Best IT Security Practices and Architectural Considerations - My 2 Cents

Latest Sensational Find in IT Security Industry: Fileless attacks against enterprise networks

Source: https://securelist.com/blog/research/77403/fileless-attacks-against-enterprise-networks/

Always dig deeper... Memory dumps and even egress traffic monitoring, using tools that take random packet captures, can help, as it is common practice to monitor only ingress traffic and not egress in a server network.

Opening outbound network connections from critical servers should be restricted and well monitored using real-time alerting mechanisms.
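As an added illustration of the egress restriction and alerting advised above (example code written for this edit, not from the original post), the following Python script parses a constructed sample of iptables LOG lines for new outbound connections from a database server and flags every destination that is not on that server's egress allowlist. The hostnames, addresses, the "EGRESS:" log prefix and the 10.0.0.0/8 corporate range are all hypothetical.

```python
import re
import ipaddress

# Constructed sample of kernel log output produced by an iptables rule such as
#   iptables -A OUTPUT -m conntrack --ctstate NEW -j LOG --log-prefix "EGRESS: "
# on a hypothetical database server db01 (10.0.1.20). Not real traffic.
SAMPLE_LOG = """\
Mar 10 09:12:01 db01 kernel: EGRESS: IN= OUT=eth0 SRC=10.0.1.20 DST=10.0.1.5 PROTO=UDP SPT=51234 DPT=53
Mar 10 09:12:05 db01 kernel: EGRESS: IN= OUT=eth0 SRC=10.0.1.20 DST=10.0.1.10 PROTO=TCP SPT=40112 DPT=514 SYN
Mar 10 09:13:40 db01 kernel: EGRESS: IN= OUT=eth0 SRC=10.0.1.20 DST=203.0.113.7 PROTO=TCP SPT=43210 DPT=4444 SYN
Mar 10 09:14:02 db01 kernel: EGRESS: IN= OUT=eth0 SRC=10.0.1.20 DST=10.0.1.30 PROTO=TCP SPT=43211 DPT=445 SYN
"""

# Egress allowlist per critical server: (destination, protocol, port) tuples.
# Here the database server may only reach internal DNS and the syslog collector.
ALLOWED_EGRESS = {
    "10.0.1.20": {("10.0.1.5", "UDP", 53), ("10.0.1.10", "TCP", 514)},
}
# Hypothetical corporate address space; anything outside it is rated higher.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Return the KEY=VALUE fields of an iptables LOG line as a dict."""
    return dict(FIELD_RE.findall(line))


def classify(fields):
    """Return an alert dict for a non-allowlisted connection, else None."""
    src, dst, proto = fields.get("SRC"), fields.get("DST"), fields.get("PROTO")
    dpt = int(fields["DPT"]) if fields.get("DPT") else None
    if src not in ALLOWED_EGRESS or dst is None:
        return None  # not a monitored critical server, or unparsable line
    if (dst, proto, dpt) in ALLOWED_EGRESS[src]:
        return None  # expected traffic
    internal = any(ipaddress.ip_address(dst) in net for net in INTERNAL_NETS)
    return {"src": src, "dst": dst, "proto": proto, "dport": dpt,
            "severity": "medium" if internal else "high"}


def find_egress_alerts(log_text):
    """Scan log text and collect alerts for unexpected outbound connections."""
    alerts = []
    for line in log_text.splitlines():
        if "EGRESS:" in line:
            alert = classify(parse_log_line(line))
            if alert:
                alerts.append(alert)
    return alerts


for a in find_egress_alerts(SAMPLE_LOG):
    print(f"[{a['severity']}] {a['src']} -> {a['dst']}:{a['dport']}/{a['proto']}")
```

In a real deployment the alert list would be pushed to the alerting system rather than printed, and the allowlist would be generated from the same source of truth as the firewall rules so that the two do not drift apart.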

There should also always be a service layer between the externally exposed web services and the database servers, where proper input validation and sanitization is present to avoid interpreter-based attacks (XSS, SQL and command injection).

Always maintain very tight network security at the individual server level, using strong ACLs to control which clients can establish TCP connections to critical resource servers like database servers. One can always use the built-in iptables on any *nix server. (Please refer to UFW, the Uncomplicated Firewall, for Debian-based servers and firewalld for RH-based servers.)

Sensitive data like passwords and PII-related information should be properly hashed, using methods like bcrypt (which is based on the Blowfish key schedule) rather than a symmetric encryption algorithm, when storing it in databases.

Try designing your database architecture in such a way that not all the sensitive information is stored on a single database server.

Try using session tokens that are rotated in a timely manner, and ensure that proper server-side session validation and timeouts are present.

When setting up SSH logins, ensure that every user authenticates using an RSA key plus an alphanumeric password, and store the RSA keys using Git encryption methods like git-crypt, so that even if the RSA keys are stolen the attacker still has to go through two steps of authentication in the case of a Git breach and one step in the case of a server breach before the keys can be used to travel further through the network from one server to another. One basic way of avoiding service discovery bots on your SSH service is to use a custom port rather than the standard TCP port 22, but this is just the start: there are sophisticated service discovery bots that can map custom ports and detect the service running on them. Fail2Ban is a very good solution for detecting SSH-based attacks from bots when configured the right way!

Always follow best coding practices in terms of security. Refer to the OWASP Secure Coding Practices.

OWASP also has a very good, exhaustive list of what the ideal approach should be regarding any kind of security incident, along with best practices.

Using a well-tuned and maintained web application firewall is a very good practice in order to avoid and block many sophisticated method-based attacks from external requests or internal server-to-server calls. Some of the well-known and maintained open-source web application firewalls are ModSecurity and NAXSI.

I shall soon be publishing more articles on how we can protect our applications in the cloud against DoS and DDoS attacks and bad bots, and on monitoring, alerting and analyzing our captured traffic logs using an Elasticsearch-based infrastructure.

That's all I can think of at the time of writing this article; we can of course do a very deep analysis and fine-tuning based on individual cases.
