Security is just plain hard! Target's massive breach was followed by news about MongoHQ, then Neiman Marcus, and now eBay has become the latest enterprise to fall victim to hackers. The bottom line is that almost anyone using a point-of-sale (POS) device may be at risk. The economic impact of these breaches can be brutal. Look at the recent Adobe and Michael's breaches. Both of these companies have considerable resources, but still did not do enough to protect against such attacks. As a result, they didn't protect their consumers.
A comprehensive security approach can help, however, in reality most companies can't take enough preventative measures to thwart a breach. If a hacker has you in their sights and you don't have a significant security program, it is extremely unlikely that you will be able to withstand a sustained, concentrated attack on your network infrastructure from an elite adversary. The good news is that for most organizations outside of major financial institutions or government agencies, cyber criminals generally go for the low-hanging fruit and will move on if it's not an easy process to break in.
This article will not focus on network-based security, because with so much infrastructure moving to the cloud, that network perimeter isn't being controlled by the end user organization anyway, but rather the cloud provider. With that in mind, let's focus on three major foundational areas of security.
Control and protect user credentials
The first and perhaps the greatest threat vector is compromised user credentials. Users sometimes pick weak credentials and brute force attempts crack them. Your servers are being hammered by login attempts from all across the world, after all. Unfortunately, users reuse credentials across other sites. The other site is hacked and that username and password is attempted all across the internet.
Phishing attempts are also a key source of compromised credentials. Phishing techniques are increasingly sophisticated and are a constant cause for concern for DevOps and IT folks. On the internal side, employees that have departed the organization often maintain access to various VPNs, servers, and other devices. For organizations with large infrastructures, removing a former employee from all access is essential.
Finally, providing the right access to the right users is a must. It's easier to give everybody blanket access, but as your organization grows, that's a huge risk. Protecting your employee's credentials isn't just their job, it becomes your job, too. It's perhaps the number one threat to your infrastructure.
Patch. Patch. Patch.
The second key vector is patching. It is an age-old exercise that DevOps and IT admins just hate. Patching machines is time consuming, tedious, and fraught with risk. Patches can fail; they can break applications; or, they can crash machines. Unfortunately, patching is also essential to staying secure. Up-to-date code is much harder to compromise than old code with known defects. If your code is current, it will force attackers to use zero-day exploits on your systems.
Start with the operating system and ensure that it is up-to-date on all of your devices. Build a schedule and stick to it. After the OS is secure, move on to applications. Start with your highest profile apps. Your database servers, application servers, and networking infrastructure. Those are top targets, as they enable access to critical data or systems. Work outward to your end-user applications and develop a process to know that your devices are up-to-date. Finally, if you have custom applications, those also need to be monitored for out-of-date components and for reported bugs that could be leveraged to compromise a system. Some companies are even rolling new images or AMIs of their devices and pushing those out using automated configuration tools.
Monitor outbound traffic
Finally, monitoring outbound connections – sometimes called egress monitoring is paramount to establishing a secure infrastructure. This activity isn't necessarily a “threat” vector but more of a mechanism designed to quickly detect a compromised host. Most advanced persistent threats (APTs) do gain control of a device, and they have it talk back to some “command and control” device. There are any number of different ways to compromise a device, and after stopping some of the most common vectors it becomes prohibitively expensive to keep trying to prevent a breach.
Detecting a compromised device is also important. The key is to detect it as quickly as possible and to disable it. One technique gaining popularity is to monitor outbound connections from a device and restrict outbound connections. Any connections that are initiated by the device to another can be reviewed. These connections often fall into patterns. Your database server talks to an app server. Your app server may talk to a third party service that you've purchased for log processing, for example. Most servers don't initiate a lot of random outbound connections.Each of these areas are critical for DevOps and IT admins to get their arms around. Step back and take a moment to understand where the top attack vectors come from and how to detect if there is a problem. Controlling user credentials, patching, and monitoring outbound connections should always be at or near the top of your list. If you build an approach to handle those tasks, you will be well on your way to protecting your organization.