Like the onion, effective security is all about layers. The term commonly used to describe this approach is "Defence In Depth". There is no single security solution out there that will provide you with all the security you need to protect even the smallest of environments. Security is about implementing multiple controls in layers throughout your network or environment, each layer providing a new obstacle for any would-be attacker or self-propagating malware to overcome. We don't want to focus all our security controls on the perimeter of our network, but implement controls right the way through to the core, thus providing a depth of defence.

This concept of Defence In Depth is not a new one! Our ancestors of the Middle Ages used the concept to great effect when they sought to protect themselves. The Castle of the Middle Ages got its strength from the principle of Defence In Depth. At its furthest perimeter was a moat and steep embankment to deter or slow any would-be foe. On the edge of the moat was a huge stone perimeter wall with only a single point of entry, through which control could be maintained over who was permitted to enter the safety of the Castle. But this is not where the security ended; rather, it was just the beginning.

Within the exterior wall was a further high stone wall, and at the heart of the Castle was the Keep, a Castle within a Castle and the last line of defence. Finally, the Castle was built on a strong stone foundation to provide all-round defence. To top it all, the Castle was built on high ground with guards posted at the highest points, giving advance warning of any incoming foe long before an attack began.

Building Our Cyber Security "Castle"

So, if effective security could be achieved in the 15th Century, why have we forgotten to apply these basic concepts to 21st Century cyber security?

If we take the simplest of networks, a single web server, we can still use Defence In Depth to achieve effective all-round security. We start at the perimeter with a network firewall that uses stateful packet inspection, allowing unknown traffic through only ports 80 and 443. We are likely to need to remotely administer our server over Secure Shell (SSH), for which we will change the default port and restrict access to allowed IP addresses only. We will also introduce multi-factor authentication (MFA) through the use of asymmetric key pairs for each user. Any further administrative access requirements, such as remote database administration, will be secured in the same manner.

Now let's add our second layer; in terms of our Castle analogy this is our inner wall, and for a web server we will do this in the form of a Web Application Firewall (WAF). Now all internet traffic that passes through our network firewall will be routed to our WAF provider, where each packet will be fully interrogated before being allowed access to our web application, with malicious packets blocked before they reach our server. It's highly likely that we will have some form of web-based Content Management System (CMS), a prime attack surface for any would-be foe. So, let's hide this at a URL known only to those who require access, using a URL that does not include such identifiable keywords as Admin or Log-In. Then we'll apply IP address restrictions and MFA.
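The perimeter and inner-wall controls described above (a stateful firewall with only 80 and 443 open to the world, SSH on a non-default port reachable from the administrators' addresses only, and a CMS console moved to a non-obvious, address-restricted URL), as an added shell example. It is not code from the original post or from 3B Data Security; it assumes nftables and nginx as the tools, and the SSH port 2222, the admin address 203.0.113.10 and the console path are constructed placeholders. The WAF itself runs at the provider and is not shown. The audit function is the defender's check that a ruleset still has the two properties this layer depends on: inbound default-deny, and no SSH rule without a source-address match.

```shell
#!/bin/sh
# Added example, not code from the original post: the perimeter layer for a
# single web server, as a script that prints the firewall and web-server
# fragments and audits the firewall for the properties the layer relies on.
# Assumptions of this example (none are stated in the post): nftables and
# nginx as the tools, SSH moved to port 2222, one admin address in the
# documentation range (constructed), and a made-up CMS console path.
ADMIN_IPS="${ADMIN_IPS:-203.0.113.10/32}"   # constructed admin address
SSH_PORT="${SSH_PORT:-2222}"                  # assumed non-default SSH port
ADMIN_PATH="${ADMIN_PATH:-/m7q2-console/}"    # constructed, non-obvious path

# Stateful ruleset: inbound default-deny; new connections accepted only on
# 80/443 from anywhere and on the SSH port from the admin addresses.
nft_ruleset() {
    cat <<EOF
flush ruleset
table inet filter {
    set admin_ips {
        type ipv4_addr
        flags interval
        elements = { ${ADMIN_IPS} }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        ct state new tcp dport { 80, 443 } accept
        ct state new ip saddr @admin_ips tcp dport ${SSH_PORT} accept
        icmp type echo-request limit rate 5/second accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
EOF
}

# nginx fragment: the CMS console sits at a non-obvious path, only the admin
# addresses may reach it, and a refused request gets 404 rather than 403 so
# the path's existence is not confirmed; the guessable names return nothing.
nginx_admin_location() {
    cat <<EOF
location ${ADMIN_PATH} {
    allow ${ADMIN_IPS};
    deny all;
    error_page 403 =404 /404.html;
    auth_basic "Administration";
    auth_basic_user_file /etc/nginx/admin.htpasswd;  # assumed path
    proxy_pass http://127.0.0.1:8080;                 # assumed CMS backend
}
location ~* ^/(admin|login|log-in)(/|\$) {
    return 404;
}
EOF
}

# Audit a ruleset (read from stdin): the input chain must be default-deny
# and no SSH rule may accept connections without a source-address match.
audit_firewall() {
    rules=$(cat)
    ok=0
    printf '%s\n' "$rules" | grep -q 'hook input.*policy drop' \
        || { echo "FAIL: input chain is not default-deny"; ok=1; }
    if printf '%s\n' "$rules" | grep -E "tcp dport (22|${SSH_PORT}) accept" \
            | grep -qv 'saddr'; then
        echo "FAIL: SSH accepted from any source address"
        ok=1
    fi
    [ "$ok" -eq 0 ] && echo "OK: ruleset passes both checks"
    return "$ok"
}

# Usage: sh perimeter.sh nft   > /etc/nftables.conf
#        sh perimeter.sh nginx > /etc/nginx/snippets/admin.conf
#        sh perimeter.sh audit
case "${1:-}" in
    nft)   nft_ruleset ;;
    nginx) nginx_admin_location ;;
    audit) nft_ruleset | audit_firewall ;;
esac
```

The audit is deliberately strict about source-address restriction on the SSH port: a rule that opens the port to the world, even a non-default one, removes the "allowed IP addresses only" control without anyone noticing, which is exactly the kind of drift a periodic check should catch.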

Now to turn our attention to the host server itself (our Castle Keep). By running the web application under a dedicated user whose permissions are limited to the web root(s) only, and which is not a member of the root (sudo) or administrative group, we restrict any attacker who breaches our perimeter defences to the web directory only. We can further protect the server by preventing the root account from logging in, meaning that any user must authenticate first and then escalate their privileges to root, re-authenticating if required, with root access restricted to only those who have an absolute need for that level of access.

Finally, we should build our web server on rock: a dedicated environment would be best, to prevent our security efforts being undermined from within. Once secure, we can introduce our sentries upon the ramparts to provide us with advance warning of any attack. At each layer of our security we will introduce live alerting of malicious activity as our defences are probed, and detailed records and logs for all our security controls (recording at least 12 months of activity). Should our defences be breached (no Castle is completely infallible), we need to detect our attackers and their actions as soon as possible, and this we will achieve with File Integrity Monitoring (FIM).
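The File Integrity Monitoring sentry described above, as an added shell example that is not code from the original post or from 3B Data Security. It takes a SHA-256 baseline of the web root once the server is known-good and, on each later run, reports every modified, added or removed file and exits non-zero so that a cron job or timer can feed the existing alerting. It assumes `sha256sum` (GNU coreutils) or perl's `shasum`, file paths without newlines, and a baseline location of the caller's choosing.

```shell
#!/bin/sh
# Added example, not code from the original post: a minimal file integrity
# monitor for the web root, the "sentry" the post describes. Assumptions:
# sha256sum (GNU coreutils) or perl's shasum is available, paths contain no
# newlines, and the baseline file location is chosen by the caller.

# One "hash  path" line per regular file under $1, in a stable order.
hash_files() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        if command -v sha256sum >/dev/null 2>&1; then sha256sum "$f"
        else shasum -a 256 "$f"; fi
    done
}

# Take the baseline once the server is built and known-good; store it
# somewhere the web account cannot write to, or an attacker can re-baseline.
fim_baseline() {
    hash_files "$1" > "$2"
}

# Compare the tree under $1 with the baseline $2. Prints one finding per
# line (MODIFIED, ADDED or REMOVED followed by the path) and returns 1 when
# anything changed, so a cron job or timer can raise an alert on failure.
fim_check() {
    current=$(mktemp)
    hash_files "$1" > "$current"
    findings=$(awk '
        # path is everything after the 64-character hash and two spaces
        { p = substr($0, length($1) + 3) }
        FILENAME == ARGV[1] { base[p] = $1; next }
        {
            seen[p] = 1
            if (!(p in base))        print "ADDED    " p
            else if (base[p] != $1)  print "MODIFIED " p
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED  " p }
    ' "$2" "$current")
    rm -f "$current"
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Usage: sh fim.sh baseline /var/www/site /var/lib/fim/site.sha256
#        sh fim.sh check    /var/www/site /var/lib/fim/site.sha256
# A failed check is written to syslog so the existing alerting picks it up.
case "${1:-}" in
    baseline) fim_baseline "$2" "$3" ;;
    check)    fim_check "$2" "$3" || logger -t fim -p auth.warning "integrity change under $2" ;;
esac
```

Two design points matter more than the hashing itself: the baseline must live outside the web account's reach (otherwise whoever gains the web user can simply re-baseline their changes away), and the check must run on a schedule short enough that the 12 months of retained logs contain a timestamp close to the moment a file first changed.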

Beyond the "Castle" Perimeter - Threat Intelligence and Monitoring

But how do we gain the benefit of building our castle on a hill, the 360 degrees of advance warning? This will require external sources, such as security blogs, dark web monitoring, and vulnerability alerts. It is unlikely that you will be unfortunate enough to be the victim of a zero-day attack.

Most attacks investigated by 3B Data Security's DFIR team could have been prevented if the administrators had monitored current attack trends, stayed on top of all security patches and identified the vulnerabilities relevant to their environment. The attack landscape is ever changing, as those with malicious intent find new ways to breach our defences. Unlike our ancestors of the 15th Century, our Castles need to continually evolve to meet new and emerging attack trends.

Don’t delay, build yourself a Castle today and defend your infrastructure!

If you would like any further information on achieving defence in depth, or securing your specific environment, please contact 3B Data Security, who have a range of services and expertise to suit all networks and environments.