Are your firewall and server really secure? Is your infrastructure locked up tight, making your data perfectly safe? Read on for a layman’s guide to the subject, written by FunctionEight Ltd’s COO Phil Aldridge and recently published by both the British Chamber of Commerce Singapore and the British Chamber of Commerce Hong Kong.
This article should be considered with particular reference to recent circulars from the SFC to all Licensed Corporations (LCs) on Cyber Security; a vulnerability assessment (and subsequent remedial works if required) would be an ideal first step towards implementing an overall solution that would be in line with the SFC’s expectations. To discuss this further, please feel free to contact FunctionEight at firstname.lastname@example.org or the author directly at email@example.com.
By Phil Aldridge, COO of FunctionEight Limited
As a corporate, you will undoubtedly have invested in a good-quality firewall and server. You employ a company to look after them, but in reality do you have any idea how secure your systems are? Have you had any third-party security assessments done? In this short article, I will aim to explain, in non-technical terms, what the real situation may be.
Let’s start with the firewall: the device that protects all your IT infrastructure from the outside world. All firewalls basically do the same thing; which size of firewall you purchase depends mainly on how big your company is and how many users you have. A firewall should essentially be configured to allow only the things that the company needs to be open, and everything else should be closed.
Each application that you use requires one or more “ports” to be open to work properly. Think of each port as a window in a house. In a basic setup, you might have 50-100 windows in your house. Now, what is constantly happening in the background is that there are people attempting to break into these windows. If someone can break into one of the windows, they can get into your house and steal your possessions.
These windows need to be protected, and the way this is done is that the firewall manufacturer regularly releases what it calls firmware updates for the firewall. New firmware releases are not normally applied to your firewall automatically, and the problem with that is that the glass in your windows becomes weaker and weaker, so that it is easier and easier to break in. A firmware update replaces the glass in your windows with reinforced or even bulletproof glass. The other reason to upgrade the firmware is to protect new windows that have appeared without your knowing about them. Sometimes new windows appear, and people throw bigger and bigger stones at them. The risk of these windows being broken is high, and that is why firewall companies release hotfixes to the firmware to quickly install strong glass in them.
For one of our clients, we recently employed a third-party company to throw as many stones, rocks and boulders as it could at their windows, to see which ones it could break. Of course, we had applied the firewall company’s latest firmware, so we were confident that the windows in the house were all bulletproof. To our surprise, when we got the report, we found that there was a window in our client’s house that neither we nor the firewall manufacturer even knew existed. To their credit, the firewall manufacturer quickly produced a hotfix, which we applied to protect that window. The break-in attempts were repeated, and this time the report showed that all was OK.
The lesson here is that even though you have protected your house as much as you can, you may still be at risk. We highly recommend a third party be engaged to test the strength of your windows and ensure all is ok.
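The rule stated earlier, that a firewall should allow only what the company needs and keep everything else closed, can also be checked against the rule list itself between outside tests. The following Python code is an added example, not FunctionEight’s own tooling; the rule format, the port numbers and the first-match evaluation order are assumptions made for illustration.

```python
"""Added example: audit an ordered firewall rule list against the ports the
business actually needs. The rule format and all values are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "tcp" or "udp"
    lo: int       # first port covered by the rule
    hi: int       # last port covered by the rule (inclusive)

def decide(rules, default, proto, port):
    """First matching rule wins; the default policy covers everything else."""
    for r in rules:
        if r.proto == proto and r.lo <= port <= r.hi:
            return r.action
    return default

def audit(rules, default, required):
    """Return (unexpected, blocked): ports open with no business need, and
    needed ports that the rule list does not actually let through."""
    unexpected, blocked = [], []
    for proto in ("tcp", "udp"):
        for port in range(1, 65536):
            is_open = decide(rules, default, proto, port) == "allow"
            needed = (proto, port) in required
            if is_open and not needed:
                unexpected.append((proto, port))
            elif needed and not is_open:
                blocked.append((proto, port))
    return unexpected, blocked

# Constructed sample: what the company needs (web, mail, VPN) ...
REQUIRED = {("tcp", 443), ("tcp", 25), ("udp", 500)}
# ... and a rule list that has drifted away from it over time.
RULES = [
    Rule("allow", "tcp", 443, 443),
    Rule("allow", "tcp", 20, 25),      # over-broad rule meant only for mail
    Rule("deny", "tcp", 23, 23),       # never fires: shadowed by the rule above
    Rule("allow", "tcp", 8000, 8010),  # left over from a finished project
]

if __name__ == "__main__":
    unexpected, blocked = audit(RULES, "deny", REQUIRED)
    print("open without a business need:", unexpected)
    print("needed but not reachable:", blocked)
```

With a default policy of "deny", the sample reports sixteen windows open for no reason, including port 23, which the rule list appears to close. Switching the default to "allow" turns almost every port into an open window.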
Now to the server: the big box that probably sits in your office, makes a lot of noise, flashes lights, and leaves you with no idea whether it is OK or not. Most probably the server is a Microsoft Windows Server, hopefully version 2008 or 2012. If yours is 2003, you need to take urgent action to update it, because support from Microsoft for that version ended almost one year ago. There are about 400,000 servers globally still using 2003.
The interesting thing about Microsoft Servers is that an out-of-the-box standard configuration is extremely insecure. Even if you have applied all the security patches and updates that Microsoft issue, you are at significant risk.
Let me explain it this way: imagine your house has a front door and you want to ensure that everyone from your 12-year-old nephew to your 98-year-old grandmother can unlock the door and get in. You will have to deploy many different ways of opening the door. Your nephew will probably want to open the door using retina-scanning technology, and your grandma by sliding the bolt across on the door. Everyone has their own familiar way of opening the door. There are lots of different ways, and of course each one provides a very different level of security.
The way Microsoft Server works out of the box is that it provides all the different types of locks and locking mechanisms, so that everyone with the appropriate key can open the door. Of course, the older the locking system, the easier it is to forge the key or break the lock. Microsoft believes in backward compatibility of systems. So when you install their server, you have to decide which family members and friends you want to have access to your house, and block access for all those who do not need it.
Imagine now that your grandmother is no longer with us, but you still have that old sliding bolt on the door. It is a significant and unnecessary security risk and needs to be removed. The same applies to the Microsoft server. You do not need to support Internet Explorer 6 or 7, or Windows XP or Vista, if no one you know uses those systems. Block them and enhance the security of your systems.
When we recently inherited a client from a competitor, we ran some scans on their server and found that every single type of lock and security mechanism was still attached to their door. As a result, when we performed an external security assessment on their server before taking over the contract, the result was a comprehensive F for Fail. After showing this to the client and performing some remedial works, we left only those locking mechanisms on their door that were necessary for their staff to perform their normal duties. Now their server gets an A rating from a recognized security reporting authority. Testing how secure your Microsoft servers are is easy. We highly recommend that this be done on a regular basis, as new locking systems are developed all the time and others become obsolete.