Back to Information Security Basics
With all the products available to the information security industry these days, I find that organizations quite often forget to implement the basics. It is not always necessary to buy the latest big-ticket product to secure your assets; good security hygiene usually starts with simple changes to the assets you already have. In this article I outline three simple concepts that, applied properly, improve any organization's security posture a great deal at little or no cost.
Basics One: Default Deny
When organizations set up network infrastructure they quite often start from a Default Permit policy and then close the ports they know they don't need. That sounds reasonable, but in practice the ports nobody thought about stay open and become an avenue of attack. This is the first thing you can change to make your organization more secure: adopt a Default Deny policy instead. Look at your current firewall configuration and ask yourself whether you truly need port 3306 open so that MySQL is reachable from the Internet. Most of the time the answer is no, because your application server talks to the MySQL server over the internal network. Go through the firewall configuration and ask the same question of every port that allows ingress; odds are you only need two or three. The second half of Default Deny, and the one most often overlooked, is the egress rules. For each machine on your internal network, ask yourself these questions:
- Can the machine connect to external websites without going through your proxy?
- Can it negotiate SSL/TLS versions that you have not explicitly permitted?
- Can it send traffic that does not adhere to the RFC/Protocol?
- Can it query external DNS servers?
- Does the machine even need to be able to communicate outside of your private LAN?
When setting up a network it is better to start from a deny-everything standpoint for both ingress and egress, and then add permissions only for what has been identified as mission critical. This ensures that only the bare minimum of communication with the Internet is in place, which greatly reduces the organization's attack surface and raises the effort required of any malicious actor.
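As an added example (not from the article), here is what the ingress and egress checklist above looks like as a host-level nftables ruleset on a Linux web or application server. The addresses are assumptions chosen for the example: 10.0.1.0/24 is the management network, 10.0.0.10 is the internal web proxy on port 3128, and 10.0.0.53 is the internal DNS resolver that also serves NTP. Note which checklist items a packet filter can enforce (who talks to whom, on which port) and which it cannot: TLS-version and protocol-conformance checks have to be done at the proxy or an IDS.

```shell
#!/bin/sh
# Added example: a host-level nftables ruleset that applies Default Deny to
# ingress AND egress. Assumed addresses, not from the article:
#   10.0.1.0/24  management network, the only source allowed to SSH in
#   10.0.0.10    internal web proxy listening on 3128
#   10.0.0.53    internal DNS resolver, which also serves NTP
# Everything not listed is dropped and (rate-limited) logged.

write_default_deny_ruleset() {
    cat > "$1" <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

define mgmt_net = 10.0.1.0/24
define proxy    = 10.0.0.10
define resolver = 10.0.0.53

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        # Administration only from the management network
        ip saddr $mgmt_net tcp dport 22 accept
        # The service this host exists to provide
        tcp dport { 80, 443 } accept
        # Deliberately no rule for MySQL (3306): the database is reached by
        # the application tier on the internal network, never from outside.
        limit rate 10/minute log prefix "nft-in-drop " counter
    }

    chain forward {
        # This host does not route; nothing may pass through it.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Web egress only through the proxy: no direct 80/443 to the Internet
        ip daddr $proxy tcp dport 3128 accept
        # DNS and NTP only to the internal resolver, never to external servers
        ip daddr $resolver udp dport { 53, 123 } accept
        ip daddr $resolver tcp dport 53 accept
        icmp type echo-request accept
        limit rate 10/minute log prefix "nft-out-drop " counter
    }
}
EOF
}

# Syntax-check with nft when it is installed; otherwise fall back to checking
# that all three chains really carry a drop policy, so the script still runs
# on a machine without nftables.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    else
        [ "$(grep -c 'policy drop;' "$1")" -eq 3 ]
    fi
}

# Usage: generate, check, then load as root with `nft -f <file>`.
out="${TMPDIR:-/tmp}/default-deny.nft"
write_default_deny_ruleset "$out"
check_ruleset "$out" && echo "ruleset written to $out (load with: nft -f $out)"
```

The important design choice is that the output chain has `policy drop` too: a compromised process on this host cannot fetch a second stage over a direct HTTPS connection or exfiltrate over DNS to an attacker-controlled resolver, because neither path is listed. The rate-limited log rules at the end of each chain are what tell you which legitimate flow you forgot.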
Basics Two: Network Segmentation
Once the necessary communications for an organization's assets have been identified, the next step is to segment machines into separate private LANs or VLANs. Grouping hosts by what they need to talk to makes the external firewall easier to configure and lets you start applying Default Deny between the internal segments as well; Default Deny does not stop at the Internet edge. Segmentation also makes it harder for a malicious actor who has gained a foothold on your internal network to pivot to critical systems. For example, you may have a web server, user workstations, and a Domain Controller. Now presume a malicious actor uses the latest vulnerability to compromise the web server. With the workstations, the Domain Controller and the web server on separate subnets, you have made it far more difficult for the attacker to move from the web server to the Domain Controller and thereby gain administrative access: they must first cross a segment boundary, which is much harder when Default Deny is in place between segments.
Basics Three: Access Control Lists
Access Control Lists (ACLs) are the last of the three basics. ACLs control who has access to what; the concept applies to Default Deny policies, to communication between network segments, and to user permissions. The sign of a good ACL is that it applies Default Deny to every part of your environment. Taking Default Deny a step further on your edge devices, such as the firewall, configure ACLs to block known-bad IP blocks. Does your company deal with China? No? Block all the IP blocks assigned to China. Do you have any need for Ukrainian traffic? If not, block it. It is much better hygiene to block whole IP blocks and allow individual exceptions for business partners or clients than to leave everything open so that one company can communicate with your network. Two caveats: country-level blocking is coarse (attackers readily rent infrastructure in countries you do allow, so it cuts noise rather than stopping a determined adversary), and address allocations change, so the lists must be refreshed from a maintained source rather than typed in once.
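The following added example (not from the article) serves both the segmentation section and the ACL discussion above: an nftables ruleset for the router that sits between three segments and the Internet. The forward chain is Default Deny between segments, and the Internet-facing chains apply a block list with a partner exception set that is consulted first. The layout is assumed for the example: wan0 is the uplink, vlan10 is a DMZ holding the web server 10.10.10.80, vlan20 holds user workstations 10.10.20.0/24, and vlan30 holds the Domain Controller 10.10.30.5, the web proxy 10.10.30.10 and an admin jump host 10.10.30.20. The block-list elements are RFC 5737 documentation prefixes standing in for the country and known-bad aggregates you would load from a maintained GeoIP or threat feed.

```shell
#!/bin/sh
# Added example: nftables ruleset for the router between three segments and
# the Internet. Assumed layout, not from the article:
#   wan0    Internet uplink
#   vlan10  DMZ: web server 10.10.10.80
#   vlan20  user workstations 10.10.20.0/24
#   vlan30  servers: domain controller 10.10.30.5, web proxy 10.10.30.10,
#           admin jump host 10.10.30.20
# Block-list elements are RFC 5737 documentation prefixes, placeholders for
# the real aggregates you would load from a GeoIP/threat feed.

write_segmented_ruleset() {
    cat > "$1" <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

define web   = 10.10.10.80
define users = 10.10.20.0/24
define dc    = 10.10.30.5
define proxy = 10.10.30.10
define jump  = 10.10.30.20

table inet edge {
    set blocked_blocks {
        type ipv4_addr
        flags interval
        elements = { 198.51.100.0/24, 203.0.113.0/24 }
    }
    set partner_exceptions {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.40 }
    }

    # Exceptions first, then the block list; anything else returns to the caller.
    chain geoblock {
        ip saddr @partner_exceptions return
        ip saddr @blocked_blocks counter drop
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        iifname "wan0" jump geoblock
        # The firewall itself is managed only from the jump host
        iifname "vlan30" ip saddr $jump tcp dport 22 accept
        limit rate 10/minute log prefix "edge-in-drop " counter
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "wan0" jump geoblock

        # Internet -> DMZ web server: the only inbound flow
        iifname "wan0" oifname "vlan10" ip daddr $web tcp dport { 80, 443 } accept

        # Workstations -> domain controller: DNS, Kerberos, LDAP, SMB, RPC
        iifname "vlan20" oifname "vlan30" ip saddr $users ip daddr $dc tcp dport { 53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269, 49152-65535 } accept
        iifname "vlan20" oifname "vlan30" ip saddr $users ip daddr $dc udp dport { 53, 88, 123, 389, 464 } accept

        # Workstations and the web server reach the web only via the proxy ...
        iifname { "vlan10", "vlan20" } oifname "vlan30" ip daddr $proxy tcp dport 3128 accept
        # ... and the proxy is the only host with direct web egress
        iifname "vlan30" oifname "wan0" ip saddr $proxy tcp dport { 80, 443 } accept

        # Jump host -> DMZ for administration
        iifname "vlan30" oifname "vlan10" ip saddr $jump ip daddr $web tcp dport 22 accept

        # No rule lets vlan10 initiate to the domain controller or to vlan20,
        # so a compromised web server has no path to the DC.
        limit rate 10/minute log prefix "edge-fwd-drop " counter
    }
}
EOF
}

# Usage: write the file, syntax-check it with nft where nft is installed,
# then load as root with `nft -f <file>`.
out="${TMPDIR:-/tmp}/edge.nft"
write_segmented_ruleset "$out"
if command -v nft >/dev/null 2>&1; then nft -c -f "$out"; fi
echo "ruleset written to $out"
```

Two points worth checking in your own rulesets against this one. First, the exception set is tested before the block set inside `geoblock`, which is the "block the range, allow the partner" ordering the text recommends; reversing those two lines silently cuts the partner off. Second, the only rule with vlan10 as an ingress interface is the proxy rule, so the attacker on the web server in the worked example can reach the proxy and nothing else internal; every other pivot attempt lands in the `edge-fwd-drop` log.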
Another place where ACLs matter is user permissions. The widely recognized principle here is Least Privilege, which this article calls "Least Permissions": give users only the bare minimum permissions needed to perform their business functions. Members of your sales team do not need administrative access to their own computers; that just makes it easier for a malicious actor who compromises one of those machines to gain access to your company network. Bob from Accounting does not need administrative access to the firewall. In fact, he doesn't need access to it at all. The goal with Least Permissions is to analyze what access each role needs to do its job, group users by the permissions they need, and create ACLs specific to each group rather than to individuals. The specific implementation depends on the systems your organization uses. In Windows-based enterprise networks a very common technique is proper configuration of Group Policy Objects (GPOs). That makes it so that, for example, your CEO cannot install software that is not approved or necessary for the CEO's job, which reduces the risk of malware getting onto the CEO's computer by masquerading as the photo-viewing program they like to use when backing up vacation photos.
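As an added example (not from the article), here is the group-based Least Permissions pattern described above applied on a Linux host, the equivalent of the GPO route on Windows. The groups are assumptions for the example: sales and accounting are ordinary users, netops may reload and inspect the firewall ruleset and nothing else, and sysadmin has full administrative rights. Rights are granted only to groups, never to a named user, and a group that is not mentioned gets nothing, which is Default Deny applied to privilege.

```shell
#!/bin/sh
# Added example: Least Permissions as group-scoped ACLs on a Linux host.
# Assumed groups, not from the article:
#   sales, accounting  ordinary users, no administrative rights
#   netops             may inspect and reload the firewall ruleset only
#   sysadmin           full sudo
# Nothing here names an individual user; rights come only through a group.

write_sudoers_fragment() {
    cat > "$1" <<'EOF'
# Assumed file: /etc/sudoers.d/10-groups
# Default Deny: a group that is not listed has no sudo at all, so sales and
# accounting do not need to be mentioned to be denied.
Cmnd_Alias FIREWALL = /usr/sbin/nft list ruleset, /usr/sbin/nft -f /etc/nftables.conf
%netops   ALL=(root) NOPASSWD: FIREWALL
%sysadmin ALL=(ALL:ALL) ALL
EOF
    # sudo refuses fragments that are world-readable or writable
    chmod 0440 "$1"
}

# The ruleset file itself is an ACL too: root owns it, netops may read it,
# everyone else (Bob from Accounting included) cannot even see it.
lock_down_ruleset_file() {
    chown root:netops "$1" 2>/dev/null || true   # group may not exist on a lab box
    chmod 0640 "$1"
    ls -l "$1" | cut -c1-10
}

# Usage: write the fragment to a scratch location, validate it with visudo
# when running as root (visudo -c also checks owner and mode), then install it.
frag="${TMPDIR:-/tmp}/10-groups"
write_sudoers_fragment "$frag"
if command -v visudo >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    visudo -c -f "$frag"
fi
echo "sudoers fragment written to $frag"
```

The `Cmnd_Alias` is the part that does the work: netops can apply the one approved ruleset file and list the live one, but cannot run `nft` with arbitrary arguments, so an account in that group cannot be used to flush the ruleset or open an extra port. Changing what a role may do means editing one alias, not hunting through per-user entries.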
Basics: Conclusion
Organizations do not always need to spend thousands of dollars on the newest security product to keep themselves secure. By going back to the basics, they can greatly improve their overall security posture by properly implementing security controls in the software and hardware they already have. By moving from a Default Permit to a Default Deny policy, an organization prevents unwanted communication between systems, both internally and externally. Network segmentation reduces the risk of lateral movement by malicious actors and of accidental exposure of systems that are not supposed to be externally accessible. And through ACLs that follow the Least Permissions principle, organizations reduce the risk of user error leading to a data breach and raise the effort required of any attacker who wishes to attack their systems. Proper use of these three concepts can greatly improve an organization's security posture and reduce both the likelihood and the impact of a cybersecurity incident.