
Myth: It's a Plug & Play technology (Firewall, endpoint security, AWS, WAF)

A typical security program incorporates vulnerability scans and penetration tests to help measure the effectiveness of its security controls, but a more detailed review of the key security technologies and devices is often overlooked. The most important of these are usually the firewall, endpoint security, the WAF, and the cloud platform (AWS, Azure, GCP). A configuration review takes a deeper dive into the configuration of these critical components, uncovering issues and deficiencies that may not be apparent through traditional security testing.

Securing the "Security Perimeter" of your organisation

The firewall is said to be the primary line of defense for an organization's network infrastructure. But this line of defense has its own set of weaknesses that, if not addressed, could cause havoc in the network environment. A few common weaknesses seen in the security perimeter are stated below, though the list is not confined to these:

Misconfigured Firewall Ruleset:

This is the most common weakness we see in a firewall. A firewall ruleset that is not configured in compliance with industry-set standards could open a path for unauthorized users to enter the system.

Endpoint Configuration Review:

Enterprises rely on endpoint controls to close off a large portion of the attack surface to users and attackers with ill intent, yet assessing the security of those endpoints remains a major gap. Certbar's Endpoint Security Configuration Review enables you to deploy an endpoint strategy with confidence.

AWS Configuration Review:

For organizations migrating to the cloud or maintaining cloud-based applications, regular modifications to the network configuration, user access, application architecture, platform components, and security controls are necessary to keep up with business needs. But even if reasonable change management processes are in place, deployment mistakes, configuration drift, and bad practices have the potential to introduce security flaws and aggravate risks over time.

Our goal is to identify weaknesses in cloud configurations that are only loosely aligned with security standards, and to expose architectural flaws.

Web App Firewall (WAF):

Whether it is the online branch of a bank, an online shop, or a customer, partner, or employee portal, a web application is available to its customers, as well as to its attackers, around the clock due to the always-on nature of the internet. A web application firewall (WAF) is a widely used technology to defend your IT infrastructure. A WAF helps protect web applications from attacks such as cross-site request forgery, cross-site scripting (XSS), file inclusion, and SQL injection by filtering and monitoring HTTP traffic between a web application and the internet.

Deploying a well-configured WAF in front of a web application is paramount as an initial layer of protection between the web application and the internet.

Certbar's Configuration Review Methodology

Configuration Review at Certbar takes an insider's view of the system or technology, with full access to its configurations, with the aim of providing the optimum review result and thus attaining maximum security at the perimeter itself. Certbar deeply analyses the ruleset and policies throughout the entire configuration as per industry best practices, including guidelines from PCI-DSS and the Center for Internet Security (CIS benchmarks), and ensures compliance with the same.

Certbar believes in holistic security and hence gives equal importance to the technical, business, and device aspects of the first line of defense. At the end of the review process, a comprehensive report is provided. It contains a checklist of rulesets or policies that are missing and should be included to avoid misconfigurations that can be leveraged by an attacker; the configuration loopholes in the environment, along with remediation steps for the findings; and a detailed configuration review checklist to assess the business needs.