Threat Vector: Public Facing Infrastructure
Public infrastructure can lead to private information.
Organizations that need part of their IT infrastructure to interact with the outside world use cybersecurity controls like having a DMZ (Demilitarized Zones) to manage threat exposure to the internet. Even though DMZs are useful for managing traffic from outside the organization, they are not a complete solution on their own.
In this blog we will discuss what kind of threat vectors impact public-facing infrastructure. We will also discuss potential ways that organization can mitigate these threat vectors.
Exploiting Public Facing App Servers
Servers that clients and 3rd party partners use through the internet have applications that are all capable of being exploited. Whether the resources in your DMZ are being accessed by everyone or just specific customers, it is important to ensure that a secure development lifecycle is used to help secure all public facing apps.
Treating a DMZ as a Trusted Network
A DMZ may have infrastructure that belongs to the organization, but that does not mean that it should be trusted as if it is infrastructure in the internal network. The DMZ is directly connected to the internet, which makes it significantly more likely to be approached by malicious actors than infrastructure in the internal network.
The zero-trust model has become popular because of issues caused by networks that may seem secure but have some form of exposure that makes them untrusted. Treating a DMZ as an untrusted network will help with developing more in-depth security management.
Securing Remote Access
Cybersecurity engineers need to limit public exposure of virtual machine (VM) and container IP addresses because it is not uncommon to see newly created VMs, containers and virtual networks to become targets of port scanning and malicious malware attacks within minutes of being turned on.
For that reason, it is recommended to use a cloud-based bastion host service, which restricts access to host VMs that have been specifically hardened and are actively monitored for cyberattacks. Additionally, the infrastructure sitting in the DMZ and behind it is more secure because of using private IP addresses for SSH/RDP.
Using a Single Firewall Model
A single firewall model involves setting up a firewall between the DMZ and the internal network, while a 2 firewall model uses a firewall in front of both the DMZ and the internal network. It is recommended to use a 2 firewall model because the DMZ needs security controls in order to maintain security.
Using One Size Fits All Firewall Configurations
Some servers need less restricted access to the internet than others, which is why a single boundary firewall in front of the DMZ may not be enough. Updating the firewall rules of the clustered servers or individual servers based on the roles will further limit the amount of allowed traffic based on server type without losing functionality.
Admin Accounts Used in the DMZ and Internally
It is a common practice to have shared admin accounts when managing IT infrastructure. This is not ideal for security, but if the IT staff insist on continuing the practice because of its convenience, they should at least be restricted so that internal and DMZ admin accounts are not shared. An admin account on an external network is more likely to be compromised than an internal admin account.
Limited DMZ Monitoring Activity
It may be tempting to put most of the incident monitoring resources toward the resources with sensitive information in the internal network, but there are many reasons to put effort into monitoring DMZ activity. The DMZ is a likely starting location for a security incident and public facing infrastructure is often vital for business operations.
Importing server, firewall, and network device logs into a SIEM system would allow your organization to monitor what type of activity is going on in the DMZ. If your organization does not have enough monitoring capacity, they should consider using an MSSP like CyberMSI to help with monitoring and incident management.
We will continue to share best practices and lessons learned in future posts in the threat vector series. Managing practices in parts of your organization like the DMZ will help with preventing access to the private part of your network.
In closing, consider these three questions when mitigating threats to public facing infrastructure in your organization:
- Do we have an inventory of our public facing infrastructure including all the ingress and egress points?
- Are adequate security policies in place to address the security concerns discussed in this blog?
- Is the organization treating our DMZ as a untrusted network using appropriate cybersecurity controls and tools?