To manage servers securely, nine.ch operates a tried-and-tested, well-established management infrastructure. This includes a monitoring system, backup system and multiple communication systems. nine.ch’s management infrastructure ensures the security of nine.ch’s entire infrastructure at the software level, as well as the risk management of all its systems.
In early 2017, to maintain a clear overview of (both assumed and concrete) threats from management attacks, nine.ch commissioned Compass Security Network Computing AG to carry out a security check.
The procedure of the check included the following points:
- Assessment of the potential for threats to the implemented architecture in the internal network (both within and outside the management zone) from the perspective of an attacker.
- Random testing of managed and root servers to gain details on the implementation and verify facts.
- Identification of possible logical penetration-test scenarios for later testing and detailed recommendations on how to improve security.
An excerpt of the most important results
The hardening of the Linux host was carried out in an exemplary manner. Employees’ security awareness is also consistently high. Servers are protected individually on a basic level with a host firewall. Web applications feature best-practice two-factor authentication (2FA) and single sign-on (SSO) is used throughout. The systems are administered in accordance with best practices.
To manage the infrastructure, nine.ch uses various web applications. Without exception, these web applications are protected through SSO and 2FA; nine.ch’s staff members also have VPN access.
A design flaw – already known to us – was also revisited during the check. This concerned the naming concept under the nine.ch domain, including both internal and external servers.
Compass Security recommended that nine.ch direct even more improvements towards the level of employees' end devices. While various satisfactory control mechanisms already exist, these are conducted manually at regular intervals. In the future, nine.ch will incorporate significantly more automated and predictive triggers.
Recommendations and forecast
Compass Security’s sole recommendation is a request for clearer differentiation between nine.ch’s internal and external systems and the separation of websites at the domain level.
The check has reinforced nine.ch’s conviction that security is ensured through a sustainable, tried-and-true approach – one that has succeeded in practice and can be scaled to many systems to boot.
Some of the specified recommendations – what are known as ‘quick wins’ – have already been implemented. Particularly in the case of design flaws, the challenge lies in changing an entire system landscape while it is still in operation. These changes require a slow phase-out of systems in operation while systems to be rebuilt are deployed immediately following the new concept. These changes are scheduled and take place within a short timeframe. Thanks to the information security management system – introduced in 2016 and certified to ISO 27001 – nine.ch has analysed and appraised the weaknesses and threats (and their associated risks) identified by Compass Security and incorporated these into the current risk-management plan. This ensures that all current risks are being considered.