Security architecture reviews are non-disruptive studies that uncover systemic security issues in the assessed environment. They are ideally suited for organizations wanting to maximize their return on any security technology investment by evaluating their needs and validating the security of their existing deployments. The result is an actionable roadmap to help remediate identified security deficiencies.
The focus of the architecture review was the enterprise IT infrastructure, together with the security posture of the supporting services and platforms.
Internet-facing services
- Mapping all services and systems that are published to the internet.
- Restricting access to unneeded services that are published directly to the internet.
- Restricting access to sensitive operational business systems (such as business/logistics systems) to known source IP addresses; alternatively, adding another layer of identification before a web application can be reached (for example, client certificate-based access), or, where possible, allowing access only over VPN connectivity.
Environment separation, enterprise IT and OT systems
- Services that are exposed to the internet must be fronted by a middleware / front-end server located in the DMZ; direct internet access to a server residing in the DC LAN must not be allowed.
- Mapping and planning network separation for all operational technology (OT) systems (e.g., conveyor systems, controllers, label printers, UPS, etc.) from the enterprise IT networks, based on their classification and location.
Security Controls – Firewall rules
- Preventing inter-site connectivity (direct communication between branches).
- Preventing servers from accessing the internet directly, excluding relevant services (such as update repositories, etc.).
- Any access from the branches to the datacenters must be inspected and filtered by the IPS feature.
- Preventing access to and from guest networks (Wi-Fi, etc.).
- Limiting access to DC sites to needed services only (specific source and destination rules with specific ports, rather than "any" services or hosts).
Security Controls – Patch Management
- Exposed servers must be updated with the relevant security patches for medium, high and critical severity vulnerabilities.
- After mapping assets and prioritizing critical components and crown jewels, it is recommended to remediate vulnerabilities by patching or otherwise fixing the cybersecurity weaknesses detected in the enterprise assets, networks, and applications.
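The two patch-management points above combine into one ordering rule: exposed systems are patched first for anything medium or worse, crown jewels next for high/critical findings, and everything else afterwards by severity. The triage function below is an added example written for this page, not the reviewed organization's tooling; the severity bands are the standard CVSS v3 ranges, and the finding list, host names and tags are constructed for illustration.

```python
"""Order vulnerability findings by the review's patch priority rule.

Added example; the findings and host inventory below are constructed.
Priority tiers (assumed reading of the review's recommendations):
  0 - internet-exposed asset, severity medium or higher
  1 - crown-jewel asset, severity high or critical
  2 - everything else
Within a tier, higher CVSS score first.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str      # e.g. a scanner finding ID (constructed)
    host: str
    cvss: float       # CVSS v3 base score, 0.0 - 10.0
    exposed: bool     # asset is published to the internet
    crown_jewel: bool # asset was tagged critical during asset mapping


def severity(cvss: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    if cvss > 0.0:
        return "low"
    return "none"


def tier(f: Finding) -> int:
    """Assign the patch tier implied by the review's recommendations."""
    sev = severity(f.cvss)
    if f.exposed and sev in ("medium", "high", "critical"):
        return 0
    if f.crown_jewel and sev in ("high", "critical"):
        return 1
    return 2


def patch_order(findings):
    """Return findings sorted by (tier, descending CVSS) with the reason."""
    ordered = sorted(findings, key=lambda f: (tier(f), -f.cvss))
    return [(f.vuln_id, tier(f), severity(f.cvss)) for f in ordered]


# Constructed sample findings (IDs, hosts and scores are illustrative).
SAMPLE_FINDINGS = [
    Finding("V-001", "web-01", 5.5, exposed=True, crown_jewel=False),
    Finding("V-002", "db-01", 9.8, exposed=False, crown_jewel=True),
    Finding("V-003", "file-01", 8.0, exposed=False, crown_jewel=False),
    Finding("V-004", "web-01", 3.1, exposed=True, crown_jewel=False),
    Finding("V-005", "db-01", 5.0, exposed=False, crown_jewel=True),
    Finding("V-006", "web-02", 9.1, exposed=True, crown_jewel=False),
]

if __name__ == "__main__":
    for vuln_id, t, sev in patch_order(SAMPLE_FINDINGS):
        print(f"tier {t}  {vuln_id}  ({sev})")
```

Note that a low-severity finding on an exposed host (V-004) still lands in the last tier rather than being dropped: the review's wording limits the mandatory window to medium and above, not the obligation to patch.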
Security Controls – Hardening Assets
- Define a hardening policy for each infrastructure component, taking the component's functionality into account.
- Consider periodically re-baselining hosts against the latest CIS hardening benchmark (for example, rebuilding them from a hardened image) to ensure the systems remain continuously hardened rather than drifting from the baseline.
Remote access security
- MFA – application-based multi-factor authentication (OTP) for every user with VPN access rights.
- Apply host-checker (device posture) capabilities to every device connecting to corporate resources via VPN.
- Allow only corporate-owned and managed devices to access corporate resources via the VPN services.
- Deploy an EDR on every corporate-owned device that is used to access corporate resources via the existing VPN services.
Security Controls – Detection & Prevention / Endpoint / Network
- Deploy an EDR across all user devices and servers, starting with the critical and high-availability systems.
Administrative Access – Employees and 3rd-party service providers
- Establish a dedicated IT management network (a segment isolated from the other networks) containing dedicated administration servers / terminals. Access to the administrative terminal servers is allowed only via VPN connectivity, even from within the network, and is enforced with MFA.
- Map every available administrative interface and restrict access to each of them (including Windows servers, communication gear, firewalls, storage devices, ESXi, etc.) so that it is allowed only from the administrative terminal servers.
- Administrative access to online services should be restricted to a dedicated public IP address (source-IP allow-listing on the service side).
- SaaS / online services in use must enforce MFA for any administrative access.
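The firewall-rule recommendations (no branch-to-branch traffic, no direct server-to-internet access beyond update sources, guest isolation, host- and port-specific DC rules) and the administrative-access recommendation that management interfaces be reachable only from the administrative segment can all be checked mechanically against a rule export. The audit script below is an added example written for this page, not the reviewed organization's firewall configuration or tooling; the segment names and address ranges, the allow-listed update range, the set of administrative ports and the sample rules are constructed, and a real export would need its own parser in place of the flat `Rule` records.

```python
"""Audit a flat firewall allow-rule list against the review's network policy.

Added example with constructed data: segments, the update allow-list, the
administrative port set and SAMPLE_RULES are all illustrative assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str     # source CIDR
    dst: str     # destination CIDR; INTERNET means any address
    dport: str   # "any" or comma-separated TCP/UDP ports
    action: str  # "allow" or "deny"


INTERNET = "0.0.0.0/0"
# Constructed segment map (assumed addressing).
SEGMENTS = {
    "BRANCH_A": "10.10.0.0/16",
    "BRANCH_B": "10.20.0.0/16",
    "GUEST": "172.16.0.0/16",
    "DC_SERVERS": "10.100.0.0/16",
    "ADMIN_NET": "10.250.0.0/24",   # isolated IT management segment
}
BRANCHES = ("BRANCH_A", "BRANCH_B")
UPDATE_HOSTS = {"198.51.100.0/24"}  # assumed allow-listed update repositories
# Assumed management ports; in practice taken from the interface inventory.
ADMIN_PORTS = {"22", "3389", "902"}


def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def in_seg(cidr, name):
    """True if the CIDR lies entirely inside the named segment."""
    return net(cidr).subnet_of(net(SEGMENTS[name]))


def branch_of(cidr):
    return next((b for b in BRANCHES if in_seg(cidr, b)), None)


def is_internal(cidr):
    return any(in_seg(cidr, name) for name in SEGMENTS)


def is_internet(cidr):
    return cidr == INTERNET or not is_internal(cidr)


def hits_admin_port(dport):
    """A rule reaches a management port if it is open to any port or lists one."""
    return dport == "any" or bool(set(dport.split(",")) & ADMIN_PORTS)


def audit(rules):
    """Return (rule_index, check_name) for every allow rule violating policy."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        sb, db = branch_of(r.src), branch_of(r.dst)
        if sb and db and sb != db:                      # inter-site connectivity
            findings.append((i, "inter-site"))
        if in_seg(r.src, "DC_SERVERS") and is_internet(r.dst) \
                and r.dst not in UPDATE_HOSTS:          # servers reaching the internet
            findings.append((i, "server-internet"))
        if (in_seg(r.src, "GUEST") and is_internal(r.dst)) \
                or (in_seg(r.dst, "GUEST") and is_internal(r.src)):
            findings.append((i, "guest"))               # guest <-> internal traffic
        if in_seg(r.dst, "DC_SERVERS"):
            if r.dport == "any" or r.src == INTERNET:   # not host/port specific
                findings.append((i, "non-specific"))
            if hits_admin_port(r.dport) and not in_seg(r.src, "ADMIN_NET"):
                findings.append((i, "admin-exposed"))   # mgmt port outside ADMIN_NET
    return findings


# Constructed sample rule set; indexes are referenced in the usage below.
SAMPLE_RULES = [
    Rule("10.10.0.0/16", "10.100.5.10/32", "443", "allow"),      # 0 branch -> DC web
    Rule("10.10.0.0/16", "10.20.0.0/16", "any", "allow"),        # 1 branch -> branch
    Rule("10.100.0.0/16", INTERNET, "443", "allow"),             # 2 servers -> internet
    Rule("10.100.0.0/16", "198.51.100.0/24", "443", "allow"),    # 3 servers -> updates
    Rule("172.16.0.0/16", "10.100.0.0/16", "443", "allow"),      # 4 guest -> DC
    Rule("172.16.0.0/16", INTERNET, "any", "allow"),             # 5 guest -> internet
    Rule("10.20.0.0/16", "10.100.0.0/16", "any", "allow"),       # 6 branch -> DC any
    Rule("10.250.0.0/24", "10.100.5.10/32", "22", "allow"),      # 7 admin -> SSH
    Rule("10.10.0.0/16", "10.100.5.10/32", "3389", "allow"),     # 8 branch -> RDP
]

if __name__ == "__main__":
    for idx, check in audit(SAMPLE_RULES):
        print(f"rule {idx}: {check}: {SAMPLE_RULES[idx]}")
```

Rules 0, 3, 5 and 7 pass; the others each trip the check named in the comment, and rule 6 trips two (it is port-unspecific and, because "any" includes the management ports, it also exposes administrative interfaces outside the management segment). Segment membership uses `subnet_of` rather than overlap on purpose: a destination of `0.0.0.0/0` overlaps every segment, and treating it as "inside GUEST" would produce false positives.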
Security Controls – Web application Firewall
- Exposed web applications that are intended to be directly accessible from the internet are required to sit behind active web application firewall capabilities (such as Cloudflare, Incapsula, or other).
Security Controls – Securing online services, Access & MFA
- Application-based MFA enforced for all users.
- Application restriction is required to be turned on.