
WHITE PAPER

The Definitive Guide to IT Security

As technology becomes the driver behind businesses of all sizes, organizations large and small are realizing that their operations are critically dependent on their IT infrastructure. This guide aims to help bring some focus to this complex world, and should provide a solid foundation for your IT security strategy.

From data loss to denial of service, cyber attacks are able to shut down an organization's ability to do business - carrying heavy penalties in lost revenue and productivity, not to mention the fallout from public embarrassment, regulatory penalties, or even criminal charges. All this being said, the realization that IT security is an important part of a business's strategy is causing concern in IT departments that traditionally have very little experience in cybersecurity strategies. Considering the fast-paced nature of the threat landscape, where so-called "zero-day" attacks are occurring with alarming frequency, it's enough to cause many a sleepless night for IT managers and business owners all over the world.



IT environments today are generally woefully lacking in visibility, with most environments employing very basic security controls - usually just a firewall and some anti-virus. The following is a logical diagram of the components a well-thought-out secure infrastructure should contain:

[Diagram: the headquarters site with an IPS and firewall at the edge and VPN, WAF, SIEM, scanner, endpoint, backup and logger components behind them; internal segments on VLAN 10 through VLAN 60 for workstations, wireless, guests, compliance, servers and phones; two remote offices connected back to headquarters over VPN across the Internet.]


As can be seen from this diagram, there are two remote offices connected back to the headquarters site via encrypted site-to-site VPNs. This is traditionally known as the "hub-and-spoke" model, and in some cases the connectivity between offices is provided over a layer-2 network from the ISP (e.g. MPLS). Note here that even if the ISP is providing a "private" link, we highly recommend still running an IPSec VPN over the links. Not encrypting this traffic, thus trusting the privacy of an ISP-provided private network, means you are allowing raw unencrypted packets to leave your network (and thus your control). Considering that ISPs typically provide these networks by encapsulating over layer-3 routers, that gives plenty of opportunity for eavesdropping on such connections.

Taking each component individually, let's examine their functions, and why they are critical in the network.

IPS/IDS

Typically sitting at the edge of your network, the IPS (or Intrusion Prevention System) watches your traffic in real time, and attempts to block requests that are deemed a security risk. This component is essential for real-time network protection, and many compliance auditors will insist on it being available. One thing to note here is that the IPS can only read (and thus protect) unencrypted data, so an IPS with a built-in SSL proxy is critical for complete coverage. This typically works by terminating any SSL sessions at the IPS, decrypting, analyzing, then re-establishing the SSL session with the remote website. Unfortunately this will necessitate pushing out a root certificate to all of your internal systems. This is required to prevent user browsers from displaying the "invalid certificate" warning since the IPS has to pretend to be every SSL site that users are going to. This is also known as a Man-in-the-Middle (MITM) proxy, and while it can take a little time to properly roll out, it is highly recommended as a significant amount of malware comes in over SSL connections.


FIREWALL

The ubiquitous firewall typically requires no introduction - or explanation of why it's critical. This device ensures that internal services stay internal and are inaccessible - except where permitted - by external users. Firewalls should be used to control traffic between all internal zones, and rules should be reviewed regularly to ensure old rules are not left lying around. Ensure that your firewall can handle the throughput of your network, and is a stateful firewall. You should also utilize your firewall to segregate your network into multiple firewall zones, one for each segment (VLAN) of your network, and limit the traffic between zones to legitimate traffic only; anything accessible from the outside should be in its own private DMZ network. This will limit the effectiveness of any malware that infects your network, and slow down - or halt - its spread throughout your organization.
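The rule review that the Firewall section calls for can be partly automated. The script below is an added example, not code from the white paper or from RackFoundry: it parses a constructed iptables-save style ruleset (the [packets:bytes] counters are what `iptables-save -c` emits), maps subnets to zone names from the diagram (the subnet-to-zone mapping is an assumption for the demo) and flags rules with zero hits (stale candidates), rules that permit more than one destination and port, and rules that let a non-internal zone reach an internal one.

```python
"""Added example, not from the white paper: review an iptables-save style
ruleset for stale rules, over-broad rules and zone-boundary violations.
The ruleset, subnets and zone names below are constructed for the demo."""
import re

# Constructed sample ruleset in iptables-save -c format; not a real site's config.
SAMPLE_RULESET = """\
*filter
:FORWARD DROP [0:0]
[81234:9172233] -A FORWARD -s 10.0.10.0/24 -d 10.0.50.0/24 -p tcp --dport 445 -j ACCEPT
[0:0] -A FORWARD -s 10.0.10.0/24 -d 10.0.50.0/24 -p tcp --dport 23 -j ACCEPT
[5120:614400] -A FORWARD -s 192.0.2.0/24 -d 10.0.50.0/24 -p tcp --dport 443 -j ACCEPT
[77:9240] -A FORWARD -s 10.0.30.0/24 -j ACCEPT
[1:60] -A FORWARD -s 10.0.10.0/24 -d 10.0.20.0/24 -p tcp --dport 22 -j ACCEPT
COMMIT
"""

# Assumed subnet-to-zone mapping for the VLANs in the paper's diagram.
ZONES = {
    "10.0.10.0/24": "workstations",
    "10.0.20.0/24": "wireless",
    "10.0.30.0/24": "guests",
    "10.0.50.0/24": "servers",
    "192.0.2.0/24": "dmz",
}
INTERNAL_ZONES = {"workstations", "wireless", "servers"}

RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)(.*?)\s+-j\s+(\S+)\s*$")


def parse_rules(text):
    """Return one dict per rule line; chain policy and COMMIT lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        packets, _bytes, chain, opts, target = m.groups()

        def opt(flag):
            # Value following a flag such as -s, -d or --dport, else "any".
            found = re.search(r"(?:^|\s)" + re.escape(flag) + r"\s+(\S+)", opts)
            return found.group(1) if found else "any"

        rules.append({
            "line": line.strip(),
            "chain": chain,
            "packets": int(packets),
            "src": opt("-s"),
            "dst": opt("-d"),
            "dport": opt("--dport"),
            "target": target,
        })
    return rules


def review(rules):
    """Return (kind, rule_line) findings for ACCEPT rules, in ruleset order."""
    findings = []
    for r in rules:
        if r["target"] != "ACCEPT":
            continue
        src_zone = ZONES.get(r["src"], r["src"])
        dst_zone = ZONES.get(r["dst"], r["dst"])
        if r["packets"] == 0:
            # No traffic matched since counters were last reset.
            findings.append(("stale", r["line"]))
        if r["dst"] == "any" or r["dport"] == "any":
            # Permits more than a single destination and service.
            findings.append(("too-broad", r["line"]))
        if src_zone not in INTERNAL_ZONES and dst_zone in INTERNAL_ZONES:
            # DMZ or unknown source allowed into an internal zone.
            findings.append(("inbound-to-internal", r["line"]))
    return findings


if __name__ == "__main__":
    for kind, line in review(parse_rules(SAMPLE_RULESET)):
        print(f"{kind:22} {line}")
```

On the sample, the telnet rule is reported as stale, the guest-VLAN rule as too broad (it lets guests reach every other zone), and the DMZ-to-servers rule as crossing into an internal zone. Counters reset when the firewall reboots, so "zero hits" should be judged over a retention period, not a single snapshot.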

VPN

The VPN device handles all VPN traffic for end users and remote sites. The VPN server should be powerful enough to handle multiple concurrent connections at a strong encryption level. Typically we recommend IPSec (using AES encryption) for site-to-site connections, with client-based connections coming in over SSL VPN technology (again, over AES). All users should use VPN tunnels to access any administrative ports, and if possible, web servers should be configured to restrict access to administration URLs to specific source IP addresses. This reduces the number of ports available for compromise, and significantly reduces your attack surface area.


WAF

The Web Application Firewall (WAF) is a form of IPS, in that it proxies all traffic from the outside to internal web servers. These servers include off-the-shelf servers, such as Microsoft Exchange, as well as custom sites - either built from scratch, or based on a framework such as WordPress. Web Application Firewalls examine specific HTTP requests, and perform checks to stop common web attacks such as Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), SQL Injection, Command Injection, and much more (e.g. the OWASP Top-10). Again, these devices can only do their work if the traffic can be unencrypted, so this device should include SSL offloading, where the WAF takes care of the SSL connection to the client, and speaks to the backend web server over a separate encrypted connection.

SIEM/SENSOR

Tying all the previously mentioned components together is the Security Incident & Event Management (SIEM) system. This system should be able to ingest data from all sources - IPS/IDS, Firewall, Logger, VPN, Vulnerability Scanner, and Endpoint agents - as well as monitor raw packets on your network (internal IDS), analyze netflow data, and correlate all these data sources to provide actionable alerts across your network. The SIEM is essentially the brains of the security strategy, and is a very important component to tie everything together. Additionally, each remote site should have a Sensor device that looks at local switch mirror ports, collects local data, and forwards it to the main SIEM at the HQ location.


VULNERABILITY SCANNER

The vulnerability scanner is critical for proactive security. This device will scan the network periodically (typically recommended at least once a week) to seek out vulnerable systems, or services that should not be open. Finding and fixing a vulnerability before it is exploited is the ideal situation, and makes it that much harder for your network to be compromised. An ideal scanner will include both network and web application testing, and should be tunable to select how aggressive the scan is. The rules should also be updated often.

ENDPOINT

Endpoint protection comes in many flavors, but this system essentially manages the agents located on end-user workstations, as well as on servers in your datacenter. Agents should be deployed to as many systems as possible to ensure that security is being monitored locally. In addition to Anti-Virus and Anti-Malware agents, there should also be a Host Intrusion Detection (HIDS) agent installed. This agent will ensure that logs are converted and sent to the Logger, and that critical system files are monitored (e.g. Windows registry and system files). The HIDS agent should also detect rootkit activity. Additionally, on critical systems a File Integrity Monitoring (FIM) agent should be installed. This reports back file changes, additions and deletions for specific sensitive directories, and is another critical requirement for many compliance regimes, such as PCI and HIPAA. Finally, full-disk encryption should be deployed to all critical systems, and especially any laptop systems that leave your network. Laptop theft is one of the most common ways of data loss occurring, and if you value your corporate data, and want to ensure that it stays out of the hands of unauthorized users, encrypting the drive is critical.
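The FIM behaviour described above (reporting changes, additions and deletions under sensitive directories) reduces to a baseline-and-compare cycle. The following is an added example written for this guide, not code from the paper or from any FIM product: it records a SHA-256 digest, size and mode for every file under a watched root, then reports what differs on a later pass. The watched tree, its contents and the changes are constructed inside a temporary directory so the demo runs offline.

```python
"""Added example, not from the white paper: a minimal File Integrity
Monitoring baseline/compare cycle. Paths and contents are constructed."""
import hashlib
import json
import os
import tempfile


def hash_file(path):
    """SHA-256 of the file contents, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each relative path (forward slashes) to its digest, size and mode."""
    baseline = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            baseline[rel] = {"sha256": hash_file(full),
                             "size": st.st_size,
                             "mode": st.st_mode}
    return baseline


def compare(baseline, current):
    """Classify the differences between two baselines."""
    old, new = set(baseline), set(current)
    modified = [p for p in sorted(old & new)
                if baseline[p]["sha256"] != current[p]["sha256"]
                or baseline[p]["mode"] != current[p]["mode"]]
    return {"added": sorted(new - old),
            "modified": modified,
            "deleted": sorted(old - new)}


def _write(root, rel, text, mode="w"):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as f:
        f.write(text)


def demo():
    """Baseline a constructed /etc-like tree, change it, and report."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "etc/hosts", "127.0.0.1 localhost\n")
        _write(root, "etc/ssh/sshd_config", "PermitRootLogin no\n")
        # A real agent stores the baseline off-host (e.g. on the Logger/SIEM)
        # so an intruder cannot rewrite the baseline along with the files.
        stored = json.dumps(build_baseline(root))

        # Constructed changes: an extra account line, a removed file, a new file.
        _write(root, "etc/passwd", "svc:x:0:0::/:/bin/sh\n", mode="a")
        os.remove(os.path.join(root, "etc", "hosts"))
        _write(root, "etc/cron.d/nightly", "0 2 * * * root /opt/job.sh\n")

        return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The unchanged sshd_config is not reported, which is the point of comparing digests rather than timestamps: a modification that preserves mtime still changes the hash. Ownership and mode are tracked too, since a permission change on a sensitive file is as important as a content change.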


BACKUP

When all else fails, make sure you have good backups. The security solutions above are all essential to detecting and preventing data loss in your network; however, no solution on the planet is 100% effective. With new threats emerging every hour of every day, and your own users being a big potential security risk as they bring in unauthorized USB keys, use personal email accounts, and trawl the latest social media sites, being 100% secure is a fantasy. It's often said that the most secure system is one that is unplugged and buried a mile underground, but even that cannot be guaranteed to be entirely safe! Backups then are the biggest failsafe you can have. If, for example, you are attacked by a new flavor of Ransomware, it's much easier - and cheaper - to simply pull from the last backup than pay the ransom. Backup strategy should encompass all servers, network device configurations, security device logs, and anywhere users store data - their workstations, file shares, cloud storage systems, etc. Do not trust that a cloud file sharing service is backing up your data. Even if they are, they rarely release it if you are compromised! Those backups are purely for their own internal recovery. Additionally, cloud CRM and ERP systems are often neglected. These systems should be backed up regularly to your own backup systems too, as they contain all the operational data to keep your organization running. The rule of thumb for backups is to back up as much as you can - it's always better to have more and not need it, than less and find out you don't have it when you need it!

70% of businesses infected by ransomware in 2016 paid the ransom due to having no viable backups, according to an IBM Security report.


LOGGER

The logger is a system that can store logs from all of your servers and devices. This includes switches, firewalls, routers, workstations, servers, and IoT (Internet of Things) devices. Centralized logging helps with troubleshooting when problems occur. More importantly, having a copy of a server's logs is very helpful if a malicious user or application tampers with that server's logs. The logger should sign all logs to ensure that the data has not been tampered with, and the retention period should be appropriate to your organization (based on any regulatory compliance requirements or internal policies). The logger is also essential to the SIEM component, discussed above.
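"Sign all logs" can be done in several ways; the block below is an added example of one of them, not code from the paper or from any logger product. Each stored record carries an HMAC over its sequence number, the previous record's tag and the message, so editing, removing or reordering a record breaks the chain at that point. The log lines and the key are constructed for the demo; the key must live only on the logger, never on the hosts that ship logs to it.

```python
"""Added example, not from the white paper: a tamper-evident log store using
an HMAC hash chain. Log lines and key are constructed for the demo."""
import hashlib
import hmac
import json

GENESIS = "0" * 64   # link value carried by the first record


def _body(seq, prev, msg):
    """Canonical bytes that the tag covers."""
    return json.dumps({"seq": seq, "prev": prev, "msg": msg},
                      sort_keys=True).encode()


class SignedLog:
    def __init__(self, key):
        self._key = key
        self.records = []
        self._prev = GENESIS

    def append(self, msg):
        seq = len(self.records)
        tag = hmac.new(self._key, _body(seq, self._prev, msg),
                       hashlib.sha256).hexdigest()
        rec = {"seq": seq, "prev": self._prev, "msg": msg, "tag": tag}
        self.records.append(rec)
        self._prev = tag
        return rec


def verify(records, key):
    """Return (ok, first_bad_index); the index is -1 when the chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.get("seq") != i or rec.get("prev") != prev:
            return False, i          # gap, reorder or deletion
        expected = hmac.new(key, _body(i, prev, rec.get("msg", "")),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("tag", "")):
            return False, i          # content or tag altered
        prev = rec["tag"]
    return True, -1


# Constructed syslog-style lines, not captured from a real system.
SAMPLE_LINES = [
    "Jan 10 03:12:01 fw01 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.0.50.10 DPT=22",
    "Jan 10 03:12:44 srv01 sshd[2211]: Accepted publickey for deploy from 10.0.10.25",
    "Jan 10 03:13:02 srv01 sudo: deploy : COMMAND=/usr/bin/systemctl restart app",
    "Jan 10 03:15:10 srv01 sshd[2290]: Failed password for root from 198.51.100.7",
]
KEY = b"constructed-demo-key-do-not-use"


def demo():
    """Sign the sample lines, then verify the original and three altered copies."""
    log = SignedLog(KEY)
    for line in SAMPLE_LINES:
        log.append(line)

    edited = [dict(r) for r in log.records]
    edited[3]["msg"] = edited[3]["msg"].replace("Failed", "Accepted")

    removed = [dict(r) for r in log.records]
    del removed[2]                       # drop the sudo line

    truncated = [dict(r) for r in log.records[:-1]]

    return {"clean": verify(log.records, KEY),
            "edited": verify(edited, KEY),
            "removed": verify(removed, KEY),
            "truncated": verify(truncated, KEY)}


if __name__ == "__main__":
    for name, (ok, idx) in demo().items():
        print(f"{name:10} ok={ok} first_bad={idx}")
```

Note the "truncated" case: cutting records off the tail leaves a chain that still verifies, because nothing after the cut remains to contradict it. The chain therefore needs an anchor the attacker cannot reach, such as the latest tag and record count periodically forwarded to the SIEM, against which the logger's current head is compared.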

Other Considerations

In addition to the above security devices required to secure your network, there are a number of other items that should be covered when thinking about security. A good starting point is the following items:

Multi-Factor Authentication

Password protection is the most common way of securing systems today. However, it also has a critical flaw - it can be easily compromised. If a user sets a weak password, a simple brute-force attack might find it in minutes. If the password is too complex, users will sometimes write it down and stick it on their desk! Forcing users to change passwords too often can lead to a false sense of security too, as users are again more likely to write it down. A much better solution is to require users to use multi-factor (or 2-factor) authentication. This means that the user will have to provide something they know (their password), and something they have (e.g. a token with a changing code every minute). This is much more difficult to crack as most people are compromised by malicious hackers located far away, and who are unlikely to have access to the physical

token. Many MFA & 2FA solutions include a variety of token technology, including smartphone apps making it easy for your users to carry tokens without any extra hardware.

Password Strategy

Consider having your users utilize "passphrases" instead of passwords. The biggest determiner of how fast a brute-force cracker can guess a password is the length of the password. Educating users to use longer (15-20 character) passphrases (simple sentences, with spaces and punctuation) means they are much more likely to remember them without writing them down, and this also means you can reduce - or eliminate if using multi-factor - regular password changes.

System Updates

Keeping your systems up-to-date is critical to ensure the security of your systems and your network. Ensure that all systems are updated regularly (monthly at the very least). Some software allows you to specify only critical security updates, so this should be done as a minimum. Also, ensure that all security system rule feeds are up-to-date and updated at least once a day, if not multiple times a day.

User Training

One of the biggest security flaws in your network is the people in your network. People who have not had security awareness training are significantly more likely to be compromised, and thus allow the malicious hackers into your network. Social engineering, the manipulation of people, is one of the most common ways a hacker gains access to your network. Phishing attacks employ a shotgun approach, sending out large numbers of emails to random people claiming to be from a popular social media site, or a well-known bank, hoping that the recipient is tricked into thinking the email is about their account and will click the malicious links inside. Spear-phishing is even more sinister, and targets specific organizations or even people. Imagine a malicious user pretending to be your finance team and asking a customer to change their wire details so that instead of payment coming to you, it goes to a malicious bank account. We've seen this happen, and all it required was access to one user's email account. Don't expect law enforcement to be able to fix everything either - most of the time in situations like that, the money is irrecoverable. The best way to combat this, and the many other ways your users can be tricked, is by providing them with the necessary training on a regular basis. It also goes without saying that such training, if provided, should be mandatory for all users to attend!

43% of breaches were caused internally. Half of those were intentional, while the other half were due to poor security practices, according to an Intel sponsored report.


Network Segregation

Another good practice is to ensure that you have good physical separation in your network. This means, as shown in the diagram, that each device type gets its own broadcast domain. This means either separate switches or separate VLANs for each network, with their own subnets, all talking back to the firewall as their default gateway. The firewall should then allow only specific authorized traffic between the different segments. This method ensures compartmentalization of the network to limit the spread of any malicious applications.

Policy

Ensuring you have good policies in place for acceptable use and privacy is also critical. The policies reinforce to your users that your organization is serious about security, and also provide some legal standing. This is especially important in publicly traded companies, but can also come into play with private organizations of all sizes. Showing policies are in place, as well as user training as discussed above, is a good way to ensure that your organization is seen as being pro-active (as opposed to negligent) in its mission to secure sensitive data.

High-Risk Devices

Today there is a rapid proliferation of what we would term "high risk" devices. These devices typically fall under the Internet of Things (IoT) category, and due to their outward appearance are often neglected as part of any security evaluation. However, these devices typically contain full operating systems (e.g. Linux or Windows embedded editions), and often manufacturers of these devices spend very little effort on securing them. An endless list of devices such as flat-screen "Smart" TVs, IP cameras, VoIP phones, coffee makers, photocopiers, thermostats, fire alarms, and more, could be operating in your environment, without supervision, waiting to be exploited. As an example, the recent large-scale attack on DynDNS (one of the largest DDoS attacks in history), which effectively took down many high profile services such as Spotify and Reddit, was traced back to a massive botnet made up of IoT devices that had been compromised throughout the world. Be aware of any and all IoT devices on your network, and if possible, place them in their own firewall zones limiting their internal & external communication to authorized devices only - and of course make sure any logs are sent to a centralized logger/SIEM for analysis.

External Penetration Testing

Performing regular testing from outside your network is critical in ensuring that your infrastructure remains secure. Often a requirement in many compliance regimes (e.g. HIPAA and PCI-DSS), this should be considered by all companies as part of their security strategy. This basically involves performing both manual and automated scans of your external IP addresses, thoroughly testing any open services found (e.g. web servers, email servers, etc.). This should include (but not be limited to) checking software versions for known vulnerabilities, testing for insecure configurations (e.g. allowing anyone to send email through your email server), performing a full web application scan of any web applications, and checking SSL certificates for validity & strong encryption/hashing. Doing this is critical to knowing your external attack surface is as small as can be, and doing this regularly will ensure that accidental misconfiguration does not expose your organization to unnecessary risk.


$2.1 trillion: the global cost of handling cyberattacks projected by 2019, according to insurers Lloyds of London.

SAST & DAST

One place often neglected is any application you may be delivering to your customers - either as a download, or via a Software-as-a-Service model. If your organization builds a software product, it's critical that the source code is fully tested for security before it is deployed. There are primarily two ways of doing this - Static Application Security Testing (SAST) or Dynamic Application Security Testing (DAST). Dynamic testing is typically the traditional way any web application is tested, and this basically involves doing an external penetration test of the application. This means that you try to attack the application using all the known methods of compromise (e.g. the OWASP Top-10, and much more), and see what you're able to do. The big advantages here are ease of testing, and testing vulnerabilities that only occur at "runtime" (i.e. when an application is running). However, there are some drawbacks to this - you can never be sure you have gotten complete coverage and tested every single path through the application (giving it the name "black box testing"), and typically you cannot test non-web applications. Static analysis, on the other hand, tests your application before it has even been compiled. It looks through the source code and finds every single path through the application, and can find issues buried deep in the code before anyone has a chance to exploit them. Also known as "white box testing", you can be sure that every single line of code has been tested for security - but it does come with some drawbacks, namely a bit more complexity in test setup & tuning, and that runtime vulnerabilities cannot be found this way. Therefore, these two methodologies, in addition to regular internal AND third-party code audits, should be considered complementary to each other, and are critical in ensuring that your customers are protected, and that (in the case of a SaaS deployed application) your infrastructure is secure too.

Third-Party Applications

Third-party applications (also known as Commercial, Off-The-Shelf, or COTS) can be a major source of security headaches. These applications become critical to your business, but often contain vulnerabilities on a massive scale. Since you have little control over the development team of another vendor, you are usually at their mercy. However, there are several things you can do to ensure your environment stays secure. First, insist that all vendors tell you their security story: what they do when it comes to security, how they do it, and why they do it. Do they do internal and third-party audits? Do they perform both SAST and DAST on their applications? How often do they test their


applications? Do they provide security awareness training to their developers? In some cases, it may also be possible to scan their application yourself before deployment. Doing a dynamic test (DAST) is straightforward, but even though they may not give you their source code, it is also often possible to still do a static analysis (SAST) test of their application. Depending on the technology (Java & .NET being the easiest), there are tools that can look at the bytecode and perform an exhaustive test to find vulnerabilities across their application. Being diligent about third-party applications on your network can, and will, drastically reduce the attack surface area in your infrastructure.
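The SAST & DAST section's point that static analysis "finds every single path through the application" without running it is easiest to see on a small scanner. The block below is an added example written for this guide, not code from the paper or from any SAST product: it walks the parsed source of a constructed program and flags a handful of dangerous calls whose first argument is not a constant, including one on a code path a dynamic test would only reach if it happened to exercise that page. The rule ids and the program under test are constructed; a real SAST tool does far more (data-flow tracking, many more sinks, framework awareness).

```python
"""Added example, not from the white paper: a toy static analyser that
inspects Python source for a few dangerous sinks. Rules and the program it
scans are constructed for the demo."""
import ast

# Constructed rule ids; not from any real tool.
SINK_RULES = {
    "eval": "SAST-001 eval() on a non-constant expression",
    "exec": "SAST-002 exec() on a non-constant expression",
    "os.system": "SAST-003 os.system() with a non-constant command",
}
SHELL_CALLS = {"subprocess.call", "subprocess.run", "subprocess.Popen",
               "subprocess.check_output"}


def _qualname(node):
    """Dotted name for Name/Attribute call targets, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _qualname(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _shell_true(call):
    """True when the call passes the literal keyword shell=True."""
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in call.keywords)


def scan(source, filename="<input>"):
    """Return (lineno, call, rule) for each finding, in source order."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        name = _qualname(node.func)
        first_arg_constant = isinstance(node.args[0], ast.Constant)
        if name in SINK_RULES and not first_arg_constant:
            findings.append((node.lineno, name, SINK_RULES[name]))
        elif name in SHELL_CALLS and _shell_true(node) and not first_arg_constant:
            findings.append((node.lineno, name,
                             "SAST-004 shell=True with a non-constant command"))
    return sorted(findings)


# Constructed program under test. Line 5 builds a shell command from a
# parameter (the classic command-injection shape), line 8 is the safe
# argument-list form, line 11 evaluates caller input, line 14 runs a fixed
# command and should not be reported.
SAMPLE_SOURCE = '''\
import os, subprocess

def ping(host):
    # only reached from one rarely used admin page
    return subprocess.run("ping -c 1 " + host, shell=True)

def safe_ping(host):
    return subprocess.run(["ping", "-c", "1", host])

def calc(expr):
    return eval(expr)

def banner():
    os.system("uname -a")
'''

if __name__ == "__main__":
    for lineno, call, rule in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {call}: {rule}")
```

The scanner reports lines 5 and 11 and stays quiet on the argument-list form and the fixed command, which is the white-box trade-off the section describes: complete coverage of the code, but no knowledge of what `host` or `expr` actually contain at runtime, so some findings need triage and some runtime-only issues are missed.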

THE SOLUTION

This whitepaper has covered many aspects of security, but still only scratches the surface of what you can - and should - do. Doing all of the above will drastically improve your security, but there is always more that can be done. Integration is a big part of security too, so ensuring all the components work together seamlessly is critical also. There are a couple of ways to go about this - buy all the tools and integrate them yourself, or buy a device that is fully integrated. Depending on your available resources, and budget, buying everything individually and integrating it yourself will provide the absolute bleeding edge of security. However, this strategy is typically unrealistic for all but the largest banks, governments and financial institutions with legions of security professionals on staff. Therefore, for most organizations, we would recommend solving the issue by utilizing a fully integrated appliance that allows you to cover most of your security requirements, with minimal integration costs.

RackFoundry TSM

Total Security Management (TSM) by RackFoundry is a powerful integrated suite of security tools that will allow you to solve most of the security vectors covered in this document, allowing you to be secure - and compliant - in one easy, affordable step. No matter if you have one small office with 20 assets, or dozens of offices all over the world with thousands of assets, TSM will scale with you and your environment, giving you a single-pane management experience - and comes with security expertise built in! Our philosophy at RackFoundry is to help organizations be secure no matter their budgetary constraints or security resources available.


Typical RackFoundry TSM Deployment

[Diagram: a TSM Security Module / Console at headquarters, with a TSM Security Module at each of Remote Site A and Remote Site B, connected back to headquarters over VPN across the Internet.]


How Does TSM Stack Up

TSM includes all the critical components of the ideal security landscape, which will allow you to tick off most of your checklist, so you can get back to running your organization instead of worrying about security.

[Comparison table: columns are Standard SIEM Solutions, Standard Threat Prevention Solutions and RackFoundry TSM; the per-column check marks are not reproduced in this copy. Feature rows:]

SIEM: Log Management; Event Management; Event Correlation; Reporting; Ticket Management

DETECTION: Asset Discovery; Network IDS; Host IDS; Netflow; Packet Capture; File Integrity Monitoring (FIM); Vulnerability Scans; Threat Intelligence Feeds

PERIMETER PROTECTION: Firewall; Intrusion Prevention (IPS); Web Application Firewall

GATEWAY FEATURES: Routing; DHCP Service; DNS Relay

TUNNEL FEATURES: Site-to-Site IPSec VPN; Client SSL VPN

HARDWARE FEATURES: Redundant Power Supplies; SSD-based Storage; Redundant Network (VRRP)

MANAGEMENT: Fully Unified Security Center; Expert Assistance for Security Issues; 24/7 Monitoring


If you would like to know more about TSM or how we can help you secure your
infrastructure, please contact us at info@rackfoundry.com, and one of our engineers
will be happy to walk you through a quick overview.

About RackFoundry

RackFoundry™, the maker of Total Security Management (TSM), is a leader in complete coverage security appliances, secure cloud services and professional services such as SecurityXpert, which provides security expertise to organizations of all sizes and industries. The RackFoundry security team, FortressLabs™, helps find new vulnerabilities in the wild, mitigates any found vulnerabilities, and heads up the RackFoundry Security Operations Center.

For more information visit us at www.rackfoundry.com.

© 2019 RackFoundry, Inc.
