Cyber Security: Secure-by-Design Recommendations

Created: 6/15/19

Updated: 11/27/19

Below are some basic “Secure-by-Design” recommendations that should be followed to ensure a “Secure-by-Design” Defense-in-Depth:

This list is not all inclusive, but it’s a good baseline.

  • Digital forms of configurations that can be stored encrypted and highly available
  • Avoid Telnet, FTP or other forms of communication sent in clear text
  • Secure management protocols such as SSH, and TLS 1.2 or higher for in-motion traffic
  • Blocked UDP 3544, unless otherwise needed for IPv6
  • Blocked TCP 53, 88, 135-139, 445 and UDP 88, 137, 138 on all public WAN zoned firewalls, when possible – Wannacry mitigation
  • Allow only UDP 53 and TCP 80, 443, and 3389 (if using default)
  • Change RDP port from default 3389 for all critical servers, especially public facing servers. Example: here.
  • Access control lists for all critical servers
  • Controlled access thru ACL’s such as ACL’d Jumpboxes
  • Out-of-band Management Fabric, not in-band, think vLAN hopping or double tagging, when possible (cost restraints)
  • Consider moving native vLAN from default vLAN to high unused vLAN, prevents double tagging
  • Out-of-band Storage Fabric, think is encryption of iSCSI a good idea? – if your arrays can’t handle the encryption overhead put them OOB of production traffic in a secured data rack
  • Enable complex passwords on SSH, Telnet, and Console line access on network switches
  • Enable port security with sticky macs on ports with shutdown violations, when possible
  • Disable unused ports on switches, when possible
  • Disable dynamic auto-negotiation trunking protocols on switch ports, this prevents unauthorized probing
  • Enable Routing authentication between switches and firewalls of Advanced routing like OSPF with HMAC-SHA-256 or higher, when possible. Don’t use MD5 or HMAC-SHA-1
  • Deployment of 802.1X aka PNAC, when possible
  • Deployment of 2FA on all forms of business, critical systems are of upmost importance 1st like email, remote access, documentation then servers and desktops.
  • Ensure a comprehensive backup plans is deployed, 3-2-1 is recommended: 3 places of backups, two local, and one cloud; one being the file server or storage appliance, one being a local backup array, and the other being a cloud backup array and then ensure encryption is applied and backups are tested monthly
  • Recommended minimum backup routine (1) last Saturday of each month ‘grandfather’ backup,  (4) weekly Saturday ‘father’ backups, and (5) weekly ‘son’ backups (cycled weekly) for 1 month
  • Implementation of “In-Motion” Encryption; article on topic, here.
  • Implementation of AES-256 bit encryption on storage arrays including backup arrays for data at-rest
  • Highly available storage of Storage “At-Rest” Encryption keys for both local (iSCSI/FC/FCoe NAS/SAN) storage and local/cloud backup arrays
  • Determine if Bitlocker Encryption is a viable solution for DLP, applies only to Windows Systems, use if possible (note be mindful of O/S version with Bitlocker)
  • Ensure Bitlocker Encryption keys are stored highly-available, if applicable
  • All updates for server, switches, firewall, etc and firmware’s should be digitally signed and verified against their hash after downloading and before executing
  • Apply all security updates possible for servers and stagger other updates as needed, at a minimum
  • Use TPM v1.2 or higher chips
  • Secured document management for all passwords and configurations stored with high-availability
  • Audit and logging on all users, desktops, servers, switches, firewalls, and other network devices
  • Least privileged of system and file access
  • Command shell restrictions, example blocking command prompt for standard users via group policy
  • When sharing folders determine if adding a $, example “foldername$” at end of folder share should be configured, this prevents folder share from being visible to standard users when navigating SMB UNC mappings
  • Remove bloatware from desktops and servers provide from computer maker by default, exploits have been found with bloatware from Dell OpenManage as an example.
  • All executable programs require administrator permissions to install on all accounts, especially on IT admin accounts
  • Standard user logins for all users to “live” in, including IT admins
  • Administrator accounts made with complex passwords of 20+ characters that are used to “elevation” even by IT administrators
  • Removable media turned off by group policy
  • Deployment of web cam covers
  • Enforcement of only encrypted flash drives used
  • Auto logoff of users after 3 minutes of inactivity via group policy
  • Enforcement of complex and unique passwords with long lengths of  15+ charterers made up of words vs the traditional shorter passwords with symbols, upper case, lower case, and numbers
  • Balancing of Windows Server Active Directory FSMO Masters. Example: here.
  • When a PKI is used, create the root CA in a standalone deployment as a member of a custom workgroup, not domain joined. Once Enterprise Intermediate CA is online, turn off root CA and keep offline unless to do system update quarterly
  • Ensure that DNS “zone transfers are only allowed on Name Server for the specified domain” only.
  • Manually add a rule for NTP servers like pool.ntp.org over UDP port 123 as the only allowed NTP server’s to connect to your network; as an example. Also ensure your PDC FSMO Master only uses these NTP servers for time. Examples: here, and here.
  • Use of PKI certificates, when possible
  • Acceptable Use Policy
  • Clean Desk Policy
  • Email Policy
  • Social Media “Information Sharing” Policy
  • Acceptable Data Encryption Policy
  • Data Loss Prevention Policy
  • Removable Media Policy
  • End User Password Complexity Policy
  • Anti Virus and Anti-Malware Policy
  • Data Logging Policy
  • Internet Usage Policy
  • Edge Firewall Policy
  • Server Room Access Policy
  • Server Security Policy
  • Audit Policy
  • Mobile Device Encryption Policy
  • Software Installation Policy
  • Equipment Disposal Policy
  • Workstation Security Policy (If HIPPA Compliant)
  • Remote Access Policy
  • Router and Switch Security Policy
  • Wireless Communications Policy
  • Digital Signature Acceptance Policy
  • Security Awareness Training Policy
  • Disaster Recovery Plan Policy
  • Security Response Plan Policy
  • Data Breach Response Policy

This list will be updated over time.

Refer to NIST 800-54 Rev 4

Cheers! 😀