Question

You’ll create a security infrastructure design document for a fictional organization. Your plan will be evaluated according to how well you met the organization's requirements. Points will be awarded based on how well you met these requirements, considering the security implications of your choices.

The following elements should be incorporated into your plan:

Authentication system

External website security

Internal website security

Remote access solution

Firewall and basic rules recommendations

Wireless security

VLAN configuration recommendations

Laptop security configuration

Application policy recommendations

Security and privacy policy recommendations

Intrusion detection or prevention for systems containing customer data

Solutions

Expert Solution

1- Authentication

1.1- Use strong passwords: Make sure to choose a password that has mixed case (capital letters and small letters), special characters and numbers. Preferably, the password should be at least eight characters (do not use the suggested passwords).

1.2- Change your passwords regularly: This is what defines a password expiration policy. The frequency of changing a password depends on what the passwords are used for.

1.3- Use public key authentication when possible: It's recommended to use public key authentication to replace the password authentication mechanism if possible.

1.4- Implement two-factor authentication when possible: Implement an additional security level for your authentication mechanisms.

1.5- Store your credentials and keys securely: You can use a password manager to securely store your passwords, or store them locally on an encrypted partition using encryption tools (such as TrueCrypt, BitLocker, FileVault for Mac, ...).

2- Users & groups

2.1- Delete users and groups that are no longer in use: Check the list of the users and groups configured for your server and/or applications and delete all the ones that are no longer in use.

2.2- Enforce role separation: If your server and IT infrastructure are managed by a group of people (administrators, web developers, ...), or if part of your IT infrastructure management is outsourced, role separation (also called separation of duties) will help restrict the amount of power held by a member of the team. It also helps to put a barrier in place to prevent fraud or errors which may cause security issues. A user account should have just enough access to do what its user needs to do for their role and not more.

3- Services & packages

3.1- Remove services and software packages that are not required for your server: This avoids unnecessary security risks related to those packages and services, now and in the future.

3.2- Limit the access to your services when possible: Some services should be accessible only from a few IP addresses. So instead of leaving the service open and accessible from all around the world, you should limit the access using the firewall (see below), the service configuration parameters or TCP wrappers.

3.3- Secure the services running on your server: Apply the security best practices provided by the providers of the service packages. (Example: cPanel, Plesk, SQL Server, Apache, ...)

4- File system, Files and directories

4.1- Set the right permissions: The right permissions have to be set for all folders, files and partitions on your file system. Do not use the SUID bit unnecessarily, especially for files owned by root. It is better to use 'sudo' when unprivileged users need access to an administrative function.

4.2- Assign the right ownership: To protect your valuable data and ensure the integrity of your file system, you have to identify and assign the right ownership to the users and groups allowed to read, modify or even execute commands and scripts.

4.3- Monitor your file system's integrity: For the protection of critical systems, monitoring file integrity is important, especially if you are required to be compliant (PCI-DSS, ...). File integrity monitoring will help you answer some questions: who made the change, what has been changed, when it was changed, what was the previous value, ...

4.4- Scan your server for viruses, rootkits, backdoors and local exploits: This applies specifically to customers specializing in shared web hosting, where different users (end clients) are allowed to upload files, manage their websites, and install packages and software (CMS, plugins, ...) in their space. Most shared hosting environments contain a huge number of compromised websites and unpatched packages, and are used by users who do not take the necessary actions to protect their websites. Scanning your server to detect, prevent and clean the filesystem from any malicious files (backdoors, viruses, ...) is important.

4.5- Encrypt your data when needed: If you are required to be compliant (PCI-DSS, ...) or you only want to protect your valuable data and prevent unauthorized viewing of those assets, sensitive data encryption is best practice.

5- Operating System and Software

5.1- Apply the vendor’s recommended security best practices: Most of the software providers have Knowledge Management Systems where you can find a list of recommendations and best practices to secure your installation.

5.2- Keep your software and operating system up-to-date: This is one of the basic principles of any IT infrastructure administration. Keeping your infrastructure packages and software up-to-date will help you avoid any trouble (end-of-life) or security issues caused by outdated packages and software.

5.3- Apply vendor’s Security Patches as soon as they are available: This is applicable for any type of software or package installed by you or your clients on the server. For example, if you have installed third party software packages, such as Joomla! or WordPress or other software, be sure to keep them updated and patched.

6- Firewall, IDS and IPS

6.1- Secure your infrastructure using a firewall: You can choose between software or hardware firewalls to protect your servers.

6.2- Ensure that the firewall is running: To keep your servers and IT infrastructure secure, the firewall has to be up and running at all times.

6.3- Secure your infrastructure using a WAF (Web Application Firewall) when needed.

6.4- Use an Intrusion Detection System (IDS) when needed: Different solutions and flavors exist to implement a host-based or a network-based IDS based on your needs and compliance requirements.

6.5- Use an Intrusion Prevention System (IPS) when needed: Choose an IPS that includes detection and prevention phases.

7- Regular Audits & Vulnerability scans

7.1- Audit your servers and check the logs regularly: Auditing your server regularly is an important component of your IT infrastructure management lifecycle. This will help you to ensure that the minimum security requirements are always met and your users and administrators are compliant with your security policies. It will also enable you to identify any security issues that have to be fixed.

7.2- Scan your server for vulnerabilities: To identify vulnerabilities in the software and packages installed on your server(s), regular vulnerability scans are important. Hackers are always scanning the internet to discover vulnerable servers and websites. Be proactive and fix any security issues before they are exploited by the bad guys.

8- Backup

8.1- Ensure your data is backed up regularly and securely: It is useful to keep regular backups in case your server has been compromised. Both WHM and Plesk have easy-to-use backup systems to create user data backups.

iWeb also provides Idera/R1Soft backups, either in shared or dedicated format.

