IT Security Controls

12.7.2016

Below are listed recommendations and selected security controls related to IT and Operation and Maintenance networks.

Processes related

- Global procedures

- TTM/SDLC process

- Identity Management process

- Vulnerability Management

- Firewall rules management

- Patch Management

- Change Management

- Incident Management

Organization related

- Security Operation Center

- RACI

Infrastructure related

- Firewalls

- VPNs/VPNC, IPSec,

- Transmission encryption

Desktops related

- Antivirus, HIPS, Firewall

- Proxy, IDS, SSL inspection

- Mail security

- MS Domain Group Policy

- 802.1.X

- Thin clients

Servers related

- Hardened templates

- Compliance profiles

- HIPS

- Proxy

- Data anonymization

Security infrastructure

- Log Management

- Vulnerability scanners

- Remote connection monitoring (Session recording)

- SIEM

- DLP

- Honeypots

- Proxy

- OTP / RSA

- CA

- Physical security

Global Procedures

Define the minimum security baseline:

- minimum logging level

- minimum authentication level

- data encryption requirements

- separation of privileges

- retention of data policy

- sharing of account restriction, system account, application accounts

- Remote access

- Encrypted protocols requirements

- ...

Audit the systems to match for this requirements.

Try to prepare the audit policy which could be checked on the systems in automated way. I.e. compliance check by vulnerability/compliance check scanners (auditd, syslog config check, ...)

Security Operation Center

Dedicated team should be assigned for security operation

Receiving and monitoring the events from:

- SIEM

- IDS, IPS events

- Access to Log Management

- Netflow

- Session recordings

- Any other security consoles

- Defined rights and process for incident investigations

- For common events, the working instructions should be created

Inventory

Important is to have a maintained IP plan.

- owners of the subnets should be identified

- identify every host and the owner of the host (engineering, operation team, vendor/support)

- the SW and application could be additionally identified

The well documented IP plan is required mainly to schedule the automatic scans, understand the FW logs and netflows and also during the incidents investigations.

Identity Management

Process & Technology:

- Provisioning, deprovisioning process of new users

- Management of user roles and user rights

- Auto Provisioning of multiple systems / most common systems (domain, intranet, VPNC, Citrix, LDAP, …)

- Regular auditing of the user rights / roles

- Possible to extend to provision e.g. Linux, DB accounts

Firewall rules management

Process & Technology:

- Defined global security rules & policy for ACLs (e.g. telnet not allowed, ACLs should be opened from more secure segment, to less secure, interactive protocols not allowed inside datacenter …)

- Process & workflow how ACLs are created and removed

- Regular auditing of ACLs from firewalls (products exists on market)

- Autoclose ACLs if hitcount is 0 for some time

- netflow or at least firewall logs required

- also anomaly detection possible from netflow (products exists on market)

Desktop security

- Security procedure for user

- Technology:

Encrypted filesystem

Local firewall (block network interfaces if no connection to management server: I.e. connection not over VPN or not in corporate network)

HIPS

Antivirus

DLP (at least block USB or monitor)

Mail security

Procedure & Technology:

- Default sign mails with certificate (Outlook settings, Group Policy)

- Default encrypt emails (Outlook settings, Group Policy)

- Antispam & Antivirus on Mail gateway

- Possbile DLP on mail gateway

Vulnerability Management

Procedure & Technology:

Procedure:

- Define procedure across the company (including RACI, e.g. see SANS Implementing a Vulnerability Management Process)

Technology:

- Install vulnerability scanners

- Regularly scan from most exposed perimeters (Internet, Office LAN, inside data center/without ACLs towards selected systems)

- Put systems into such regular scanning / vulnerability management (selection in TTM process)

- Auto create tickets and assign them

- Perform compliance checks at least with minimum set of rules. Create custom or use available compliance profiles.

Log Management

Procedure & Technology:

Procedure:

- Define what and how should be logged

Technology:

- Syslog / logstash

- Elastic search + Kibana

- Or commercial products

SIEM

Event correlation, creation of security incidents

Many commercial products available

Requires SOC + log management

Session Recordings

Procedure & Technology

Mainly for interactive sessions

Technology:

- ICA, RDP, HTTPs/HTTP, SSH (Commercial products exists)

- Possible to do policy based routing to recording platform or bastion mode

- Also for HTTP/HTTPs inside intranet / office LAN try to use HTTP proxy (SSL inspection) to record the sessions

- Advanced: Possible anomaly detection from recorded sessions

Proxy

Most time well implemented, but some recap

- should authenticate user

- should block bad reputation links

- could contain categories which are not allowed because of corporate policy

- block self-signed certificates (Block let's Encrypt CA and possibly some other CAs)

- embedded antivirus

- possible SSL inspection

- possible embedded DLP Servers should also use proxy, no direct access

Malware protection

Basic:

- Antivirus (not sufficient)

Medium:

- IDS on proxy (e.g. Suricata + Emerging threats) to detect some back-connects (if proxy is running on vSphere, just use VDS port mirroring)

- Better to have IDS on every gateway to external domain (every proxy server, DNS servers)

- Analyze DNS queries

Advanced:

- Auto-sandbox solution, analyzing executable content download over proxy, SMTP gateway, etc.

DLP

- SSL inspection on proxy (not very popular by employees)

- Internal CA from group policy

- Proxy decrypts SSL and forward it to DLP server using ICAP or embedded DLP on proxy server

- DLP agents on desktops

- DLP on mail gateway

=> need to define regular expression and sensitive words, could be like CDRs, MSISDN, IMSI, … But attacker with knowledge could evade this detection

Honeypots

Easy, put few into selected VLANs

Very effective to get initial visibility

There are free, commercial or you can use just psad for linux on existing servers

Integrity checks

Regular integrity checks of core routers or critical systems

- also ask vendor to propose solution

- regularly check the integrity of firmware or OS on core routers or systems which process the significant amount of user traffic

- install HIDS with integrity checks on critical systems (e.g. use OSSEC)

OTP

For remote access or sensitive systems use One Time password solution

- use commercial or possibly try free (LinOTP)

- or just use Google PAM and Google Authenticator or Radius PAM with freeRadius (OATH perl module) and LDAP backend

Pentests & Red Team exercises

- Pentest are very effective to understand the attacker perspective

- Put in place procedure that internal security department is allowed to perform ad-hoc or regular pentest on testbed or non critical infrastructure

- Allow also social engineering tests towards employees to increase the security awareness