F. Network and Cloud Security

This domain covers the security controls you have implemented to maintain the security and integrity of your corporate network and any cloud infrastructure.

00) Does your organisation own or maintain a corporate network, cloud environment, or any application hosting infrastructure?

Answer yes if your organisation maintains a corporate network that allows user devices to connect and communicate with any network-based storage or internal services, or if your organisation maintains any application hosting infrastructure (cloud or otherwise). You should also answer yes if you use a public cloud to host applications, since you remain responsible for implementing security controls within your environment.

01) Are all ingress and egress points for traffic through your network or cloud environment protected by firewalls?

Answer yes if your organisation has secured all of the ingress and egress points of its corporate network and IT environments with firewalls.

02) Were the firewalls implemented using a deny all policy, with rules built around your organisation’s requirements?

Answer yes if the firewalls were implemented with a 'deny all' policy, and each rule was only added when a business requirement was identified, documented and approved by an authorised individual.

03) Does your organisation review its firewall rules at least annually?

Answer yes if your organisation undertakes an annual firewall rule review in which it removes any redundant rules and makes sure that all of the rules are relevant to its business operations. Please state in the notes the date of the last review.

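As an added example (not part of the questionnaire or its publisher's tooling), the following Python audit checks a firewall rule set against the criteria in questions 02 and 03: a deny-all default, a documented requirement and approver on every rule, no redundant rules, and a review within the last year. The same checks apply to the WAF rules in questions 05 and 06. The rule set, its field names and the 365-day review window are constructed assumptions.

```python
from datetime import date

# Constructed sample rule set for illustration only; not from any real
# environment. Each rule carries the documented requirement and approver
# that questions 02 and 03 expect, so the audit can check for their presence.
RULES = [
    {"id": 1, "action": "allow", "src": "0.0.0.0/0", "dst": "10.0.1.10/32", "port": "443",
     "justification": "Public web front end", "approved_by": "J. Doe", "last_reviewed": "2024-02-01"},
    {"id": 2, "action": "allow", "src": "10.0.0.0/8", "dst": "10.0.2.20/32", "port": "22",
     "justification": "", "approved_by": "", "last_reviewed": "2024-02-01"},
    {"id": 3, "action": "allow", "src": "0.0.0.0/0", "dst": "10.0.1.10/32", "port": "443",
     "justification": "Legacy web rule", "approved_by": "J. Doe", "last_reviewed": "2021-06-01"},
    {"id": 4, "action": "allow", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": "any",
     "justification": "Temporary troubleshooting", "approved_by": "J. Doe", "last_reviewed": "2024-02-01"},
]
REVIEW_WINDOW_DAYS = 365  # Q03: every rule must be reviewed at least annually (assumed window)


def audit_rules(rules, default_action, today_iso):
    """Return (rule_id, finding) pairs; rule_id 0 refers to the rule set as a whole."""
    today = date.fromisoformat(today_iso)
    findings = []
    if default_action != "deny":                                # Q02: deny-all baseline
        findings.append((0, "default-action-not-deny"))
    seen = set()
    for r in rules:
        key = (r["action"], r["src"], r["dst"], r["port"])
        if key in seen:                                         # Q03: redundant rule
            findings.append((r["id"], "redundant-rule"))
        seen.add(key)
        if not r["justification"].strip() or not r["approved_by"].strip():
            findings.append((r["id"], "missing-requirement-or-approval"))  # Q02
        if r["action"] == "allow" and r["src"] == "0.0.0.0/0" and r["dst"] == "0.0.0.0/0":
            findings.append((r["id"], "allow-any-defeats-deny-all"))        # Q02
        age_days = (today - date.fromisoformat(r["last_reviewed"])).days
        if age_days > REVIEW_WINDOW_DAYS:                       # Q03: review overdue
            findings.append((r["id"], "review-overdue"))
    return findings


def passes_review(rules, default_action, today_iso):
    """True only when no finding remains, i.e. 'yes' can be answered to Q02 and Q03."""
    return not audit_rules(rules, default_action, today_iso)


if __name__ == "__main__":
    for rule_id, finding in audit_rules(RULES, "deny", "2024-06-01"):
        print(f"rule {rule_id}: {finding}")
```

A rule set that passes this audit is one for which the date of the last review can be stated in the notes with the evidence to back it up.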

04) Does your organisation have web application firewalls (WAFs) implemented to protect web applications?

Answer yes if all web applications hosted by your organisation are protected with WAFs (web application firewalls). If your organisation does not host any web applications, answer 'No' and state this in the notes section.

05) Were the WAFs implemented using a deny all policy, with rules built around your organisation’s requirements?

Answer yes if the WAFs were implemented with a 'deny all' policy, and if the WAF rules were only added when a business requirement was identified that required the rule to be created.

06) Does your organisation review its WAF rules at least annually?

Answer yes if your organisation undertakes an annual WAF rule review in which it removes any redundant rules and makes sure that all of the rules are relevant to its business operations. Please state in the notes the date of the last review.

07) Does your organisation place all publicly accessible services in isolated network DMZs (or separate subnets)?

Answer yes if your organisation hosts all publicly accessible services within a DMZ (a DMZ or demilitarised zone is a public facing subnet that acts as a barrier between your organisation's internal environment and the internet or other public network).

08) Does your organisation secure and encrypt remote connections to its network or environment (for example, by using VPNs or SSH connections)?

Answer yes if your organisation forces all remote connections to its network infrastructure or cloud environment to be secured with a suitable solution such as a VPN or SSH connection.

09) Does your organisation secure remote access to its network or cloud environment using multi-factor authentication?

Answer yes if your organisation forces all remote connections to its network or cloud environment to be secured using two-factor authentication.

10) Has your organisation implemented any network or cloud monitoring controls such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), or Security Information and Event Management (SIEM) systems?

Answer yes if your organisation has implemented any network or cloud monitoring solutions (either in house or via a third party service provider). Please describe which solutions you have in place and the coverage they have over your network(s) or cloud environment(s).

11) Does your organisation have defined processes in place to ensure that all security alerts from logging and monitoring solutions are reviewed and actioned as necessary?

Answer yes if your organisation has processes in place to frequently review and act upon events and alerts from security logs and monitoring tools. Please describe your processes for different types of security logs and events in the notes section.

12) Has your organisation implemented segmentation or segregation in your networks and/or cloud environments?

Answer yes if your organisation has appropriately segregated its network or cloud environments to restrict the level of access to sensitive information, hosts, and services. Examples include: segregation of production systems from systems being commissioned or decommissioned and from systems under test; segregation of systems with different security levels (e.g. those processing sensitive personal data or financial data are segregated from other business systems); and segregation or segmentation of services used by different subsidiary organisations.

13) Does your organisation secure and encrypt all data transfers using an appropriate control/protocol (for example, SFTP, HTTPS), and are all data transfers subject to review and authorisation?

Answer yes if all data transfers to and from your organisation are approved by relevant parties and secured with an appropriate level of authentication and encryption (such as HTTPS for web traffic and SFTP for file transfers). Please describe the nature of these controls in the notes section, both technical and procedural.

14) Does your organisation have any controls implemented to protect it against Denial of Service (and Distributed Denial of Service) attacks?

Answer yes if your organisation has implemented controls to protect its services against DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks. Please describe the nature of these controls in the notes section.

15) Does your organisation keep a list of approved network connections (such as site to site VPNs) between your corporate network and third parties?

Answer yes if your organisation keeps a list of approved network connections between its own network and any third party networks.

16) Is each of the approved network connections subject to a risk assessment?

Answer yes if your organisation completes a risk assessment for each identified network connection between your network and any third party network.

17) Does your organisation conduct regular external automated vulnerability scans of its public facing IT infrastructure and remediate any findings?

Answer yes if your organisation conducts regular external vulnerability scans of its public IP infrastructure and remediates the findings.

18) How many external automated vulnerability scans does your organisation conduct each year?

Please state the number of scans completed every year.

19) Does your organisation conduct regular internal automated vulnerability scans of its IT infrastructure and remediate any findings?

Answer yes if your organisation conducts regular internal vulnerability scans of its internal IP infrastructure and remediates the findings.

20) How many internal automated vulnerability scans does your organisation conduct each year?

Please state the number of scans completed every year.

21) Does your organisation conduct regular penetration tests of its public facing IT infrastructure?

Answer yes if your organisation conducts regular penetration tests of its public facing IT systems and infrastructure and remediates the findings. Please state in the notes how often these tests are completed. Please provide your last pentest report summary (not the detailed findings) as evidence.

22) Does your organisation conduct regular penetration tests (or red team exercises) of its internal systems, assuming a compromise of perimeter controls?

Answer yes if your organisation conducts regular penetration tests of its internal IT systems and infrastructure and remediates the findings. Please state in the notes how often these tests are completed. Please provide your last pentest report summary (not the detailed findings) as evidence.

23) Does your organisation have processes in place to triage and remediate identified vulnerabilities by inputting them into the relevant workflows?

Answer yes if you have processes in place which facilitate effective triage of vulnerabilities and input necessary remediations into the appropriate workflows, for example, development, IT change management or ad-hoc improvement programmes. This should cover all vulnerabilities identified through scanning, penetration tests, or other inputs such as external alert feeds or internal employee reporting. It should also include communication of vulnerabilities to key stakeholders (including relevant clients) where temporary compensating controls may be required. Please give details of your process(es) in the notes section.

24) Does your organisation record and store user activity logs for all cloud environments, networks and associated services?

Answer yes if your organisation records and stores user activity logs for its IT production systems, network devices and endpoint devices.

25) Does your organisation record and store the logs of root/super user/administrator actions for all cloud environments, networks and associated services?

Answer yes if your organisation records and stores administrator activity logs for its IT production systems, network devices and endpoint devices.

26) Does your organisation record and store the logs of root/super user/administrator actions for the network and associated services?

Answer yes if your organisation records and stores administrator activity logs for its IT production systems and endpoint devices.

27) For how many months does your organisation store its root/super user/administrator logs?

Please state how many months the logs are kept for.

28) Are all logs stored on a secure/hardened server that is logically separate from the systems being logged?

Answer yes if your organisation stores all recorded logs on dedicated, hardened servers that are logically separate from your production systems.

29) Does your organisation have a testing process to test business critical applications before they are deployed, to ensure there is no adverse impact on operations or security?

Answer yes if your organisation has a robust testing process implemented to appropriately test the deployment of applications to mitigate any adverse impact this may have on the operation or security of your IT estate. Please describe the nature of the testing process in the notes or provide a supporting document (as a PDF file) as evidence.

30) Does your organisation monitor the capacity of its systems processing client information to make sure they are able to cope with load?

Answer yes if your organisation has controls in place to monitor the capacity of its IT production systems to make sure that they can cope with the load. Please describe the controls in the notes section.

31) Does your organisation manage and control the use of, and access to, any cryptographic keys?

Answer yes if your organisation controls the use of, and access to, cryptographic keys. These keys are typically used to access IT infrastructure and services. Please provide a supporting document (as a PDF file) outlining the process, or describe the process in the notes section as evidence.
