Protecting internet-facing services on public service CNI

In my role as a security architecture consultant with the National Cyber Security Centre (NCSC), I am privileged to collaborate with critical national infrastructure (CNI) organizations in the public sector. The challenges they encounter in ensuring our safety are always intriguing.

From safeguarding the United Kingdom’s energy grids and water supplies to securing transportation, healthcare, and telecommunications sectors, it is evident that these organizations rely on internet-hosted services to operate effectively.

This article will discuss ways in which public sector CNI organizations can bolster the security of their internet-facing services. Throughout this discussion, I will reference pertinent NCSC guidelines, patterns, and blog posts.


Is Enabling TLS Enough?

It may seem simple to enable Transport Layer Security (TLS) for any online service and declare the task complete.

However, the reality is more complex. Properly configured, TLS effectively encrypts your communications on the internet. Yet, it does not stop attackers from engaging with your online service and exploiting vulnerabilities within it.

For instance, a SQL injection attack can succeed regardless of whether TLS is applied. Additionally, TLS cannot rectify misconfigurations or ward off the use of default passwords. If simply turning on TLS isn’t the solution for protecting your internet-facing services, what actions should be taken?
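To make the point concrete, here is an added example (not code from the NCSC article) of a login check written two ways: one that concatenates user input into SQL, and one that passes it as a bound parameter. Both run over the same in-memory SQLite database, which is constructed here for illustration, and neither behaves any differently whether the request arrived over TLS or plaintext, because the flaw lives in the application layer, not the transport. The table, rows and function names are assumptions of this example.

```python
import sqlite3


def build_db():
    """Constructed sample database; passwords are stored in clear only to keep
    the example short. A real service stores salted password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string formatting, so anything the caller
    sends is parsed as SQL syntax rather than as a value. Encrypting the
    connection with TLS does nothing to change this."""
    sql = (
        "SELECT COUNT(*) FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterised(conn, username, password):
    """Uses driver placeholders: the input stays data, the query shape is fixed."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def demo():
    """Returns (vulnerable_result, hardened_result) for the same crafted input."""
    conn = build_db()
    # A password value containing a quote and an OR clause; no such user exists.
    crafted = "' OR '1'='1"
    return (
        login_vulnerable(conn, "nobody", crafted),
        login_parameterised(conn, "nobody", crafted),
    )


if __name__ == "__main__":
    vuln, safe = demo()
    print("concatenated query accepted bogus login:", vuln)   # True
    print("parameterised query accepted bogus login:", safe)  # False
```

The hardened version is the one to ship; the detection angle is that the vulnerable query would appear in database logs with the injected clause intact, which is a useful signal to alert on if statement logging is available.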


Understanding ‘Internet-Facing Services’

When tasked with identifying their internet-facing services, organizations typically respond with one of the following:

  1. A catalog of web or API services, as this is how users typically interact with these offerings.
  2. A compilation of protocols and ports utilized, often derived from established and baseline configuration settings such as firewall rules.

However, it is essential to recognize that other entities (or processes) may also access internet-facing services. The user base for these services likely extends beyond just staff or customers. System integrators, external vendors, managed service providers, remote workers, and process orchestration tools (like those employed in development pipelines) should also be considered ‘users’ of the service.

Thus, we can define an internet-facing service as ‘any service reached by anyone through various ports, protocols, or services over the internet’. With this definition in place, what further questions should we consider?
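The gap between the two answers organizations usually give (a web/API catalogue versus the firewall rule base) is easy to surface mechanically. The following is an added example, not part of the NCSC article, that reconciles a constructed firewall allow-list against a constructed web catalogue and reports every rule reachable from outside the organization's own address space that the catalogue does not mention. The rule set, the internal ranges and the owner labels are all assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    source: str   # CIDR permitted to reach the service
    port: int
    proto: str
    owner: str    # who requested the rule (constructed label)


# Constructed sample allow-list; the mix is typical: web ports plus access
# for an integrator, a managed service provider and a pipeline webhook.
FIREWALL_RULES = [
    Rule("0.0.0.0/0", 443, "tcp", "web team"),
    Rule("0.0.0.0/0", 80, "tcp", "web team"),
    Rule("203.0.113.0/24", 22, "tcp", "system integrator"),
    Rule("198.51.100.7/32", 3389, "tcp", "managed service provider"),
    Rule("0.0.0.0/0", 8443, "tcp", "CI pipeline webhook"),
    Rule("10.20.0.0/16", 5432, "tcp", "database team"),
]

# What the organization would usually hand over when asked: web/API only.
WEB_CATALOGUE = {80, 443}

# Assumed internal address space; anything not inside it is "the internet".
INTERNAL_RANGES = [
    ipaddress.ip_network(c)
    for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_internet_source(cidr):
    """True unless the whole source range sits inside an internal range."""
    net = ipaddress.ip_network(cidr)
    return not any(net.subnet_of(internal) for internal in INTERNAL_RANGES)


def uncatalogued_exposures(rules, catalogue):
    """Rules reachable from the internet whose port the catalogue omits,
    ordered by port so the report is stable."""
    findings = [
        r for r in rules
        if r.port not in catalogue and is_internet_source(r.source)
    ]
    return sorted(findings, key=lambda r: r.port)


def report(rules, catalogue):
    lines = []
    for r in uncatalogued_exposures(rules, catalogue):
        reach = "anyone" if r.source == "0.0.0.0/0" else r.source
        lines.append(f"{r.proto}/{r.port} reachable by {reach} ({r.owner})")
    return lines


if __name__ == "__main__":
    for line in report(FIREWALL_RULES, WEB_CATALOGUE):
        print(line)
```

Run against the sample data this lists SSH for the integrator, RDP for the managed service provider and the webhook listener open to the whole internet, none of which appear in the web catalogue; the internal database rule is correctly ignored. Each line is a service that needs an owner, a patching regime and a justification for its source range, exactly the "users" the text says are routinely forgotten.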

Illustration related to internet-facing services

Based on an article from www.ncsc.gov.uk: https://www.ncsc.gov.uk/blog-post/protecting-internet-facing-services-public-service-cni
