
ITHC Principle Security Concerns

Introduction

Purpose

This document presents a categorised set of Principle Security Concerns (PSC) for use within an IT Health Check (ITHC) scoping document.

The PSCs have been derived from the findings of the Ministry of Housing, Communities and Local Government (MHCLG) Mitigating Malware and Ransomware Survey, conducted with Local Authorities during 2020.

The suite of PSCs will assist Local Authorities in generating penetration testing scopes aligned with National Cyber Security Centre (NCSC) areas of concern and pertinent cyber threats.

Scope

The PSCs are categorised into the focus areas identified below, each of which provides defences against ransomware and malware threats, viewed from an identify, protect, detect, respond and recover perspective.

General IT Health Check scoping guidance and NCSC Active Cyber Defence (ACD) services are excluded from this document.

Principle Security Concerns

1. Backup

PSC-BU01

The organisation's Active Directory system state is not being backed up, which severely limits the organisation's ability to recover directory services.

PSC-BU02

Backup traffic is transmitted over cleartext protocols, leaving sensitive information vulnerable to eavesdropping.

PSC-BU03

Backup traffic is channel-encrypted, but the channel permits sub-optimal cipher suites.

PSC-BU04

Backups are stored unencrypted, potentially exposing sensitive information.

PSC-BU05

Backups are stored using a weak encryption algorithm affording poor confidentiality protection.

PSC-BU06

Backup servers are not running the latest vendor build releases, leaving known vulnerabilities unpatched.

PSC-BU07

Backup servers are sub-optimally configured, exposing services that are not required.

PSC-BU08

Backup server operating systems are not hardened in line with best practice – Centre for Internet Security (CIS) Level 2.

PSC-BU09

Backup servers reside within the corporate Active Directory domain, providing no defence against lateral movement by an attacker who has escalated to domain privileges.

PSC-BU10

Backups are stored on-network within the same authentication domain as the systems they protect.

PSC-BU11

Backup service accounts use weak and/or non-complex passwords.

PSC-BU12

Backup service account(s) credentials are locally cached on the backup server(s).

PSC-BU13

Backup servers expose SMB service, increasing the attack surface for ransomware propagation.

PSC-BU14

Administration of backup servers via Remote Desktop Protocol (RDP) is unrestricted from anywhere within the local area network.
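Several of the backup server concerns above can be evidenced directly on the server during an ITHC. The following PowerShell script is an added example and is not part of the MHCLG document or of any backup vendor's tooling. It assumes a Windows backup server with PowerShell 5.1 or later, run in an elevated session, and maps each check to the PSC it supports (BU07, BU09, BU12, BU13 and BU14). The list of built-in service identities it excludes, and what it treats as a concern, are the example's own choices.

```powershell
# Added example (not part of the original document): local posture checks for a
# Windows backup server covering PSC-BU07, BU09, BU12, BU13 and BU14.
# Run in an elevated PowerShell 5.1+ session on the backup server itself.
#Requires -RunAsAdministrator

function Test-DomainJoined {
    # PSC-BU09: a backup server joined to the production domain is reachable
    # with any credential an attacker harvests from that domain.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        Check   = 'PSC-BU09 Domain membership'
        Concern = [bool]$cs.PartOfDomain
        Finding = if ($cs.PartOfDomain) { "Member of domain $($cs.Domain)" } else { "Not domain joined (workgroup $($cs.Domain))" }
    }
}

function Test-ServiceAccountCredentials {
    # PSC-BU12: a service that runs as a domain or local user account has that
    # account's password stored in LSA secrets on this host, where any local
    # administrator can recover it. Built-in system identities are excluded.
    $builtin = '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)'
    $svc = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -and $_.StartName -notmatch $builtin }
    [pscustomobject]@{
        Check   = 'PSC-BU12 Services running as user accounts'
        Concern = @($svc).Count -gt 0
        Finding = (@($svc) | ForEach-Object { "$($_.Name) runs as $($_.StartName)" }) -join '; '
    }
}

function Test-SmbExposure {
    # PSC-BU13: SMB reachable from the network is the classic ransomware
    # propagation path; SMBv1 adds wormable legacy bugs on top of that.
    $listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $allow = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq 445 } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    [pscustomobject]@{
        Check   = 'PSC-BU13 SMB exposed to the network'
        Concern = ([bool]$listening) -and (@($allow).Count -gt 0)
        Finding = "Listening on 445: $([bool]$listening); SMBv1 enabled: $smb1; inbound allow rules for 445: $(@($allow).Count)"
    }
}

function Test-RdpScope {
    # PSC-BU14: RDP should be reachable only from a management subnet or jump
    # host. An inbound allow rule with RemoteAddress 'Any' admits the whole LAN.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpEnabled = ($ts.fDenyTSConnections -eq 0)
    $open = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq 3389 } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }
    [pscustomobject]@{
        Check   = 'PSC-BU14 RDP reachable from any LAN address'
        Concern = $rdpEnabled -and (@($open).Count -gt 0)
        Finding = "RDP enabled: $rdpEnabled; inbound 3389 allow rules with RemoteAddress=Any: $(@($open).Count)"
    }
}

function Get-ListeningServices {
    # PSC-BU07: every listening service is attack surface; anything not needed
    # for backup operations or management should be disabled or filtered.
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' } |
        Sort-Object LocalPort -Unique |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{ Port = $_.LocalPort; Address = $_.LocalAddress; Process = $p.ProcessName; ProcessId = $_.OwningProcess }
        }
}

$checks = @(Test-DomainJoined; Test-ServiceAccountCredentials; Test-SmbExposure; Test-RdpScope)
$checks | Format-Table Check, Concern, Finding -AutoSize -Wrap
"`nListening TCP services (PSC-BU07):"
Get-ListeningServices | Format-Table -AutoSize
```

The output is evidence for the scoping conversation rather than a verdict: a listening port 445 with an allow rule is a concern on a backup server but expected on a file server, and a service running as a domain account is exactly the credential PSC-BU09 and BU12 warn is recoverable once the host is reached.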

2. Multi-Factor Authentication

PSC-MFA01

Cloud-based administration accounts are not protected with MFA, leaving them exposed to credential-based attack.

PSC-MFA02

External remote access relies on single-factor user authentication only.

PSC-MFA03

On-premises privileged user account access is provided via single-factor authentication only.

3. Operating Systems

PSC-OS01

Unsupported operating systems are present within the estate with known vulnerabilities.

PSC-OS02

Supported operating systems are not patched within 14 days of vendor release.

PSC-OS03

Unsupported systems have access to untrusted internet content.

PSC-OS04

Vulnerable systems have exposed services which may provide a mechanism for an attacker to gain a foothold.

PSC-OS05

Host-based firewalls are not present, increasing the attack surface.

PSC-OS06

Antivirus / antimalware software is not present on target systems, increasing the likelihood of successful malware installation.

PSC-OS07

Cached administrator credentials are present on systems, increasing the likelihood of successful privilege escalation attacks.

PSC-OS08

Desktop operating systems are not hardened in line with best practice – Centre for Internet Security (CIS) Level 2.

PSC-OS09

Application whitelisting (allow-listing) is not in place across critical systems to prevent unauthorised code from executing.

PSC-OS10

Host-based firewall rulesets are overly permissive, doing little to filter non-essential traffic.

PSC-OS11

Mobile and tablet operating systems are not running a vendor supported release in receipt of security updates.

PSC-OS12

Mobile devices are not enrolled in, and governed by, a mobile device management (MDM) solution.

PSC-OS13

Mobile devices are not secured in accordance with NCSC guidance.

PSC-OS14

Server operating systems are not hardened in line with best practice – Centre for Internet Security (CIS) Level 2.
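The host-level concerns in this section (PSC-OS02, OS05, OS06, OS07, OS09 and OS10) can be checked on a Windows server or desktop with the script below. It is an added example, not part of the MHCLG document; it assumes an elevated PowerShell 5.1 or later session on the host under test and built-in Windows components (Defender, Windows Firewall, WDAC/AppLocker). The thresholds used to raise a concern are the example's own, chosen to match the document's intent rather than stated in it.

```powershell
# Added example (not part of the original document): Windows host checks for
# PSC-OS02, OS05, OS06, OS07, OS09 and OS10. Run elevated on the host under test;
# the thresholds behind each 'Concern' flag are the example's own.
#Requires -RunAsAdministrator

function Test-PatchAge {
    # PSC-OS02: age of the newest installed Windows update. Get-HotFix covers
    # Windows updates only. With a monthly release cadence plus the 14-day
    # window, anything older than ~45 days is behind; an exact check compares
    # each missing update's release date with today.
    $latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $ageDays = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { $null }
    [pscustomobject]@{
        Check   = 'PSC-OS02 Newest Windows update age'
        Concern = ($null -eq $ageDays) -or ($ageDays -gt 45)
        Finding = if ($latest) { "$($latest.HotFixID) installed $ageDays days ago" } else { 'No dated hotfixes found' }
    }
}

function Test-HostFirewall {
    # PSC-OS05 / OS10: every profile enabled with a default inbound block, and no
    # enabled inbound allow rule that is open to any remote address on any port.
    $badProfiles = Get-NetFirewallProfile |
        Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -eq 'Allow' }
    $permissive = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        Where-Object {
            (($_ | Get-NetFirewallPortFilter).LocalPort -eq 'Any') -and
            (($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any')
        }
    [pscustomobject]@{
        Check   = 'PSC-OS05/OS10 Host firewall'
        Concern = (@($badProfiles).Count -gt 0) -or (@($permissive).Count -gt 0)
        Finding = "Profiles off or default-allow: $(@($badProfiles).Name -join ', '); any-port/any-source allow rules: $(@($permissive).Count)"
    }
}

function Test-Antimalware {
    # PSC-OS06: Microsoft Defender status. A third-party product needs its own
    # check (the root/SecurityCenter2 WMI namespace exists on client SKUs only).
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check   = 'PSC-OS06 Antimalware present and active'
        Concern = (-not $mp) -or (-not $mp.RealTimeProtectionEnabled)
        Finding = if ($mp) { "Defender service: $($mp.AMServiceEnabled); real-time: $($mp.RealTimeProtectionEnabled); signatures updated: $($mp.AntivirusSignatureLastUpdated)" } else { 'Defender cmdlets unavailable; verify third-party product manually' }
    }
}

function Test-CachedLogons {
    # PSC-OS07: CachedLogonsCount is how many domain logon verifiers (DCC2
    # hashes) Windows keeps locally for offline logon. The Windows default is 10;
    # CIS benchmarks recommend 4 or fewer. Absent value means the default applies.
    $v = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').CachedLogonsCount
    $count = if ($null -ne $v) { [int]$v } else { 10 }
    [pscustomobject]@{
        Check   = 'PSC-OS07 Cached domain logons'
        Concern = $count -gt 4
        Finding = "CachedLogonsCount = $count"
    }
}

function Test-ApplicationControl {
    # PSC-OS09: WDAC enforcement (0 off, 1 audit, 2 enforced) and AppLocker rules
    # in collections set to Enabled. Audit-only policies block nothing.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $wdac = if ($dg) { [int]$dg.CodeIntegrityPolicyEnforcementStatus } else { 0 }
    $policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    $rules = 0
    if ($policy) {
        $rules = [int]($policy.RuleCollections | Where-Object { $_.EnforcementMode -eq 'Enabled' } |
                       ForEach-Object { $_.Count } | Measure-Object -Sum).Sum
    }
    [pscustomobject]@{
        Check   = 'PSC-OS09 Application control'
        Concern = ($wdac -ne 2) -and ($rules -eq 0)
        Finding = "WDAC enforcement: $wdac; enforced AppLocker rules: $rules"
    }
}

@(Test-PatchAge; Test-HostFirewall; Test-Antimalware; Test-CachedLogons; Test-ApplicationControl) |
    Format-Table Check, Concern, Finding -AutoSize -Wrap
```

Run against a representative sample of servers and desktops rather than a single host: PSC-OS08 and OS14 are about consistency of the build, and a clean result on one freshly imaged machine says nothing about the rest of the estate.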

4. Active Directory

PSC-AD01

Domain controllers are insufficiently hardened in accordance with industry best practice (CIS benchmark Level 2).

PSC-AD02

Coarse-grained privileged account permissions give a large number of accounts logon rights to domain controllers.

PSC-AD03

Complex passwords are not in place for privileged user accounts with domain-wide permissions.

PSC-AD04

Local administrator account passwords are standardised throughout the server estate, so the compromise of one server exposes all of them.

PSC-AD05

Standard user accounts are utilising passwords susceptible to brute force attacks.

PSC-AD06

Accounts are susceptible to continuous logon attempts because throttling / lockout controls are absent.
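PSC-AD02 to AD06 can be evidenced from the directory itself before any password auditing is attempted. The script below is an added example, not part of the MHCLG document; it assumes the RSAT ActiveDirectory PowerShell module on a domain-joined host with read access to the domain and schema. The list of privileged groups, and the thresholds (minimum length 12, lockout threshold above zero) behind each concern flag, are the example's own.

```powershell
# Added example (not part of the original document): domain-level evidence for
# PSC-AD02 to AD06 using the RSAT ActiveDirectory module from a domain-joined
# host. Thresholds (minimum length 12, lockout threshold > 0) are the example's own.
Import-Module ActiveDirectory

function Test-PasswordAndLockoutPolicy {
    # PSC-AD03 / AD05 / AD06: the default domain policy, plus a count of
    # fine-grained policies, which can silently weaken settings for their targets.
    $pol  = Get-ADDefaultDomainPasswordPolicy
    $fgpp = @(Get-ADFineGrainedPasswordPolicy -Filter *)
    [pscustomobject]@{
        Check   = 'PSC-AD03/AD05/AD06 Domain password and lockout policy'
        Concern = ($pol.MinPasswordLength -lt 12) -or (-not $pol.ComplexityEnabled) -or ($pol.LockoutThreshold -eq 0)
        Finding = ('MinLength={0}; Complexity={1}; LockoutThreshold={2}; LockoutDuration={3}; ObservationWindow={4}; FGPPs={5}' -f $pol.MinPasswordLength, $pol.ComplexityEnabled,
                   $pol.LockoutThreshold, $pol.LockoutDuration, $pol.LockoutObservationWindow, $fgpp.Count)
    }
}

function Get-PrivilegedGroupMembership {
    # PSC-AD02: by default these groups hold 'Allow log on locally' on domain
    # controllers through the Default Domain Controllers Policy, so every user
    # in them (nested groups expanded) can log on to a DC. Enterprise Admins
    # exists only in the forest root domain, hence SilentlyContinue.
    $groups = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Account Operators',
              'Server Operators', 'Backup Operators', 'Print Operators'
    foreach ($g in $groups) {
        $users = @(Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
                   Where-Object objectClass -eq 'user')
        [pscustomobject]@{
            Group   = $g
            Users   = $users.Count
            Members = ($users.SamAccountName | Sort-Object) -join ', '
        }
    }
}

function Test-LapsDeployed {
    # PSC-AD04: if neither legacy LAPS (ms-Mcs-AdmPwd) nor Windows LAPS
    # (msLAPS-Password) is in the schema, local administrator passwords are set
    # by build image or by hand and are very likely shared across the estate.
    # Schema presence is not deployment, so computers carrying an expiry stamp
    # written by a LAPS client are counted too. AD evaluates a filter on an
    # attribute missing from the schema as no match, so the count simply reads 0.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attrs = @(Get-ADObject -SearchBase $schemaNC -LDAPFilter '(|(name=ms-Mcs-AdmPwd)(name=msLAPS-Password))')
    $managed = 0
    if ($attrs.Count -gt 0) {
        $managed = @(Get-ADComputer -LDAPFilter '(|(ms-Mcs-AdmPwdExpirationTime=*)(msLAPS-PasswordExpirationTime=*))' -ErrorAction SilentlyContinue).Count
    }
    [pscustomobject]@{
        Check   = 'PSC-AD04 LAPS in use for local administrator passwords'
        Concern = ($attrs.Count -eq 0) -or ($managed -eq 0)
        Finding = "Schema attributes: $(if ($attrs) { $attrs.Name -join ', ' } else { 'none' }); computers with a LAPS expiry stamp: $managed"
    }
}

@(Test-PasswordAndLockoutPolicy; Test-LapsDeployed) | Format-Table Check, Concern, Finding -AutoSize -Wrap
"`nPrivileged group membership (PSC-AD02):"
Get-PrivilegedGroupMembership | Format-Table -AutoSize -Wrap
```

A low lockout threshold alone does not settle PSC-AD05: with lockout in place an attacker moves to password spraying (one guess per account per observation window), so the password-quality findings still need an offline audit of the extracted hashes, which is where the ITHC tester's scope should explicitly permit or exclude DCSync-style extraction.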

5. Logging

PAS-LOG01

Privileged user account logon success / failure is not centrally logged and alerted upon.

PAS-LOG02

User MFA authentication failures are not logged / alerted upon, resulting in nefarious activity potentially going undetected.

PAS-LOG03

Cloud service logs are isolated and not ingested into a central system for analysis and alerting.

PAS-LOG04

No alerting is configured within the central logging / SIEM solution to trigger event investigation and triage.

PAS-LOG05

A lack of event correlation rules limits alerting and detection of potential nefarious activity.

PAS-LOG06

Logs are susceptible to compromise / tampering as a consequence of weak RBAC controls.

PAS-LOG07

Log retention is less than 6 months potentially limiting historical analysis and investigative capability.

PAS-LOG08

Backup job success / failure is not centrally logged and alerted upon.
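Most of the logging concerns are answered in the central SIEM, but PAS-LOG01 and PAS-LOG03 start on the host: privileged logons must be audited and forwarded before they can be alerted upon, and a local Security log that wraps in days shows how much evidence PAS-LOG07 loses without forwarding. The script below is an added example, not part of the MHCLG document; it assumes an elevated PowerShell 5.1 or later session on a domain controller or server, Windows Event Forwarding (WEF) as the collection mechanism, and a 24-hour look-back. Which audit settings and retention it flags are the example's own choices.

```powershell
# Added example (not part of the original document): host-side evidence for
# PAS-LOG01, PAS-LOG03 and the local view of PAS-LOG07. Run elevated on a
# domain controller or server. 'Concern' flags are the example's own.
#Requires -RunAsAdministrator

function Test-LogonAuditPolicy {
    # PAS-LOG01: 'Logon' (4624/4625) needs success and failure; 'Special Logon'
    # (4672, admin-level logon) and 'Account Lockout' need success. auditpol /r
    # emits CSV, so each subcategory is read back as an object.
    foreach ($sub in 'Logon', 'Special Logon', 'Account Lockout') {
        $row  = auditpol /get /subcategory:"$sub" /r | ConvertFrom-Csv
        $need = if ($sub -eq 'Logon') { 'Success and Failure' } else { 'Success' }
        [pscustomobject]@{
            Subcategory = $sub
            Setting     = $row.'Inclusion Setting'
            Concern     = -not ($row.'Inclusion Setting' -like "*$need*")
        }
    }
}

function Test-SecurityLogCoverage {
    # PAS-LOG07 (local view): size, retention mode and how far back the oldest
    # record reaches. Central retention is checked in the SIEM, not here.
    $log    = Get-WinEvent -ListLog Security
    $oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
    $days   = ((Get-Date) - $oldest.TimeCreated).Days
    [pscustomobject]@{
        Check   = 'Security log coverage on host'
        Concern = ($log.LogMode -eq 'Circular') -and ($days -lt 30)
        Finding = ('MaxSize={0} MB; Mode={1}; Records={2}; Oldest={3:yyyy-MM-dd} ({4} days)' -f [math]::Round($log.MaximumSizeInBytes / 1MB),
                   $log.LogMode, $log.RecordCount, $oldest.TimeCreated, $days)
    }
}

function Test-EventForwarding {
    # PAS-LOG03 / LOG01: WEF collector targets pushed by GPO live under this key.
    # A third-party agent (Splunk UF, Elastic Agent, ...) needs its own service check.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    $targets = @()
    if (Test-Path $key) {
        $targets = @((Get-ItemProperty $key).PSObject.Properties | Where-Object Name -match '^\d+$' | ForEach-Object Value)
    }
    [pscustomobject]@{
        Check   = 'Event forwarding to a collector'
        Concern = $targets.Count -eq 0
        Finding = if ($targets) { $targets -join '; ' } else { 'No WEF subscription manager configured' }
    }
}

function Get-PrivilegedLogonSummary {
    # PAS-LOG01: what a central alert would be built on. 4672 = special privileges
    # assigned to a new logon (admin-level); 4625 = failed logon. 4672 names the
    # account in Subject*, 4625 in Target*. SYSTEM's own 4672 events are dropped
    # because they fire for every service start and would swamp the summary.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4672, 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $acct = if ($_.Id -eq 4672) { "$($data.SubjectDomainName)\$($data.SubjectUserName)" } else { "$($data.TargetDomainName)\$($data.TargetUserName)" }
        [pscustomobject]@{ Id = $_.Id; Account = $acct; Source = $data.IpAddress }
    } | Where-Object { $_.Account -ne 'NT AUTHORITY\SYSTEM' } |
        Group-Object Id, Account | Sort-Object Count -Descending | Select-Object Count, Name
}

Test-LogonAuditPolicy | Format-Table -AutoSize
@(Test-SecurityLogCoverage; Test-EventForwarding) | Format-Table Check, Concern, Finding -AutoSize -Wrap
"`nPrivileged and failed logons in the last 24 h (the input PAS-LOG01 alerting should consume):"
Get-PrivilegedLogonSummary | Format-Table -AutoSize
```

The per-account summary at the end is the point of PAS-LOG04 and LOG05 in miniature: a high count of 4625 for one account with no matching lockout is the PSC-AD06 gap surfacing in the logs, and a 4672 from a workstation address for a service account is the kind of correlation a SIEM rule should raise.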