Page 86 - GiGW3

5. Guidelines
             (h)    Enable and maintain logs of the ICT infrastructure for a rolling period of 180 days as per CERT-In directions.
             (i)     Regularly monitor and review alerts and logs.

             (j)     HSP should also ensure that:
                      (i)     the web host offers Secure File Transfer Protocol (SFTP);
                      (ii)     FTP use by unknown users is disabled; and
                      (iii)     a rootkit scanner is used.

             (k)     HSP should ensure that containerized environments, if applicable, are secured.
                  Note: Containerized workloads are much more complex than traditional workloads. Production environments deploy massive numbers of containers, so security experts and administrators need to secure more components in a containerized environment than they would in traditional deployments. Container security involves the implementation and maintenance of security controls that protect containers and the underlying infrastructure. Integrating security into the development pipeline can help ensure that all components are secured from the initial development phase until the end of their lifecycle.



             B.     The following best practices should be used to protect containerized environments:
             (a)   Each library and tool pulled into the image poses a potential threat. To mitigate these threats, include only the application within the container image, ideally as a statically compiled binary that contains all required dependencies.
             (b)  Remove all components the application does not need. For example, remove the “sed” and “awk” binaries, which are present by default on any UNIX system. This helps reduce the attack surface.
             (c)   If the image is not created from scratch, only trustworthy images should be used. Public image repositories, such as Docker Hub, can be used by anyone and may contain malware or misconfigurations.
             (d)  If there is a private registry, the system administrator has to establish access controls that define exactly who can access and publish images and who cannot perform such actions.
             (e)  Signatures tie images to the people who signed them, which makes it difficult to substitute a compromised image for the signed one. The Docker Content Trust mechanism provides image signing; Notary, an open-source tool, can help sign and verify images.
             (f)  Vulnerability scanners are designed to identify known vulnerabilities. These tools can help find critical vulnerabilities and detect critical threats. Scanners can be run on a continuous basis to ensure that the registries do not contain images with critical vulnerabilities.
             (g)  Secure the target environment by hardening the underlying host operating system. Firewall and VPC rules can also be established, or special accounts created, that limit access.
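As an added example (not part of the GiGW3 guidelines), a multi-stage Dockerfile that applies practices (a) to (c) above: the build stage produces a statically compiled Go binary, the runtime image starts from scratch so no unneeded binaries such as sed or awk exist in it, and the builder base image is pinned by digest so a tag cannot silently be swapped. The application path ./cmd/app, the uid 10001 and the digest placeholder are assumptions.

```dockerfile
# syntax=docker/dockerfile:1

# Stage 1: build a statically linked binary from the application source.
# The Go toolchain, source tree and module cache stay in this stage and
# never reach the final image (practices (a) and (b)).
# Pinning the builder by digest makes the base image reproducible (practice (c));
# the digest below is a PLACEHOLDER, replace it with the digest you verified.
FROM golang:1.22-alpine@sha256:PLACEHOLDER_DIGEST AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO_ENABLED=0 removes the libc dependency so the binary is fully static;
# -trimpath and -ldflags "-s -w" strip build paths and debug symbols.
# ./cmd/app is an assumed package path.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /out/app ./cmd/app

# Stage 2: the runtime image starts from scratch, so there is no shell,
# no package manager and no sed/awk to remove; only what is copied in exists.
FROM scratch
# CA bundle copied from the builder so outbound TLS still validates certificates.
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
# Copy only the static binary, owned by an unprivileged numeric uid (assumed 10001).
COPY --from=build --chown=10001:10001 /out/app /app
# Run as non-root; a numeric uid needs no /etc/passwd, which scratch lacks.
USER 10001:10001
ENTRYPOINT ["/app"]
```

Because the final image has no shell, `docker exec` into it fails by design; inspect it from the host (for example with a vulnerability scanner run against the registry, practice (f)) instead.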
