Securing your infrastructure is a huge part of your overall cybersecurity strategy and it directly contributes to your current security posture. So what exactly does infrastructure security include? Let's take a look.
Infrastructure security TLDR
Infrastructure security is all about securing your organization's infrastructure. That infrastructure certainly can include permanent assets like real estate, but "infrastructure security" is most commonly used to refer to technology assets, including:
- Computers and endpoints/devices
- Networking systems
- Cloud resources — both hardware and software
The concept of infrastructure security includes not only protection from a traditional cyberattack, but also protection from natural disasters and other calamities. It concerns the topic of resilience, which considers how an enterprise recovers from an attack or other disruption. The ultimate goal of infrastructure security is to:
- Boost security measures and your overall posture.
- Minimize the amount of downtime and associated customer attrition, loss of brand and reputation, and compliance costs that businesses face.
Fundamentally, infrastructure security describes a high-level way of thinking about the protection of the entirety of the organization’s technology perimeter. More tactical security plans — how will we protect the data on our workers’ laptops — may be developed as subsets beneath that overarching strategy.
In this blog post, we will discuss the various components of infrastructure and infrastructure security, the most common threats and ways to protect against them.
Levels of infrastructure security
There is no universal definition of the various levels or categories of infrastructure security, but in the enterprise, one common way to look at security includes securing the following four levels:
- Physical Level: Infrastructure needs physical protection in the form of locked doors, fences, backup generators, security cameras and the like. Failover plans that locate backup equipment in another part of the world are also a part of a physical security strategy.
- Network Level: At its core, network security protects data as it travels into, out of and across the network. This includes traffic encryption, whether it is on-premises or in the cloud, proper firewall management and the use of authentication and authorization systems.
- Application Level: Security also needs to be considered at the application level. This includes protection of databases against attacks such as SQL injections as well as the hardening of other applications against unauthorized use or malicious exploits.
- Data Level: At the lowest level of infrastructure security, data protection must be considered, no matter where or how it is stored. This includes data encryption, backups and anonymization tactics where they are appropriate.
(If these sound familiar, it's because they relate directly to the OSI networking model.)
The importance of infrastructure security
Infrastructure security, which includes critical infrastructure security, is critical for preventing damage to technology assets and data due to attack or disaster, and for minimizing the damage in the event of a successful attack or a disaster. More broadly, the primary goal of infrastructure security is to lower the overall risk level that the organization faces, which in turn minimizes the chance of a significant operational disruption and/or financial impact to the business. Risk management includes cybersecurity risk, financial risk and even third-party risk management.
Today’s enterprise has IT infrastructure that is far more complex than ever before, which typically includes:
- Both on-premises and cloud-based systems
- Company-owned and employee-owned devices, including laptops and smartphones
- Even IoT devices such as cameras and industrial sensors
Many of these devices were never designed with security in mind or have had a patchwork of security fixes applied to them after the fact. Ultimately, the duty to secure all of these systems falls on the managing organization.
Infrastructure stands at the core of every business’s technology operations, and as such, infrastructure security is the lynchpin of their overall security strategy. It is perhaps easiest to think of infrastructure security as the master security plan for the organization, underpinning tactical strategies and everything else that is developed around it.
Network infrastructure security
In most enterprises, network-level infrastructure security consumes the bulk of resources in an infrastructure security program. The network level is generally considered the largest and most vulnerable of the enterprise when it comes to security risk. Helpfully, an abundance of tools are available to protect the network level.
Network infrastructure is complex: networks normally comprise a vast number of hardware and software components. These include physical devices such as routers, switches, servers, wireless access points and even cabling. Vulnerabilities, however, are primarily attributed to the software and firmware that operate the network infrastructure, including server operating systems, network management, network communications systems, firewalls and other security application configurations, and routing software.
It is in the network infrastructure where the enterprise must maintain the highest level of diligence. Administrators must apply patches when they are released, double-check configurations to ensure they are correct, and develop and adhere to policies to ensure the network is kept as secure as possible.
The function of network infrastructure security is to mitigate all of the above issues. Network infrastructure security is designed to monitor hardware and software, to protect the network infrastructure against malicious attacks, to enforce access control rules and to ensure that only authorized users are able to use network resources, to detect and remove malware, and to provide secure channels — such as a virtual private network (VPN) — for remote users.
Infrastructure security in the cloud
Cloud infrastructure security, as the name implies, involves the protection of assets based in the cloud. Rather than existing as one of the distinct levels of infrastructure security outlined above, cloud infrastructure security spans a multitude of security levels, including the network, application and data levels. Only the physical security level, by definition, is exempted.
Cloud infrastructure security can be complex because many organizations fail to properly understand where the provider’s responsibility ends and their own responsibility begins. In general, many cloud providers are responsible for security “of” the cloud, meaning that they must ensure cloud infrastructure — which incorporates security of storage, compute and network layers — is inherently secure and reliable. Cloud providers outline these responsibilities in great detail in their terms of service, yet these environments are often so nebulous that confusion about who is responsible for what often persists — especially if an attack is detected.
While responsibilities vary from one provider to another, in general, the customer is always responsible for a number of cloud security tasks, including user management and access control, data encryption in the cloud, proper configuration of vendor-provided security tools, and adherence to relevant privacy laws. This is known as the shared responsibility model.
With the cloud everywhere, cloud security is of critical importance — largely due to the rise in attacks against cloud infrastructure. But securing cloud infrastructure is difficult for many reasons:
- An increase in the size of the attack surface
- A lack of complete visibility into how cloud services are operating during runtime
- The dynamic and often temporary nature of cloud-based workloads
- The general complexity of a cloud environment, particularly when multiple cloud services are involved
Common threats to your infrastructure
OK, now that we know what infrastructure security is, what exactly is the threat to your infrastructure? Some of the most common infrastructure threats in the market today include:
Phishing
Phishing remains one of the most pervasive and damaging threats to individuals and enterprises alike, growing in both quantity and complexity while no longer easy to detect. The goal of phishing attacks, however, remains the same: to separate users from their login credentials, which attackers then use to:
- Access corporate resources.
- Steal funds or intellectual property.
- Wreak havoc on the enterprise.
Phishing attacks skyrocketed throughout the pandemic, ranging from COVID-19 relief scams and impersonating the CDC, to the lure of small business loans and tax extensions.
Ransomware
This type of attack involves the threat actor installing malware on the corporate network, which then encrypts targeted data. The threat actor then holds that data for ransom, waiting for you, the victim, to pay up. If the ransom is not paid, attackers will prevent the victim from accessing their files. Even if the ransom is paid, there is no guarantee that system functionality will be restored.
Ransomware attacks are becoming more common and widespread: in June 2021 a ransomware attack crippled the networks of hundreds of businesses by targeting a software supplier and using it as a conduit to spread through cloud-service providers.
Botnets
Botnets have historically been used to launch distributed denial of service (DDoS) attacks. In more recent years, botnets have been used for surreptitiously mining cryptocurrencies and targeting IoT infrastructure. Enterprises that have fallen victim to this type of attack are often unaware that their resources are being exploited, sometimes for years. Cloud-based resources are particularly vulnerable to botnet attacks.
Physical theft
It doesn’t matter how secure your infrastructure is from cyber threats if it is not effectively protected by physical barriers such as locked doors, fences, alarm systems and security guards. For example, a stolen laptop belonging to a medical facility exposed and potentially compromised the personal information and health data of 650,000 patients.
Benefits of Infrastructure Security
Naturally, the biggest benefit of infrastructure security is simply that it protects all of your business’s technology assets from attack. For most enterprises, infrastructure security is the first line of defense against cyberattacks or other types of exploits.
Of course, there are numerous benefits to the enterprise. With proper infrastructure security, you will:
- Protect data from being stolen or otherwise compromised, minimizing financial risk incurred with steep fines.
- Ensure compliance with evolving data privacy rules that mandate consumer information be kept safe from attack.
- Minimize the risk of damage due to user carelessness.
Most malware doesn’t end up on the corporate network because an internal user intentionally put it there (although insider attacks like these do happen). More often, this happens because a user unthinkingly clicks on an email attachment or a malicious link. Infrastructure security systems and protocols help to mitigate risk when these mistakes inevitably occur.
Protecting infrastructure with cybersecurity solutions
IT security solutions are the key tools used to protect infrastructure. It is not a question of whether you can protect your infrastructure with cybersecurity solutions; it's a question of how you best protect your infrastructure with them. Cybersecurity solutions can be used to:
- Ensure access is granted only to authorized users.
- Prevent malware from successfully being installed on infrastructure devices.
- Assess the overall security of the network, via both offensive and defensive approaches.
- Encrypt data in transit and at rest to protect it in the event of a successful attack.
Put together, all of these solutions provide the building blocks of a strong infrastructure protection program.
What do we mean by "National Infrastructure Security"?
On a national scale, infrastructure security takes on a whole new dimension that is far more complex than at the enterprise level.
National infrastructure, which is often referred to as critical infrastructure, includes both physical and electronic systems, networks, data and digital assets that underpin society. National infrastructure also includes the internet itself, roadways and railways, pipelines and power plants, bridges and tunnels, drinking water systems, and a variety of physical structures. Even non-terrestrial systems, such as GPS satellites, are included.
In the U.S., critical infrastructure security falls under the purview of the Department of Homeland Security. In 2013, government officials developed a broad strategy dubbed the National Infrastructure Protection Plan (NIPP) to secure these sectors. The plan’s stated goals include:
- Assessing and analyzing threats and informing risk management activities.
- Securing critical infrastructure against a variety of threats and reducing risk.
- Enhancing infrastructure resilience through advanced planning and mitigation efforts.
- Sharing information across the infrastructure community.
- Promoting learning and adaptation during and after these incidents.
The security of national technology assets is just one of the critical infrastructure sectors that the NIPP is designed to protect. The Cybersecurity and Infrastructure Security Convergence Action Guide outlines a converged plan to protect both cyber and physical assets, connecting internet security to the physical protection of healthcare, transportation, energy and industrial control systems. In the wake of incidents such as the May 2021 Colonial Pipeline ransomware attack, which shut down 45% of the petroleum supply to the East Coast, it is easy to see why this type of physical cybersecurity is increasingly critical.
Best practices for securing infrastructure
There are a number of recommended best practices that should be incorporated into an organization's security policies that protect infrastructure, including:
Pay attention to password security. All logins must be protected by strong passwords (i.e. long passwords that use a hard-to-remember combination of uppercase and lowercase letters, numbers and symbols, passwords that don’t spell a word, etc.) as well as two-factor authentication when possible.
Audit user permissions frequently. To avoid unauthorized access, remove permissions to services when users no longer need them as well as immediately when they leave the organization.
Apply patches regularly. Patches should generally be installed the day they are released, particularly if they include a security fix.
Ensure internet-based assets use secure protocols like Secure Shell (SSH) and Secure Sockets Layer (SSL) or its successor, Transport Layer Security (TLS). These protocols provide a secure channel for communication, even over an insecure network.
Remove unused services and software. These idle but active systems can create an unnecessary security risk. This is part of the process known as network hardening.
Properly configure firewalls. A misconfigured firewall is just as dangerous as having no firewall at all.
Make sure code adheres to secure development practices. Shift left and DevSecOps approaches can be useful in instilling a security-focused mindset within the development team.
Encrypt wherever possible. Encrypted files are largely useless to attackers who successfully enter the system but don’t hold the keys.
Regularly back up all systems. Offsite backups are the best defense against ransomware attacks.
Stress-test systems regularly. Run security scans and penetration tests to hunt down vulnerabilities.
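The permission-audit practice above (revoke access that is no longer needed, and revoke it immediately when someone leaves) can be turned into a repeatable review. The following is an added example, not code from the original post: it joins a constructed HR roster against a constructed export of group memberships with last-use dates and lists what should be revoked, most urgent first. The roster, group names, the 90-day staleness window and the review date are all assumptions.

```python
"""Access review for the 'audit user permissions frequently' practice.

Flags, in order of urgency:
  - memberships held by users the roster marks as terminated (revoke now)
  - memberships held by users who are not in the roster at all
  - memberships not used within STALE_DAYS (no longer needed)
"""
from dataclasses import dataclass
from datetime import date, timedelta

STALE_DAYS = 90                 # assumption: unused for 90 days => not needed
REVIEW_DATE = date(2024, 6, 1)  # assumption: the day the review is run

# Constructed sample roster (username -> (department, status)); not real data.
ROSTER = {
    "alice": ("finance", "active"),
    "bob": ("eng", "active"),
    "carol": ("eng", "terminated"),
}

# Constructed sample membership export: (username, group, last_used).
MEMBERSHIPS = [
    ("alice", "billing-admins", date(2024, 5, 20)),
    ("alice", "vpn-users", date(2024, 1, 2)),     # unused for months
    ("bob", "prod-deploy", date(2024, 5, 30)),
    ("carol", "prod-deploy", date(2024, 5, 29)),  # owner has left
    ("dave", "vpn-users", date(2024, 4, 1)),      # nobody in the roster
]


@dataclass(frozen=True)
class Finding:
    user: str
    group: str
    reason: str  # "terminated", "unknown_user" or "stale"


def review_access(roster, memberships, today, stale_days=STALE_DAYS):
    """Return the memberships that should be revoked, most urgent first."""
    cutoff = today - timedelta(days=stale_days)
    findings = []
    for user, group, last_used in memberships:
        if user not in roster:
            findings.append(Finding(user, group, "unknown_user"))
        elif roster[user][1] != "active":
            findings.append(Finding(user, group, "terminated"))
        elif last_used < cutoff:
            findings.append(Finding(user, group, "stale"))
    urgency = {"terminated": 0, "unknown_user": 1, "stale": 2}
    return sorted(findings, key=lambda f: (urgency[f.reason], f.user, f.group))


if __name__ == "__main__":
    for f in review_access(ROSTER, MEMBERSHIPS, REVIEW_DATE):
        print(f"REVOKE {f.user} from {f.group}: {f.reason}")
```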
Tools & solutions for infrastructure security
To protect the business’s infrastructure, consider implementing these types of tools and security controls:
- Firewall: This is the first line of defense against all manner of threats, preventing malicious traffic from ever accessing your internal networks.
- Antivirus or antimalware systems: Malware is introduced into the enterprise through a number of means. Antimalware systems scan email messages, web traffic and hardware devices to ensure that they are not infected.
- Penetration testing and network vulnerability analysis tools: These types of tools are set to run periodically — or continuously — constantly scanning the network for potential security problems.
- Intrusion detection system: An intrusion detection tool monitors the network in real time, watching for behavior that is out of the ordinary or that indicates an attacker has breached the infrastructure.
- Authentication software: Authentication software monitors the behavior of users with network access. AI detects unusual activity that may imply a user’s credentials have been compromised.
- Password auditing tools: Passwords should be regularly audited to ensure that users are not relying on insecure or hackable login credentials.
- Encryption tools: Encrypted data has limited to no value to attackers, providing an extra layer of protection to your organization in the event of an attack.
- SIEM tools: Security information and event management (SIEM) tools automate much of the grunt work of monitoring infrastructure security and provide a real-time analysis of the security alerts generated by various applications in the enterprise.
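The "unusual activity" that authentication monitoring, intrusion detection and SIEM tools look for can be made concrete. The following is an added example, not code from the original post or any Splunk product: it runs one detection over constructed sshd-style log lines, alerting when an account succeeds in logging in from an address it has never used before right after a burst of failed attempts (the pattern of stolen or guessed credentials), while a legitimate user who mistypes a password and then succeeds from a known address is not flagged. The log format, the failure threshold and the time window are assumptions.

```python
"""Detect a successful login from a never-before-seen source that follows
a burst of failures for the same account, over constructed log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 3            # assumption: 3+ failures in the window
WINDOW = timedelta(minutes=10)

# Constructed sample log lines in an sshd-like format; not from a real host.
LOG_LINES = """\
2024-06-01T09:00:01 sshd: Accepted password for alice from 10.0.0.5
2024-06-01T09:05:10 sshd: Failed password for bob from 203.0.113.7
2024-06-01T09:05:20 sshd: Failed password for bob from 203.0.113.7
2024-06-01T09:05:30 sshd: Failed password for bob from 203.0.113.7
2024-06-01T09:05:40 sshd: Accepted password for bob from 203.0.113.7
2024-06-01T09:10:00 sshd: Failed password for alice from 10.0.0.5
2024-06-01T09:10:15 sshd: Failed password for alice from 10.0.0.5
2024-06-01T09:10:30 sshd: Failed password for alice from 10.0.0.5
2024-06-01T09:11:00 sshd: Accepted password for alice from 10.0.0.5
""".splitlines()

LINE_RE = re.compile(r"^(\S+) sshd: (Accepted|Failed) password for (\S+) from (\S+)$")


def parse(line):
    """Return (timestamp, success, user, source) or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, outcome, user, src = m.groups()
    return datetime.fromisoformat(ts), outcome == "Accepted", user, src


def detect_suspicious_logins(lines, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (user, source, failure_count) for each success that follows at
    least `threshold` failures inside `window` and comes from a source the
    account has not successfully used before."""
    known_sources = defaultdict(set)    # sources seen in earlier successes
    recent_failures = defaultdict(list)  # failure timestamps per user
    alerts = []
    for ts, ok, user, src in filter(None, map(parse, lines)):
        if not ok:
            recent_failures[user].append(ts)
            continue
        fails = [t for t in recent_failures[user] if ts - t <= window]
        recent_failures[user] = []      # a success ends the burst
        if len(fails) >= threshold and src not in known_sources[user]:
            alerts.append((user, src, len(fails)))
        known_sources[user].add(src)
    return alerts


if __name__ == "__main__":
    for user, src, n in detect_suspicious_logins(LOG_LINES):
        print(f"ALERT: {user} logged in from new source {src} after {n} failures")
```

Alice's failures are not alerted because her eventual success comes from an address already tied to her account; bob's success from a brand-new address after three failures is.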
Securing the enterprise starts with securing infrastructure
Attackers have long targeted infrastructure because it represents a potential gold mine for their efforts. Unfortunately, because of its expansive size and complexity, it also presents a challenge for security operations teams to secure.
With the rise of IoT devices and the proliferation of cloud services, the typical enterprise now finds itself with a daunting attack surface that is increasingly vulnerable to both organized attackers and the threat of natural disaster. Only through careful infrastructure protection can you truly mitigate threats and keep your infrastructure environment — and data — safe from attack.
This posting does not necessarily represent Splunk's position, strategies or opinion.