Can any of the security folks on here tell me what good secure systems really look like? If I wanted to build a company infrastructure from scratch, what would "default secure" look like? I am fairly sure I know what a good software engineering process looks like, but if I guessed at a secure infrastructure I would be concerned I am missing basics. (Hence no examples to get us started.)
- Services do transport encryption, authentication, and authorization even to internal callers; presence on the LAN does not confer any privileged access.
- Identity and permissions that are user-friendly enough not to encourage workarounds, sophisticated enough to implement principle of least privilege, centralized enough to keep up to speed with personnel changes (including instant lockout on termination).
- Applications are developed with an awareness of common vulnerabilities and associated defenses (i.e. OWASP top 10). Sensitive applications are vetted by security researchers for high-end vulnerabilities. Off the shelf applications and libraries are kept up to date.
- Current ground truth and complete change history for everything about production is known and documented. Something like Puppet manifests in Git comprehensively describe everything that has been done to a VM from its baseline image, every rule in a hardware firewall, etc.
- Activities are logged; logs are correlated and analyzed for suspicious activity; alerts are promptly and competently investigated; credentials found to be compromised can be easily rotated; systems found to be vulnerable can be quickly patched or isolated.
- A quorum of insiders is required for especially sensitive operations; this is not just policy or code, but backstopped by math and hardware. At the root of trust you will find things like Shamir's Secret Sharing, HSMs, signing ceremonies, etc. and not a dude with a private key on his workstation.
I'm by no means a security expert, but as far as I'm aware, this stuff will make you a harder target than most.
Corporate mindset understanding the importance of security is more important than "implement LAPS" or "follow modern password policy guidelines instead of ones from 2002".
If you look at a lot of the big breaches, they have some pretty common patterns: old operating systems (XP, 7, etc.), unpatched software, excessive vendor access. This isn't because they don't have money to manage these things, it's that other business priorities with immediately visible results have taken priority. "This business software that sales needs was designed for Windows XP" takes prioritization over "It's unsafe to use anything older than Windows 10 on our network". If another department and IT have a conflict, the other department wins because it brings in revenue.
If you have people in the chain of authority above IT who support IT, and understand that securing your infrastructure prevents catastrophes on the same level as fires and PR disasters, you will generally do much better than businesses that don't. People need to understand that IT/security personnel are not "annoying" them, but trying to help them avoid catastrophes they don't even understand.
Focus... You can't protect everything, but you can ensure that the handling of at least some truly important data is as paranoid as it can be.
Protecting a company's FTP server that is open to thousands of employees is not a doable task, for example.
And the same is true of human knowledge: a company saying that all and everything within its walls is super secret can't truly hold anything secret.
At one of my first jobs in Canada, an owner of the company was very clear on the point of what is a commercial secret and what isn't. Whenever there was a meeting genuinely demanding it, he clearly stated at the start: "this is a commercial secret covered by the confidentiality agreement."