Saturday, 28 August 2010

CISSP Defence in depth: How to protect the IT Systems in a corporate network

This is a big subject, and the detail could easily fill several books. Here I am going to discuss (very briefly) some of the ingredients that should be used to protect most corporate networks.

Some of these get forgotten about, so, "Calling all Sysadmins and Security Managers!" - worth checking this list to see if you have these appropriate controls.

People enforcing Security
The first thing you need is reliable and trustworthy people in the IT Security team.
These people need a good understanding of the risks and vulnerabilities.

I would also say, that one of the most important attributes is that these inforcers of security need to be process-driven. A lot of the ingredients outlined below are repetitive processes and procedures, checks and balances. Some of them are boring after a while, (backups and patch management for example) but thoroughness and attention to detail are key.

Physical Security
This is the second thing you need. If you don't have security in the physical world, it doesn't matter how many processes, procedures, and technical controls you put in place. No point deploying all the things we discuss below if criminals can simply walk in off the street and walk out with your server under their arm, or if a fire burns down your building because your extinguisers don't work, or you didn't detect the fire.

Review your physical security. If you were a criminal, how would you steal some of the companies equipment or data? What disasters could happen, what would be the impact and what controls can be put in place for reasonable cost?

Key things to think about:
  • Building Access Control
  • IT area Access Control
  • Laptops, iPhones/Blackberry theft
  • Fire, flood, hurricanes, earthquakes, pestilence and plague
  • Power outages

Laptop encryption
Though a technical control, I would consider laptop hard-disk encryption as part of your physical controls. What you are protecting the data from, is the situation of someone having physical access to a stolen laptop. If you don't have HDD encryption, gaining access to the data on a laptop is trivial.

Operating system login controls do NOT protect the data on the hard-disk from being accessed. If you want to protect the data on laptops you must have hard-disk encryption.

Backups
This is fundamental data security. If you don't have effective and USEABLE backups of your data, you basically don't have any data security.

Think that all data and systems are transient and temporary, and every piece of hardware will fail eventually. Also, upgrades, configuration changes, and user errors, can easily wipe-out your precious data.

These days, a vast amount of the "value" of a company is in the data they hold. Many companies would fail as a business if their IT systems were not available for a week.

Regularly review and test your backups, and have reliable off-site storage for your data.
Also remember that, just because you can recover files from a tape, does not mean it will be quick, easy, or even possible to get that data back into your live systems.

I have had experience of situations, where backup data was on tape, but it was not possible to recover into the live environment, because of the time involved, or because of complex database replication issues. Bear these issues in mind, and practise data recovery.


Documentation and change control
These often get forgotten about or done poorly, especially in small to medium businesses. If you don't have documentation, how are you going to put things back together "WHEN" they break? Is your documentation secure, structured, backed-up and stored off-site?

Change control is there to help the documentation update process, and protect you from breaking your own systems.

Additionally this helps to communicate changes to extended teams and end-users. You don't have to have full ITIL processes, but you do need appropriate processes to offer the correct level of protection for your business.

Do the appropriate level of change control. This will often be a little more than you feel you have time to do, but do it anyway because it will save time in the long run.

Firewalls
This is the cornerstone of logical security on the network. Rules need to be regularly reviewed. Portscanning and network scanning should be performed to ensure that the ruleset is correctly enforced, and that there are no accidental loop-holes or inappropriate access.

Don't forget that outbound rules are just as important as inbound rules, especially since the increase in client-side attacks over recent years.

It is as important to protect your DMZs and backend systems from the outside, as it is to protect them from potentially compromised systems on the LAN.

Anti-Virus
All systems should have appropriate virus protection.

Are the AV definitions up-to-date on all your systems? If not, then this protection is not effective, and arguably useless.

Choose a good vendor, as there are vast differences in the regularity of updates, and the scope of protection. Some of the largest IT Security vendors have products that are surprisingly weak. Review third-party comparisions and choose appropriately.

Email and Web content filtering proxies
These are the biggest and fastest vectors for malware and virus infection. Choose good solutions, and update your policies regularly.

Block executable code on Email and Web proxies, because viruses WILL get through. Most virus and malware detection is signature-based, which means that it cannot be detected until it has already been seen in the wild.

That in turn means that, somewhere in the world, systems have already been infected hours before the Anti-virus companies can offer detection signatures to their customers. If you get new malware before the signatures are published, your AV-tool will offer you no protection at all. Block exes on your proxies.

Patch Control
This is often a problem area for many companies. It is timeconsuming for IT Departments, can introduce new problems, and is largely hidden from the rest of the business as a "benefit".

However, the risks are high, and unpatched systems are easily compromised by attackers and viruses.

Regularly patch both operating systems and applications. Put in place a regular patch management program, and produce metrics to monitor how up-to-date your systems are.

Don't just rely on WSUS to tell you that your systems are up-to-date, scan your subnets with a vulnerabilty scanner, and don't forget about non-Microsoft systems.

Don't forget about applications on Servers or Clients. Out-of-date client software, such as old versions of Microsoft Office or Adobe Acrobat Reader can be big weaknesses.


Vulnerability scanning
This assists your patch management and configuration management processes.

You may think you have all your systems up-to-date, but unless you have done some vulnerability scanning and analysis, you are probably wrong.

Vulnerability scanners can be expensive, but they can also be free (openVAS for example). Regularly scan your systems, and review the scans to remove false positives and act when systems have real vulnerabilities.



Intrusion detection
Detecting attacks, in both the physical and logical world are important.

This may not be a standalone system. It may be built into your corporate firewall, or firewalls on individual systems, or part of your Antivirus tool.
I would recommend deploying dedicated intrusion detection in many cases. This can be done relatively cheaply (with something like snort).


Review logs and alerts, as there is no point spending money and time setting up monitoring systems if you don't do anything about it when alerts happen.

Remove false positives from your monitoring so that the logs and alerts are usable.

No comments:

Post a Comment