IT Security Controls
12.7.2016
Listed below are recommendations and selected security controls for IT and Operation and Maintenance (O&M) networks.
Processes related
- Global procedures
- TTM/SDLC process
- Identity Management process
- Vulnerability Management
- Firewall rules management
- Patch Management
- Change Management
- Incident Management
Organization related
- Security Operation Center
- RACI
Infrastructure related
- Firewalls
- VPNs/VPNC, IPsec
- Transmission encryption
Desktops related
- Antivirus, HIPS, Firewall
- Proxy, IDS, SSL inspection
- Mail security
- MS Domain Group Policy
- 802.1X
- Thin clients
Servers related
- Hardened templates
- Compliance profiles
- HIPS
- Proxy
- Data anonymization
Security infrastructure
- Log Management
- Vulnerability scanners
- Remote connection monitoring (Session recording)
- SIEM
- DLP
- Honeypots
- Proxy
- OTP / RSA
- CA
- Physical security
Global Procedures
Define the minimum security baseline:
- minimum logging level
- minimum authentication level
- data encryption requirements
- separation of privileges
- retention of data policy
- restrictions on account sharing, system accounts and application accounts
- Remote access
- Encrypted protocols requirements
- ...
Audit the systems to verify that they match these requirements.
Prepare the audit policy so that it can be checked on the systems in an automated way, e.g. a compliance check by vulnerability/compliance scanners (auditd, syslog config check, ...)
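As an added illustration of such an automated baseline check (example code written for this page, not a tool the page describes): each baseline item becomes a regex rule that must match a line of the configuration file pulled from the host. The sshd_config and rsyslog fragments, the rule set and the log server name are all constructed for the example; a real policy would hold many more rules and would be run by the scanner against every host in the IP plan.

```python
import re

# Constructed sample configuration fragments (not from any real host), standing in
# for files an auditor collects from a system such as /etc/ssh/sshd_config.
SAMPLE_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication no
LogLevel INFO
"""

SAMPLE_RSYSLOG_CONF = """\
module(load="imuxsock")
*.* @@logserver.example.internal:6514
"""

# Each rule: (control name, regex that must match when the setting is compliant,
# remediation hint). Regexes are matched per line, case-insensitively.
BASELINE_RULES = {
    "sshd_config": [
        ("no root login over SSH", r"^\s*PermitRootLogin\s+no\b", "set PermitRootLogin no"),
        ("key-based auth only", r"^\s*PasswordAuthentication\s+no\b", "set PasswordAuthentication no"),
        ("minimum logging level", r"^\s*LogLevel\s+(INFO|VERBOSE)\b", "set LogLevel INFO or VERBOSE"),
    ],
    "rsyslog.conf": [
        ("central log forwarding", r"^\s*\*\.\*\s+@@\S+", "forward all facilities over TCP to the log server"),
    ],
}


def check_baseline(config_name, text, rules=BASELINE_RULES):
    """Return {control: (passed, hint)} for one configuration file."""
    results = {}
    for control, pattern, hint in rules[config_name]:
        compiled = re.compile(pattern, re.IGNORECASE | re.MULTILINE)
        results[control] = (compiled.search(text) is not None, hint)
    return results


def audit_host(configs):
    """Audit {config_name: file text}; return (all_passed, list of failure strings)."""
    failures = []
    for name, text in configs.items():
        for control, (passed, hint) in check_baseline(name, text).items():
            if not passed:
                failures.append(f"{name}: {control} FAILED -> {hint}")
    return (len(failures) == 0, failures)


if __name__ == "__main__":
    ok, failures = audit_host({"sshd_config": SAMPLE_SSHD_CONFIG,
                               "rsyslog.conf": SAMPLE_RSYSLOG_CONF})
    print("compliant" if ok else "\n".join(failures))
```

On the constructed input only the root-login rule fails; the failure strings are what would be turned into tickets by the vulnerability management process.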
Security Operation Center
A dedicated team should be assigned to security operations.
Receiving and monitoring the events from:
- SIEM
- IDS, IPS events
- Access to Log Management
- Netflow
- Session recordings
- Any other security consoles
- Defined rights and process for incident investigations
- For common events, working instructions should be created
Inventory
It is important to have a maintained IP plan.
- owners of the subnets should be identified
- identify every host and the owner of the host (engineering, operation team, vendor/support)
- the software and applications can additionally be identified
A well-documented IP plan is required mainly to schedule the automatic scans, to understand the FW logs and netflows, and during incident investigations.
Identity Management
Process & Technology:
- Provisioning and deprovisioning process for new users
- Management of user roles and user rights
- Auto Provisioning of multiple systems / most common systems (domain, intranet, VPNC, Citrix, LDAP, …)
- Regular auditing of the user rights / roles
- Possible to extend to provision e.g. Linux, DB accounts
Firewall rules management
Process & Technology:
- Defined global security rules & policy for ACLs (e.g. telnet not allowed, ACLs should be opened from a more secure segment to a less secure one, interactive protocols not allowed inside the datacenter, ...)
- Process & workflow for how ACLs are created and removed
- Regular auditing of ACLs from firewalls (products exist on the market)
- Auto-close ACLs if the hit count is 0 for some time
- netflow or at least firewall logs are required
- anomaly detection from netflow is also possible (products exist on the market)
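An added example of the ACL audit described above, written for this page rather than taken from any firewall product: it checks an exported rule list against the global policy (no telnet, no openings from a less trusted zone to a more trusted one, no interactive protocols inside the datacenter) and marks zero-hit rules older than a threshold as auto-close candidates. The zone trust ordering, the 90-day threshold and the sample ACL export are all constructed assumptions.

```python
from datetime import date, timedelta

# Assumed zone model for the example: higher number = more trusted segment.
ZONE_TRUST = {"internet": 0, "office": 1, "datacenter": 2, "management": 3}
INTERACTIVE_PORTS = {22, 23, 3389, 5900}   # SSH, telnet, RDP, VNC
FORBIDDEN_PORTS = {23}                      # telnet is never allowed by policy
STALE_AFTER = timedelta(days=90)            # assumed auto-close threshold

# Constructed sample ACL export (not from a real firewall).
SAMPLE_ACLS = [
    {"id": "acl-1", "src_zone": "management", "dst_zone": "datacenter", "dst_port": 443,
     "hits": 12000, "last_hit": date(2016, 7, 11), "created": date(2015, 3, 1)},
    {"id": "acl-2", "src_zone": "internet", "dst_zone": "datacenter", "dst_port": 23,
     "hits": 3, "last_hit": date(2016, 7, 1), "created": date(2016, 6, 1)},
    {"id": "acl-3", "src_zone": "datacenter", "dst_zone": "office", "dst_port": 445,
     "hits": 0, "last_hit": None, "created": date(2016, 1, 15)},
    {"id": "acl-4", "src_zone": "datacenter", "dst_zone": "datacenter", "dst_port": 3389,
     "hits": 40, "last_hit": date(2016, 7, 10), "created": date(2016, 2, 1)},
]


def audit_acl(acl, today):
    """Return the list of policy findings for one ACL entry (empty = compliant)."""
    findings = []
    if acl["dst_port"] in FORBIDDEN_PORTS:
        findings.append("forbidden protocol (telnet)")
    if ZONE_TRUST[acl["src_zone"]] < ZONE_TRUST[acl["dst_zone"]]:
        findings.append("opened from a less trusted zone towards a more trusted zone")
    if (acl["src_zone"] == "datacenter" and acl["dst_zone"] == "datacenter"
            and acl["dst_port"] in INTERACTIVE_PORTS):
        findings.append("interactive protocol inside the datacenter")
    # Zero hits: measure staleness from the last hit, or from creation if never hit.
    reference = acl["last_hit"] or acl.get("created")
    if acl["hits"] == 0 and reference is not None and today - reference > STALE_AFTER:
        findings.append(f"auto-close candidate: zero hits for more than {STALE_AFTER.days} days")
    return findings


def audit_ruleset(acls, today):
    """Map ACL id -> findings, keeping only ACLs that have at least one finding."""
    report = {}
    for acl in acls:
        findings = audit_acl(acl, today)
        if findings:
            report[acl["id"]] = findings
    return report


if __name__ == "__main__":
    for acl_id, findings in audit_ruleset(SAMPLE_ACLS, date(2016, 7, 12)).items():
        print(acl_id, "->", "; ".join(findings))
```

The hit counts would normally come from the firewall's own counters or from netflow; the audit is only as good as that data, which is why the page lists netflow or firewall logs as a prerequisite.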
Desktop security
Procedure:
- Security procedure for users
Technology:
- Encrypted filesystem
- Local firewall (block network interfaces if there is no connection to the management server, i.e. the connection is not over VPN or not in the corporate network)
- HIPS
- Antivirus
- DLP (at least block USB, or monitor it)
Mail security
Procedure & Technology:
- Default sign mails with certificate (Outlook settings, Group Policy)
- Default encrypt emails (Outlook settings, Group Policy)
- Antispam & Antivirus on Mail gateway
- Possible DLP on mail gateway
Vulnerability Management
Procedure & Technology:
Procedure:
- Define procedure across the company (including RACI, e.g. see SANS Implementing a Vulnerability Management Process)
Technology:
- Install vulnerability scanners
- Regularly scan from the most exposed perimeters (Internet, office LAN, inside the data center / without ACLs towards selected systems)
- Put systems into such regular scanning / vulnerability management (selection in the TTM process)
- Auto-create tickets and assign them
- Perform compliance checks at least with a minimum set of rules. Create custom profiles or use available compliance profiles.
Log Management
Procedure & Technology:
Procedure:
- Define what should be logged and how
Technology:
- Syslog / logstash
- Elasticsearch + Kibana
- or commercial products
SIEM
Event correlation, creation of security incidents
Many commercial products are available
Requires a SOC and log management
Session Recordings
Procedure & Technology:
Mainly for interactive sessions
Technology:
- ICA, RDP, HTTPS/HTTP, SSH (commercial products exist)
- Possible to do policy-based routing to the recording platform, or bastion mode
- Also for HTTP/HTTPS inside the intranet / office LAN, try to use an HTTP proxy (SSL inspection) to record the sessions
- Advanced: anomaly detection from the recorded sessions is possible
Proxy
Usually well implemented, but a short recap:
- should authenticate the user
- should block links with bad reputation
- could contain categories which are not allowed by corporate policy
- block self-signed certificates (block the Let's Encrypt CA and possibly some other CAs)
- embedded antivirus
- possible SSL inspection
- possible embedded DLP
Servers should also use the proxy, no direct access
Malware protection
Basic:
- Antivirus (not sufficient)
Medium:
- IDS on the proxy (e.g. Suricata + Emerging Threats) to detect some back-connects (if the proxy is running on vSphere, just use VDS port mirroring)
- Better to have an IDS on every gateway to external domains (every proxy server, DNS servers)
- Analyze DNS queries
Advanced:
- Auto-sandbox solution analyzing executable content downloaded over the proxy, SMTP gateway, etc.
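To make the "analyze DNS queries" point concrete, here is an added detection example (written for this page, not part of any product it names) that runs three simple checks over a DNS query log from the internal resolvers: a client with a high NXDOMAIN ratio (typical of malware probing generated domain names), many distinct subdomains under one parent domain (a DNS tunnelling indicator), and long high-entropy labels. The log format, thresholds and client addresses are constructed assumptions; tune the thresholds against your own baseline before alerting on them.

```python
import math
import re
from collections import defaultdict

# Constructed DNS query log (not real traffic) in a simple
# "timestamp client qname qtype rcode" form.
SAMPLE_DNS_LOG = """\
2016-07-12T10:00:01 10.1.2.15 www.example.com A NOERROR
2016-07-12T10:00:02 10.1.2.15 mail.example.com MX NOERROR
2016-07-12T10:00:03 10.1.2.77 a3f9c1e7b2d4.tunnel-host.example TXT NOERROR
2016-07-12T10:00:03 10.1.2.77 9e2b7c4d1a6f.tunnel-host.example TXT NOERROR
2016-07-12T10:00:04 10.1.2.77 5c8d2e9f3b1a.tunnel-host.example TXT NOERROR
2016-07-12T10:00:05 10.1.2.77 0b4e6a8c2d9f.tunnel-host.example TXT NOERROR
2016-07-12T10:00:06 10.1.2.42 qwzxkjvbnmpl.net A NXDOMAIN
2016-07-12T10:00:07 10.1.2.42 plmkjhgfdsaz.org A NXDOMAIN
2016-07-12T10:00:08 10.1.2.42 mnbvcxzlkjhg.com A NXDOMAIN
2016-07-12T10:00:09 10.1.2.42 intranet.example.com A NOERROR
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text):
    """Parse log lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, qname, qtype, rcode = m.groups()
            records.append({"ts": ts, "client": client, "qtype": qtype, "rcode": rcode,
                            "qname": qname.lower().rstrip(".")})
    return records


def analyze_dns(records, entropy_threshold=3.4, min_label_len=12,
                nx_ratio=0.5, tunnel_subdomains=4):
    """Return {client: [finding, ...]} for clients that trip any check."""
    findings = defaultdict(list)
    per_client = defaultdict(list)
    for r in records:
        per_client[r["client"]].append(r)
    for client, recs in per_client.items():
        # 1. NXDOMAIN-heavy client: DGA malware hunting for a live C2 domain.
        nx = sum(1 for r in recs if r["rcode"] == "NXDOMAIN")
        if len(recs) >= 3 and nx / len(recs) >= nx_ratio:
            findings[client].append(f"NXDOMAIN ratio {nx}/{len(recs)}")
        # 2. Many distinct subdomains under one parent: data carried in the query names.
        subdomains = defaultdict(set)
        for r in recs:
            labels = r["qname"].split(".")
            if len(labels) >= 3:
                subdomains[".".join(labels[-2:])].add(labels[0])
        for parent, subs in subdomains.items():
            if len(subs) >= tunnel_subdomains:
                findings[client].append(
                    f"{len(subs)} distinct subdomains under {parent} (possible tunnelling)")
        # 3. Long, random-looking leftmost label.
        for r in recs:
            label = r["qname"].split(".")[0]
            if len(label) >= min_label_len and shannon_entropy(label) >= entropy_threshold:
                findings[client].append(f"high-entropy label {label}")
    return dict(findings)


if __name__ == "__main__":
    for client, items in analyze_dns(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(client, "->", "; ".join(items))
```

Each check alone produces false positives (CDNs and cloud services also use random-looking hostnames), so in practice the findings are fed to the SIEM and correlated with proxy and IDS events rather than alerted on directly.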
DLP
- SSL inspection on the proxy (not very popular with employees)
- Internal CA distributed via group policy
- Proxy decrypts SSL and forwards it to the DLP server using ICAP, or embedded DLP on the proxy server
- DLP agents on desktops
- DLP on the mail gateway
=> Regular expressions and sensitive words need to be defined; these could be e.g. CDRs, MSISDNs, IMSIs, ... But an attacker with knowledge could evade this detection
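An added example of the regex/keyword DLP rule set described above (written for this page, not the configuration of any DLP product): it looks for IMSI and MSISDN-shaped numbers and sensitive keywords in a message, strips single separators between digits first so that trivially spaced numbers are still caught, and decides block/allow on a score. The regexes, keyword list, threshold and sample messages are constructed; the last sample shows the page's own caveat, since a base64-encoded IMSI passes straight through.

```python
import base64
import re

# Constructed patterns: an IMSI is 15 digits (MCC + MNC + MSIN); an MSISDN is
# taken here as an optional '+' and 10-14 digits. Tune these to your numbering plans.
IMSI_RE = re.compile(r"(?<!\d)(\d{15})(?!\d)")
MSISDN_RE = re.compile(r"(?<!\d)\+?(\d{10,14})(?!\d)")
SENSITIVE_WORDS = ("confidential", "cdr", "subscriber list")
# A single space, dash or dot sitting between two digits.
SEPARATOR_RE = re.compile(r"(?<=\d)[ \-.](?=\d)")

# Constructed sample messages.
BENIGN_MSG = "Hi, the meeting is at 10:30 tomorrow in room 204."
CDR_MSG = ("confidential CDR export\n"
           "230011234567890;+420601234567;120s\n"
           "230019876543210;+420777123456;45s\n")
SPACED_MSG = "imsi: 2 3 0 0 1 1 2 3 4 5 6 7 8 9 0"
ENCODED_MSG = "see attached: " + base64.b64encode(b"230011234567890").decode()


def normalize(text):
    """Collapse '230 01 123...' or '230-01-123...' into one digit run."""
    return SEPARATOR_RE.sub("", text)


def scan_message(text, block_threshold=3):
    """Return {'action': 'block'|'allow', 'hits': {...}} for one message."""
    norm = normalize(text)
    hits = {
        "imsi": IMSI_RE.findall(norm),
        "msisdn": MSISDN_RE.findall(norm),
        "keyword": [w for w in SENSITIVE_WORDS if w in text.lower()],
    }
    score = len(hits["imsi"]) + len(hits["msisdn"]) + len(hits["keyword"])
    return {"action": "block" if score >= block_threshold else "allow", "hits": hits}


if __name__ == "__main__":
    for name, msg in (("benign", BENIGN_MSG), ("cdr", CDR_MSG),
                      ("spaced", SPACED_MSG), ("encoded", ENCODED_MSG)):
        print(name, "->", scan_message(msg))
```

The block threshold keeps a single phone number in a signature from tripping the rule, while a CDR dump with several IMSIs, MSISDNs and keywords is blocked. Encoding, compression or encryption of the payload defeats this entirely, which is why the page treats regex DLP as one layer and not as a guarantee.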
Honeypots
Easy: put a few into selected VLANs
Very effective to get initial visibility
There are free and commercial ones, or you can just use psad on Linux on existing servers
Integrity checks
Regular integrity checks of core routers or critical systems
- also ask the vendor to propose a solution
- regularly check the integrity of the firmware or OS on core routers or on systems which process a significant amount of user traffic
- install a HIDS with integrity checks on critical systems (e.g. use OSSEC)
OTP
For remote access or sensitive systems use a One Time Password solution
- use a commercial one, or possibly try a free one (LinOTP)
- or just use Google PAM with Google Authenticator, or RADIUS PAM with FreeRADIUS (OATH Perl module) and an LDAP backend
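Google Authenticator, LinOTP and the FreeRADIUS OATH module all verify the same RFC 4226/6238 (HOTP/TOTP) codes, so an added self-contained implementation (written for this page, not the code of any of those projects) shows what the server side actually checks: HMAC-SHA1 over a counter derived from the time, dynamic truncation, a tolerance window for clock skew, and rejection of an already used counter. The secret used in the code is the RFC test-vector key, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, timestamp=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret, int(timestamp) // step, digits)


def decode_base32_secret(text):
    """Google Authenticator shares the seed as (usually unpadded) base32 text."""
    clean = text.strip().replace(" ", "").upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


def verify_totp(secret, code, timestamp, last_counter=-1, step=30, digits=6, window=1):
    """Accept a code within +/- window steps of now, but never a counter already used.
    Returns the accepted counter (store it as last_counter) or None on failure."""
    now_counter = int(timestamp) // step
    for counter in range(now_counter - window, now_counter + window + 1):
        if counter <= last_counter:
            continue  # replay protection: a code is good once
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


# RFC 4226 / RFC 6238 test-vector seed (ASCII "12345678901234567890"), not a real secret.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("TOTP at t=59:", totp(RFC_SECRET, 59))
    print("accepted counter:", verify_totp(RFC_SECRET, totp(RFC_SECRET, 59), 59))
```

The `last_counter` bookkeeping is the piece home-grown PAM setups most often omit: without it, a code sniffed during its 30-second validity (plus the window) can be replayed. The compare is constant-time, and the window should stay small (one step each way) since every extra step widens the guessing space.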
Pentests & Red Team exercises
- Pentests are very effective for understanding the attacker's perspective
- Put in place a procedure so that the internal security department is allowed to perform ad-hoc or regular pentests on a testbed or non-critical infrastructure
- Also allow social engineering tests towards employees to increase security awareness