate communication with an end-user machine.

Backup as separate zone in firewall

Avoid clubbing backup along with other servers in DMZ. When a server is compromised attackers get access to backup server over LAN / subnet from this server. We want to protect backups even when a server is already compromised. Hence we dont want to allow servers to initiate communication with Backup infrastructure. Only backup servers should be able to initiate communication with a few servers (ESXi/vCenter for VM level backup, Agent port and machine IP where there is backup agent installed for agent based backup, etc.).

BMC (iDRAC, iLO, etc.) of backup server should also be in backup zone

Any backup related storage including storage management should also be in backup zone

Dont enable remote access for backup servers

Backup servers should not be remotely accessible even for IT team members, not even for a single person. For any backup access the IT team should be forced to move away from there desk to another location, preferably physically protected data center. No remote access to backups should be possible.

Immutable backups

Backups should be immutable. It should be impossible (Compliance) even for administrators with all usernames, passwords, OTP, tokens, etc. to delete existing backups before they expire. An administrator should only be able to change future backup goals and retention period. Existing backups should not be remotely modifiable by anyone.

If immutable backup is not possible then at least backup should be on a separate storage, ideally in near-DR / far-DR and not in the same DC.

Ideally avoid backup solutions that involve multiple OEMs. Have a single OEM for entire backup including software (Preferably on appliance), hardware, MFA, Possibly tape, possibly cloud sync to OEM specific cloud storage, etc.

Offline / Offsite / Cloud backups

(3--2--1 or 2n+1 Backups ) Apart from on-disk backups there should also be offline backups on tape, off site backup on tape / USB / Cloud etc. (Immutable) if possible / air-gapped if possible.

Longer backup duration

We should avoid having scenario where we only have last 7-8 days of backup with 1 full and rest incremental. We should try to have at least 1 full backup going back 3-4 weeks. Then we should have at least one full monthly backup going back 2-3 months. These durations can be more based on organizations budget, compliance / security requirements, etc. But having only a few days backup may not be enough typically as by the time we realize something has gone wrong 6-7 days might already have been passed.

Also just one full backup and rest incremental may not be enough in case there is some corruption issue with that single full backup

Backup restoration steps and validation

We should have very clear tried and tested steps for validating restoration of backups. This restoration test if manual should be repeated once every six months for all applications. If automated this validation should be done at least once every month for all backups.

We need to test resotration using only offline / offsite

Micro-segmentation between servers

Similar to user VLANS, it would be ideal if server to server traffic is also protected via firewall. This protect should be agent-less (Eg NSX) for it to be very effective.

XDR

Instead of traditional signature based anti-virus prefer using XDR which look at behavior of application during execution and dont maintain any static DB of hashes to compare against.

If XDR has firewall and USB blocking then consider using them to ensure that only required people have USB access and not everyone can connect printer / USB etc.

If XDR has list of vulnerable applications listed, see if those applications can be updated / uninstalled and/or some alternate can be found for those.

Automatic patching / Asset management / Ticketing / Monitoring

Tools that help in monitoring health of servers, switches, applications, etc. along with help track which assets (both hardware and software) are allotted to which individuals, along with automated patch management (at least for OS) are required. Without this we may not learn about some service being down, which assets are used / assigned to which individuals and miss out on critical security updates from being applied to official assets.

SIEM

Along with basic monitoring for health there should also be central logging with analytics and security alerts for these central logs (SIEM). SIEM is also critical for doing BAS (Breach Attack and Simulation) and also for forensic analysis post-incident.

24x7 monitoring

Once there are tools such as XDR, monitoring, SIEM, backup etc. we need dedicated teams to monitor the related alerts and dashboards 24x7. If the tool alerts and dashboards are not monitored continuously then we are likely to loose out on critical information already captured by the tool during / before severe attack.

VA-PT

Through asset or patch management any way we are likely to get list of all assets having old unpatched versions. After that we should also invest in VA-PT to get the environment validated by security experts so that if there is any known vulnerable service, application or servers, we can learn about it and patch it.

OS hardening

As mentioned at CIS Benchmarks we need to harden all physical servers, VMs, even golden images and templates so that by default the privileges on any end-user machine are very limited and only business purpose related. Users should not have any additional privilege (eg ability to create scheduled task, administrative access, power shell access etc.) if not required.

