STEP LOGIC Offers Advice on Improving IT Infrastructure Security
In view of the increasing number of cyber attacks, STEP LOGIC Information Security Services Center has compiled a set of recommendations for bolstering cyber-protection of IT infrastructure in domestic companies.
In addition to basic steps to improve security, the checklist also contains an algorithm of actions to prepare for possible DDoS attacks and termination of support for Microsoft products.
Recommendations will be revised according to changes in the market situation. Check the website for updates.
If you have additional questions or need advice from the Information Security Services Center experts, please email security@step.ru
Basic IS Recommendations
1. Complete all transitions you have going on in the IT infrastructure as quickly as possible. Minimize updates and global settings.
2. Try to achieve the maximum stability of the infrastructure and the required fault tolerance level.
3. Transfer your data and services from foreign cloud systems to local computing resources.
4. Set up your own spare parts inventory or conclude a service contract to minimize the risks of service downtime in case of equipment failure. To that end, choose a partner with a large stock of equipment and spare parts.
5. If there is no technical support from the manufacturer, services can be provided by a service partner. Without the manufacturer involved, some limitations are obvious; however, this approach will reduce the risks to an acceptable level, at least for the period of migration to another manufacturer.
6. Conduct safety rule audits. Limit access to/from the Internet as much as possible. For all Western solutions, cut off access from your network to the update and licensing servers wherever acceptable, and consider temporarily disabling software updates until the situation stabilizes. Consider adding domestic firewalls at the border with the Internet (staged protection).
7. Conduct an IS settings audit: check whether all components (information security tools and system/application software) have the existing security measures (access control, logging, authentication, anti-virus protection, etc.) enabled and their settings put in accordance with the business process needs and manufacturers' recommendations, as well as security standards (hardening guide).
8. Scan your infrastructure for open non-legitimate and vulnerable services. To get an objective picture of your security level, perform an additional scan from the Internet.
9. Change passwords on your equipment. Use only complex passwords, at least 12 characters long (numbers, letters, upper/lower case).
10. Take special care to protect remote users, especially administrators: use two-factor authentication and improve protection of remote access protocols including, but not limited to, RDP.
11. Conduct backups of data and configurations to ensure rapid recovery. For better security, keep backups in an isolated environment that cannot be accessed from the Internet, and/or on removable media.
12. Wherever possible, limit the use of external resources, APIs, downloadable widgets and services developed and hosted by foreign organizations (e.g., Google Analytics).
13. Implement segmentation and microsegmentation for granular traffic control, primarily to limit access (including for internal users) to infrastructure services (AD, SCCM, DNS, etc.).
14. Protect your key services with appropriate solutions. For example, in order to protect web applications and servers, you can filter traffic using the Web Application Firewall (WAF).
15. Save the software modules, libraries and other resources you use that are located in foreign repositories
(GitHub) to local resources.
Additional Recommendations
1. Prepare for possible DDoS attacks, as the departure of major providers of relevant solutions has left some organizations unprotected. Limit the number of connections (rate-limit), attempts to open new sessions from one IP address and half-open (embryonic) connections; implement geographical restrictions.
2. Introduce IS incident monitoring in your infrastructure, at least for the crucial services and applications.
3. Improve email protection.
4. Develop and test contingency (disaster recovery) plans, including for data loss and disconnection of key equipment.
5. Update IS threat/risk assessment models to reassess the likelihood of IS threats related to supply chain risks, country risks, and availability/serviceability disruptions. Review and update measures aimed at managing these risks.
6. Block traffic from other countries, if appropriate; for example, if your customers and target audience are exclusively in the Russian Federation.
7. Block traffic from the TOR network.
8. Introduce the practice of controlling the actions of administrators (especially important!) and users. Consider implementing Privileged Access Management systems.
9. Limit user access to Internet-based information resources by means of proxy servers or content filtering (introduce a white list of resources and services).
10. Brief users on IS concepts to raise awareness of current attacks and intruder techniques.
Recommendations for Microsoft Products
1. Email system based on Microsoft Exchange
- Set up content filtering to block messages containing potentially dangerous attachments with CMD, BAT, EXE, PS1, VBS, SCR, HTA extensions.
- Activate the sending domain authentication mechanisms (DKIM, DMARC, SPF).
- Check that the Microsoft Exchange antivirus signature databases are up to date; update them, if necessary.
- Make sure that the Exchange Admin Center (/ecp) cannot be accessed from the external and internal networks. Make access of system administrators possible only from intranet IP addresses.
- Notify users of the IS rules for external emails.
- Consider implementing the Data Loss Prevention mechanism built into Microsoft Exchange.
- If you use the WSUS Update Server, block the download of any updates to Windows and related products released after 2/23/2022.
- Develop and apply a group policy to disable the Windows Update Center service for all servers, client PCs and laptops using the Windows OS.
- Verify and implement the use of trusted Russian upstream DNS servers.
5. Check the correctness of backup tasks for all major information management systems and services and make sure they are up-to-date.