How to protect your critical infrastructure


National Cyber Security Awareness Month is drawing to a close, and the final week has been focused on the growing intersection between cyber and physical security when protecting the nation’s critical infrastructure.

Here at Naked Security our focus during NCSAM has been on what we can do as individuals to better protect ourselves, so we thought we'd personalise this final week's theme and look at how you can protect your critical infrastructure.

Most of our readers come from North America and Western Europe and are probably lucky enough to expect taps that flow, lights that switch on and telephones that ring (when they should). This reliability can breed complacency: we only realise the importance of something when it’s no longer working.

Of course achieving such reliability isn’t simple. If you work in IT you can probably appreciate how much effort goes into keeping a service running 24/7/365 even in relatively benign conditions. Throw in some adversaries and things get a lot harder.

Likewise, it’s easy to overlook the security of IT infrastructure that "just works". Worse yet, it’s likely to be the low-level stuff that nobody wants to touch. It’s probably not been patched for years, yet it’s absolutely critical for your business.

Here are a few areas to consider:

Power. Today’s uninterruptible power supplies and power bars are pretty clever bits of kit. Unfortunately, anything that’s clever probably has a significant attack surface. Pay particular attention to anything that has an IP interface. It’s likely running an embedded system that needs patching just like your servers.

Server management cards (IBM RSA, HP iLO, Dell DRACs etc.): these things are notoriously flaky and hard to manage. If an attacker gets access via one of these cards it is, by design, as good as physical access and game over for your data. They all ship with default passwords which are just a quick Google away, and the difficulty of managing them (often requiring a server reboot) means it’s easy to forget to change them. Worse yet, they also tend to run IPMI (the Intelligent Platform Management Interface), turned on by default. You might not even realise you’re running it, but serious security flaws have recently been found in many vendors' implementations.

Given the difficulty of managing these embedded systems, it’s a very wise idea to keep them well firewalled off from your main network and the internet. Only trusted administrators should be given access to the management network. However, this needs to be supplementary to patching and password management. Isolated networks can sometimes give a false sense of security. Given the complexity of server cabling or VLAN configuration, you should plan for mistakes. At some point one of these devices will find its way onto the wrong network.

Lastly, it’s worth pointing out that your switches and routers are computers too. Cisco, particularly, have had a tough time recently with multiple serious IOS vulnerabilities. Again, a separate management network can help but if a vulnerability is exploitable via any IP interface, patching, good passwords and secure management protocols are absolutely essential.
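One way to plan for the cabling and VLAN mistakes described above is to audit your inventory regularly for management interfaces that have drifted off the management network. The following is an added example, not part of the original article; the subnet, device kinds and inventory records are constructed assumptions.

```python
import ipaddress

# Assumed layout (constructed): one dedicated management VLAN.
MGMT_NETS = [ipaddress.ip_network("10.99.0.0/24")]
# Device classes the article says belong behind the management firewall.
MGMT_KINDS = {"bmc", "ups", "pdu", "switch-mgmt"}

# Constructed inventory, e.g. exported from a CMDB or built from DHCP leases.
INVENTORY = [
    {"name": "db01-ilo",   "kind": "bmc",         "ip": "10.99.0.21"},
    {"name": "db02-drac",  "kind": "bmc",         "ip": "10.20.4.57"},  # patched into a server VLAN
    {"name": "rack3-ups",  "kind": "ups",         "ip": "10.99.0.40"},
    {"name": "core-sw1",   "kind": "switch-mgmt", "ip": "10.30.1.10"},  # in-band management address
    {"name": "web01",      "kind": "server",      "ip": "10.20.4.11"},
    {"name": "dev-laptop", "kind": "workstation", "ip": "10.99.0.77"},  # untrusted host on mgmt VLAN
    {"name": "rack4-pdu",  "kind": "pdu",         "ip": "not-an-ip"},   # bad record
]

def in_mgmt(addr):
    """True if the address falls inside any management network."""
    return any(addr in net for net in MGMT_NETS)

def audit(inventory):
    """Return (device name, finding) pairs for every placement mistake."""
    findings = []
    for dev in inventory:
        try:
            addr = ipaddress.ip_address(dev["ip"])
        except ValueError:
            # A record we cannot parse is a finding too: it cannot be verified.
            findings.append((dev["name"], "unparseable address, verify by hand"))
            continue
        is_mgmt_dev = dev["kind"] in MGMT_KINDS
        if is_mgmt_dev and not in_mgmt(addr):
            findings.append((dev["name"], "management interface outside management network"))
        elif not is_mgmt_dev and in_mgmt(addr):
            findings.append((dev["name"], "non-management host inside management network"))
    return findings

if __name__ == "__main__":
    for name, issue in audit(INVENTORY):
        print(f"{name}: {issue}")
```

The check works in both directions: a general-purpose host sitting inside the management network weakens the isolation just as much as a management card sitting outside it.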

If you want to read more about protecting your network and IT systems then you might enjoy our Practical IT guides to firewalls and handling perimeter expansion and disintegration.


2 Responses to How to protect your critical infrastructure

  1. Linda · 706 days ago

    Advice: ALWAYS secure your network hardware and software by the strongest means available. NEVER rely on 'default' settings - they are open to all effectively. Use encryption, the strongest available, ALL the time.

    These tips apply equally to businesses and to home users, perhaps more to home networks as so many are left set to default or have no security at all!

  2. Rob · 705 days ago

    Not sure on all your comments about Server management cards.

    HP ILOs do not ship with a default password. Each server has a random password which is physically attached to the server.

About the author

Ross studied computer science at the University of Edinburgh, and is an IT security manager at Sophos.