Breach Attack and Simulation (BAS)

BAS is typically used to check how is security / monitoring within the environment. Once we have invested in XDR, SIEM, 24x7 monitoring etc. we also need to validate whether during an actual attack are we getting SIEM alerts, is the team able to detect malicious activity, do they know what immediate actions can be done during an attack without waiting for discussion / approval as immediate response, etc. BAS tools will help in checking the same.

BAS and VA-PT both are periodic exercises and must be done at least once every quarter or even more frequently in case of automated setups.

Perimeter firewall

There should be perimeter firewall which ensures that all non-work related categories are blocked in URL filter. AV / IPS / Anti-spam filter / file analysis etc. features if available can be enabled. We must do SSL interception at perimeter by deploying custom CA at firewall and pushing this CA via AD to all end machines.

In terms of Internet access all LAN to WAN rules should be severly limited to only required ports / applications. For example most remote access applications should not work. We should not have option to query public DNS such as 4.2.2.2, 8.8.8.8 from all end stations. Ideally consider using 1.0.0.3, 1.1.1.3 etc. cloud flare family DNS wherever possible.

In terms of Server access from LAN to DMZ again rules should be very strict. Only users who need access to a given server port / application should be allowed in firewall. We should not have all ports open for any server for a user or particular ports open for a server from all users as much as possible.

Servers should not have access to LAN. So basically DMZ to LAN should not be allowed

Firewall public access should be very secure. Change default admin username or create a admin user with non-obvious username and disable default admin. Use very strong password for perimeter firewall. Ideally enable MFA for firewall admin access.

VPN users also should have limited per-user access only. For example if VPN user1 only needs access to one server on particular port then over VPN that user should be allowed to access only that required server:port and nothing else.

From other branches / locations / units also the access to HO or vice-versa over IPSec should be severly limited as per requirements. We should not have open IPSec tunnels which allow entire subnets at one location to access subnets at other location without firewalling.

MFA everywhere

For all critical components which support MFA such as immutable storage appliance, firewall, Server Windows / Linux OS, Backup application, public cloud accounts, Email etc. we need to implement and use MFA

Password management tool

Passwords should be shared using password management tool. We should not have shared text files / excel files / password protected excel files etc. for passwords

Data leak prevention / VDI

If organization has very important IP that can be stolen then they should also consider investing in DLP or VDI. In case of DLP we need to categorise each asset (Laptop, Desktop etc.), each user, each file, each application with some security level - Low, Medium, High etc. and then only DLP can ensure that users with low level of access should not be able to read/write/modify sensitive information.

Similarly in case of VDI we can allow users to work on remote VDI desktop without allowing copy / paste, file migration, etc. This can help a lot in protecting IP from being leaked.

Mobile device management with disk encryption

All office assets should be under MDM umbrella. All office laptops should have disk encryption with option of remote-wipe / remote disabling.

Auditing

All critical infrastructure such as backups, firewall policies, administrative accounts for firewall / AD / Email / OS etc. should get periodically audited. We should also look for potential back doors (Eg public keys, Sudo access) that might have been left by an application, past employee, attacker, etc.

Creation of administrative users, firewall security policies, etc. should be tracked via ticketing and change management. All actions done on critical infrastruture during audit should be traceable back to a change request / related approval.

Security awareness

There should be proper official security awareness training for all employees such as dont reply to phishing emails, dont download cracked / unlicensed / unvalidated software on office machine, dont click on email links sent by unknown people, dont get fooled by fake promises of awards / gifts / discounts, etc.

There must be a second channel (alternate) for validating authenticity of all critical messages before any action is taken on them. For example if finance team is asked to do some bank transfer via email / Whatsapp, they should call via landline or try to meet in person and get the order verified before initiating the transaction.

Note that anyone can send email with any from address; any timestamp etc. Dont believe email just by looking at a few parameters

Latest threats due to GPT, Deep fake, etc. technologies that did not exist a decade ago and are very easy to setup for malicious people

Secure file sharing

We should avoid having world-writable shared folders accessible by everyone in organization. These shared folders become very easy way for malware to spread. We should have password-protected shares and each person should have read/write (limited) access to the share only as per business requirement.

This file sharing system should support versioning, sync to cloud and audit trail at the minimum.

Home > Security tips > Securing organizations IT infrastructure from modern threats