By: Vivek Soni
August 17, 2020
Understanding Infrastructure Security
By: Vivek Soni
August 17, 2020
What is Infrastructure?
All assets, whether physical or intangible, that may impact the economy, safety, health, and well-being of an enterprise, can be referred to as its infrastructure. The infrastructure is of the utmost value to an enterprise, and its destruction could have a debilitating impact. The critical infrastructure may include its data center, network devices, servers and workstations, and other information technology (IT) assets.
What is Infrastructure Security?
Infrastructure security refers to the protection of the infrastructure, which spans across the organization and plays a crucial role in achieving its business objectives. The infrastructure should be protected against natural disasters, terrorist activities, sabotage, cyber threats, and any activity that can harm the infrastructure. A secure and robust infrastructure will act as a foundation for a successful enterprise. As attackers find new ways to exploit vulnerabilities, organizations need to monitor, maintain, and bolster their security capabilities rigorously.
IT is a very important component of the infrastructure. To fulfill their objectives, organizations are increasing their dependency on IT. This raises the concern of the security of the information that is contained within the IT Infrastructure. Companies face a range of cyber threats, from malware to sophisticated attacks that may impact day to day operations.
The goal of a secure infrastructure is to maintain confidentiality, integrity, and availability of data. A common dilemma faced by security practitioners is how to find a balance between security and functionality. It's obvious that if stringent security measures are in place, the functionality will be considerably reduced.
Steps for building a secure infrastructure:
The first step is to understand the enterprise, it's working, and the environment in which it operates. The second step is to identify threats that may impact it. After getting all this information, the development of a secure IT Infrastructure can proceed. The important components of an effective security strategy are its people, processes, and technology.
People: Employees are often considered a weak link in any organization. Many personnel does not take security as seriously as they should. Due to this uncaring attitude, the human factor has played a big role in making organizations vulnerable worldwide. The vulnerability here is a lack of knowledge that is exploited by threats, like cybercriminals. In phishing attacks, the victims are tricked into providing sensitive information.
Another example is a phishing attack where victims are convinced to provide sensitive information by an urgent and official-sounding voice mail. These attacks are external.
Some very destructive attacks come from inside the enterprise. In the case of a disgruntled employee or terminated employee who has access to systems, it can cause intentional harm by stealing confidential data or damage to the integrity of data. If the terminated employee is an IT person, attacks can be severely disruptive. There are many principles like segregation of duties, immediate removal of access for a terminated employee, and mandatory vacations to employees that can minimize insider threats.
Development, maintenance, and implementation of security policies play a crucial role in securing infrastructure. The security policy should outline the security aspects essential for an organization. All the employees must be trained in the organization's policies. After the training, the policies should be enforced by employee compliance monitoring. It should be incorporated into the employee's performance evaluation. It should also be a part of an orientation program for new hires.
To tackle the risk people pose to the organization, the only solution is awareness and training at regular intervals to keep them aware of potential scams and the ways organizations can be vulnerable. If they are well informed, they can act as the first line of defense. Some of the recommended cyber hygiene points which employees should know:
- Encourage the use of strong or complex passwords that are unique to each account. The use of passphrase for passwords is beneficial to avoid forgetting passwords.
- Passwords should not be written anywhere on the workstation. Also, It should not be shared with anyone.
- Immediate reporting of any unusual behavior of systems and/or employees. They should be aware of how and whom to report.
- Do not click on suspicious links, which may come in the form of an email. These mails can either lead to malware entering into systems or lure a user into a trap that steals their credentials.
Through the use of access management policies, IT teams can ensure only authorized users have access to data. The principle of least privilege and role-based access can control unauthorized access in the organization.
Processes: Processes define how organizational activities, structure, and documentation will work together. Any security policy or strategy can only come into effect if we have effective and efficient processes. Processes should ensure to protect and preserve the confidentiality, integrity, and availability of organizational information. Furthermore, processes should be written clearly, so they are easily understood. A good place to start developing processes is by adopting a framework, such as the National Institute of Standards and Technologies (NIST) Cyber Security Framework. This framework provides a structure through which processes can be developed, implemented, and monitored.
For a process to be beneficial to the organization:
- It shall align with the policy and should be an enabler to meet the business objectives of the organization.
- It shall be well documented and communicated to appropriate stakeholders.
- It shall be reviewed periodically to ensure efficiency and effectiveness.
- It shall be adaptable to changing requirements of a business.
