CIR BC Strategies for Infrastructure

CIR BC Strategies for Infrastructure

This article discusses the preventive, mitigation and recovery strategies for protecting the infrastructure.  These strategies include:

1. Malware Protection
2. Boundary Firewalls and Internet Gateways
3. Secure Configuration
4. Infrastructure Management
5. Mobile Device Management

1. Infrastructure: Malware Protection

Using malware protection software can protect an organization’s information assets from malware infections. Cyber security attackers utilize the internet to send malware (HM Government, 2014) to the organization’s computer.

There will be no malware infection unless the user opens an infected email, browses a compromised website, or opens an unknown file on a removable storage media. Hence, the organization has to deploy dedicated software to monitor, detect and disable the malware.

1.1 Basic Technical Cyber Protection for Malware

The minimum requirement is to:

• Install malware protection to any computer terminal/laptop that is capable of accessing the internet
• Update malware protection software regularly so it remains relevant
• Configure malware protection software to scan files automatically scan files upon access (downloading/opening files, accessing files from a removable storage media/ network folder) and to scan web pages when browsing
• Configure malware protection software to scan all files regularly
• Install malware protection software to deny access to malicious websites
  

2. Infrastructure: Boundary Firewalls and Internet Gateways

To protect organizational information, applications, and computers within the internal network against unauthorized access and disclosure from the internet, boundary firewalls, internet gateways, or equivalent network devices are used.

Cyber security attacks can gain access to the organization’s computers and acquire information easily if a boundary firewall, internet gateway, or equivalent network device is not installed.

Commodity cyber security threats – attacks based on capabilities and techniques (HM Government, 2014) that are freely available on the internet – can be protected against with the installation of a boundary firewall where inbound and outbound network traffic to authorized connections are restricted through the application of configuration settings known as firewall rules.

2.1 Basic Technical Cyber Protection for Boundary Firewalls and Internet Gateways

The minimum requirement is to:

• Change the weak default administrative password that is easily exploited to an alternative, strong password
• Obtain approval from an authorized individual for each rule that allows network traffic to pass through the firewall and document its purpose
• Deny access to standard unapproved services at the boundary firewall
• Remove/Disable obsolete firewalls promptly
• Restrict access to the administrative interface from the internet

2.2 Alternative Controls

In scenarios where the organization has engaged a third-party vendor, and the administrative interface needs to be accessed from the internet, the interface should be protected by additional security measures such as:

• Strong password
• Encryption of connection
• The restricted number of authorized individuals accessing the internet
• Enabling administrative interface only during this period

3. Infrastructure: Secure Configuration

Inherent vulnerabilities threatening the organization’s computers and network devices can be reduced if configured to provide only the services required to fulfil their roles.

When an organization first purchases new equipment (hardware or software), they are not secure. Usually, they come with an administrative account with a predetermined default password, one or more unnecessary user accounts enabled, and pre-installed but unnecessary applications.

If not configured (changing passwords), these platforms provide cyber security attacks easy access (HM Government, 2014) to an organization’s assets.

Once the organization starts implementing security controls to these devices, protection against cyber security attackers is increased, minimizing inherent weaknesses.

3.1 Basic Technical Cyber Protection for Secure Configuration

The minimum requirement is to:

• Remove or disable unnecessary user accounts
• Set strong passwords for all user accounts
• Remove or disable unnecessary software
• Disable the autorun feature
  
• Install personal firewalls on desktop PCs and laptops, which are configured to block unapproved connections

4. Infrastructure: Infrastructure Management

IT infrastructures within the organizations help with the operations of daily activities. Production and efficiency of the business are increased with the utilization of the infrastructures. However, since they create and utilize data during functioning, the data is at risk of influence from cybercriminals.

Although security controls (Zanderigo, 2017) have been installed on the infrastructures, the organization has to monitor the infrastructures continuously to ensure that they are secured and not vulnerable to cybercriminals to exploit.

