What is infrastructure?
In a general sense, infrastructure refers to physical structures and facilities, such as buildings, offices, and datacenters. In a computing sense, IT infrastructure refers to your cloud and mobile devices, Internet of Things (IoT) endpoints, on-premises servers, cloud-based virtual machines, containers, and microservices, together with all the software that runs on them, both first- and third-party. The infrastructure footprint, whether organizational structures or IT assets, must be monitored and managed as it continues to expand and evolve. Adopting the Zero Trust approach is the best way to enhance security in an ever-changing digital environment.
Common infrastructure vulnerabilities and threats
IT infrastructure comprises different technologies hosted over networks, making it a complex environment that faces increasing threat levels. IT systems and the critical data they process can be vulnerable to both digital and onsite attacks. Proper enforcement of security policies and procedures can mitigate the risks, limit the damage, and speed up recovery efforts. Here's a list of threat vectors associated with infrastructure:
- Physical security
- Legacy software
- Default configurations
- Lack of encryption
- Lack of network segmentation
- Malware, distributed denial of service attacks, and attacks on web apps
- Poorly implemented security policies and procedures
Physical security
Physical security refers to the systems and technologies established to protect sites and workspaces. It can be considered an extension of IT infrastructure security. If attackers bypass physical security and gain unauthorized access to the office premises, they can simply plug into the network and gain complete access to resources. There is also a heightened risk of equipment theft.
Legacy software
A legacy system is so called because it relies on old or outdated technology, whether software or hardware, that's still in use. Legacy systems and software have certain limitations and therefore might have vulnerabilities. This poses a massive security risk for the following reasons:
- Integrating with the latest technology might prove difficult or may not be possible at all.
- Software might no longer be supported by the vendor, so no regular security updates are available.
Default configurations
Default configurations are the predetermined settings, often fixed by the manufacturer, that a new device or piece of software ships with. For example, the default settings and passwords that come with a new Wi-Fi installation must be changed and customized for a secure connection. Default configurations are often insecure and leave unnecessary services enabled. Running needless services increases the number of vulnerabilities in systems and applications, which leads to the risk of unauthorized access.
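The following Go program is an added example, not part of this module, showing how a defender can audit a device configuration for the two problems described above: vendor default credentials that were never changed, and services that are enabled but not needed. The configuration format, key names (admin_user, service_telnet, and so on), the list of assumed vendor defaults, and both sample configurations are constructed for this example and do not describe any real product.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Factory image of a hypothetical small-office router (constructed sample).
const factoryConfig = `
admin_user = admin
admin_password = admin
wifi_password = password
service_https = enabled
service_ssh = disabled
service_telnet = enabled
service_wps = enabled
service_upnp = enabled
`

// The same device after hardening: defaults replaced, needless services off (constructed sample).
const hardenedConfig = `
admin_user = netops-x7
admin_password = Lq8#mW2vTz!q4Ynb
wifi_password = Rf4@cN9sHk!w2Bde
service_https = enabled
service_ssh = enabled
service_telnet = disabled
service_wps = disabled
service_upnp = disabled
`

// Finding is one audit result: the setting that was flagged and why.
type Finding struct {
	Key    string
	Reason string
}

// Credentials the vendor is assumed to ship with; any of them surviving deployment is a finding.
var defaultCredentials = map[string][]string{
	"admin_user":     {"admin", "root"},
	"admin_password": {"", "admin", "password", "1234"},
	"wifi_password":  {"", "admin", "password"},
}

// Services enabled out of the box that a hardened device should not run (constructed list).
var unneededServices = map[string]bool{"telnet": true, "wps": true, "upnp": true}

// parseConfig reads "key = value" lines; blank lines and # comments are skipped.
func parseConfig(text string) map[string]string {
	cfg := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		parts := strings.SplitN(line, "=", 2)
		if len(parts) != 2 {
			continue
		}
		cfg[strings.TrimSpace(parts[0])] = strings.TrimSpace(parts[1])
	}
	return cfg
}

// auditDefaults flags credentials left at a vendor default and needless services still enabled.
// Findings are sorted by key so the report is stable.
func auditDefaults(cfg map[string]string) []Finding {
	var findings []Finding
	for key, defaults := range defaultCredentials {
		val, present := cfg[key]
		if !present {
			continue
		}
		for _, d := range defaults {
			if strings.EqualFold(val, d) {
				findings = append(findings, Finding{key, "vendor default credential still set"})
				break
			}
		}
	}
	for key, val := range cfg {
		svc := strings.TrimPrefix(key, "service_")
		if svc != key && unneededServices[svc] && strings.EqualFold(val, "enabled") {
			findings = append(findings, Finding{key, "unnecessary service enabled"})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Key < findings[j].Key })
	return findings
}

func main() {
	for name, cfg := range map[string]string{"factory": factoryConfig, "hardened": hardenedConfig} {
		findings := auditDefaults(parseConfig(cfg))
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Printf("  %-16s %s\n", f.Key, f.Reason)
		}
	}
}
```

Run as-is, the factory image produces six findings (three default credentials, three needless services) and the hardened image produces none. The same check can be run against exported configurations as part of a deployment pipeline, so a device never reaches production with its defaults intact.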
Lack of encryption
Encryption is the process of encoding information so that it's accessible only to the intended recipient, who holds the key needed to decode it. Lack of encryption can lead to data breaches and potential financial damages. Strong encryption, by contrast, keeps data protected even if the device or the sensitive information it holds falls into the wrong hands.
Lack of network segmentation
Network segmentation is the practice of dividing a computer network into multiple segments or subnetworks to control the flow of traffic between them. Each segment acts as its own small network, which gives organizations increased control and enables timely detection of malicious activity within the network. Lack of segmentation exposes the network to risk: if attackers gain access to an unsegmented network, it's easier for them to move laterally within the organization.
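To make the lateral-movement point concrete, here is an added Go example (not part of the module) that models a segmented network as named address ranges plus a default-deny list of permitted flows between segments. The `allowed` function answers whether one host may talk to another on a given port, and `reachableFrom` lists how far a host that has been compromised can get before it hits a segment boundary. The segment names, address ranges, and permitted flows are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"sort"
)

// segment is a named subnetwork (constructed sample addressing).
type segment struct {
	name string
	cidr *net.IPNet
}

// rule is an explicitly permitted flow from one segment to another on one port.
type rule struct {
	from, to string
	port     int
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// Hypothetical segmentation of a small corporate network (constructed sample).
var segments = []segment{
	{"workstations", mustCIDR("10.10.0.0/16")},
	{"web", mustCIDR("10.20.1.0/24")},
	{"app", mustCIDR("10.20.2.0/24")},
	{"db", mustCIDR("10.20.3.0/24")},
	{"files", mustCIDR("10.30.0.0/24")},
}

// Only these inter-segment flows are permitted; everything else is dropped (default deny).
var rules = []rule{
	{"workstations", "web", 443},
	{"workstations", "files", 445},
	{"web", "app", 8443},
	{"app", "db", 5432},
}

// segmentOf returns the name of the segment containing ip, or "" if it belongs to none.
func segmentOf(ip net.IP) string {
	for _, s := range segments {
		if ip != nil && s.cidr.Contains(ip) {
			return s.name
		}
	}
	return ""
}

// allowed decides whether traffic from src to dst on port may cross a segment boundary.
// Traffic inside a single segment is not filtered: that is the blast radius segmentation leaves.
func allowed(src, dst string, port int) bool {
	s, d := segmentOf(net.ParseIP(src)), segmentOf(net.ParseIP(dst))
	if s == "" || d == "" {
		return false // unknown or malformed addresses never pass
	}
	if s == d {
		return true
	}
	for _, r := range rules {
		if r.from == s && r.to == d && r.port == port {
			return true
		}
	}
	return false
}

// reachableFrom lists the segments a host can reach directly: how far an attacker who
// compromises that host can move laterally before a segment boundary stops them.
func reachableFrom(src string) []string {
	seg := segmentOf(net.ParseIP(src))
	if seg == "" {
		return nil
	}
	seen := map[string]bool{seg: true}
	for _, r := range rules {
		if r.from == seg {
			seen[r.to] = true
		}
	}
	var out []string
	for name := range seen {
		out = append(out, name)
	}
	sort.Strings(out)
	return out
}

func main() {
	checks := []struct {
		src, dst string
		port     int
	}{
		{"10.10.5.23", "10.20.1.10", 443},  // workstation to web front end: allowed
		{"10.10.5.23", "10.20.3.10", 5432}, // workstation straight to the database: blocked
		{"10.20.1.10", "10.20.3.10", 5432}, // web tier skipping the app tier: blocked
	}
	for _, c := range checks {
		fmt.Printf("%s -> %s:%d allowed=%v\n", c.src, c.dst, c.port, allowed(c.src, c.dst, c.port))
	}
	fmt.Println("reachable from a compromised workstation:", reachableFrom("10.10.5.23"))
}
```

In a flat network every host would reach every other host, so a single compromised workstation could reach the database directly. With the policy above, a compromised workstation reaches only its own segment plus the web and file segments, and the database is reachable only from the app tier on its one permitted port; that difference is exactly what segmentation buys, and the rules double as a specification for what inter-segment traffic should look like in monitoring.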
Malware, distributed denial of service attacks, and attacks on web apps
Threats to infrastructure from malware, distributed denial of service (DDoS) attacks, and web application attacks continue to emerge. The aim of these attacks is to disrupt day-to-day operations, steal data, or gain unauthorized access. Malware, DDoS, and web application attacks can be defined as follows:
- Malware is malicious software which, when installed, can damage computers and networks. It's spread via email attachments, links, or malicious websites on the internet.
- A distributed denial-of-service (DDoS) attack targets websites and servers, aiming to disrupt network services by overwhelming an application's resources with a flood of internet traffic.
- A web app is a computer program that runs in a web browser. The web application communicates with web servers and database servers, and lets users interact with the webpages within a website. If a web application is attacked, the web servers and database servers behind it can be exposed and compromised.
Poorly implemented security policies and procedures
Security policies and procedures are sets of rules endorsed by the IT team to defend the organization's resources. Some examples of security policies are:
- Clear screen policy: This requires all users to lock their screens when leaving their workstations, and preferably to log off when away for an extended period, to prevent unauthorized access.
- Clear desk policy: This helps ensure that users don't leave any documents or computer media, such as USB or other storage devices, unattended on their desks. Work areas must be kept as clear as possible to prevent confidential and sensitive information from leaking and falling into the wrong hands.
- Internet and email policy: This directs that all users must stay vigilant when browsing the internet and ensure that their use of email is secure. For example, users should avoid clicking or forwarding any malicious links and attachments. To prevent security breaches, they should also report suspicious emails, encrypt sensitive information before sending it, and not use work email for private purposes.
- Password policy: This encourages individuals to use strong passwords and change them regularly. It advocates that passwords mustn't be shared or written down for anybody to access.
- Information sharing policy: This involves a set of rules regarding data and information sharing. It emphasizes legitimate sharing and the protection of personal and financial information. It also ensures that the expected standards are met when dealing with sensitive information.
Failing to implement security policies and overlooking critical procedures can expose an organization to unnecessary risks.