Working from a strong foundation is the key to a successful security program
When a major security vulnerability is disclosed, everyone stops what they are doing and takes notice, especially when that vulnerability comes with its own logo. Now don’t get me wrong, newly disclosed vulnerabilities are important. They provide exciting opportunities for researchers and they do, if only temporarily, focus management’s attention on information security, a topic that is otherwise easy to overlook.
Don’t worry, this isn’t another blog post about the pros and cons of vulnerability hype. Instead, I’d like to focus on the importance of keeping one eye on the basics while the other is scrolling through the Twitter feed for the next disclosure. Because all too often, it is not the latest security vulnerability, but a failure to properly secure and deploy systems, that is the root cause of a costly network breach.
Below are several recommendations to help keep your network more secure, and your company safe from new vulnerabilities (or old vulnerabilities newly discovered). These recommendations apply whether you are deploying physical servers or provisioning resources in the cloud. I’ll first go over some general recommendations, and then move on to some more specific, Windows-focused ones. While many of these may seem like security 101, they are perhaps some of the most common failures that lead to compromise.
- Every server, every time – Ensure that ALL servers are deployed in a secure manner, not just the “important” ones. All too often, an unsecured development server is the cause of a major breach.
- DMZ – All public-facing servers should be placed in a DMZ to separate them from internal devices, so that a compromised web or mail server cannot reach the internal network directly.
- Virtualization – While virtualization can be a double-edged sword, when implemented correctly, it can have many security benefits. Network virtualization, micro-segmentation and easier segregation of functions can have a tremendous impact on security.
- Defense in depth – Employ multiple network and host-based security solutions to secure the server.
- Start secure – Start with a fully hardened, locked-down server and network configuration, and then allow only the ports, services and accounts that are required.
- Test, then deploy – Configure and test your server in a secure environment before placing it in a production environment. Depending on the function and security level of the server, this may involve a simple audit, a vulnerability scan, or a full penetration test.
- Change control – Once configured, document the known-good configuration. Implement a strict change control policy and document all changes.
- Limit roles – Often, the more roles that are added to a server, the less secure it becomes. Carefully consider the risks and benefits before adding multiple roles to a single server.
- Monitor – Employ solutions, such as ActiveGuard®, to actively monitor and record the health and behavior of the server.
- Windows firewall – Make sure the Windows Firewall is enabled on all profiles (domain, private and public) with a default inbound block, and that only trusted ports and applications are permitted through the firewall.
- Encryption – All sensitive data on a server should be encrypted at rest and in transit. Avoid unencrypted protocols such as Telnet and FTP.
- Administrator account – Disable the default administrator account and create administrative accounts for individual users. Renaming the built-in account alone is not enough; it keeps its well-known relative identifier (RID 500) and is still easy for an attacker to find.
- Domain credentials – Carefully weigh the risks and benefits of using domain credentials on the server. Loss of domain credentials may lead to a compromise of the entire domain.
- Passwords – Ensure that passwords are at least 12 characters long, do not include dictionary words, and use upper case, lower case, numeric and special characters. Do not reuse passwords.
- Limit service privileges – Do not run services or applications with full administrative permissions. Services or applications should be run with the minimum permissions necessary to operate.
- Network appliances – Employ ingress and egress filtering by port and IP at the firewall. Tune your WAF or IPS to allow only known-good traffic.
- Patching – Implement a patching policy to ensure that Windows and third-party patches are tested and deployed as soon as possible.
- Disable services – Windows comes with many services on by default. Disable any unneeded Windows or third-party services and roles to limit the attack surface.
- Web browsing – Web browsing is among the most common means of compromise and should be prohibited on servers unless there is an absolute business need.
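The Windows-specific items above (firewall, unneeded services, clear-text protocols, the built-in Administrator account, password length, and recording the known-good configuration for change control) can be applied as one repeatable, idempotent pass. The script below is an added example written for this post; it is not Solutionary code and not part of the original article. It assumes an HTTPS server in a DMZ that needs only TCP/443 from anywhere plus RDP from a management subnet (10.10.0.0/24), and that the listed services are not required for that role; the service list, ports, subnet and baseline path are assumptions to adjust for your own server. It needs Windows Server 2016+ (or Windows 10+) with the NetSecurity, LocalAccounts and DISM modules, run from an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): hardening pass + known-good baseline.
# Assumed role: DMZ HTTPS server. Edit the allow-lists below for other roles.
$ErrorActionPreference = 'Stop'
$MgmtSubnet     = '10.10.0.0/24'                      # assumed management network
$AllowedInbound = @(
    @{ Name = 'HTTPS';      Port = 443;  Remote = 'Any' },
    @{ Name = 'RDP (mgmt)'; Port = 3389; Remote = $MgmtSubnet }
)
$UnneededServices = @('Spooler', 'RemoteRegistry', 'Fax')   # assumed not needed on this role
$BaselinePath     = 'C:\Baseline\known-good.json'         # assumed change-control location

# 1. Windows Firewall: every profile on, default inbound block, log dropped packets.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogMaxSizeKilobytes 16384 `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Remove rules from a previous run so the allow-list below is authoritative.
Get-NetFirewallRule -DisplayName 'Hardening:*' -ErrorAction SilentlyContinue | Remove-NetFirewallRule
foreach ($r in $AllowedInbound) {
    New-NetFirewallRule -DisplayName "Hardening: $($r.Name)" -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $r.Port -RemoteAddress $r.Remote -Profile Any | Out-Null
}

# 2. Attack surface: stop and disable services this role does not need.
foreach ($svc in $UnneededServices) {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $svc -StartupType Disabled
    }
}
# Clear-text protocols: the Telnet client ships as an optional feature; remove it.
$telnet = Get-WindowsOptionalFeature -Online -FeatureName TelnetClient
if ($telnet.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName TelnetClient -NoRestart | Out-Null
}

# 3. Built-in Administrator: find it by RID 500 (renaming does not change the SID)
#    and disable it, but only if another local administrator exists (no lock-out).
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin -and $builtin.Enabled) {
    $otherAdmins = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.SID.Value -ne $builtin.SID.Value }
    if ($otherAdmins) { Disable-LocalUser -Name $builtin.Name }
    else { Write-Warning "Not disabling $($builtin.Name): no other local administrator exists." }
}

# 4. Local password policy: minimum 12 characters, remember 24 old passwords.
#    (Complexity is the "Password must meet complexity requirements" policy; set it
#     via Group Policy or secedit, which this example does not do.)
net.exe accounts /minpwlen:12 /uniquepw:24 | Out-Null

# 5. Change control: record the resulting known-good state for later drift checks.
New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
$baseline = [ordered]@{
    CapturedAt        = (Get-Date).ToString('o')
    Host              = $env:COMPUTERNAME
    InboundAllowRules = @(Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
                          Select-Object DisplayName, Profile | Sort-Object DisplayName)
    AutoStartServices = @(Get-Service | Where-Object { $_.StartType -eq 'Automatic' } |
                          Select-Object -ExpandProperty Name | Sort-Object)
    ListeningTcpPorts = @(Get-NetTCPConnection -State Listen |
                          Select-Object -ExpandProperty LocalPort | Sort-Object -Unique)
    LocalAdmins       = @(Get-LocalGroupMember -Group 'Administrators' |
                          Select-Object -ExpandProperty Name | Sort-Object)
}
$baseline | ConvertTo-Json -Depth 4 | Set-Content -Path $BaselinePath -Encoding UTF8

# Drift check for the "Monitor" step: run later to see what changed since the baseline.
function Compare-Baseline {
    param([string]$Path = $BaselinePath)
    $known = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $now   = @{
        ListeningTcpPorts = @(Get-NetTCPConnection -State Listen |
                              Select-Object -ExpandProperty LocalPort | Sort-Object -Unique)
        LocalAdmins       = @(Get-LocalGroupMember -Group 'Administrators' |
                              Select-Object -ExpandProperty Name | Sort-Object)
    }
    foreach ($key in $now.Keys) {
        # '=>' marks items present now but not in the baseline; '<=' marks items that disappeared.
        Compare-Object -ReferenceObject @($known.$key) -DifferenceObject $now[$key] |
            ForEach-Object { [pscustomobject]@{ Item = $key; Value = $_.InputObject; Change = $_.SideIndicator } }
    }
}

Write-Host "Hardening applied; known-good baseline written to $BaselinePath"
```

Run the script once in the staging environment (the "test, then deploy" step), review the JSON it writes, and commit that file to your change-control system. After deployment, a scheduled `Compare-Baseline` run that reports a new listening port or a new member of the local Administrators group is exactly the kind of undocumented change the "Change control" and "Monitor" items are meant to catch.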
While no security program can ever be 100% effective, ensuring that these basic security tenets are fulfilled can provide an extra layer of assurance and allow security staff to focus on the security issues that matter most to the organization.