Computer Security & Maintenance Self-Assessment

The following is a computer systems security and maintenance self-assessment that organizations of all sizes can use to test their overall security strategy. Most of this list also applies to residential scenarios. Items specific to HIPAA or PCI environments are noted.

This is not an exhaustive list for verifying HIPAA or PCI compliance; it is intended as an overview in terms that most business decision makers will understand.

The QPC website has many articles where you can find solutions to any strategy deficiencies revealed to you through use of this assessment. Review the Podcasts area or use the search bar to find articles and podcasts pertinent to the subjects you are interested in learning more about.

 


Perimeter Security Appliances / Firewall: hardware

A stateful packet inspection (SPI) firewall alone at the perimeter is no longer an effective paradigm. SPI only sees addresses, ports and connection state, and most modern threats arrive inside connections it has to allow anyway (web browsing, email, TLS), so it does nothing to stop them.

The only affordable yet effective paradigm today starts with a fully featured, properly configured and actively maintained perimeter security appliance (content inspection, IPS, web and DNS filtering, logging). In the small to medium enterprise, that device will often also be the core router, which allows security policy and logging to be applied per subnet.

If the organization is required to comply with HIPAA or PCI, then DLP protections may be required at the network layer. It is typical to implement DLP controls at the following layers:

  • Inside of Office 365 using Trend Micro's Cloud App Security
  • Inside of Office 365 natively assuming that the licensing has that feature. Not all Office 365 plans include DLP or encryption capabilities.
  • Inside of any cloud file transfer or messaging service such as OneDrive for Business, Skype for Business, or Dropbox Business
  • Optionally at the host-based security agent level
  • At the network layer

Typically, organizations will want services such as Trend Micro's Cloud App Security to protect their cloud assets and email from advanced threats such as ransomware and other malware. A quality security product often bundles several of these protections for the same price; the caveat is that they only help when they are actually enabled and configured.

When architecting strategies for protecting against breaches, one must be very clear about which control has visibility into a given attack vector in a given scenario. A perimeter security appliance can only protect traffic it can see; a laptop on home Wi-Fi or a mobile network is outside its view. As a result, organizations may opt to buy a bundle such as Trend Micro Smart Protection Complete, which allows for the optional enhanced security agent on their systems even when the systems are not at the workplace.

Security appliances can provide excellent protection to remote devices as long as the user of that device consistently establishes a full-tunnel (force-tunnel) SSL VPN session to the network protected by the security appliance. A split-tunnel VPN does not provide this protection, because the device's internet traffic bypasses the appliance.

The goal is to block malicious content BEFORE it gets to the endpoint (computer, server, mobile device). Reactive strategies are no longer viable.

While a quality host-based security product will usually block and stop propagation of malware, the malware can still do damage in the milliseconds between execution and blocking. This has been seen many times since 2016.

Therefore, perimeter security appliances are essential even in residential settings to defend against current threats.

Firewall: host-based

  • Host-based firewall solutions should be advanced and capable of full stateful packet inspection with deep inspection of the packets (IDS/IPS signature matching), not just port and address filtering. This is often referred to as Advanced Firewall.
  • Organizations that wish to have application control at the host level will use a host-based security client that includes that capability. Doing so ensures that staff are not able to copy organizational data to unauthorized destinations such as Dropbox.
  • Poorly written business applications can often be incompatible with these advanced firewall inspection techniques. These poorly programmed systems are primarily found in the healthcare industry. Care must be taken to provide adequate network traffic protection (for example, on the perimeter appliance or a dedicated VLAN) to systems where advanced firewalling cannot be used at the host level.
  • The built-in Windows Firewall should always be enabled and configured by policy, even on standalone machines that are not domain members. Trend Worry-Free Business Security Advanced firewall has additional features, and the two coexist extremely well; QPC has been using both together with success for over 10 years.
  • If you get software application support from a software vendor such as a POS system provider, be very careful to set the Windows Firewall by policy: most POS vendor support techs will disable the firewall while troubleshooting and then never re-enable it. It is best to simply find out from them what ports and protocols they need rules set up for, set those rules in policy, and then know the settings are correct (and will be re-applied if someone changes them locally). Remember that PCI compliance is the organization's responsibility, NOT the POS vendor's responsibility.
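The following is an added example (not code from the original article or from QPC) of what "configured by policy, with only the vendor's documented rules" looks like on a Windows host, plus the drift check a management server would run afterward. The vendor server 192.168.10.50, TCP port 8443, the ticket placeholders and the GPO name are assumptions; substitute what the POS or practice-management vendor actually documents.

```powershell
# Added example, not from the original article: put the built-in Windows
# Firewall into the state the checklist describes and prove it stayed there.
# Placeholders: the vendor server 192.168.10.50, TCP 8443 and the GPO name are
# assumptions; substitute what the POS / practice-management vendor documents.
#Requires -RunAsAdministrator

# 1. All three profiles on, inbound blocked by default, dropped packets logged.
#    Add  PolicyStore = 'corp.example.com\POS-Firewall'  to the hashtable to
#    write into a domain GPO instead of the local store (GPO name is a placeholder).
$profileSettings = @{
    Profile               = @('Domain', 'Private', 'Public')
    Enabled               = 'True'
    DefaultInboundAction  = 'Block'
    DefaultOutboundAction = 'Allow'
    LogBlocked            = 'True'
    LogMaxSizeKilobytes   = 32767
}
Set-NetFirewallProfile @profileSettings

# 2. One rule per documented vendor requirement, scoped to the vendor's own
#    host. Remove-then-add makes the script safe to re-run from the policy engine.
$ruleName = 'POS vendor - back office to terminal (TCP 8443)'
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

$rule = @{
    DisplayName   = $ruleName
    Direction     = 'Inbound'
    Protocol      = 'TCP'
    LocalPort     = 8443
    RemoteAddress = '192.168.10.50'      # never 'Any' just because the vendor asked for it
    Action        = 'Allow'
    Profile       = @('Domain', 'Private')
    Description   = 'Vendor ticket <number>, reviewed <date>'   # placeholders
}
New-NetFirewallRule @rule | Out-Null

# 3. Drift check for the management server: a profile that is off, or that
#    allows inbound by default, is exactly the state a support tech leaves behind.
function Test-FirewallBaseline {
    $bad = Get-NetFirewallProfile | Where-Object {
        $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block'
    }
    if ($bad) {
        $bad | Select-Object Name, Enabled, DefaultInboundAction |
            Format-Table -AutoSize | Out-String | Write-Warning
        return $false
    }
    return $true
}

# 4. Allow rules created locally (not by Group Policy) and without a Group, which
#    Windows' own built-in rules always carry, are hand-made and deserve review.
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { $_.PolicyStoreSourceType -eq 'Local' -and -not $_.Group } |
    Select-Object DisplayName, Profile, Description |
    Format-Table -AutoSize

if (-not (Test-FirewallBaseline)) { exit 1 }   # non-zero exit is what the management server alerts on
```

Scheduling this from the management server (or letting Group Policy re-apply it) is what makes the "then never re-enable it" problem self-correcting: the next run restores the baseline and the non-zero exit code tells you it had to.
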

Wireless security

  • Org-owned and managed assets on wireless should be on a trusted wireless subnet that is able to communicate with other trusted subnets, but all of that traffic should be logged to a SIEM server.
  • Guest devices should be on a completely isolated wireless network that enables those devices to interact only with assets on the internet and not with each other. As a result, the guest wireless must not be set up like a DMZ or optional network, but as a fully custom zone with station (client) isolation. Full SIEM logging of that wireless traffic is also required.
  • The network must be designed in such a way as to allow the security appliance to have full visibility into all wireless traffic, to secure it, filter it, and log it. This means that the VLANs associated with wireless cannot exist exclusively in a switch stack, but must originate from the security appliance and simply be extended into the switches. Larger organizations that can afford to have the security appliance capabilities on the switches themselves can put the VLANs exclusively on the switches; however, the cost profile of that solution is typically one that only Fortune 500 companies and up can afford, so it is not practical for SME.
  • HIPAA and PCI mandate wireless segmentation, security controls, and logging of traffic. Therefore, the org must either have its own SIEM logging solution or contract for that service.
  • The SIEM server should be set up to send at least weekly reports to key individuals.

Host-based security

A host-based security product travels with the device. If a laptop has Trend Worry-Free Business Security client installed, then that client goes wherever that laptop goes. This offers sophisticated protection even when the laptop is not behind a secure hardware-based perimeter security appliance.

Security agents must be installed on all servers. Technicians who claim that security agents should not be installed on servers are unaware of the techniques (scan exclusions, scan scheduling, and per-application tuning) that let the agent protect the system while still allowing special applications such as SQL Server to perform as expected.

A good host-based security product offers these features:

  • unload/uninstall password to prevent malware from uninstalling/unloading the client
  • web content filter
  • ability to define AV scan exceptions
  • ability to define and customize web content filtering including exceptions
  • advanced firewall with IDS, notifications, and exceptions
  • web reputation filtering
  • behavior monitoring and action
  • anti-ransomware features
  • device control (specifically blocking USB flash drives from autorun)
  • AV scanning of POP3 traffic
  • scan for and remove adware/malware-related cookies
  • logging and centralized monitoring (ABSOLUTELY required for HIPAA and PCI)

Remember that the goal is to block malicious content BEFORE it gets to the endpoint (computer, server, mobile device). Reactive strategies such as attempting to clean up the system after a breach are no longer viable. The only clean up approaches that are effective are full system restores from prior system images, or full rebuilds from scratch where partitions were wiped and possibly firmware on hard drives was reflashed.

Web content filtering

Web content filtering should be comprised of three layers on any secure network.

  1. DNS-based blocking of disallowed domain names
  2. Perimeter web-content filtering via http and https proxy filters, application control, IPS filtering
  3. Host-based security software web content filtering

Patch management

Security patches for software on computers should be installed within 48 hours of their public release.

An organization or individual needs to have in place:

  • A system for rapidly testing and deploying patches to systems
  • A system for inventorying the installed version of software for quality control and audit purposes
  • A system for ensuring that all applications that could be cause for a systems breach are patched in a timely fashion (Adobe Reader, Java, browser plugins and extensions, browsers, email clients, and any other software that interacts with internet resources)
  • HIPAA and PCI both have requirements that endpoints must be fully patched within a certain time of the patch's release from the software vendor. Effectively, if there is not a system in place to deploy these patches in a timely fashion and PROVE by report/audit that all of the systems are patched, then the organization cannot be deemed compliant.

QPC provides patch management and proactive maintenance services to clients under systems management contract.
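As an added example (not code from the original article or from QPC's management platform), here is the per-machine evidence the patch-management bullets call for: when the host last received an OS update and which internet-facing applications are present at which version. The watched-application list, the 35-day staleness threshold and the C:\Audit output folder are assumptions to replace with your own values.

```powershell
# Added example, not from the original article: the kind of evidence a
# HIPAA / PCI audit asks for - when this machine last received an OS update,
# and which internet-facing applications are present at which version.
# Assumptions: the watched-application list, the 35-day staleness threshold
# and the C:\Audit output folder are placeholders for your own values.

$StaleAfterDays = 35     # assumption: no OS patch in 35 days means a monthly cycle was missed
$WatchedApps    = 'Adobe Acrobat', 'Adobe Reader', 'Java', 'Google Chrome', 'Mozilla Firefox'

function Get-PatchStatus {
    # Get-HotFix only sees updates registered as QFE entries (OS updates); it
    # knows nothing about third-party software, hence Get-WatchedSoftware below.
    # Proving the 48-hour SLA also needs the vendor release date, which lives in
    # the WSUS / patch-management reports, not on the endpoint.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    $ageDays = if ($latest) { ((Get-Date) - $latest.InstalledOn).Days } else { $null }
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        LastHotFixID    = if ($latest) { $latest.HotFixID } else { 'none' }
        LastInstalledOn = if ($latest) { $latest.InstalledOn } else { $null }
        AgeDays         = $ageDays
        Stale           = ($null -eq $ageDays) -or ($ageDays -gt $StaleAfterDays)
    }
}

function Get-WatchedSoftware {
    # Both the 64-bit and the 32-bit uninstall hives, so 32-bit plugins are not missed.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Where-Object {
            $name = $_.DisplayName
            @($WatchedApps | Where-Object { $name -like "$_*" }).Count -gt 0
        } |
        Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } },
                      DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName
}

# Write date-stamped CSVs; the management server collects them, and a machine
# missing from the roll-up is itself a finding.
$out = 'C:\Audit'
New-Item -ItemType Directory -Path $out -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd'
Get-PatchStatus     | Export-Csv -NoTypeInformation -Path (Join-Path $out "patch-status-$stamp.csv")
Get-WatchedSoftware | Export-Csv -NoTypeInformation -Path (Join-Path $out "software-$stamp.csv")
```

The two functions answer the two audit questions separately on purpose: "is the OS current" comes from the QFE list, while "is Adobe Reader or Java still at a vulnerable version" can only come from the software inventory, because those products never show up in Get-HotFix.
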

Backups

  • Ability to restore data from a variety of types of disasters
  • Ability to perform bare metal restore on servers WITHOUT reinstallation of OS or backup client software
    One must think very carefully about how many steps must be completed PRIOR to being able to START the final recovery process.
  • Ability to restore the smallest component necessary
    For instance, if you only need to restore a DHCP database or configuration, then you should have backups in place to restore just DHCP. You would not restore a whole server just to get the DHCP configuration back.
  • Applications should be backed up using the backup tools native to the application.
  • Your back up strategy should be designed to minimize the time consumed by actions that must be taken prior to starting a restore.
    For instance, it would be catastrophically bad to use backup software for server imaging that required the manual reinstall of the OS and backup agent software prior to being able to start a server restore.
    It would be much wiser to use imaging software.
  • Data must be organized.
    You can't back up data that you don't know where it is. So data that you care about should be in an organized and centralized location to make the back up process efficient and easy to monitor.
  • Access to offsite recovery media in a timely fashion must be considered.
    It is catastrophically bad to rely on an offsite backup mechanism that involves a download speed of less than 100 Mbps over an internet connection, waiting for a hard drive to arrive via courier, or an intermediary that cannot guarantee 24x7 availability.
    As a result, it is often most effective for organizations to have two facilities and BE their own offsite storage location.
  • HIPAA requires that any backups containing PII or PHI be encrypted at rest and in transit.

Hard drive monitoring and maintenance

Hard drive maintenance on spinning disks can normally be achieved by running "defrag c: -v" from a command line on Windows systems. Optimization requires Diskeeper. Do not run a classic defragment on an SSD; Windows' built-in Optimize Drives recognizes SSDs and issues TRIM instead, and that is what should run on those volumes.

Monitoring requires the use of S.M.A.R.T. Checking it once is not enough: the values must be polled on a schedule and alerts raised when the drive's own failure prediction flips or the error counts start climbing.
For systems managed by QPC, all of these functions are automatically handled by the management server.
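As an added example (not code from the original article or from QPC's management server), this is the scheduled disk-health check and maintenance run described above, using only the built-in Storage module cmdlets (Windows 8 / Server 2012 and later). The temperature, error and wear thresholds are assumptions to tune for the drives you actually deploy.

```powershell
# Added example, not from the original article: the scheduled S.M.A.R.T. /
# disk-health check a management server should run on every Windows host
# (Storage module, Windows 8 / Server 2012 and later). The temperature, error
# and wear thresholds are assumptions; tune them to the drives you deploy.

function Get-DiskHealthReport {
    param(
        [int]$MaxTempC       = 55,   # assumption: typical vendor maximum for client drives
        [int]$MaxUncorrected = 0     # any uncorrectable error is a replace-soon signal
    )
    # The drive firmware's own S.M.A.R.T. pass/fail prediction, exposed through WMI.
    # It does not map cleanly onto Get-PhysicalDisk objects, so it is reported per host.
    $anyPredictsFailure = [bool](
        Get-CimInstance -Namespace root\wmi -ClassName MSStorageDriver_FailurePredictStatus -ErrorAction SilentlyContinue |
        Where-Object { $_.PredictFailure }
    )

    foreach ($disk in Get-PhysicalDisk) {
        $rc = $disk | Get-StorageReliabilityCounter
        $flagged = ($disk.HealthStatus -ne 'Healthy') -or
                   ($null -ne $rc.Temperature -and $rc.Temperature -gt $MaxTempC) -or
                   ($rc.ReadErrorsUncorrected  -gt $MaxUncorrected) -or
                   ($rc.WriteErrorsUncorrected -gt $MaxUncorrected) -or
                   ($rc.Wear -ge 90) -or                   # SSD wear, percent used
                   $anyPredictsFailure
        [pscustomobject]@{
            Disk                   = $disk.FriendlyName
            Serial                 = $disk.SerialNumber
            MediaType              = $disk.MediaType       # HDD / SSD
            HealthStatus           = $disk.HealthStatus    # Healthy / Warning / Unhealthy
            TemperatureC           = $rc.Temperature
            ReadErrorsUncorrected  = $rc.ReadErrorsUncorrected
            WriteErrorsUncorrected = $rc.WriteErrorsUncorrected
            WearPercent            = $rc.Wear
            PowerOnHours           = $rc.PowerOnHours
            HostPredictsFailure    = $anyPredictsFailure
            NeedsAttention         = $flagged
        }
    }
}

# Maintenance: Optimize-Volume with no operation switch picks the right action
# for the media (defragment on HDD, TRIM/retrim on SSD) instead of hard-coding "defrag".
function Invoke-VolumeMaintenance {
    Get-Volume | Where-Object { $_.DriveLetter -and $_.FileSystem -eq 'NTFS' } |
        ForEach-Object { Optimize-Volume -DriveLetter $_.DriveLetter -Verbose }
}

$report = Get-DiskHealthReport
$report | Format-Table -AutoSize
if ($report | Where-Object { $_.NeedsAttention }) {
    Write-Warning 'One or more disks need attention; open a replacement ticket before running maintenance.'
    exit 1    # non-zero exit code is what the management server alerts on
}
Invoke-VolumeMaintenance
```

Run it weekly; the point of keeping health and maintenance in one job is that a drive already throwing uncorrectable errors is skipped rather than being stressed by a defragment pass.
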

Endpoint security practices

  • Users must not browse the internet or do email as an administrator-level account
  • Do not join laptops to unsecured public wireless networks
  • Manage cookies using tools like CookieWall, IECV, and MZCV
  • Another technique for security is to use Trusted Sites
  • Use browser plugins and extensions that enhance security, and train end users on how to use them

Password security

  • Don't use the same username on multiple websites
  • Never use the same password on multiple websites
  • DO use a password management tool such as Password Safe and secure it with two-factor authentication, such as YubiKey
  • Always use password complexity
  • Use multifactor authentication on absolutely everything where that is an option.

Block known sources of malware using multiple methods

Advertising networks are attractive targets for attackers to use to distribute their malware (malvertising). Websites offering inappropriate content, free games, or pirated material are also frequently compromised, or built from the start, to serve malware. Therefore, a good strategy is to use multiple methods to block these sources of malware.

Because advertising content is injected in all kinds of websites, you cannot simply decide to not receive the content. You need to have an active blocking mechanism in place that will filter out bad content.

  • block using a custom hosts file
  • block using cookie filtering/blocking methods
  • block using OpenDNS
  • block using web category content filtering at the hardware firewall and host-based security product levels
  • AdBlock Plus and Privacy Badger are nice add-ons for Firefox
  • ScriptSafe for Chrome is an excellent browser security tool
  • Internet Explorer has the best cookie handling techniques as well as trusted sites methods
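The hosts-file layer mentioned here and under "Web content filtering" (DNS-based blocking of disallowed names) is easy to get wrong when it is re-applied by a script: entries pile up and nobody can tell which ones are managed. The block below is an added example (not code from the original article or from QPC) of a managed section in the Windows hosts file that can be refreshed idempotently. The domain names are constructed placeholders, not a real threat feed; in practice the list comes from your vetted blocklist source.

```powershell
# Added example, not from the original article: maintain a managed section in
# the Windows hosts file so a blocklist can be re-applied without duplicating
# entries or clobbering hand-made lines. The sample domains are constructed
# placeholders (.invalid TLD), not a real threat feed.
#Requires -RunAsAdministrator

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Begin     = '# BEGIN managed-blocklist (do not edit by hand)'
$End       = '# END managed-blocklist'

function Set-ManagedHostsBlock {
    param(
        [Parameter(Mandatory)][string[]]$Domains,
        [string]$Path = $HostsPath
    )
    $current = if (Test-Path $Path) { Get-Content -Path $Path } else { @() }

    # Drop the previous managed section; keep every other line exactly as it was.
    $kept    = New-Object System.Collections.Generic.List[string]
    $inBlock = $false
    foreach ($line in $current) {
        if ($line -eq $Begin) { $inBlock = $true;  continue }
        if ($line -eq $End)   { $inBlock = $false; continue }
        if (-not $inBlock)    { $kept.Add($line) }
    }

    # 0.0.0.0 rather than 127.0.0.1: nothing listens there, so the browser fails
    # fast instead of probing a local web server port.
    $block = @($Begin) +
             @($Domains | ForEach-Object { $_.Trim().ToLower() } | Sort-Object -Unique |
                 ForEach-Object { "0.0.0.0 $_" }) +
             @($End)

    Set-Content -Path $Path -Value ($kept + $block) -Encoding ASCII
    Clear-DnsClientCache     # make the change effective immediately
}

# Constructed sample list (placeholders, not real malware domains).
$sample = 'ads.example.invalid', 'tracker.example.invalid', 'malware.example.invalid'
Set-ManagedHostsBlock -Domains $sample
```

Two caveats a practitioner should keep in mind: a hosts file only matches exact names, so wildcard subdomains need the DNS-filtering layer (OpenDNS or the appliance) rather than this one; and Windows Defender flags hosts entries that redirect Microsoft's own domains, so keep those out of any list you deploy.
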

Data security

Organizations that wish to prevent their data from being compromised or leaked should use role-based access control, adequate backups, all the other security measures listed in this article, endpoint encryption, and DRM (digital rights management).

DRM and endpoint encryption rules ensure that data on a mobile device is encrypted and cannot be copied, moved, or stolen. It is security without hampering employee productivity.

DRM rules prevent data from being copied or exported to non-approved locations by employees regardless of their intention. DRM also enables selective wipe of organization data from mobile devices in a BYOD environment without otherwise damaging the employee-owned device.

Role-based access control - RBAC

Role-based access control is always used in combination with the principle of least privilege. Both are codified in the NIST SP 800 series (least privilege is control AC-6 in SP 800-53) and are requirements for HIPAA and PCI. RBAC and least privilege have actually been concepts in use since the beginning of secure computing and are just common sense for all scenarios.

In RBAC, an organization defines roles, assigns individuals to those roles, and then defines the access that the role itself has. Individuals are not assigned to resources, only roles are. In that way, as an employee changes roles, their role membership is changed easily and quickly. When this method is not used, employees perpetually accumulate rights that virtually no one is courageous enough to remove from that employee's access rights for fear of breaking something.

With the relationship between a role and access to a set of resources defined, RBAC removes anything personal from the decision of removing access from an individual user. The question of access simply goes to the manager of the employee asking what roles does that employee have? Access is then granted based upon role membership. Management would have already made decisions about what resources people with those roles should have access to.
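As an added example (not code from the original article or from QPC), here is the model described above built in Active Directory with the ActiveDirectory PowerShell module: users go only into role groups, role groups nest into per-resource permission groups, and only the permission groups ever appear in an NTFS ACL. The domain, OU, share path, group names and user name are all placeholders.

```powershell
# Added example, not from the original article: the role -> resource-group
# pattern from the RBAC section, built with the ActiveDirectory module.
# Domain (CORP / corp.example.com), OU, share path, group and user names are
# all placeholders.
Import-Module ActiveDirectory

$OU    = 'OU=Groups,DC=corp,DC=example,DC=com'
$Share = '\\fs01\Billing'

# Role groups describe people; resource groups describe one permission on one
# resource. Users are members of role groups only; ACLs list resource groups only.
$Roles = @{
    'Role-Billing-Clerk'   = @('ACL-Billing-Modify')
    'Role-Billing-Auditor' = @('ACL-Billing-Read')
}

function New-RbacGroup {
    param([string]$Name, [string]$Scope)
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'")) {
        New-ADGroup -Name $Name -GroupScope $Scope -GroupCategory Security -Path $OU
    }
}

foreach ($role in $Roles.Keys) {
    New-RbacGroup -Name $role -Scope Global
    foreach ($acl in $Roles[$role]) {
        New-RbacGroup -Name $acl -Scope DomainLocal
        # The role nests into the resource group; no individual is ever added here.
        Add-ADGroupMember -Identity $acl -Members $role -ErrorAction SilentlyContinue
    }
}

# The resource group is the only principal that appears on the folder.
function Grant-FolderAccess {
    param(
        [string]$Path,
        [string]$Group,
        [System.Security.AccessControl.FileSystemRights]$Rights
    )
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        "CORP\$Group", $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    )
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}
Grant-FolderAccess -Path $Share -Group 'ACL-Billing-Modify' -Rights Modify
Grant-FolderAccess -Path $Share -Group 'ACL-Billing-Read'   -Rights ReadAndExecute

# A role change is one membership edit; nothing on the file server is touched,
# and the old rights disappear with the old role instead of accumulating.
function Set-UserRole {
    param([string]$User, [string]$OldRole, [string]$NewRole)
    if ($OldRole) { Remove-ADGroupMember -Identity $OldRole -Members $User -Confirm:$false }
    Add-ADGroupMember -Identity $NewRole -Members $User
}
Set-UserRole -User 'jdoe' -OldRole 'Role-Billing-Clerk' -NewRole 'Role-Billing-Auditor'

# Audit: a user placed directly into a resource group bypasses the model.
foreach ($g in Get-ADGroup -Filter "Name -like 'ACL-*'") {
    Get-ADGroupMember -Identity $g | Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { Write-Warning "$($_.SamAccountName) is directly in $($g.Name); move them to a role group." }
}
```

The audit loop at the end is the part worth scheduling: the model only removes the "who dares take this away" problem if nobody quietly adds a person straight to an ACL group, and that is a one-line check to detect.
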

Encryption at rest and in transit

HIPAA and PCI clearly define that data must be protected by encryption at rest and in transit, and they define which types of data are in scope. It is often prudent to just encrypt everything that can be encrypted.

Organizations must realize that this includes their copiers. A copier has a hard drive that keeps a copy of the last several thousand items that it has printed, scanned, or copied. Therefore, that hard drive must be encrypted. A typical encryption module in a copier is a one-time expense of roughly $400, so it is not cost-prohibitive whatsoever.

For HIPAA, any PII or PHI being transmitted via email must be encrypted in transit. There are many mechanisms to accomplish that, but an organization should use a system that enforces encryption automatically based upon content rules (for example, detecting patient identifiers or card numbers in the message) and not based upon employees putting the string "#encrypt#" someplace in the email. If an organization assumes that employees will remember to do that correctly 100% of the time, it is bound to have many HIPAA violations.

The biggest need for encrypted email is in healthcare, where it is common for medical offices to use email to share information like treatment records with referring medical offices. Hospitals generally have medical information sharing systems on dedicated network links already set up. Those are very expensive and practical only for large organizations like hospitals, so smaller medical offices must rely upon encrypted email.

Mobile device security

Trend Micro Worry-Free Business Security Services edition provides a moderately featured client for Android and iOS. When an organization buys WFBiz Sec, they automatically get mobile device licenses.

Trend Micro offers many other tools that can offer even more advanced protections for mobile devices. Usually, an organization will invest in Smart Protection Complete and then decide which components they will implement. One of those components provides an always-on VPN for mobile devices that gives them complete protection against internet-borne threats. When that is combined with Microsoft's Enterprise Mobility Suite (now Enterprise Mobility + Security), an incredibly feature-rich protection level can be achieved.

Devices that cannot be secured

Many organizations are faced with the challenges of being HIPAA or PCI compliant, but their own software vendors make that extremely difficult. We see these challenges primarily in healthcare systems and POS systems.

It is best to understand these problems by example.

Many practice management applications are poorly written using old security models where the only way the software vendor will guarantee that the application works is by enabling full administrator privileges for the user accounts using the software.

Allowing users who browse the internet and do email to have administrator access to their system is a 100% guaranteed way to be in violation of HIPAA or PCI. Therefore, this is a completely non-viable answer. Practitioners are put in a very difficult spot where their software vendor will not correct the deficiencies in their poorly programmed software, so the practitioner must accept the full liability knowing that they are in breach of the compliance regulations.

One way to deal with this is to literally block internet access from those systems and require staff to use RDP/RDS to do things like email and internet. We have yet to see a scenario where anyone other than highly skilled IT personnel can make this model work though. Putting the practice management application in something like RDS is typically not viable due to the heavy integration that it must have with the local subnet (again deficiencies in how the software is programmed) as well as devices locally connected to systems (x-ray and other sensors).

In the case of a computer that is connected to a CT scanner and is supposed to be dedicated to that purpose, find out from the hardware/software vendor what applications and websites that machine needs to get to. Write a security appliance policy that specifies that the CT scanner computer can access the LAN, but not the internet except for the minimal destinations required to allow the CT scanner software support personnel to remote control and manage that device.

Understand the cyber-security kill chain

Resources to help you understand the cyber security kill chain and how its use protects the organization's assets.

Definitions

PII - personally identifiable information

PHI - protected health information

SME - small to medium enterprise

POS - point of sale

HIPAA - Health Insurance Portability and Accountability Act (US law governing the privacy and security of health information)

PCI - Payment Card Industry Data Security Standard (PCI DSS)

