Information and Communication / Cyber Security

This is intended as guidance for organisations creating policies that describe the protection of data when In Motion, At Rest and In Use against corruption, loss or breach using mechanisms such as encryption, access control and storage solutions.

CIS has provided cyber security advice to a number of organistations pursuant to applications to the FCA for providing authorised services.

It is our experience that Cybersecurity is reactive (not begin a revenue source) - it won't be actively managed operationally, but management by exception is acceptable.  Any Cyber security framework should bear this in mind, automating things like log analysis and interupting with exceptions were appropriate.

Network Security

CIS recommends a layered approach to Network Security, in accordance with best practice. The outline below is our starting point for network security.

Layer 1: Physical Layer

Data and systems should be covered by ISO 27001:2013 A.11.1, where this is not possible a suitable substitute should be in place.

Layer 2: Data Link Layer

802.11 is widely used for access control on wireless networks, 802.1X is similarly available for Ethernet ports. 

Use of 802.1Q (VLANs) is relevant for segregation.

Layer 3: Network Layer

Null routing IP addresses from FireHOL Cybercrime IP Feeds mitigates against known bad network access.  Null routing is more efficient than using a packet inspection firewall. 

(Automated) log analysis should done to dynamically block abusive traffic targeting your network specifically.  Once blocked any further access from these addreses is out of scope.  This is mitigattion against brute force and escallation attacks.

Layer 4 & 5: Transport & Session Layers

Protecting ports that are opened out of necessity, but need not be available publically, with a packet inspection firewall is essential.  CIS completes a daily (nmap) audit from a public internet IP and compares against a "known good" / gold standard scan an reports any exceptions.  These should be handled by an Incident Response mechanism for investigation.

Some ports (like filesharing) could be dynamically opened for users who have completed 2FA for defined time period.

CIS feeds log analysis of SIP, SSH and SMTP, POP and IMAP traffic data to our Layer 3 firewall to dynamically block abusive traffic.

Layer 6 & 7: Presentation Layer & Application Layer

Protocols at this layer are mostly capable of specific use authentication with at least a username and password.   See AAA below.

AAA

All resources require access controls and reporting for proper management.

Authentication

According to PSD2 Strong Customer Authentication (SCA) requires multi-factor, or more specifically two-factor authentication (2FA), using at least 2 of a knowledge factor (something known), a posession factor (something had) or an inherent factor (something you are) for authentication.

Password / Knowledge Factor : Any initial password assigned should be confirmed to be changed after a fixed onboarding period is over.  Accounts should be considered at risk during this period and suitable mitigations made.  A site like https://howsecureismypassword.net/ will demonstate to users whether their password complexity and length is suitable.

Dynamic Password / Posession Factor : TOTP apps are ubiquitous.  The secret generated should to be treated as sensitive personal data similar to a password. Exchanging the secret (possibly via QRcode) is a high / at risk activity and should be suitably managed.

Authorisation

Assigning authenticated users roles (role-based authorisation) provides for the easiest way to meet periodic auditability requirements but allowing roles permissions and role membership to be audited independantly.

Accounting

Log files should be fed back into security mechanisms or exception reported as appropriate.  For example failed remote connection attempts, logins to telephony and email reasources as well as connections from disallowed geographies should be noted and further attempts blocks where possible. How we feed Windows log entries to a central syslog server

From Cybercriminals to Nation-State actors, GDPR legislation and PSD2 - properly considered and implemented ICT / Cyber security is essential to every organisation.

Encryption likely considers TLS using a limited subset of AES ciphers along with appropriate key lengths.

Storage likely considers use of redundancy (RAID 1, 5 or 10) and a backup and recovery strategy.

Along with these Network Security mechanisms should be in place to limit beaches and to notify when they do occur [Art. 33 GDPR].

The OSI model can be used to independantly evaluate Network Security.  Not all aspects considered are relevant to every circumstance.

Osi-model-jb

The AAA framework [Authentication, Authorization and Accounting] can be used to independantly evaulate resource access control.

AAA

Valid XHTML 1.1 Strict CIS ZA | CIS UK

© Commercial Internet Solutions Limited (2019-)
Registered in England and Wales, Company No. 07276867

Full QR Code

Brief QR Code Take a look at our QR code, if you hover over it you can scan our full VCard.

Commercial Internet Solutions provides internet applications and services to Small Business clients around London. from our Tier 4 hosting facility - Custodian in Maidstone Kent using n+1 redundant Supermicro servers.

We provide fast web and secure (SSL) imap and pop3 email hosting and cheap, compliant easy to use email marketing software.

We host, manage and backup Microsoft Windows Small Business Servers, dedicated Linux servers and Asterisk/ SIP based VoIP PBX solutions.