A recent case study required students to provide recommendations for addressing security in the overall technical design of a fictitious company called ABC Healthcare. Since it was a fake company, students were instructed to propose solutions as though budget constraints did not exist. Here was my response:
ABC Healthcare should implement a secure technical design by first addressing basic security hygiene as identified in the CIS/SANS Top 20 critical security controls. The CIS updated the controls in late 2015 to help organizations better prioritize their efforts based on changes in the threat landscape (Wade, 2015). This discussion will focus on 18 of the 20 technical controls as they relate to the case study.
(CSC 1 & 2): IT Security cannot protect the network without knowing what is allowed to be on the network. Therefore, ABC should use an automated asset discovery tool, such as IP360, to compile an inventory of authorized/unauthorized hardware and software on the network.
(CSC 3): After the authorized inventory is established, ABC should ensure that all software and hardware on the network are deployed in a secure manner. The Center for Internet Security publishes secure configuration guides for almost every operating system, including network devices. Additionally, Microsoft Baseline Security Analyzer is a free tool available “to identify missing security updates and common security misconfigurations” in Windows operating systems (Microsoft, 2016). The company can also use a secure configuration compliance solution, such as Tripwire, to validate that the hardware and software adhere to established security requirements.
Special care must be taken to ensure that publicly facing web servers are configured securely. Since these servers are accessible over the open web, they are common targets for hackers using automated tools to scan the web for vulnerable web servers.
The SQL servers contain ABC’s most valuable data, so they should be protected by network- and host-based firewalls. They should also sit on a different VLAN from the publicly facing web server.
(CSC 4): ABC Healthcare should implement a robust vulnerability management program. Depending on system criticality, daily or weekly automated authenticated scans should take place to ensure that all pertinent asset information is enumerated during the scans. Additionally, system owners should be identified and held accountable for remediation of critical and high vulnerabilities within 30-60 days of disclosure. To help prioritize efforts, a tool such as Rapid 7’s Metasploit can be used to determine whether the vulnerabilities are being exploited in the wild. If exploits are not available, then there may be little to no risk of compromise. Hence, remediation efforts should be focused on high risk assets.
(CSC 5 & 16): Administrative accounts give individuals the ability to read, write, modify, and execute, and complete control over systems. As a result, these are high-risk accounts. ABC should run regular audits to verify that only select people, such as domain administrators and others with elevated privileges, have administrator access. Additionally, activity on administrator accounts should be closely monitored to identify anomalous or malicious behavior by insiders.
I watched a great demo of an open source tool called BloodHound at DEF CON 24. According to the developers:
“BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment” (Robbins, Vazarkar, and Schroeder, 2016)
In addition to privileged account monitoring, Splunk’s user behavioral analytics platform (UBA) uses advanced threat modeling techniques to provide insight into user behavior. UBA “helps organizations find known, unknown, and hidden threats using data science, machine learning, behavior baseline, peer group analytics and advanced correlation” (Splunk, 2016).
(CSC 6 & 16): Security audit logs from systems and network devices should be sent to an offsite centralized location, such as a security information and event management (SIEM) tool, for ongoing analysis to identify suspicious behavior. Specific events, such as excessive login failures and administrator access outside of normal business hours, should be isolated for investigation.
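The two detections named above (excessive login failures and administrator access outside business hours), written as an added example that is not part of the original post or any SIEM product. The log format, the `admin_` naming convention, the 5-failures-in-10-minutes threshold and the 08:00-18:00 business window are all assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events (not real ABC Healthcare logs), in an assumed
# simplified syslog-style format: "<ISO ts> <host> <result> user=<name> src=<ip>"
SAMPLE_LOG = """\
2016-09-12T09:05:40 srv-sql01 LOGIN_FAIL user=svc_backup src=10.1.9.8
2016-09-12T09:05:52 srv-sql01 LOGIN_FAIL user=svc_backup src=10.1.9.8
2016-09-12T09:06:03 srv-sql01 LOGIN_FAIL user=svc_backup src=10.1.9.8
2016-09-12T09:06:15 srv-sql01 LOGIN_FAIL user=svc_backup src=10.1.9.8
2016-09-12T09:06:30 srv-sql01 LOGIN_FAIL user=svc_backup src=10.1.9.8
2016-09-12T14:30:00 srv-dc01 LOGIN_OK user=admin_mlee src=10.1.2.15
2016-09-12T23:47:19 srv-dc01 LOGIN_OK user=admin_mlee src=10.1.2.15
2016-09-13T03:12:05 srv-sql01 LOGIN_OK user=admin_rkim src=10.1.2.40
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (LOGIN_OK|LOGIN_FAIL) user=(\S+) src=(\S+)$")
FAIL_THRESHOLD = 5                   # assumed policy: failures per user within FAIL_WINDOW
FAIL_WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = (8, 18)             # assumed policy: 08:00-17:59 local time is normal
ADMIN_PREFIX = "admin_"              # assumed naming convention for privileged accounts

def parse_events(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ts, host, result, user, src = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "result": result, "user": user, "src": src})
    return events

def excessive_failures(events):
    # Users with >= FAIL_THRESHOLD failed logins inside any FAIL_WINDOW-sized span.
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "LOGIN_FAIL":
            fails[e["user"]].append(e["ts"])
    flagged = []
    for user, times in fails.items():
        times.sort()
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= FAIL_WINDOW) >= FAIL_THRESHOLD:
                flagged.append(user)
                break
    return sorted(flagged)

def after_hours_admin_logins(events):
    # Successful logins by privileged accounts outside BUSINESS_HOURS, for analyst review.
    return [(e["user"], e["host"], e["ts"].isoformat()) for e in events
            if e["result"] == "LOGIN_OK" and e["user"].startswith(ADMIN_PREFIX)
            and not BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]]
```

Running `after_hours_admin_logins(parse_events(SAMPLE_LOG))` returns the two overnight admin logins and leaves the 14:30 one alone, while `excessive_failures` flags only `svc_backup`.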
(CSC 7): Phishing emails and malicious payloads delivered via web browsers continue to be the leading cause of malware infections. ABC should deploy a content filter, such as Websense, to limit the websites users can visit. The company should also deploy a secure email content filter, such as Barracuda, to stop spam and phishing emails from reaching end users. ABC should also consider blocking all attachments containing macros from entering the network. Finally, a data loss prevention tool should be used to filter outgoing emails for sensitive data, such as social security numbers.
(CSC 8): Malware and virus defenses are an integral part of the company’s defense-in-depth strategy. Hence, ABC should deploy an anti-malware tool, such as Symantec’s Endpoint Protection, to provide signature- and behavior-based virus and malware protection.
(CSC 9): ABC should perform regularly scheduled ports and services audits to ensure that no unnecessary ports and services are enabled. The reviews should include documented justification for the ones that are enabled. Any port or service without a business justification should be disabled.
(CSC 10): ABC should be performing incremental and daily backups, and the backups should be securely stored offsite. The company should also incorporate regular testing of backup and restore during disaster recovery exercises to ensure that the backups are collecting data as expected and functioning properly.
(CSC 11-13): Routers, firewalls, and network intrusion prevention should be configured securely using access control lists and packet inspection where feasible. Routers should be configured to drop traffic to unknown destinations; allow or deny traffic based on protocols, ports, and packet headers; and block local broadcasts or multicast packets from bad IP addresses (Greenert, 2002).
Firewalls should be configured to allow only the traffic that is necessary and approved and to drop all other traffic. They should also facilitate network address translation (NAT), which replaces internal IP addresses with a public NAT’d address. Firewalls should be positioned in multiple places, including the connection points where internal database servers connect to web servers (Greenert, 2002).
Network intrusion prevention should be placed in front of the firewall to stop or redirect attacks. It should be configured in fail-safe mode to minimize a network outage in the event of device failure (Pappas, 2008).
(CSC 14): Account provisioning, decommissioning, and regularly scheduled user access reviews should be conducted to ensure that users only have access required to perform their job functions.
(CSC 15): Users are increasingly accessing patient data over mobile devices. ABC should ensure that wireless networks are segmented for personal and corporate-issued mobile devices. Users should be required to authenticate using WPA2, and the networks should be securely configured with 802.1X.
(CSC 18): Application security should be addressed by integrating an application security testing tool, such as Burp Suite, into the software development lifecycle. ABC can also train developers to use the Source Code Analysis Laboratory to test against CERT secure coding standards (Software Engineering Institute, 2016). An additional measure is to configure the vulnerability management tool to perform automated scans of web applications. McAfee’s app vulnerability scanner tests for items that fail the OWASP Top 10 test. A web application firewall should be implemented to protect publicly accessible applications containing sensitive data. The company can also benefit from the OWASP Mobile apps checklist to keep mobile apps safe from vulnerabilities.
After implementing basic security hygiene, ABC should also implement the following security enhancements:
- Deploy a multi-factor authentication solution, such as RSA one-time password tokens, to all systems containing data governed by HIPAA or SOX.
- Encrypt all sensitive data in transit and at rest. Remote workers should be required to access systems over a virtual private network. A VPN securely authenticates users to corporate systems via an encrypted tunnel over the internet (Greenert, 2002).
- Place a proxy server between trusted (internal) and untrusted (internet) networks for load balancing and to prevent attackers from communicating directly with internal resources.
- Apply logical segmentation of network equipment, security tools, critical servers, test/dev servers, databases, medical devices, wireless, and guest networks. Depending on criticality, they should be on separate VLANs and protected by firewalls.
- Prevent all insecure systems from connecting to the network with network access control tools that block devices that do not comply with security requirements.
- Implement host-based intrusion detection and prevention on all systems.
- File integrity monitoring should be implemented to detect unauthorized changes to critical system files, as such changes are an indicator of compromise.
- Networked medical devices should be included in the vulnerability management program. Vendors should be required to responsibly disclose vulnerabilities and offer patches within 30-60 days.
- Physical security mechanisms should include badge readers for access to sensitive areas, security guards, theft prevention, fire safety, and security cameras.
If you’re ever tasked with a security design in a corporate setting, these are the kinds of considerations that employers are looking for. Note that I got an A on the assignment, but this was submitted in an academic setting. Your design will depend on many factors, with budget likely taking priority in your approach.