Prevention Measures

SHAMOOL-01

Best practices for prevention

  • Always keep your patch levels up to date, especially on computers that host public services accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Build host systems, especially critical systems such as servers, with only essential applications and components required to perform the intended function. Any unused applications or functions should be removed or disabled, if possible, to limit the attack surface of the host.
  • Implement network segmentation through V-LANs to limit the spread of malware.
  • Consider the deployment of Software Restriction Policy set to only allow the execution of approved software (application whitelisting).
  • Recommend the whitelisting of legitimate executable directories to prevent the execution of potentially malicious binaries.
  • Consider the use of two-factor authentication methods for accessing privileged root level accounts or systems.
  • Consider deploying a two-factor authentication through a hardened IPsec/VPN gateway with split-tunneling prohibited for secure remote access.
  • Deny direct Internet access, except using proxies for Enterprise servers and workstations. Perform regular content filtering at the proxies or external firewall points of presence. Also consider the deployment of an explicit versus transparent proxy policy.
  • Implement a Secure Socket Layer (SSL) inspection capability to inspect both ingress and egress encrypted network traffic for potential malicious activity.
  • Isolate network services, such as email and Web application servers by utilizing a secure multi-tenant virtualization technology. This will limit the damage sustained from a compromise or attack of a single network component.
  • Implement best practice guidance and policy to restrict the use of non-Foundation assets for processing or accessing Foundation-controlled data or systems (e.g., working from home, or using a personal device while at the office). It is difficult to enforce corporate policies, detect intrusions, and conduct forensic analysis or remediate compromises on non-corporate owned devices.
  • Limit the use of social networking services at work, such as personal email, instant messaging, Facebook, Twitter, unless there is a valid business case for use, and this business case has been approved by the organization Chief IT Security Officer. If a valid business case exists for use, implement a guidance/policy that reduces the risk of data loss and malware threats.
  • Minimize network exposure for all control system devices. Control system devices should not directly face the Internet.
  • Place control system networks behind firewalls, and isolate or air gap them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.