Securing the Seven Domains of IT Infrastructure

When a business environment is opened up to the Internet, many risks can be introduced into the organization. These risks must be identified and managed in order to defend and protect the organization from attack. Additionally, the people within the organization can intentionally or unintentionally introduce risk simply by performing their daily job duties. When these duties are performed in the absence of clear direction from policy and best practices, risk can grow exponentially. The following information will help demonstrate the importance of securing the seven domains of IT infrastructure.

User Domain

The User Domain represents a great weakness within the IT infrastructure. This domain includes any end-user accessing information at the organization. With “almost 90% of cyber-attacks caused by human error or behavior” [1], this domain needs strong scrutiny. The following risks have been identified within this domain:

• Employees that fail to lock their computers when getting up from their desks.
• Employees that leave sensitive company information on their desks.
• Limited IT security knowledge by employees can lead to the introduction of malware and social engineering schemes.
• Employee negligence from a lack of policy can lead to legal ramifications for the business.

These risks have the potential to destroy a business. Falling for a social engineering scheme can introduce ransomware to the corporate network. This can lead to the encryption of valuable files needed in day-to-day operations. In the absence of complete backups of these files, the only alternative would be to pay the ransom. If the hackers unencrypt the files as they say they will when the ransom is paid, this could lead to downtime amounting to days of lost productivity. Additionally, without rectifying the situation and properly cleaning the affected systems, the ransomware could reactivate and begin the process again. The introduction of malware by an end-user browsing an infected website can also compromise the business. Malware can include keyloggers and spyware which, if controlled by the wrong entity, could lead to sensitive data loss or the theft and sale of confidential company information to your competitors. These risks can be mitigated by strong security controls and policies as well as comprehensive security and awareness training for all employees. Policies that control employee’s behavior and produce a clear legal separation between the employee and the employer, such as an Acceptable Use Policy (AUP), are definitely needed.

Workstation Domain

The Workstation Domain includes any computing devices used by end-users and represents how the users connect to the actual IT infrastructure. The following risks have been identified within this domain:

• Old operating systems represent a huge vulnerability. They are beyond their end-of-life and are not maintained with security updates and patches.
• Older and outdated hardware is vulnerable to hackers and data loss through outdated firmware exploits and the lack of the ability to encrypt the hardware.
• Known remote access vulnerabilities within older OS’s can allow hackers to take over the workstation and gain access to the corporate network.
• Old hard drives can lead to failure and the data loss of critical business information.

These risks have the potential to allow hackers into the network and also have the potential for data loss of failed hardware components. These risks can be mitigated by a complete overhaul of old hardware to ensure everything is up-to-date. Newer OS’s will mean security holes are closed and new equipment, maintained through sound backup policies and encryption techniques, will help maintain business continuity if a hard drive were to fail. This will also protect corporate data in the event of a data breach. Also, by establishing a strong baseline system defined by a security policy, each workstation can be ensured to provide strong local encryption, backup of sensitive information, and protection from intrusion and compromise by utilizing the latest patched operating system and antimalware/antivirus protection.

LAN Domain

The LAN Domain includes all the equipment that makes up the local area network, including switches, hubs, access points and WiFi, and routers. These devices connect all the workstations to one another. The following risks have been identified within this domain:

• Flat network designs lack security.
• IT Employees may lack the experience, or the time, in designing and maintaining a secure network.
• Lack of security policy governing the network.

These identified risks have the potential to allow hackers into the corporate network and allow them easy access to resources once they get in. A flat, or unsegmented, network essentially allows all workstations and servers to exist on the same LAN. There are no security features in place, such as firewalls, to restrict access to different areas of the network. A user on a workstation can connect to a server, or a DMZ server can connect to the same router as all internal systems. This is a hacker’s dream. After initial compromise, pivoting between systems is easier than in a segmented network. The design of this type of network was either done by inexperienced network professionals or over-extended professionals without the time or resources to build out the network properly. Proper training of these individuals, and the proper amount of them, in conjunction with strong security policies, will help to mitigate these risks.

LAN-to-WAN Domain

The LAN-to-WAN Domain is where the corporate LAN connects to the Internet (in this case, the WAN). The Internet is an insecure environment containing many vulnerabilities, but also a necessary component of any business strategy. Great care and caution must be taken when securing this boundary. The following risks can exist in this domain:

• No firewall is present, only a simple modem.
• Lack of any defensive perimeter controls.
• Lack of Intrusion Detection/Intrusion Prevention.

