Securing the network (part 2) #CyberSecMonth
Partitioning, protecting and controlling: the secrets of a secure networkInternet access has become almost indispensable in a professional context. Unsecured access to the Internet can become the source of many problems: malicious code, downloading dangerous files, taking control of the terminal, leaking sensitive data, and many other threats. Securing the organization’s network therefore means ensuring the integrity of the information system!
To better protect themselves, organizations must be more than vigilant about connecting to the Internet. It is important to set up “barriers”, whether to access the network or between workstations, to ensure the security of the system and to be able to act more easily in the event of a cyber attack.
Adopt the right reflexes:
Dissociate the visible services from the Internet from the system:
Hosting services visible on the Internet internally is a practice that requires a lot of vigilance on the part of the organization. Indeed, administrators must be able to guarantee a high level of protection. If the organization cannot do this, it can still use outsourced hosting for its services visible on the web.
Internet hosting infrastructures must be physically partitioned from all other system infrastructures. It is also recommended to set up an infrastructure for interconnecting these services with the Internet to filter the flows related to these services from the entity’s other flows. These flows must imperatively pass through a reverse proxy server with many security mechanisms embedded.
Professional messaging, a channel to prioritize:
Messaging is the main vector of infection in the workstation, particularly when opening attachments containing malicious code or clicking on a link that redirects to an equally malicious site. Beyond an awareness phase to be conducted internally, it is necessary to check the authenticity of the message through another channel (telephone, SMS, etc.) in case of doubt.
The redirection of professional messages to a personal message is to be avoided since this practice represents a data leak. A remote access solution to professional messaging is a good alternative against this problem. In case of hosting the email system it is important to have an antivirus scanning system to prevent the reception of infected files but also to activate TLS encryption of exchanges between email servers as well as between user workstations and hosting servers.
Remain vigilant about partner relationships:
Organizations sometimes need to establish a dedicated network interconnection with a supplier or customer, especially to exchange data. These exchanges must pass through a private network or a site-to-site tunnel (Ipsec). By principle, partners cannot be considered secure and safe, so it is essential to perform IP filtering with a firewall as close as possible to the flow entries on the entity’s network. The flow matrix should be reduced if necessary for operational purposes, and maintained equipment should comply with it.
Don’t forget the physical security of the entity:
Physical security mechanisms are also part of an organization’s security strategy. It is important to put in place adequate physical security measures and to continually raise awareness among users of the risks associated with circumventing rules. In addition, network outlets in public areas should be restricted or even disabled if possible to prevent intrusion.
The access to server rooms and other technical rooms must be secured with secure locks and badge systems. Unaccompanied access by external service providers should be prohibited or, failing that, access should be traced and limited to strict time slots. It is important to regularly review access rights in order to identify unauthorized access or to update them (departure of an employee, change of service provider, etc.). In short, you need to know your information system in order to be able to control access to your infrastructure.
How to apply these solutions?
Securing the computer network is not easy without special skills. To act effectively, you need good methodologies and appropriate tools. Tools can be obtained easily and quickly, unlike methodologies that are more complex to address. These methodologies can be obtained through the internal training plan or with the assistance of an expert such as Tranquil IT.
The first step we recommend is to contact a PASSI to carry out a complete audit of your fleet. They are classified into different categories:
- Architecture audit
- Configuration audit
- Source code audit
- Intrusion test
- Organizational and physical audit
ANSSI certifies the audit bodies on each of these criteria individually. Not all PASSI are qualified for all criteria, refer to the PASSI list for more information. Once your audit is complete, we can help you apply the audit body’s recommendations to secure your network.
Take advantage of our expertise
Tranquil IT has 15 years of expertise in the local network security sector. We can easily help you to apply the recommendations of an Information Systems Security Audit Service Provider (PASSI). We combine our DevSecOps methodologies with a combination of tools that we master to act efficiently and securely on a fleet. We therefore use SRP (Software Restriction Policies) to establish security barriers, Samba Active Directory for user rights management and WAPT for application control to ensure the security of your IT assets.
The European CyberSecurity Challenge 2018, a successful challenge?
The French team quickly positioned itself in the top three on the first day of competition. Finally dethroned in the middle of the day, France was able to establish itself as a major player in the competition. The French team again took first place on the second day, the end of the competition was extremely tough and the scores were very close. Germany will finally finished first in this competition, but we can still congratulate our French team who finished second on the podium, an impressive performance for its first participation. The revenge will take place in 2019 in Romania!
"Is this real life? Is this just a fantasy?"Attention, this is not a dream, WAPT 1.8 is (finally) here! Just like you, I have had to be patient before I began writing about the new version; But, it is with great pleasure that I get to present you with newest...
At Tranquil IT, we work on a daily basis with system administrators who are looking for fast and efficient solutions to manage and secure their IT assets, which is certainly why they come to meet us (hello WAPT). And if there is one problem that any AdminSys is likely...
As with many organizations, we took advantage of the calm summer to refocus ourselves on our new projects and recharge our batteries. Now that the September rush has passed, the blog is back in action! I know what you might be thinking after this introduction : " WAPT...