From system hardening and network zoning to active security monitoring
This blog article reproduces the presentation by Ralf Kempf at the event “Cybersecurity for Maritime Infrastructures” organized by Maritimes Cluster Norddeutschland e.V. (“Northern German Maritime Cluster”), held October 30, 2019, in Bremerhaven.
Today, cyberattacks on companies can easily cause damage in eight or even nine figures. Such attacks often take the form of spam e-mail, written with perfect spelling and grammar, that appears to have been sent by a colleague or a friend. The recipient is usually instructed to click a link or enter a password. And then it’s already too late: The malware spreads throughout the company.
Yet companies can protect themselves even against such professionally prepared attacks. I repeatedly encounter cases where companies spend lots of money on physical access protection, but leave all doors wide open when it comes to e-mail. If someone wants to enter the building, they have to show their ID – but anyone can gain access via e-mail or USB stick. There will always be an employee who clicks an enticing link – that’s just human nature – but it’s negligent for companies to give them the opportunity to do so in the first place. IT security can be vastly improved with just a few, very simple security precautions. You could prevent e-mails with Office attachments from being delivered right away, for example. Instead, these e-mails could initially be placed in quarantine for review. Another simple step is the deactivation of macros. In short, companies should always ask the following key question:
How can I make my systems more secure and more resistant to external attacks?
This is where system hardening comes in – that is, the removal of all software components and functions that aren’t absolutely necessary to deliver the service. This involves the following:
- Pre-installed software and other software that isn’t needed for work should be deleted on user devices and servers.
- Server processes should run exclusively with an unprivileged account, without any further permissions. A global admin account should never be used for this purpose.
- File system permissions and their inheritance should be configured specifically to the company’s needs. For example, a warning could be triggered if too many documents or entire directory structures are opened in less than a second. This is a clear sign that a script, not an employee, is doing so.
- Changing passwords regularly is a must. Another absolute basic is to install the regular updates and patches that the major vendors and manufacturers distribute, usually on a monthly basis.
- Data should only be transmitted in encrypted form, for example via SSL/TLS or SNC (SAP Secure Network Communications).
- Only up-to-date software without vulnerabilities should be used. Taking inventory of the installed software is a prerequisite for ensuring this.
While ISO 27001 provides a framework for hardening internal IT systems, it does not provide any precise technical specifications. A security officer will find specific descriptions of measures in ISO 27002, however. Unfortunately, there are only a few such measures for SCADA (supervisory control and data acquisition) systems, and none at all so far in the area of maritime systems. That’s why I will now present our recommended process for securing your IT systems, based on three steps: system hardening, network zoning, and active security monitoring.
System hardening at all levels: essential for secure IT systems
Safeguarding always means securing the equipment first, then restricting the users and their permissions, and then monitoring and updating the system as a whole. Yet what seems obvious in theory – and I’m speaking from experience with many, many customers over many years here – is difficult in practice. Companies need not only time and money; they also need the will to change things. Many of them are reluctant and say, “we can’t change that because then process x won’t work anymore.” But I’m convinced that processes like this can be converted effectively and more easily than feared. All it takes is good planning and a bit of courage.
So what does the specific procedure for security projects look like?
- Company security policy:
First of all, the requirements have to be defined. What software and hardware is being used? A security policy can be derived from this.
- Technical security policy:
The company security policy, which tends to be more general, then serves as the foundation for deriving the technical security policy, which contains specifications for identity access, perimeter security, zone defense, and software and hardware configuration. This should involve developing specific checklists, which can then be deployed and controlled as automated scripts.
- Taking inventory of the systems in a configuration management database (CMDB):
A central CMDB not only records the ERP and office software structures, but also enables inventory of operational technology (OT) infrastructures.
- Keep defenses up to date:
All policies and standards must be based on the state of the art of technology. Since vendors and manufacturers release new patches constantly, this is a central task.
- Use the Windows group policies:
The Windows group policies are very effective for safeguarding servers and computers and configuring user permissions, such as which programs users can use and which documents they can open. You can also define here, for example, that file extensions should always be displayed and that external scripts should NEVER be executed.
- Take network separation and firewalls into account:
Most companies already have effective solutions when it comes to external firewalls. However, internal network separation with access controls is still not implemented sufficiently in 90 percent of all cases.
- Check for vulnerabilities regularly:
Solution vendors, as well as open source initiatives, provide excellent tools that let you review all settings constantly.
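The technical security policy above calls for checklists that can be run as automated scripts. The following is an added example (not code from the article or from SAST SOLUTIONS) of such a checklist in Python: it evaluates a host record against the hardening items from the first section (unneeded software removed, services under unprivileged accounts, encrypted transport only, macros disabled, file extensions shown, external scripts blocked, patches current). The policy values, host records and the 35-day patch window are assumptions constructed for the example.

```python
"""Automated hardening checklist (added example, not from the original article).

Each host is compared against a technical security policy; the result is a
list of findings that a cyclical configuration check could report.
All policy values and host data below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Host:
    name: str
    installed: set       # installed software packages
    services: dict       # service name -> account it runs as
    settings: dict       # policy-relevant configuration flags
    last_patch: date     # date of the last applied vendor patch set


# Illustrative policy, not the article's own checklist.
POLICY = {
    "forbidden_software": {"games-pack", "legacy-media-player"},
    "privileged_accounts": {"Administrator", "root", "SYSTEM"},
    "required_settings": {
        "tls_only": True,                 # encrypted transport only
        "office_macros_enabled": False,   # macros deactivated
        "show_file_extensions": True,     # extensions always displayed
        "external_scripts_allowed": False,
    },
    "max_patch_age_days": 35,             # vendors patch roughly monthly
}


def check_host(host, policy=POLICY, today=date(2019, 10, 30)):
    """Return a list of (check, detail) findings; an empty list means compliant."""
    findings = []
    # 1. Software that is not needed for work must not be installed.
    for pkg in sorted(host.installed & policy["forbidden_software"]):
        findings.append(("unneeded-software", f"{pkg} is installed"))
    # 2. Server processes must run under an unprivileged account.
    for svc, account in host.services.items():
        if account in policy["privileged_accounts"]:
            findings.append(("privileged-service", f"{svc} runs as {account}"))
    # 3. Required configuration flags must match the policy exactly.
    for key, wanted in policy["required_settings"].items():
        actual = host.settings.get(key)
        if actual != wanted:
            findings.append(("setting", f"{key}={actual!r}, expected {wanted!r}"))
    # 4. Patch level must not be older than the allowed window.
    age = (today - host.last_patch).days
    if age > policy["max_patch_age_days"]:
        findings.append(("patch-level", f"last patched {age} days ago"))
    return findings


# Constructed sample hosts: one non-compliant file server, one compliant workstation.
FILESERVER = Host("fs01", {"samba", "games-pack"},
                  {"smbd": "svc-smb", "backup": "root"},
                  {"tls_only": False, "office_macros_enabled": False,
                   "show_file_extensions": True, "external_scripts_allowed": False},
                  date(2019, 8, 1))
WORKSTATION = Host("ws17", {"office"}, {"updater": "svc-update"},
                   {"tls_only": True, "office_macros_enabled": False,
                    "show_file_extensions": True, "external_scripts_allowed": False},
                   date(2019, 10, 10))

if __name__ == "__main__":
    for h in (FILESERVER, WORKSTATION):
        print(h.name, check_host(h) or "compliant")
```

Feeding the script from a CMDB export instead of the inline records turns it into the recurring check the article describes; every finding maps back to one line of the written policy, which keeps the checklist auditable.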
Network zoning: protect the infrastructure consistently
Network zoning is a simple, cost-effective way to make your infrastructure secure. Under this approach, networks for devices, office solutions, and data center operations are separated, for example. Internal perimeters are established as firewalls between them. Critical systems should never be run in the same zone as the office PCs – those running Windows and the Office suite. Networks you don’t control or know intimately should generally be treated as untrusted.
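To make the zoning rules concrete, here is an added example (not from the article) of a default-deny inter-zone policy in Python: zones, the allow-list of permitted flows, the set of critical assets and the sample flows are all constructed assumptions. Unknown or external sources are denied unless explicitly listed, and the placement check flags any critical system that sits in the office zone next to the client PCs.

```python
"""Network zoning policy check (added example, not from the original article).

Zone names, the allow-list and the sample flows are assumptions chosen to
illustrate the text: inter-zone traffic is denied unless explicitly allowed,
the external network is never trusted as a source, and critical systems
must not be placed in the office zone.
"""

ZONES = {"office", "datacenter", "ot", "external"}

# Explicit allow-list of (source zone, destination zone, destination port).
# Anything not listed is denied. Ports are illustrative.
ALLOWED_FLOWS = {
    ("office", "datacenter", 443),   # office clients to application servers
    ("datacenter", "ot", 4840),      # e.g. OPC UA from a historian/jump host
}

# Assets the (assumed) policy classifies as critical.
CRITICAL_ASSETS = {"erp-db", "scada-master", "historian"}


def flow_allowed(src_zone, dst_zone, port):
    """Default-deny decision for a single flow.

    Traffic inside one zone is permitted; traffic between zones needs an
    explicit allow-list entry; 'external' is never accepted as a source.
    """
    if src_zone not in ZONES or dst_zone not in ZONES:
        raise ValueError(f"unknown zone: {src_zone!r} -> {dst_zone!r}")
    if src_zone == "external":
        return False
    if src_zone == dst_zone:
        return True
    return (src_zone, dst_zone, port) in ALLOWED_FLOWS


def audit_flows(flows):
    """Return the flows from a list that the policy denies."""
    return [f for f in flows if not flow_allowed(*f)]


def placement_violations(placement):
    """Return critical assets placed in the office zone (where client PCs run)."""
    return sorted(asset for asset, zone in placement.items()
                  if asset in CRITICAL_ASSETS and zone == "office")


# Constructed sample data.
PLACEMENT = {"erp-db": "datacenter", "scada-master": "ot",
             "historian": "office", "ws17": "office"}
FLOWS = [
    ("office", "datacenter", 443),
    ("office", "ot", 4840),           # clients must not reach OT directly
    ("external", "datacenter", 443),
    ("datacenter", "ot", 4840),
    ("ot", "ot", 502),
]

if __name__ == "__main__":
    print("denied flows:", audit_flows(FLOWS))
    print("misplaced critical assets:", placement_violations(PLACEMENT))
```

The same allow-list is what the internal firewall rules between the zones should be generated from, so that the documented policy and the enforced policy cannot drift apart.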
Security monitoring: active, consistent monitoring of all IT systems
Once you’ve done your homework in the hardening and zoning areas, you’ll also want to monitor the results, to identify vulnerabilities and attacks early on. This is a very comprehensive task, which can’t be achieved with a single SIEM or monitoring tool alone. The important thing is to configure the monitoring systems such that they don’t send a constant stream of unimportant alerts, but instead only report events that are actually relevant or critical. This entails using two different monitoring types:
- Cyclical configuration monitoring
Configuration of the IT landscape, its users, and their authorizations is usually monitored cyclically.
- Continuous real-time event monitoring
Continuous monitoring should be implemented for transaction management and change management, as well as for analyses of logs and system response. Under event monitoring, the system logs are analyzed continually, based on indicators for which specific rules are defined. Vendors and manufacturers suggest certain models, which companies can adapt to their own needs. To avoid any gaps in real-time monitoring, it is crucial to monitor all user devices. Because behavior patterns will be recorded, this must be clarified ahead of time with the works council or union reps, and an explanation must be provided to employees.
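The rule-based event monitoring described here and the “too many documents opened in less than a second” indicator from the hardening section fit together naturally, so the following added example (not code from the article) implements that one indicator as a sliding-window rule over file-access log lines in Python. The log format, the threshold of 20 opens per second and the sample lines are constructed assumptions.

```python
"""Rule-based event monitoring over file-access logs (added example, not
from the original article).

Rule: if one account opens at least `threshold` documents within
`window_seconds`, raise an alert once for that burst. A person does not
open twenty documents in a second; a script does.
Log format ("<ISO timestamp> <user> <action> <path>") and the sample lines
are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: two ordinary opens by alice, then a 25-file burst
# by bob within 240 milliseconds.
SAMPLE_LOG = [
    "2019-10-30T09:15:01.100 alice OPEN /share/finance/q3.xlsx",
    "2019-10-30T09:15:07.400 alice OPEN /share/finance/q3-notes.docx",
] + [
    f"2019-10-30T09:16:00.{i * 10:03d} bob OPEN /share/hr/doc{i:02d}.docx"
    for i in range(25)
]


def parse_line(line):
    """Split one log line into (timestamp, user, action, path)."""
    ts, user, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, path


def detect_bursts(lines, threshold=20, window_seconds=1.0):
    """Return alerts as (user, burst_start, count) for accounts that open
    `threshold` or more files inside a sliding window of `window_seconds`.

    One alert is raised per burst; the account is eligible again once its
    activity drops below the threshold.
    """
    windows = defaultdict(deque)   # user -> timestamps inside the window
    alerted = set()                # users currently in an alerted burst
    alerts = []
    for line in lines:
        ts, user, action, _ = parse_line(line)
        if action != "OPEN":
            continue
        q = windows[user]
        q.append(ts)
        # Drop events older than the window relative to the newest event.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            if user not in alerted:
                alerted.add(user)
                alerts.append((user, q[0], len(q)))
        else:
            alerted.discard(user)
    return alerts


if __name__ == "__main__":
    for user, start, count in detect_bursts(SAMPLE_LOG):
        print(f"ALERT {user}: {count} opens within 1s starting {start.isoformat()}")
```

Keeping the threshold and window as parameters is what lets the rule be tuned per share or per zone, which is exactly the tuning the text asks for to avoid a constant stream of unimportant alerts.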
Deploy strategic protection against attacks
As you can see, a cybersecurity strategy can’t simply be developed overnight. But it isn’t as complicated as it seems, either. My tip is to simply dive in – preferably with a partner that can support you in coordinating all the parameters and measures. As a result, you can be sure that your systems aren’t only protected against malware distributed through harmful e-mails, but also against other threat vectors.
If you have any questions or would like more information about protecting IT systems, don’t hesitate to approach us at any time: firstname.lastname@example.org
You’ll find more information about protecting your SAP system landscapes on our SAST SOLUTIONS website.
By Ralf Kempf, SAP security expert and Managing Director, SAST SOLUTIONS by AKQUINET
Video cut of the event (in German):