These identified risks have the potential to allow unrestricted access into the organization’s LAN, and also to introduce DDoS (distributed denial of service) or other attacks against computers in the DMZ, which could contain your corporate email and web servers. A best practice in security is “defense in depth”. This means securing resources through a variety of controls so that if one control fails, there are other defenses in place that can provide security and act as backups to an organization’s defense. A firewall should exist between the WAN (Internet) and the LAN, and another should exist between the DMZ and the LAN. Access to the DMZ should never come from the LAN because a breach of the DMZ would allow hackers an internal position to launch further attacks inside the network. Proper network perimeter design including multiple firewalls coupled with a strong defense in depth strategy, would help mitigate these threats.

WAN Domain

The WAN Domain is represented by the Internet and stands for wide area network. All outside entities are represented by this domain, including other businesses, websites, and all external endpoints. This also includes entities capable of launching malicious attacks against your corporate network or eavesdropping on any open port or protocol on the perimeter. The WAN also represents a possible communication channel from an end-user into the LAN utilizing a technology called virtual private networking (VPN), FTP, or Secure Shell (SSH). The following risks exist in this domain:

• A lack of security policy and trained employees means multiple vulnerabilities may exist at the perimeter which are unknown, including open ports and protocols, including FTP and Remote Desktop.
• Lack of firewalls and possibly improperly configured modem at the perimeter could introduce many possible attacks.

These identified risks have the potential to allow a compromise at the network border with the Internet (WAN). These weaknesses can directly be mitigated by shoring up the LAN-to-WAN Domain. Verifying and setting up SFTP instead of FTP can help secure this protocol if it is being utilized at your company. Best practices in defense in depth should be utilized, as well as penetration testing to ensure this domain is secure. Solid Incident Response policies should also be developed and tested to ensure a breach in this domain does not expose the business to unnecessary risk.

Remote Access Domain

The Remote Access Domain is represented by any employee, vendor, or contractor that works in the field or from home, instead of within the office environment, and accesses the corporate LAN. Improper set up in this domain can lead to access to the LAN by unauthorized entities, which can turn into a full breach of the network. The following risks exist in this domain:

• Weak passwords can lead to unauthorized entry into the network from external locations.
• Weak Group Policy on Domain Controller which does not enforce account lockouts, complex passwords, or password history.
• Improper set up of VPN, FTP, or other remote access protocol.

These identified risks have the potential to allow an external threat actor to gain access, potentially full access, to the internal LAN at your business. Additionally, weak FTP can allow an entity to introduce malicious applications, including malware, to the network. Allowing remote access to a corporate system is extremely important to configure correctly. Additionally, proper auditing and logging of attempts to gain access will help IT identify if a threat is growing and if an intruder has gained access. By creating solid controls and policies surrounding remote access and utilizing best practices like auditing and logging, your business can secure this domain.

System/Application Domain

The System/Application Domain includes all system and application software-related issues. The software includes anything that collects, accesses, and stores information and can include system software running on servers and application software running on servers and workstations (referred to as end-user software). Maintaining systems and software is the best way to mitigate risks in this domain. Allowing software to remain unpatched allows any hacker to compromise a system. Patch management is very crucial. The following risks have been identified in this domain:

• Unpatched operating systems and software existing on the network.
• End-users lack of security mindedness and unrestricted workstation access can lead to additional unsupported software being introduced to the network.
• An email that is not scanned for viruses.
• Employees that are not trained in social engineering schemes can unwittingly open infected files.
• Lack of antimalware/antivirus software to protect company assets.

These identified risks have the potential to allow an external threat actor to gain access to the internal LAN through spyware or trojan horse virus variants downloaded through email or from a compromised website. Antimalware and antivirus software can help stop these infections from getting released into the company network. Additionally, unpatched OS’s and software have many known vulnerabilities that can be exploited if discovered by a hacker. A solid policy to maintain systems and software can mitigate this risk. This would call for the use of antimalware and antivirus software on workstations and servers, including the webserver and email server. All email can be scanned and secured through an email gateway or Unified Threat Management (UTM) device installed at the network perimeter. Proper security and awareness training to help employees spot social engineering schemes would be a huge factor in mitigating these threats as well.

What Next?

Risk is inherent in the IT world. Every computer, every service, and every process can be compromised or attacked. The job of a good IT security team is to systematically identify risks and reduce, eliminate, or accept them. A big problem at many small businesses is that risks have not even been initially identified, and therefore no responses have been crafted. The identification of these risks across the seven domains of the IT infrastructure is a good starting point to begin reducing, eliminating, and accepting the risks through solid security controls, policies, and awareness.

References

[1] Kelly, R. (2017, May 7). Almost 90% of Cyber Attacks are Caused by Human Error or Behavior. Retrieved from https://chiefexecutive.net/almost-90-cyber-attacks-caused-human-error-behavior/

[2] Johnson, R. (2014). Business Challenges within the Seven Domains of IT Responsibility. In Security policies and implementation issues. Jones & Bartlett Learning.