IT Security Refresh: More Practical Tips for a Good Foundation (Part 2)

Author
Terry Slattery
Principal Architect

IT security is big business. With a solid IT security foundation, you can protect your organization from threats – saving time and money.

In Part 1 of this series, we discussed NSA’s recommendations for three foundational steps that reduce the number of cyber security attacks. They include:

  • Multi-factor authentication – authentication based on what you know and what you have.
  • Role-based access – access to systems based on your role within the organization.
  • Application whitelisting – permit systems to communicate only with the systems necessary for their function.

These steps are just the beginning, and other steps should be taken.

3 Additional Steps to Stop Malware

Building upon the NSA foundation, NetCraftsmen suggests three additional steps to limit the spread of malware.

1. Network Segmentation

Network segmentation is like role-based access for network devices and applications. Like the watertight compartments that keep a ship from sinking, segmentation keeps systems separate, making it more difficult for malware to propagate horizontally. The company accounting system should be on a separate subnet from other business functions. A poor design would have servers for multiple functions on the same subnet.

You should even consider segmentation within an application suite. Let’s say you have an application architecture that uses web, application, and database tiers. Each tier should be on a separate subnet, with either firewalls or ACLs that permit only the required communications between tiers and deny all other traffic.

Also, consider distributing each tier’s servers on more than one subnet to increase the application’s resilience. A problem that affects one subnet shouldn’t impact the servers on another subnet, implying a network – and its servers – should be based on a redundant design. In an ideal world, you would have a fully redundant application where you can control the data flows from clients to the web servers and between each application tier. If there is a problem with one part of the application infrastructure, simply shift traffic to the unaffected parts of the infrastructure.
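As an added illustration of the tier-to-tier allow-list described above (this is example code written for this edit, not NetCraftsmen's or the NSA's), the script below models a web/app/database design with one subnet per tier, evaluates candidate flows against an explicit allow-list with a default deny, and renders the same policy as an IOS-style extended ACL. The addresses, ports and tier names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing (assumption): one subnet per tier, clients elsewhere in 10/8.
TIERS = {
    "clients": ipaddress.ip_network("10.0.0.0/8"),
    "web": ipaddress.ip_network("10.10.1.0/24"),
    "app": ipaddress.ip_network("10.10.2.0/24"),
    "db": ipaddress.ip_network("10.10.3.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str    # source tier name
    dst: str    # destination tier name
    proto: str  # "tcp" or "udp"
    port: int   # destination port


# Allow-list: only the flows the application actually needs. Everything not
# listed here (client -> db, db -> web, web -> db, ...) is denied.
ALLOWED = [
    Rule("clients", "web", "tcp", 443),
    Rule("web", "app", "tcp", 8080),
    Rule("app", "db", "tcp", 5432),
]


def tier_of(ip: str):
    """Map an address to its tier; the most specific matching subnet wins."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in TIERS.items():
        if addr in net and (best is None or net.prefixlen > TIERS[best].prefixlen):
            best = name
    return best


def is_permitted(src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    """Default deny: a flow passes only if an allow-list rule matches exactly."""
    src, dst = tier_of(src_ip), tier_of(dst_ip)
    if src is None or dst is None:
        return False
    return any(r.src == src and r.dst == dst and r.proto == proto and r.port == port
               for r in ALLOWED)


def render_acl(name: str = "TIER-POLICY") -> str:
    """Render the allow-list as an IOS-style extended ACL with a logged deny at the end."""
    lines = [f"ip access-list extended {name}"]
    for r in ALLOWED:
        s, d = TIERS[r.src], TIERS[r.dst]
        lines.append(f" permit {r.proto} {s.network_address} {s.hostmask} "
                     f"{d.network_address} {d.hostmask} eq {r.port}")
    lines.append(" deny ip any any log")
    return "\n".join(lines)


if __name__ == "__main__":
    for flow in [("10.0.5.7", "10.10.1.10", "tcp", 443),    # client -> web
                 ("10.0.5.7", "10.10.3.10", "tcp", 5432),   # client -> db, skips tiers
                 ("10.10.3.10", "10.10.1.10", "tcp", 443)]: # db -> web, wrong direction
        print(flow, "permit" if is_permitted(*flow) else "deny")
    print(render_acl())
```

The rendered ACL is stateless, so return traffic needs either a stateful firewall in front of each tier or additional `established` entries; the allow-list model itself is the point, and the same table can be turned into firewall rules instead of ACL lines.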

2. Patch Frequently, Often

Patching, patching, and more patching. Malware likes to find old, unpatched systems. The WannaCry ransomware propagated to over 250,000 systems that hadn’t installed a patch that Microsoft made available a month prior. Weeks after WannaCry, the Petya ransomware used the same attack mechanism – demonstrating that timely patching is critical for good security.

Patch everything, including network equipment, application software, database software, operating systems, and IoT systems. Don’t forget systems like UC controllers and building facilities controllers, the latter of which are notorious for running old software. Nothing should be excluded. Automation tools make patching easier and faster.

Don’t be surprised if some application architectures aren’t easily patched. For example, an electronic health records application in a hospital that needs to be continuously available, or a manufacturing line that runs 24×7, are both difficult to patch. Regardless of the application, you need to determine how and when to patch it.

Another dilemma: how do you handle a system for which no patches are available, perhaps because the vendor no longer supports it? We recommend protecting such a system as much as possible by firewalling it from other systems and using application traffic whitelisting (one of NSA’s recommendations and a component of network/application segmentation).
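To make the patching advice measurable, here is an added example (written for this edit, not the author's tooling) that turns a small constructed inventory into a patch report: it computes how long each host has run without an available fix, flags hosts past a 30-day window, and routes unsupported systems to the "isolate" bucket that the paragraph above describes. Hostnames, roles and dates are all assumptions.

```python
from datetime import date

# Constructed inventory (assumption, not a real environment). For each host we
# record when the vendor published the newest applicable fix, when it was
# installed (None = still missing), and whether the platform is still supported.
INVENTORY = [
    {"host": "web01",   "role": "web",        "fix_published": date(2017, 3, 14), "fix_installed": date(2017, 3, 20), "supported": True},
    {"host": "db02",    "role": "database",   "fix_published": date(2017, 3, 14), "fix_installed": None,              "supported": True},
    {"host": "ehr01",   "role": "ehr",        "fix_published": date(2017, 4, 2),  "fix_installed": None,              "supported": True},
    {"host": "hvac07",  "role": "facilities", "fix_published": None,              "fix_installed": None,              "supported": False},
    {"host": "sw-core", "role": "network",    "fix_published": date(2017, 4, 28), "fix_installed": None,              "supported": True},
]


def exposure_days(record: dict, today: date) -> int:
    """Days the host ran (or is still running) with a fix available but not installed."""
    if record["fix_published"] is None:
        return 0
    end = record["fix_installed"] or today
    return (end - record["fix_published"]).days


def classify(record: dict, today: date, max_days: int = 30) -> str:
    """Decide the required action for one host."""
    if not record["supported"]:
        # No patch is coming: firewall it and whitelist its traffic instead.
        return "isolate"
    if record["fix_installed"] is not None:
        return "patched"
    return "overdue" if exposure_days(record, today) > max_days else "pending"


def patch_report(inventory: list, today: date, max_days: int = 30) -> dict:
    """Group hosts by action, longest exposure first within each group."""
    report = {"isolate": [], "overdue": [], "pending": [], "patched": []}
    for rec in inventory:
        report[classify(rec, today, max_days)].append((rec["host"], exposure_days(rec, today)))
    for hosts in report.values():
        hosts.sort(key=lambda h: -h[1])
    return report


if __name__ == "__main__":
    for action, hosts in patch_report(INVENTORY, date(2017, 5, 12)).items():
        print(f"{action:8s}", ", ".join(f"{h} ({d}d)" for h, d in hosts) or "-")
```

The "isolate" bucket is the list of systems that need the compensating controls from the previous paragraph; the "overdue" bucket, sorted by exposure, is the order in which to schedule maintenance windows for the hard-to-patch systems.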

3. Create Backups

What do you do if ransomware managed to find its way in? Do you pay for the encryption key? Hackers provide no assurances that they will hand over the encryption key, though they generally do to encourage payment. What’s the cost? In a CSO Online article, the author discusses the risks of paying hackers and how they typically demand one Bitcoin per server. A widespread attack can cost hundreds of thousands of dollars, just for the encryption key.

Even if you pay for the encryption key, you still have to eliminate the vulnerability or risk another attack. Fortunately, there is a strategy to avoid paying for the ransomware key: making frequent backups of all important files. You must verify that the backups can be used to quickly restore services. Don’t be one of those organizations that attempted to restore a backup in the middle of a crisis, only to find that it wasn’t usable.

I recommend verifying the time that it takes to restore a complete system (OS, application, and data). Consider the amount of effort and time required if you had to restore ten, twenty, or fifty servers.

If you’re thinking that you don’t have to reinstall everything from scratch, consider that ransomware often waits days or weeks to spread within an organization before it encrypts the data files. Loading a complete system backup may re-install the ransomware along with your unencrypted data, with predictable consequences.

Other common practices can increase your risk from ransomware. For example, sharing documents on network drives also exposes those files to ransomware. A good alternative is a cloud storage vendor that keeps copies of data files for easy retrieval. You should test the file recovery mechanism, understand how much effort it requires, and look for ways to automate the recovery.

Finally, where are the backups stored? You don’t want your backups on the same storage system that the ransomware can access. Instead, use a process that stores backups where ransomware can’t encrypt them.
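The backup advice above (verify that backups restore, keep generations so you can reach back before the infection, and keep the copy out of the malware's reach) can be rehearsed in code. The following is an added example written for this edit, not the author's procedure: it writes a backup generation with a SHA-256 manifest, scrambles the live copy to stand in for an encryption event, refuses to restore from a backup that fails verification, and confirms the restored files match the originals. All sample files and paths are constructed in a temporary directory.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, backup_root: Path, generation: int) -> Path:
    """Copy src into a new generation directory and record a digest per file.
    Keeping several generations is what lets you reach back past the point
    where ransomware got in but had not yet encrypted anything."""
    dest = backup_root / f"gen-{generation:03d}"
    shutil.copytree(src, dest / "data")
    manifest = {str(p.relative_to(dest / "data")): sha256_of(p)
                for p in sorted((dest / "data").rglob("*")) if p.is_file()}
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=1))
    return dest


def verify_backup(backup_dir: Path) -> list:
    """Recompute every digest; return the files that are missing or no longer match."""
    manifest = json.loads((backup_dir / MANIFEST).read_text())
    return [rel for rel, digest in manifest.items()
            if not (backup_dir / "data" / rel).is_file()
            or sha256_of(backup_dir / "data" / rel) != digest]


def restore(backup_dir: Path, target: Path) -> None:
    """Refuse to restore from a backup that fails verification."""
    bad = verify_backup(backup_dir)
    if bad:
        raise RuntimeError(f"backup {backup_dir.name} failed verification: {bad}")
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(backup_dir / "data", target)


def scramble(directory: Path) -> None:
    """Stand-in for an encryption event: overwrite every file with random bytes."""
    for p in directory.rglob("*"):
        if p.is_file():
            p.write_bytes(os.urandom(max(p.stat().st_size, 16)))


def restore_drill() -> dict:
    """End-to-end rehearsal on constructed sample files in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live = root / "live"
        (live / "ledger").mkdir(parents=True)
        (live / "ledger" / "q1.csv").write_text("acct,amount\n100,25.00\n")   # constructed
        (live / "notes.txt").write_text("constructed sample data\n")          # constructed
        original = {str(p.relative_to(live)): sha256_of(p) for p in live.rglob("*") if p.is_file()}

        gen1 = make_backup(live, root / "backups", 1)
        scramble(live)                                  # the working copy is now unusable
        backup_ok = verify_backup(gen1) == []           # backup was out of reach, still intact

        restore(gen1, root / "restored")
        restored = {str(p.relative_to(root / "restored")): sha256_of(p)
                    for p in (root / "restored").rglob("*") if p.is_file()}

        # A backup the malware could reach would be caught by the same check.
        scramble(gen1 / "data")
        flagged = verify_backup(gen1)
        return {
            "backup_verified": backup_ok,
            "restored_matches": restored == original,
            "tampered_backup_files_flagged": len(flagged),
        }


if __name__ == "__main__":
    print(restore_drill())
```

The digest manifest is what turns "we have a backup" into "we have a backup we can prove is intact", and timing `restore_drill()` against a realistic data set is one way to get the restore-time figure the author recommends measuring.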

Defense in Depth

Unfortunately, there isn’t a simple solution to network security. A combination of tools, people, and process are needed. Your network security system should be based on defense in depth. Note that the above recommendations, combined with the NSA recommendations, begin to cover many of the attacks that we see today.

Are you thinking that this level of security is too expensive? Consider the consequences. Addressing a successful attack requires reloading all the affected systems so that you know that you’re not reinstalling hibernating ransomware. It’s always better and less costly to implement preventive functions than to use remedial functions.

Additional Steps

There’s one more article coming. We’ll cover a few additional steps that help avoid malware and introduce the Cyber Defense Matrix, which allows you to judge the coverage of your IT security systems.

To read the original blog post, view No Jitter’s post here.
