Saturday, January 28, 2023

Notes from the Field - Center for Internet Security Control 12 - Network Infrastructure Management

A company I audited last fall had an insecure design for its Amazon Web Services architecture, which hosted a financial web application. The web servers were public facing, as were its PostgreSQL servers. Prime targets for attackers. In most information security audits I perform, companies usually protect their web servers with layers of protection that include DDoS and reverse proxy services from companies like Cloudflare. AWS load balancers are also commonly used and placed in front of the web servers. The web servers and database servers are assigned private IP addresses, so they are not directly exposed to the internet and attackers.


The client agreed that their architecture was not ideal. They had been in a hurry a few years before to get the web application into production and they were new to AWS at the time. They figured they would fix it later. They never did. There was always some new project or priority that caused them to delay the redesign. As they say, if you don't have time to do it right, when will you have time to do it over? 

Unfortunately, this scenario is more common than you might expect. While most of the clients I work with have skilled and experienced network/cloud architects and systems administrators who have implemented secure infrastructures, too many still don't. They do what works and hope to secure it later. That will eventually catch up with them. 

In this post I discuss Center for Internet Security Critical Control 12 - Network Infrastructure Management. The Center for Internet Security Controls are 18 critical information security controls all organizations should implement and all information technology and security employees should be familiar with to protect their networks, systems, and data. 

The overview for Control 12 is: "Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points."

Control 12 includes 8 safeguards: 

12.1  Ensure Network Infrastructure is Up-to-Date
12.2  Establish and Maintain a Secure Network Architecture
12.3  Securely Manage Network Infrastructure
12.4  Establish and Maintain Architecture Diagram(s)
12.5  Centralize Network Authentication, Authorization, and Auditing (AAA)
12.6  Use of Secure Network Management and Communication Protocols
12.7  Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure
12.8  Establish and Maintain Dedicated Computing Resources for All Administrative Work

Why is this control critical? Secure network infrastructure is essential in defense against attacks. Organizations must have an appropriate architecture that they can effectively secure. Understand that securing company and customer data is the highest priority for information security and technology professionals. Data breaches can cost companies tens or hundreds of millions of dollars from lost business, fines, legal settlements, and reputational damage. The 2013 Target data breach cost the retail giant at least $200 million in legal and other fees. Equifax agreed to pay $575 million as a result of its 2017 data breach. Both companies paid out more to recover from the breaches.   

Let's discuss a few of the safeguards listed above. Safeguard 12.1 overlaps with Control 07 - Vulnerability Management. It boils down to using supported network gear and services and installing the latest security patches and firmware updates. Clear enough. Still, in on-premises environments, clients often have firewalls with firmware that has not been updated in years, leaving them vulnerable to attack. As important as firewalls are, people forget to maintain them. If you rely on a firewall to protect your perimeter, properly manage the firewall.

For Safeguard 12.2 - Establish and Maintain a Secure Network Architecture, I refer back to the example of the client with which I opened this post. How should companies design their AWS environments for their web application? Here's a good document and diagram from AWS advising how to properly architect an environment. It includes additional services you can optionally use, such as a WAF, a Content Delivery Network (CDN), and an Elastic Load Balancer (ELB), to better protect your web, application, and database servers or RDS instances. It does a good job of visually demonstrating the levels of protection and the different subnets companies can use for the different types of systems and services.

Safeguard 12.4 - Establish and Maintain Architecture Diagram(s) seems to some industry professionals I've worked with to be a waste of time. They either don't have diagrams or the diagrams are outdated. A diagram is used to visually represent your network, systems, location of data, and the flow of data in and out of your environment. The diagrams often list which ports are open to which systems, both from the internet and internally. You can look at it and generally understand what's going on. You can then compare the diagram to your actual network, inventory, and firewall and security group rules to determine if they align.

Do you know what happens when companies don't have network diagrams? There are usually some forgotten firewall or security group rules allowing traffic in where it shouldn't be permitted. Or there's a server sitting in the DMZ that shouldn't be there. But the infrastructure director didn't know about it because they were told by staff that everything was set up right. Without a diagram, they have to get under the hood themselves to check things out. And they may never do that.    

Safeguard 12.8 - Establish and Maintain Dedicated Computing Resources for All Administrative Work is one of the controls that distinguishes secure and insecure environments. If this safeguard is in place, many of the others are as well. In secure environments, companies require VPN access to their backend on-prem or cloud environment. Administrators then connect to a jump box, a server used for administrative tasks for the company infrastructure. The jump box is on a separate subnet from the production systems. From the jump box, the sys admins can SSH or RDP to the server they need to administer. In less secure environments, administrators can SSH or RDP directly from the internet to the servers they need to administer, no VPN or jump box. This is a dangerous practice as attackers can attempt to SSH and RDP to those same servers if they are not protected by VPN and jump box layers.

Periodic Firewall and Security Group Rule Reviews - Companies should conduct monthly or quarterly reviews of firewall and security group rules to verify they are appropriate. Network staff often test different services and tools before implementing them. That usually requires a change in firewall rules, such as opening a port for a new service or testing remote administration. Unfortunately, companies don't always disable or delete the rule after the testing is completed or when the technology is no longer used. The port that was opened for one technology stays open and later exposes a different server, leaving it vulnerable to attack.
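The three points above (compare the diagram to the real rules, keep SSH/RDP and database ports behind the VPN and jump box, and periodically catch forgotten test rules) can be turned into a repeatable check. The script below is an added example written for this post, not code from the Center for Internet Security or AWS. It assumes security groups in the shape returned by the EC2 DescribeSecurityGroups API (GroupName, IpPermissions, IpRanges/Ipv6Ranges); the group names, subnets, and rules are constructed sample data, and the "diagrammed" exposure list stands in for what the architecture diagram says should be reachable from the internet.

```python
"""
Security-group review against an architecture diagram.

Added example, not from the original post. The data below is CONSTRUCTED to
mimic the DescribeSecurityGroups response shape; it is not from a real account.
"""
import ipaddress

# Ports that should only be reachable over the VPN / jump-box path, never
# from the public internet (SSH, RDP, and the PostgreSQL listener).
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5432: "PostgreSQL"}

# RFC 1918 ranges: traffic from these is "inside" (VPN, jump-box subnet, ALB subnet).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed: exposures the architecture diagram documents as intentionally public,
# keyed as (group name, protocol, from port, to port). Only the load balancer on 443.
DIAGRAMMED_PUBLIC = {("sg-alb", "tcp", 443, 443)}

# Constructed sample security groups (hypothetical names and subnets).
SAMPLE_SECURITY_GROUPS = [
    {"GroupName": "sg-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupName": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},        # from the ALB subnet
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.100.0/24"}]}]},    # from the jump-box subnet
    {"GroupName": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # database open to the world
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.100.0/24"}]}]},
    {"GroupName": "sg-legacy-test", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 9000, "ToPort": 9010,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},        # opened for a tool no longer used
]


def source_is_internal(cidr: str) -> bool:
    """True if the source CIDR lies entirely inside an RFC 1918 range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == priv.version and net.subnet_of(priv) for priv in RFC1918)


def review_security_groups(groups, diagrammed_public):
    """Return (group, port range, source CIDR, reason) findings for every
    public-sourced rule that exposes an admin port or is not on the diagram."""
    findings = []
    for sg in groups:
        name = sg["GroupName"]
        for perm in sg.get("IpPermissions", []):
            proto = perm["IpProtocol"]
            # Protocol "-1" means all traffic; the API then omits the port keys.
            lo, hi = (0, 65535) if proto == "-1" else (perm["FromPort"], perm["ToPort"])
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                if source_is_internal(cidr):
                    continue  # VPN / jump-box / internal subnet traffic is expected
                for port, service in ADMIN_PORTS.items():
                    if lo <= port <= hi:
                        findings.append((name, f"{lo}-{hi}", cidr,
                                         f"{service} reachable from outside the VPN/jump-box path"))
                if (name, proto, lo, hi) not in diagrammed_public:
                    findings.append((name, f"{lo}-{hi}", cidr,
                                     "public exposure not on the architecture diagram"))
    return findings


if __name__ == "__main__":
    for group, ports, cidr, reason in review_security_groups(SAMPLE_SECURITY_GROUPS, DIAGRAMMED_PUBLIC):
        print(f"{group:16} {ports:12} {cidr:16} {reason}")
```

Run against the sample data, the load balancer's documented 443 rule passes, the web tier passes because its SSH rule only admits the jump-box subnet, and the review flags the database group's PostgreSQL and RDP rules plus the leftover 9000-9010 test range. In practice the input would be the real DescribeSecurityGroups output and the diagrammed set would be maintained alongside the diagram, so a drift between the two shows up at every monthly or quarterly review.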

For more details on the safeguards to protect your network to prevent a data breach, see the Center for Internet Security Controls document. 

Next month I will discuss Center for Internet Security Control 13 - Network Monitoring and Defense.
