Securing your computer network (part 2) #CyberSecMonth

Partitioning, protecting and controlling: the secrets to securing your network

Internet access has become almost indispensable in a professional context. Unsecured access to the Internet can become the source of many problems:

• Execution of malicious code
• Downloading dangerous files
• Taking control of the terminal
• Leaking sensitive data
• And many other threats.

The conclustion is clear : It’s imparative that you secure your organization’s network in order to ensure the integrity of the information system!

Adopt the right reflexes to secure your network:

Dissociate the services visible from the Internet from the system:

Hosting services visible on the Internet internally is a practice that requires a lot of vigilance on the part of the organization. Indeed, administrators must be able to guarantee a high level of protection. If the organization cannot do this, it can still use outsourced hosting for its services visible on the web.

To keep your network secure internet hosting infrastructures must be physically partitioned from all other system infrastructures. It is also recommended to set up an infrastructure for interconnecting these services with the Internet. In order to filter the flows related to these services from the entity’s other flows. These flows must imperatively pass through a reverse proxy server with many security mechanisms embedded.

Professional messaging, a channel to prioritize:

Messaging is the main vector of infection in the workstation. Particularly when opening attachments containing malicious code or clicking on a link that redirects to an equally malicious site. First and foremost an awareness phase must be conducted internally to help secure your network. In the second step, you have to verify the authenticity of the message through another channel (phone, sms …).

The redirection of professional messages to a personal account should be avoided. In terms of security this practice represents a data leak. A remote access solution to professional messaging is a good alternative against this problem. In case of hosting on the email system, it is important to have an antivirus scanning system to prevent the reception of infected files. As well as activate TLS encryption of exchanges between email servers and between user workstations and hosting servers.

Remain vigilant about partner relationships:

Organizations sometimes need to establish a dedicated network interconnection with a supplier or customer, especially to exchange data. These exchanges must pass through a private network or a site-to-site tunnel (Ipsec). By principle, partners cannot be considered secure, so it is essential to perform IP filtering with a firewall as close as possible to the flow entries on the entity’s network. The flow matrix should be reduced if necessary for operational purposes, maintained and equipment should comply with it.

Don’t forget the physical security of the entity:

Physical security mechanisms are also part of an organization’s security strategy to securing their network. It is important to put in place adequate physical security measures and to continually raise awareness among users of the risks associated with circumventing rules. In addition, network outlets in public areas should be restricted or even disabled if possible to prevent intrusion. This device makes it possible to avoid any intrusion on the network.

The access to server rooms and other technical rooms must be secured with secure locks and badge systems. Unaccompanied access by external service providers should be prohibited or, failing that, access should be traced and limited to strict time slots. It is important to regularly review access rights in order to identify unauthorized access or to update them (departure of an employee, change of service provider, etc.). In short, you need to know your information system in order to be able to control access to your infrastructure.

How to apply these solutions to secure your network?

Securing the computer network is not easy without special skills. To act effectively, you need good methodologies and appropriate tools. These tools can be obtained easily and quickly, unlike methodologies that are more complex to address. These methodologies can be obtained through the internal training plan or with the assistance of an expert such as Tranquil IT.

The first step we recommend is to contact a PASSI to carry out a complete audit of your fleet. They are classified into different categories:

• Architecture audit
• Configuration audit
• Source code audit
• Intrusion test
• Organizational and physical audit

ANSSI certifies the audit bodies on each of these criteria individually. Not all PASSI are qualified for all criteria, refer to the PASSI list for more information. Once your audit is complete, we can help you apply the audit body’s recommendations to secure your network.

Take advantage of our expertise

Tranquil IT has 15 years of expertise in the local network security sector. We can easily help you to apply the recommendations of an Information Systems Security Audit Service Provider (PASSI). We combine our DevSecOps methodologies with a combination of tools that we master to act efficiently and securely on a fleet. We therefore use SRP (Software Restriction Policies) to establish security barriers, Samba Active Directory for user rights management and WAPT for to control your applications. The combination of these three tools allow us to guarantee the security of your IT park.

The European CyberSecurity Challenge 2018, a winning challenge?

The French team quickly positioned itself in the top three on the first day of competition. Finally dethroned in the middle of the day, France was able to establish itself as a major player in the competition. The French team again took first place on the second day, the end of the competition was extremely tough and the scores were very close. Germany will finally finish first in this competition, but we can still congratulate our French team who finished second on the podium, an impressive performance for its first participation. The revenge will take place in 2019 in Romania!

• The basic rules to protect yourself – BFM.TV
• Ransomware : How to know and remove them – Asgard

Find all our recommendations on Twitter and LinkedIn and on hashtag : #TousSecNum, #CyberSecMonth, #ECSM2018 et #ECSM. Also follow our hashtag #CyberConseil to follow Tranquil IT’s advice and discover the following graphics.