Specific organizations are obsessed with getting the best security controls from the market for their IT infrastructures. They are willing to spend the resources to obtain them, and once they do, they are under the illusion that they are well-protected with the existence of the controls.

Organizations fail to realize that resources spent on acquiring new security tools, removing old tools, and installing the newly acquired tools can be better spent on fine-tuning existing tools. A finely-tuned defensive control is more efficient at mitigating cyber security incidents than a newly-added control because the organization is assured that the existing control will be capable of performing its duties.

Adding new security controls (Rick, 2017) is necessary with the increased dependency on technology. However, the existing controls should not be neglected. The current controls, together with newly-added controls, should be fine-tuned to their maximum efficiencies to secure the IT infrastructures within the organization.

4.1 Blacklisting/ Whitelisting IT Infrastructures

Blacklisting refers to an inventory of known malicious entities such as unauthorized infrastructures, known malware, users, processes, and IP addresses that should not have access to the organization’s systems as they pose a threat to the organization.

Information required to develop a blacklist (Finjan Team, 2017) can be gathered from surveying employees within the organization, security intelligence, and first-hand experience. However, creating a blacklist is not as beneficial.

Security controls have already been developed for the cyber security threats identified in the blacklist; organizations by now would know these threats and implement the appropriate security controls. A blacklist is useless to the organization for sophisticated or unknown cyber security attacks.

Whitelisting is the complete opposite of blacklisting. Acceptable entities allowed access to the organization’s system is identified instead. The creation of a whitelist is based on a ‘zero trust’ principle where only authorized infrastructures are allowed access; anything else is denied access.

The whitelist (Finjan Team, 2017) has to be updated regularly, including newly introduced technologies or removing obsolete, redundant infrastructures. Although it is significantly better at dealing with unknown cyber security threats, the effort and resources required are comparatively more demanding as security controls will have to be implemented for every identified infrastructure.

5. Infrastructure: Mobile Device Management

The trend of employees bringing their mobile devices to work has been growing. As employees enjoy the flexibility of working from their devices, the organization also enjoys the benefit of increased efficiency at lower equipment costs.

However, new security concerns arise (Continuum, 2017) as personal devices are connected to the corporate network. Organizations can introduce Mobile Device Management (MDM) to secure their employees’ devices.

As the employees continue to utilize their devices when connected to the corporate network, vulnerabilities are exposed for cybercriminals to exploit, which are not under the radar of the IT department. Hence, measures such as installing malware protection on the employees’ laptops must be developed and executed to ensure that the personal devices are protected from cyber security attacks.

Currently, connectivity between devices and the network is gradually increasing. However, these devices or the Internet of Things (IoT) are not built from a software or security point of view. They were installed for their functionalities, generating attack vectors for cyber criminals to exploit.

Regardless of the device's purpose, they are still connected to the organization’s network, increasing the complexity of security as the devices (Raja, 2017) may include employees’ applications or information.

Developing policies to segment access based on the purpose of devices or having separate networks is crucial for effectively managing IoT device connectivity. Knowing who is and what devices are connected to the network and the activity of the connection are some good practices that organizations can adopt.

Component of Prevention/ Mitigation CIR BC Strategies

BACK TO: Mitigation and Response Strategies	CIR BC Strategies for Infrastructure	CIR BC Strategies for People	CIR BC Strategies for Policy
CIR BC Strategies for Process	CIR BC Strategies: Respond	CIR BC Strategies: Recover	CIR BC Strategies: Defence Lines

Do You Want to Continue BCM Training onsite or online?

Competency-based Course		Certification Course

Goh, M. H. (2017). A Manager's Guide to Business Continuity Management for Cyber Security Incidents, 2nd Edition. GMH Pte Ltd.

Reference: Chapter 7 Developing Mitigation and Response Strategies 7.6  Infrastructure

Note:  This version was the draft 2nd Edition being updated in 2023. The numeric in the square bracket [X-X] cross-refers to the actual chapter and section in the 1st Edition.