10 Commandments for securing Infra
Security is a key concern for any digital company, and when circumstances are unusual it becomes supremely important. It is important to keep running at optimum levels during the lockdown while our employees are working from remote locations, and it is equally important to ensure that things keep working when they return to the office.
We at Dailyhunt took some extra steps to ensure that our infrastructure and data are secured during the lockdown and after it as well. Here is a summary of a few key steps:
- Device Distancing
  - We are all practicing social distancing, and at Dailyhunt we are also practicing Device Distancing. What it means is that no end user device may connect to any other end user device over Wi-Fi or LAN. The benefit of this strategy is that even if one end user device is compromised or infected, it cannot spread the infection to other devices.
  - However, end user devices need to connect to many servers, so it is critical that all the servers are protected from threats using an advanced Threat Protection solution.
- Server Isolation
  - Just like in real life, it is important that your servers are isolated from the rest of the devices, in an isolated environment, i.e. a DMZ.
  - A DMZ alone may not protect your servers if unused or unnecessary ports are open and vulnerable services are running on them. Restrict the ports so that only those which are absolutely necessary stay open.
  - Run regular scans of your network to check whether any unwanted ports are open. You may use Nmap or Nessus for this.
- Deploy an IDS/IPS solution
  - This will help you ensure that no system files are changed by unknown processes or users, and that no ports are opened or closed without an appropriate reason. It lets you react faster than periodic scans would. Wazuh, SIEMonster and AlienVault are a few free/open source solutions for this purpose.
- Patch Management
  - Even if only the necessary ports are open, your systems may not be secure if the applications behind them are running insecure, old or vulnerable versions. Centralizing patch management helps mitigate such issues. Ansible with Jenkins is a good, free and open source solution for this part.
  - Don’t forget to update the firmware of your network devices such as routers, switches, access points, etc.
- Migration of services from vulnerable to less vulnerable systems
  - Windows as an OS has been more vulnerable to threats than other operating systems. Check which services are running on your Windows servers and migrate them to Linux based operating systems. A few examples are DNS, DHCP and Network Policy Server. You may use BIND, DHCPD or a RADIUS server on Linux to replace the corresponding Windows based services.
- Shut down services that are not required during the lockdown
  - Are there any services, on-prem or in the cloud, that are not accessed by employees or required during the lockdown? If so, consider shutting them off to reduce the attack surface.
- Train the team
  - This is the best time to train your teams to take a security-oriented approach in everything they do. Find free courses online, conduct hands-on sessions and connect them with industry experts.
- Vulnerability Scans/Pen Tests
  - Scan your network for vulnerabilities and patch them ASAP. There are many free/open source solutions available for this purpose, e.g. Nmap and Nessus.
  - Don’t forget to keep an eye on your syslog server to analyze and catch threats in time.
- Endpoint Protection Solutions
  - Investing in an advanced EPP solution seems like a very expensive idea. To decide whether it is worth it, assume that 10% of your systems are encrypted by ransomware: what would you need to do to get them back? The answer will come to you quickly. There are many advanced solutions on the market; pick and choose based on your threat model and budget.
- Data Backup
  - No device is 100% secure, so disasters may happen. What matters is recovering from them as soon as possible. Therefore, data backups are your last line of defense. Get your employees’ data backed up to the cloud, and get your server and network data backed up as well.
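As an added example (not part of the original post), the script below turns the advice under Server Isolation and Vulnerability Scans, to scan regularly for unwanted open ports, into a repeatable check: it parses Nmap's grepable (-oG) output and reports every open port that is not on a per-host allowlist of ports that are supposed to be open. The host addresses, the allowlist and the embedded scan output are constructed sample values.

```python
"""Check Nmap grepable (-oG) output against a per-host allowlist of open ports."""
import re
import subprocess
from typing import Dict, List, Set

# Expected open ports per host; hosts and ports are assumed sample values.
ALLOWLIST: Dict[str, Set[str]] = {
    "10.0.0.10": {"22/tcp", "443/tcp"},           # web server in the DMZ
    "10.0.0.53": {"22/tcp", "53/tcp", "53/udp"},  # BIND resolver
}

# Matches confirmed-open entries of the "Ports:" field (port/state/proto/...).
OPEN_PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)/")

def parse_gnmap(text: str) -> Dict[str, Set[str]]:
    """Return {host: {"port/proto", ...}} for every port Nmap reports as open."""
    found: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # skips comment lines and "Status: Up" lines
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        for port, proto in OPEN_PORT_RE.findall(ports_field):
            found.setdefault(host, set()).add(f"{port}/{proto}")
    return found

def unexpected_ports(scan: Dict[str, Set[str]], allow: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Open ports not on the host's allowlist; a host absent from the allowlist is fully unexpected."""
    extra = {host: ports - allow.get(host, set()) for host, ports in scan.items()}
    return {host: ports for host, ports in extra.items() if ports}

def scan_hosts(targets: List[str]) -> Dict[str, Set[str]]:
    """Run nmap (must be installed) over all TCP ports and parse its -oG output."""
    proc = subprocess.run(["nmap", "-p-", "-oG", "-", *targets],
                          capture_output=True, text=True, check=True)
    return parse_gnmap(proc.stdout)

# Constructed sample of nmap -oG output, not a real scan.
SAMPLE_GNMAP = (
    "Host: 10.0.0.10 ()\tStatus: Up\n"
    "Host: 10.0.0.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, "
    "3306/open/tcp//mysql///\tIgnored State: closed (997)\n"
    "Host: 10.0.0.53 ()\tPorts: 22/open/tcp//ssh///, 53/open/tcp//domain///, 53/open/udp//domain///\tIgnored State: closed (997)\n"
    "Host: 10.0.0.77 ()\tPorts: 445/open/tcp//microsoft-ds///, "
    "3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)\n"
)

if __name__ == "__main__":
    for host, ports in sorted(unexpected_ports(parse_gnmap(SAMPLE_GNMAP), ALLOWLIST).items()):
        print(f"{host}: unexpected open ports {sorted(ports)}")
```

Feed `scan_hosts()` the DMZ ranges from a scheduled job and alert on a non-empty result; a host that appears in the scan but not in the allowlist is reported in full, which also catches machines that should not be reachable at all.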