
Some General Principles of Cyber Security (overview)

linuxgeek, Jul 10, 2017, 2:08:55 AM

Cyber Security is really more of a mindset, a series of principles and guidelines, not an end in and of itself. If someone says their network is “secure”, either they're lying, they don't think you understand cyber security and in reality they mean their network is “reasonably secure given whatever restrictions they're required to operate under”, or they just don't even understand that there is no such thing as “secure”. There are just different degrees of “secure”.

So what are the principles of this mindset? How do we make our servers and networks more secure or, conversely, what actions will make our servers and networks less secure?

  • Understand and reduce your risk footprint – This includes networks, servers, and services on those servers. It also includes all the desktops, laptops, printers, phones, tablets… anything on your networks. Different network segments will have different degrees of risk. For instance, a DMZ segment might face more threats than an interior network segment or a user-space segment. Also, a server set up with only the bare minimum software running only the bare minimum of services will have a smaller risk footprint than a system with everything but the kitchen sink installed and running with default configurations and passwords. And don't forget that your risk footprint isn't limited to just your hardware running on your networks. What about cloud applications your organization uses? What about the systems/networks used by vendors who have access to your networks? What about the personal systems of employees using a VPN to connect to your networks?

  • Filter your network traffic – Yeah, this seems obvious today; after all, what else are firewalls for? But it's not just inbound traffic from the internet, or traffic between your DMZ segments and internal segments, that should be filtered. Egress traffic and traffic between different internal networks need to be filtered as well.

  • Monitor your systems and networks – There are many types of monitoring, and they're all important to Cyber Security. You need to do performance monitoring, keeping track of network traffic stats, firewall stats, and server performance stats so you can look for anomalies in those stats. You need to do status monitoring of network devices and servers, watching for up/down/degraded status. This data is not only important to the IT staff but will be important when you're doing an investigation, trying to piece together what happened to which devices/services and when. And of course there's any number of host intrusion detection solutions and network intrusion detection solutions.

  • Log, log, log – Log anything and everything. The more logs you have, the more data you'll have when you're trying to piece together what happened while handling an incident. These logs need to be secured: they should be reasonably hard to modify and reasonably easy for an analyst to search through. Like many things in IT, this will be a balancing act between competing forces. The more things you log, the more data you'll have available to find something “interesting” in during an investigation, but the more storage it'll require and the more CPU resources it will take to search through quickly.
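One way to make stored logs both tamper-evident and searchable, as an added example that is not part of the original post: each line is chained to the previous one with an HMAC tag held by the log collector, so editing or deleting any line breaks every tag after it. The key and the sample log lines are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed sample log lines (not real data).
SAMPLE_LINES = [
    "2017-07-10T02:01:13Z fw01 DENY src=203.0.113.7 dst=10.0.1.20 dport=3389",
    "2017-07-10T02:01:14Z srv02 sshd: Failed password for root from 198.51.100.9",
    "2017-07-10T02:01:20Z srv02 sshd: Accepted publickey for alice from 10.0.2.15",
]
GENESIS = "0" * 64  # fixed starting "previous tag" for an empty chain


def _tag(key, prev_tag, line):
    # The tag covers the previous tag and the line, which links the records.
    return hmac.new(key, (prev_tag + "\n" + line).encode(), hashlib.sha256).hexdigest()


def chain_records(lines, key, prev_tag=GENESIS):
    """Append lines to the chain; returns a list of (line, tag) records."""
    records = []
    for line in lines:
        tag = _tag(key, prev_tag, line)
        records.append((line, tag))
        prev_tag = tag
    return records


def verify_chain(records, key, prev_tag=GENESIS):
    """Return the index of the first record that fails verification, or -1 if
    the whole chain is intact. A removed or edited record shows up here."""
    for i, (line, tag) in enumerate(records):
        if not hmac.compare_digest(_tag(key, prev_tag, line), tag):
            return i
        prev_tag = tag
    return -1


def search(records, pattern):
    """Analyst-side search: plain regex over the stored lines."""
    rx = re.compile(pattern)
    return [line for line, _ in records if rx.search(line)]
```

In practice the HMAC key lives on the collector, not on the hosts that ship logs, and the latest tag is periodically copied somewhere the collector cannot rewrite.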

  • Mindset – You need to be able to think like your adversary. This is a multi-faceted statement. It means that if your networks and/or servers are likely to be attacked by hackers working for a nation state or for a competitor, you need to be aware of this. But whoever your primary adversary is likely to be, they won't be the only adversary. Everyone connected to any network is likely to find themselves under attack by organized crime, petty criminals, or anonymous (pun intended) vandals. Each of these adversaries will likely have different motivations and different targets. Knowing your adversaries' intentions will help you guard against them and could also help you identify an attacker by what they went after.

  • Know and safeguard your crown jewels – This may sound obvious, but in reality it isn't. It's not as simple as setting up ACLs on your file servers and restricting access by groups. You need to know what the crown jewels are and take proper measures to safeguard them. For instance, one of the obvious crown jewels is the designs, plans, or source code for whatever widgets your company makes. SOX audits make it clear that another crown jewel is the data about employees necessary to steal their identity: banking/payroll data, etc. A less obvious crown jewel might be customer data. This may sound like less of a risk, but suppose one of your customers is a law enforcement or intelligence agency? The places you deliver widgets to might be a black site, in which case it's a good bet they'd be upset if your company leaked that data to a hacker employed by an unfriendly nation state. And remember, some of this data may reside in some cloud app. How's it stored? Is it encrypted at rest? Who's got access (physical or remote) to the servers hosting that cloud app? One needs to balance risk against the sensitivity of the data.

  • Password Authentication Sucks – Let's be honest here. Passwords suck. Users pick poor passwords, and when we force strong passwords on them, they write them down or save them in plain-text files. Users are also easily tricked into entering their credentials into a fake login web page. And applications with those “remember my password” options often wind up being “save my password in a predictable location with crappy or non-existent cryptography” features. You'll need something better than just a username and password to secure more sensitive data and services. Set up some form of strong two-factor authentication.

  • Educate Your Userbase – As long as we don't tell them what the risks are, they'll keep making mistakes. This is easier said than done, as attempts to educate are often misinterpreted as interfering or making the lives of users difficult. But if done properly, a campaign to educate your users on phishing, for example, will not only help prevent them from falling for the phish-du-jour but could turn them into a valuable intel resource – get them to start reporting phish to your analysts instead of falling for them. When some big hack appears in the news, find out how it happened and then explain it to the executives. Then the next time you're warning them about the risks of granting some HVAC vendor unfettered access to the networks, they're more likely to pay attention to your warnings.

  • Audit Your Servers, Services, and Networks – Everyone makes mistakes. Firewall rules get inserted in the wrong place; services thought disabled reappear. You should periodically scan your networks, servers, and services from various points in the network (i.e., from inside the firewall, outside the firewall, from in a DMZ segment, etc.), not just for vulnerabilities, but also to audit what's running on which servers and accessible from where. Look for changes. Any new service that wasn't there before should be investigated. And don't forget that a vulnerability scan isn't the same thing as a penetration test.
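The “look for changes” step above, as an added example that is not part of the original post: it parses nmap's greppable (-oG) output from a baseline scan and a later scan of the same segment from the same vantage point and reports open ports that appeared or vanished. The scan output below is constructed for the example, and the hosts and services in it are made up.

```python
# Constructed nmap -oG output for two scans of the same segment from the
# same vantage point (not real scan data). Fields are tab-separated.
BASELINE = """\
# Nmap scan initiated (constructed header line, ignored by the parser)
Host: 10.0.1.20 (srv02)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 10.0.1.21 (db01)\tPorts: 5432/open/tcp//postgresql///\tIgnored State: closed (999)
"""
CURRENT = """\
Host: 10.0.1.20 (srv02)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)
Host: 10.0.1.21 (db01)\tPorts: 5432/open/tcp//postgresql///\tIgnored State: closed (999)
Host: 10.0.1.25 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (999)
"""


def parse_open_ports(grep_output):
    """Return {(host_ip, 'port/proto'): service_name} for every open port."""
    found = {}
    for line in grep_output.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and blank lines
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]
        # Each port entry looks like port/state/proto/owner/service/rpc/version/
        for entry in fields.get("Ports", "").split(", "):
            parts = entry.split("/")
            if len(parts) < 5 or parts[1] != "open":
                continue  # skip filtered/closed ports and hosts with no Ports field
            found[(host, f"{parts[0]}/{parts[2]}")] = parts[4]
    return found


def diff_scans(baseline, current):
    """Compare two scans; anything in 'appeared' needs to be investigated."""
    old, new = parse_open_ports(baseline), parse_open_ports(current)
    return {
        "appeared": sorted((h, p, new[(h, p)]) for (h, p) in new.keys() - old.keys()),
        "vanished": sorted((h, p, old[(h, p)]) for (h, p) in old.keys() - new.keys()),
    }


if __name__ == "__main__":
    for kind, entries in diff_scans(BASELINE, CURRENT).items():
        for host, port, service in entries:
            print(f"{kind}: {host} {port} ({service})")
```

Run the same comparison per vantage point (inside, outside, DMZ), since a port that is only reachable from one of them is itself a finding.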