Security in Depth: Where to begin

A frequent question commonly asked when working in Security is "Where do I begin?"
Talking about Information Security can easily turn into information overload, which is why communication skills are essential for working in the industry. So in order to answer this big question, I have come up with a Security Checklist, which is an overview of where to begin, without overlooking essential things.

Patch everything, immediately: It doesn't matter if there is a business requirement for some software, if it’s vulnerable and there’s publicly available exploit code or an easy to use exploitation tool available then it is going to be compromised.

Update default passwords: This in my opinion is common sense; however, funny thing about common sense is its quite hard to come across these days. Honestly if you want a one way path to being compromised and even being a part of a botnet, ignore this advice. This includes your firewall, servers and any IoT device that you buy and connect to your network.

Don't Reuse Passwords: Reusing passwords means once one device is compromised, what else can be compromised? Use a password manager such as KeePass (KeePassX for Apple) to keep track of passwords, don't write them down or you open yourself to a different arsenal of problems.

Network Segmentation: Devices should be segmented logically by type; set up choke points between device types and heavily filter based on port and protocol. Consider how an attacker moving from one segment to another can be restricted. Consider how you can prevent an end-user device compromised by a phishing attack from reaching the servers. What about the mobile devices too? What can they access?

Manage in and out of band: If your management plane is separated either logically, or physically from your data plane, it makes the task of an attacker monitoring or modifying that traffic one step harder.

Use Secure Protocols: Using good protocols is essential i.e. SSH not telnet, SMTP/S not SMTP etc. It compliments managing in and out of band.

Disable What You Don't Need: Continuing off of the last note, disable any protocols you don't need. This can help mitigate against being attacked. For example: NetBIOS-NS and SMB.

PSK for wireless is not good enough: PSK networks be cracked off-site (once a handshake has been captured, which can take seconds) but also there are key distribution and key management issues. Also consider administrator login details for each AP, this has to do with default passwords. You should look in to deploying 802.1X which utilises client-side digital certificates and active directory authentication. You should have a plan for protecting against stolen or infected end-user devices and you should have a plan for access revocation.

Proper Mobile Device Management: Remote erase, a secure pin number and encryption-at-rest are essential. Your company policy will give you the specifics of whether fingerprint access is acceptable, but you should accept that devices will be lost and stolen. The data on the device should be protected as should the access the device has in to your internal network – such as VPNs. Encrypt the data on the device so that it cannot be accessed or modified; enable remote wipe which may help with damage limitation; have the ability to be able to revoke a devices access to the VPN. This is all part of proper MDM.

Restrict User Input: If you’re writing a web application then contextually filter user input through a white-listing approach to match each expected input – e.g if you're asking for a postcode does the input look like a number? Does it limit the inout to 4 characters long?

Restrict User Access: Network Access Control applies to both wireless and wired networks and should be rigorous. Don’t restrict access based on something public and easily forged such as MAC addresses but instead utilise something like client-side certificates or active directory integration to determine whether machines should be allowed access. For web applications and external infrastructure restrict access to administrative interfaces to administrative machines only.

Weak Encryption will be Broken: There’s a lot more to cryptography that just what encryption algorithm you’re using. With implementation issues, algorithm issues, hashing issues, padding issues, PRNG issues. There’s a lot of complexity and a lot that can go wrong, on top of this clients seem to take ages to fix default support for weak encryption. Get rid of old and weak ciphers quickly and remove broken ciphers immediately. Try to keep a real world understanding of the risks of each attack and new weakness, and how bad the issues are. Some issues are minor, whereas attacks like RC4 NOMORE are a big deal.

Trust but Verify: Test your systems. It doesn't matter how great you think the level of your security is, test your systems, and test them manually. We believe human driven testing far beats automated testing.

Before attackers come, have a plan to response: If a company is not adequately prepared for the efficient handling of an incident then a time of tension becomes one of crisis. Having procedures, and plans for when an attack comes is essential. This is the same as going to war, it just happens to be with the use of computers. Would you go into a war unprepared?

"Appear weak when you are strong, and strong when you are weak" - Sun Tzu, The Art of War