Recent ransomware breaches have held many companies hostage for their data. These incidents have highlighted the importance of understanding how to mitigate such threats while protecting your most valuable systems. With the fresh sting of more than 100,000 MongoDB, CouchDB, Hadoop and Elasticsearch datasets being held ransom, businesses need to take the necessary steps to ensure that their data remains protected. In most reported cases the breaches were preventable: a few steps to secure the applications in question and/or the servers they live on would have stopped them. In other cases, architectural changes would have prevented these exploits from occurring at all.
Securing the Application
Securing the application is the first step, because it stops canned exploits from working at all. In most of these cases the key measure is to remove the default configuration: delete or replace any default access credentials, and do not allow remote access to the application's default ports. In practice that means binding the data store to localhost or an internal interface, enabling authentication before the service is reachable at all, and placing anything that must be reachable behind a firewall. Local, virtualized development environments may run with looser settings, but the application and its infrastructure must be secured before deployment to any world-accessible environment. Configuration management and automation software is very helpful here, because it makes the hardened settings the default rather than a manual afterthought.
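The two defaults that mattered in these incidents were a listener bound to every interface and no authentication. The following checker, an added example rather than anything from the original post or Pythian's tooling, audits already-parsed mongod, Elasticsearch and CouchDB configurations for exactly those two conditions; the sample configs at the bottom are constructed, and the pre-3.6 mongod behaviour of listening everywhere when bindIp is absent is the reason an absent setting is treated as 0.0.0.0.

```python
"""Audit parsed data-store configurations for the two defaults behind the
ransom wave: listening on the network and running without authentication.
Added example, not Pythian's tooling; the sample configs at the bottom are
constructed.  Rules cover mongod, Elasticsearch and CouchDB."""

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    product: str
    key: str
    problem: str


def _hosts(value):
    """Normalise a bind setting (absent, 'a,b' string or list) to a list."""
    if value is None:
        return []
    if isinstance(value, str):
        return [h.strip() for h in value.split(",") if h.strip()]
    return list(value)


def _reach(hosts):
    """Widest reach of a bind list: 'loopback', 'private' or 'public'.
    Hostnames cannot be classified offline, so they count as public."""
    widest = "loopback"
    for h in hosts:
        if h in ("localhost", "_local_"):
            continue
        if h in ("0.0.0.0", "::", "_global_"):   # every interface / public ones
            return "public"
        if h == "_site_":                        # Elasticsearch: site-local addresses
            widest = "private"
            continue
        try:
            addr = ipaddress.ip_address(h)
        except ValueError:
            return "public"
        if addr.is_loopback:
            continue
        if addr.is_global:
            return "public"
        widest = "private"
    return widest


def audit_mongod(conf):
    """conf: mongod.conf as a dict.  mongod before 3.6 listened on all
    interfaces when net.bindIp was absent, so absence is treated as 0.0.0.0;
    authorization is off unless explicitly enabled."""
    net = conf.get("net") or {}
    hosts = _hosts(net.get("bindIp"))
    if net.get("bindIpAll") is True or not hosts:
        hosts = ["0.0.0.0"]
    findings = []
    if _reach(hosts) == "public":
        findings.append(Finding("mongod", "net.bindIp", "reachable from outside the private network"))
    if (conf.get("security") or {}).get("authorization") != "enabled":
        findings.append(Finding("mongod", "security.authorization", "authentication not enforced"))
    return findings


def audit_elasticsearch(conf):
    """conf: elasticsearch.yml as a flat dict.  network.host defaults to
    loopback; anything else puts the REST API on the network, and without
    X-Pack security enabled that API has no authentication at all."""
    reach = _reach(_hosts(conf.get("network.host")))
    findings = []
    if reach == "public":
        findings.append(Finding("elasticsearch", "network.host", "reachable from outside the private network"))
    if reach != "loopback" and conf.get("xpack.security.enabled") is not True:
        findings.append(Finding("elasticsearch", "xpack.security.enabled", "on the network without authentication"))
    return findings


def audit_couchdb(ini):
    """ini: local.ini as {section: {key: value}}.  An empty [admins] section
    is CouchDB's 'admin party': every request runs as an administrator."""
    http = ini.get("chttpd") or ini.get("httpd") or {}
    findings = []
    if _reach(_hosts(http.get("bind_address"))) == "public":
        findings.append(Finding("couchdb", "bind_address", "reachable from outside the private network"))
    if not ini.get("admins"):
        findings.append(Finding("couchdb", "[admins]", "no administrator defined (admin party)"))
    return findings


# Constructed samples: the shape that was ransomed, and a hardened equivalent.
EXPOSED_MONGOD = {"net": {"port": 27017, "bindIp": "0.0.0.0"}}
HARDENED_MONGOD = {"net": {"port": 27017, "bindIp": "127.0.0.1,10.0.1.5"},
                   "security": {"authorization": "enabled"}}
EXPOSED_ES = {"cluster.name": "prod", "network.host": "0.0.0.0"}
HARDENED_ES = {"cluster.name": "prod", "network.host": "10.0.1.6",
               "xpack.security.enabled": True}

if __name__ == "__main__":
    for finding in audit_mongod(EXPOSED_MONGOD) + audit_elasticsearch(EXPOSED_ES):
        print(f"{finding.product}: {finding.key}: {finding.problem}")
```

Private addresses are accepted deliberately, because replica-set and cluster traffic has to cross an internal network; the check only treats a wildcard, a public address or an unresolvable hostname as exposure, and relies on the firewall rules discussed below to keep the private interface private.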
Even once the infrastructure is secured, some portion of the application or API will always be client-facing. Standard OWASP threats to web applications should be taken into account during development and during penetration testing. OWASP updates these lists as new threats appear, and they can be found on the OWASP site. Following these best practices reduces the number of threats the system is exposed to. In addition, third-party audits and penetration tests should be run against the application on a regular basis; some of this can be automated, or you can commission a third-party company such as Pythian to audit the security of your forward-facing system.
A large part of most applications is the data, which includes everything required to operate the system, not just client-specific data. It is important to have a proven, battle-tested HA/DR (high availability and disaster recovery) infrastructure in place for the application. Advice from an outside company that works on this daily and sees many different architectures can prove invaluable; at Pythian we work with clients on exactly this. In some cases the application must be aware of the HA/DR setup, which may require application code changes. Other systems can simply introduce third-party components, such as proxies, between the layers to automate failover and protect this part of the application. For MySQL, for example, ScaleArc, MaxScale or ProxySQL can sit between the application and backend database servers that are properly set up for HA/DR. This mitigates risk and reduces overall downtime if part of the system is compromised, since you can fall back to a known-good, uncompromised copy while the exploited hole is closed. Note that replication is not a backup: a database drop issued against the primary is faithfully replicated to every replica, so the known-good copy has to come from backups. Back up and snapshot often so that PIT (point in time) recovery is possible, and keep those copies somewhere the compromised system's credentials cannot reach, or the same attacker will delete them too.
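Point-in-time recovery is only as good as the target you choose. The planner below is an added example, not the original post's or Pythian's procedure, that picks the newest backup taken before the attacker's first write and the binary logs needed to roll forward to just before it; the backup catalogue, binlog list and incident timestamp are constructed, and only mysqlbinlog's --start-position and --stop-datetime options are real. It makes two points the paragraph does not: the most recent backup (taken the night after the drop) is useless because it already contains the damage, and the target is the first malicious event, not the time the incident was noticed.

```python
"""Plan a MySQL point-in-time recovery (PITR) to just before the first
unauthorised write.  Added example, not Pythian's procedure: the backup
catalogue and binlog list are constructed, and only mysqlbinlog's
--start-position / --stop-datetime options are real; the catalogue
bookkeeping is the planner's own."""

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Backup:
    taken_at: datetime
    binlog_file: str   # binary-log coordinates recorded when the backup was taken
    binlog_pos: int


@dataclass(frozen=True)
class Binlog:
    name: str
    first_event: datetime   # timestamp of the first event in the file


def recovery_target(first_bad_event, margin=timedelta(seconds=1)):
    """Roll forward to just before the attacker's first action.  Using the
    detection time instead would replay the attacker's writes as well."""
    return first_bad_event - margin


def plan_pitr(backups, binlogs, target):
    """Pick the newest backup taken before `target` and the binlog files that
    carry the server from that backup up to `target`.  Returns
    (backup, [binlog names], mysqlbinlog pipeline)."""
    usable = [b for b in backups if b.taken_at <= target]
    if not usable:
        raise ValueError("no backup predates the recovery target; an older copy is needed")
    base = max(usable, key=lambda b: b.taken_at)
    ordered = sorted(binlogs, key=lambda b: b.name)   # binlog.000121 < binlog.000122
    names = [b.name for b in ordered]
    if base.binlog_file not in names:
        raise ValueError(f"{base.binlog_file}, recorded with the backup, is missing from the archive")
    first = names.index(base.binlog_file)
    # Files are chronological: take the backup's file and every later file that
    # begins before the target; --stop-datetime cuts the last one short.
    needed = [b.name for b in ordered[first:] if b.first_event <= target]
    cmd = "mysqlbinlog --start-position={} --stop-datetime='{}' {} | mysql".format(
        base.binlog_pos, target.strftime("%Y-%m-%d %H:%M:%S"), " ".join(needed))
    return base, needed, cmd


# Constructed catalogue: nightly backups, binlogs rotated through the day, and a
# database drop first seen in the logs at 14:07:12 on 5 January.
BACKUPS = [
    Backup(datetime(2017, 1, 4, 2, 0), "binlog.000118", 4),
    Backup(datetime(2017, 1, 5, 2, 0), "binlog.000121", 107),
    Backup(datetime(2017, 1, 6, 2, 0), "binlog.000125", 4),   # taken after the drop: contains the damage
]
BINLOGS = [
    Binlog("binlog.000121", datetime(2017, 1, 5, 1, 58)),
    Binlog("binlog.000122", datetime(2017, 1, 5, 9, 0)),
    Binlog("binlog.000123", datetime(2017, 1, 5, 14, 30)),
    Binlog("binlog.000124", datetime(2017, 1, 5, 20, 0)),
    Binlog("binlog.000125", datetime(2017, 1, 6, 1, 59)),
]
FIRST_BAD_EVENT = datetime(2017, 1, 5, 14, 7, 12)

if __name__ == "__main__":
    base, files, cmd = plan_pitr(BACKUPS, BINLOGS, recovery_target(FIRST_BAD_EVENT))
    print("restore the backup taken at", base.taken_at, "then run:", cmd, sep="\n")
```

The restore itself (loading the base backup, then piping the binlog range into mysql) is deliberately left to the operator; the planner only answers "which backup, which files, up to when", which is the part people get wrong under pressure.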
Securing the Infrastructure
Connections to these exploited systems could have been blocked by a layer of security between the outside world and the data stores, and by removing default access credentials. Only predefined, single points of entry should be exposed (public endpoints, public APIs or front-facing websites), and all communication between internet-facing and backend components should be encrypted.
The key points to consider are (at minimum):
- VPN connections between data centers
- VPN/VPC internal network segmentation
- Bastion/Jumpbox hosts as a single platform entry point
- Appropriate firewall rules and granular ACLs
- Blacklisting capability for malicious IPs and IP ranges
- Only expose ports and services that must be exposed
- Use intrusion detection systems (IDS)
- Only run what is required and needed in the platform and application
- Environment separation via network segmentation or via VPC separation
- Periodic professional penetration testing
- Access controls for users (maintained by configuration management)
- Intrusion detection should be maintained via config management software
- Physical infrastructure security/access control
- Centralized Monitoring (Dashboard of Events in the System)
- Centralized Credential Management
- Configuration Drift Detection
- A DR (disaster recovery) plan, tested regularly
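Firewall rules and a bastion only help if nothing behind them is accidentally listening on every interface, so the list above needs a check that runs on the hosts themselves. The script below is an added example (not from the original post or Pythian): it parses the output of `ss -ltn` and classifies each listener by who can reach it. The `ss` output is constructed, the port table is the products' well-known defaults, and the allow-list of 443 is an assumed policy for a front-facing web host.

```python
"""Audit a host's listening sockets (`ss -ltn` output) for data stores reachable
beyond loopback.  Added example, not Pythian's tooling; the `ss` output is
constructed.  DATASTORE_PORTS are the products' well-known defaults and
PUBLIC_ALLOWLIST is an assumed policy for a front-facing web host."""

import ipaddress
from collections import namedtuple

DATASTORE_PORTS = {
    27017: "mongodb", 9200: "elasticsearch", 9300: "elasticsearch-transport",
    5984: "couchdb", 8020: "hadoop-namenode", 50070: "hadoop-namenode-web",
    3306: "mysql",
}
PUBLIC_ALLOWLIST = {443}   # the only port this host may expose to the world

Finding = namedtuple("Finding", "severity port service addr note")


def _scope(addr):
    """Who can reach a bound address: 'all', 'loopback', 'private' or 'public'."""
    if addr in ("*", "0.0.0.0", "::"):
        return "all"
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    return "private" if ip.is_private else "public"


def parse_ss(output):
    """Yield (address, port) for each LISTEN row of `ss -ltn` output."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)
        yield addr.strip("[]"), int(port)


def audit_listeners(output, public_allowlist=PUBLIC_ALLOWLIST):
    """Critical: a data store listening where the internet (or a wildcard) can
    reach it.  Warn: a data store on the internal network, or any other
    world-facing listener not in the allow-list."""
    findings = []
    for addr, port in parse_ss(output):
        scope, service = _scope(addr), DATASTORE_PORTS.get(port)
        if service and scope in ("all", "public"):
            findings.append(Finding("critical", port, service, addr,
                                    "data store exposed beyond the private network"))
        elif service and scope == "private":
            findings.append(Finding("warn", port, service, addr,
                                    "internal only: confirm firewall ACLs and authentication"))
        elif scope in ("all", "public") and port not in public_allowlist:
            findings.append(Finding("warn", port, "other", addr,
                                    "unexpected public listener: reach it via the bastion or close it"))
    return sorted(findings, key=lambda f: (f.severity != "critical", f.port))


# Constructed `ss -ltn` output from a host that should only serve HTTPS.
SAMPLE_SS = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       128      0.0.0.0:27017        0.0.0.0:*
LISTEN  0       128      10.0.1.5:9200        0.0.0.0:*
LISTEN  0       128      127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128      [::]:22              [::]:*
LISTEN  0       511      *:443                *:*
"""

if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS):
        print(f"{f.severity.upper():8} {f.service}:{f.port} on {f.addr}: {f.note}")
```

Run under configuration management on every host and compare against the previous run, and this doubles as the configuration drift detection listed above: a data-store port that appears on 0.0.0.0 where it was not yesterday is exactly the change you want paged on.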
Managing Security Effectively
Security is an ongoing process that relies on the ability to quickly deploy security patches, configuration changes and software updates. The ability to roll out security fixes, policies and configurations rapidly and consistently across the entire infrastructure, in every public-facing environment, is therefore essential. A configuration management system such as Chef, Puppet, Ansible, SaltStack or DSC simplifies the update process and helps ensure consistency and agility in managing configuration.
Additional points to consider:
- Maintain a central infrastructure-as-code repository
- Maintain granular VPN/VPC access controls
- Centralize monitoring, automate log-stream analysis and have it trigger alerts on abnormalities
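What "alert on abnormalities" looks like for these data stores is concrete: a client connection from a network that should never talk to the database, a burst of database drops from one connection, and a write to a database named like a ransom note. The rules below are an added example of that log-stream analysis, not the original post's or Pythian's monitoring. The log lines are constructed to resemble the mongod 3.x text format, and the client subnets, the ransom-note name list and the mass-drop threshold are assumptions to set per environment.

```python
"""Abnormality rules run over mongod log lines, producing alerts.  Added
example of the log-stream analysis the text calls for, not Pythian's
monitoring.  The log lines are constructed to resemble the mongod 3.x text
format; CLIENT_SUBNETS, RANSOM_NAMES and the drop threshold are assumptions."""

import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Only these networks should ever open a connection to the data store.
CLIENT_SUBNETS = [ip_network("10.0.0.0/8"), ip_network("127.0.0.0/8")]
# Database/collection names used for ransom notes (assumed list; extend it).
RANSOM_NAMES = {"WARNING", "README", "PLEASE_READ", "PLEASE_READ_ME"}
# N drops by one connection inside the window is a wipe, whatever the source.
MASS_DROP_COUNT, MASS_DROP_WINDOW = 3, timedelta(seconds=60)

LINE = re.compile(r"^(\S+) (\S) (\S+)\s+\[(\w+)\] (.*)$")
ACCEPT = re.compile(r"connection accepted from (\S+):\d+ #(\d+)")
DROP_DB = re.compile(r"dropDatabase (\S+) starting")
DROP_COLL = re.compile(r'command (\S+)\.\$cmd command: drop \{ drop: "([^"]+)"')
INSERT = re.compile(r'command (\S+)\.\$cmd command: insert \{ insert: "([^"]+)"')


def _known_client(addr):
    return addr is not None and any(addr in net for net in CLIENT_SUBNETS)


def _dropped_namespace(msg):
    m = DROP_DB.search(msg)
    if m:
        return m.group(1)
    m = DROP_COLL.search(msg)
    return f"{m.group(1)}.{m.group(2)}" if m else None


def analyse(lines):
    """Return alerts as (timestamp, rule, detail) tuples in log order."""
    conn_ip = {}    # "conn812" -> source address, taken from its accept line
    drops = {}      # "conn812" -> timestamps of its recent drops
    alerts = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts, _severity, _component, ctx, msg = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")
        a = ACCEPT.search(msg)
        if a:
            addr, cid = ip_address(a.group(1)), "conn" + a.group(2)
            conn_ip[cid] = addr
            if not _known_client(addr):
                alerts.append((ts, "foreign-client", f"{addr} opened {cid}"))
            continue
        target = _dropped_namespace(msg)
        if target:
            src = conn_ip.get(ctx)
            if src is not None and not _known_client(src):
                alerts.append((ts, "drop-from-foreign-client", f"{ctx} ({src}) dropped {target}"))
            recent = [t for t in drops.get(ctx, []) if when - t <= MASS_DROP_WINDOW] + [when]
            drops[ctx] = recent
            if len(recent) == MASS_DROP_COUNT:   # fires when the in-window count reaches the threshold
                alerts.append((ts, "mass-drop", f"{ctx} dropped {len(recent)} namespaces in {MASS_DROP_WINDOW.seconds}s"))
            continue
        i = INSERT.search(msg)
        if i and (i.group(1).upper() in RANSOM_NAMES or i.group(2).upper() in RANSOM_NAMES):
            alerts.append((ts, "ransom-note", f"{ctx} wrote to {i.group(1)}.{i.group(2)}"))
    return alerts


# Constructed log excerpt: an internal client, then an outside client that
# wipes two databases and a collection and leaves a note.
SAMPLE_LOG = """\
2017-01-05T14:05:40.101+0000 I NETWORK  [thread1] connection accepted from 10.0.2.14:40212 #811 (2 connections now open)
2017-01-05T14:05:41.212+0000 I NETWORK  [thread1] connection accepted from 203.0.113.45:51234 #812 (3 connections now open)
2017-01-05T14:06:02.330+0000 I COMMAND  [conn811] command shop.orders command: find { find: "orders", filter: { id: 42 } } planSummary: IXSCAN 0ms
2017-01-05T14:07:12.004+0000 I COMMAND  [conn812] dropDatabase shop starting
2017-01-05T14:07:12.110+0000 I COMMAND  [conn812] dropDatabase shop finished
2017-01-05T14:07:12.400+0000 I COMMAND  [conn812] dropDatabase analytics starting
2017-01-05T14:07:12.502+0000 I COMMAND  [conn812] dropDatabase analytics finished
2017-01-05T14:07:12.800+0000 I COMMAND  [conn812] command logs.$cmd command: drop { drop: "audit_log" } 1ms
2017-01-05T14:07:13.201+0000 I COMMAND  [conn812] command WARNING.$cmd command: insert { insert: "WARNING", documents: [ { Email: "pay@example.com" } ] } 0ms
""".splitlines()

if __name__ == "__main__":
    for ts, rule, detail in analyse(SAMPLE_LOG):
        print(ts, rule, detail)
```

The correlation between the accept line and the later `[connNNN]` context is the important part: the drop lines alone do not say where the command came from, so the analyser has to see the whole stream, which is why centralizing the logs comes first.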
Managing and securing your application and infrastructure can be a large undertaking, depending on the current state of your application and infrastructure architecture and on the capacity of your team. Don't take it lightly: failure here has serious repercussions for your business and for the security of your clients.
At Pythian, we work with organizations around the world to help them achieve mission-critical business goals while keeping their most valuable systems safe. We are here to help with any technical questions no matter how big or small they may seem. Contact us to learn more.