2. Top 4 Strategies from ASD
The Australian Signals Directorate (ASD) has developed prioritised mitigation strategies to
help mitigate cyber security incidents, with just the top 4 of these strategies stopping 85% of
attacks.
1. Make use of application profiling and whitelisting to ensure that only approved
applications are operating;
2. Patch applications;
3. Patch the operating system;
4. Restrict administrative privileges to operating systems and applications based on user
duties.
Source: https://www.asd.gov.au/infosec/mitigationstrategies.htm
9. VPC Networking
• Elastic Networking Interface (ENI)
• Subnet
• Network Access Control List (NACL)
• Route Table
• Internet Gateway
• NAT Gateway
• Virtual Private Gateway
• Route53 Private Hosted Zone
10. Elastic Network Interface (ENI)
• Instance can have multiple ENIs in multiple Subnets
• Use Case: Bastion Replacement
• Use Case: Management Network
• Low Budget HA Solution
• Limitations:
• Same AZ
• Hot Attach OS Support
• Instance Type
11. EC2 Security Groups
• A Whitelist Service for instances
• Stateful packet inspection, centralized configuration, and out-of-band
rule administration independent from guest OS configuration
• Use 3rd Party host based firewall or an inline firewall for deep packet
inspection, IPS/IDS, or network threat protection
• As a general rule, be as specific as possible with Security Group rules (narrow ports and source CIDRs)
• Follow Security Group Best Practices
12. Security Group Management Ideas
• Tier / Nouns Based
• Load Balancer, Web Server
• Role Based
• Such as public, https, ntp
• Have a Naming Convention, such as: sg-ap2-prodvpc-https
• Create common SG as part of VPC / Infrastructure
13. Network ACL
• Whitelisting and Blacklisting Service for Subnet
• An optional layer of security that acts as a firewall for controlling
traffic in and out of a subnet
• Note the Differences between SG and NACL
• Follow the Recommended NACLs from AWS
14. Security Groups vs NACL
Source: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html
15. Whitelisting with NACLs
• Set up ACLs with rules similar to your Security Groups in order to
add an additional layer of security to your VPC
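Added example (not from the slides): it derives whitelisting NACL entries from a Security Group's ingress rules, adding the ephemeral-port return rule a stateless NACL needs, and flags rules open to the world on unexpected ports. The group data is constructed in the shape of EC2 DescribeSecurityGroups output; the port range and rule numbering are assumptions.

```python
"""Mirror Security Group ingress as NACL entries and audit for broad rules."""

# Constructed sample group, shaped like EC2 DescribeSecurityGroups output.
SG_HTTPS = {
    "GroupName": "sg-ap2-prodvpc-https",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ],
}

PROTO_NUM = {"tcp": "6", "udp": "17", "icmp": "1", "-1": "-1"}  # NACL protocol numbers
EPHEMERAL = (1024, 65535)  # assumed client return-port range for outbound allow


def sg_to_nacl(sg, rule_base=100, step=10):
    """Turn stateful SG ingress into stateless NACL inbound + outbound entries.

    A security group tracks connections, so allowing inbound 443 is enough.
    A NACL does not, so every inbound allow needs a matching outbound allow on
    the ephemeral ports; the NACL's built-in '*' rule then denies everything else.
    """
    inbound, outbound = [], []
    n = rule_base
    for perm in sg["IpPermissions"]:
        for r in perm["IpRanges"]:
            proto = PROTO_NUM[perm["IpProtocol"]]
            inbound.append({"RuleNumber": n, "Protocol": proto, "RuleAction": "allow",
                            "PortRange": (perm["FromPort"], perm["ToPort"]),
                            "CidrBlock": r["CidrIp"]})
            outbound.append({"RuleNumber": n, "Protocol": proto, "RuleAction": "allow",
                             "PortRange": EPHEMERAL, "CidrBlock": r["CidrIp"]})
            n += step
    return inbound, outbound


def too_broad(sg, public_ports=(80, 443)):
    """Return (from, to) port ranges open to 0.0.0.0/0 that are not expected public ports."""
    return [(p["FromPort"], p["ToPort"]) for p in sg["IpPermissions"]
            if any(r["CidrIp"] == "0.0.0.0/0" for r in p["IpRanges"])
            and not (p["FromPort"] == p["ToPort"] and p["FromPort"] in public_ports)]


if __name__ == "__main__":
    inb, outb = sg_to_nacl(SG_HTTPS)
    print(inb, outb, too_broad(SG_HTTPS), sep="\n")
```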
16. Old Habits Die Hard
Source: https://devops.com/old-habits-die-hard/
29. Immutable Infrastructure
• Comprised of immutable components
• Get replaced for every deployment
• Require full automation
• Infrastructure as Code
• Make changes in Git
• Infrastructure never strays from its initial “known-good” state
• Long-Lived Services, Rolling Instances
• Service Health Metric: Instance Age
30. Bootstrap vs Baking AMI
Bootstrap
Pro
• Guaranteed up-to-date
• Small deliverable size
Con
• Takes time to update and deploy
• External Dependencies
Baking AMI
Pro
• Fast Deployment
• Self-Contained
• Helps Tighten Security Groups
Con
• Extra Operational Overhead