Processes should be addressed on an administrative, technical, and physical level. The below list of processes is not comprehensive, but rather a sample of common processes that most organization should consider adopting:
- IT Asset Identification and Management
- Risk Management
- Access Control
- Vulnerability Management
- Incident Management
- Media Protection
- Data Privacy
- Contingency Planning
- Change Control
- Configuration Management
- Auditing and Monitoring
- Awareness and Training
Technology: All of the tools, applications, and infrastructure that make processes more efficient and effective can be considered technology. Today, companies are getting more and more reliant on technology solutions. Technology offers solutions that can be integrated and automated into the companies security framework, which ensures consistency across all its processes. It should be viewed as a critical component in accomplishing its mission and not merely as an IT or IS solution. It acts as a process enabler and a force multiplier, helping organizations to accomplish more work in less time, for less cost, and with greater accuracy.
The Concept of Defense in Depth: A series of defensive mechanisms that are layered to protect valuable data and information. It offers multiple layers of defense. It is a strategy that provides multiple, overlapping defensive measures in case one security control fails or a vulnerability is exploited. It is a comprehensive approach designed to provide strong protection against elaborate attacks that use multiple techniques to penetrate organizational security measures. It also supports "Assurance Process Integration," the most important goal of IS Governance and ultimately Corporate Governance. The security architecture of Defense in Depth protects the physical, technical, and administrative aspects of one's network.
Physical Access Controls: These controls limit intruders to access to the IT system physically. Fences, security guards, lock protected doors, locked CPUs, and guard dogs are some examples of physical access control measures.
Technical Access Controls: These controls are comprised of software or hardware solutions, designed and adopted for protecting systems and networks.
Below are a few examples of technical access control measures:
Firewalls: Firewalls are a network security system that controls the incoming and outgoing network traffic based on predetermined security rules, which establishes a barrier between a trusted internal network and an untrusted external network.
IDS/IPS: It is a device or software application that monitors a network or system for policy violations or malicious activity. These activities are normally reported to an administrator or collected using security information and event management system.
Honeypots: It is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. It consists of data and systems that appear to be legitimate parts of the site and may seem to contain information or a resource of value to attackers. However, it is isolated and monitored and enables blocking or analyzing the attackers. They are meant to lure and distract an attacker, using deception, to increase the likelihood of detection and threat mitigation.
Encryption: It is a process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Only authorized partners can decipher a ciphertext back to plaintext and access the original information.
Web Proxies: It acts as a gateway between you and the internet. Its intermediary server separates end users from the websites they browse. It provides varying levels of functionality, security, and privacy, depending on your use case, needs, or company policy.
Anti-Virus: It is a computer program used to prevent, detect, and remove malware. It was originally developed to detect and remove computer viruses.
Patch Management: It is a process that helps acquire, test, and install multiple patches on existing applications and software tools on a computer. This enables the system to stay updated on existing patches and determining which patches are the appropriate ones. Managing patches thus becomes easy and simple.
Data Loss Prevention: This is detecting potential data breaches/data ex-filtration transmissions and preventing the breaches by blocking, detecting, and monitoring sensitive data while in use, in motion, and at rest.
Administrative Controls: These controls are security measures consisting of policies or procedures applicable to all employees. These controls make sure that laws and regulations are met. Below are a few examples of administrative controls:
Change Control and Configuration Management: Configuration Control focuses on the specifications of both the deliverables and the processes. Change Control focuses on identifying, documenting, and controlling changes to the project and the project baselines. A Change Management plan documents how changes will be monitored and controlled.
Awareness and Training Programs: These programs ensure the employees are aware of the cyber threats and what part they play in keeping their enterprise safe.
Data Protection Policy: It defines the commitment of any enterprise to treat the information of interested parties such as employees, customers, stakeholders, and others with the utmost care and confidentiality. This policy ensures that the information is gathered, stored, and handled fairly, transparently, and with respect towards individual rights.
Enterprises today are concerned with a lot of issues. They desire to minimize business disruptions in a cost-effective and timely manner. They require the technological environment to be secure, functional, and reliable. They are more concerned with the risk to its business objectives and the impact of the risk if it materializes. The process of risk management helps to identify, assess, respond, and monitor the potential risk. There are a lot of frameworks that can be a starting point to build the processes.
Implementing a security solution merely does not protect the enterprise, but cooperation from departments, people, and the processes can make the solution work effectively and efficiently, thereby securing the enterprise.
Organizations need up-to-date security solutions that can protect their confidential information and data from ever-increasing threats. This is possible by having integrated security across the organization. Defense in depth best exemplifies integrated security. It begins at the core network areas and must be assimilated into the entire organizational structure to meet the organization's mission.