💼 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions.

  • Contextual name: 💼 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions.
  • ID: /frameworks/apra-cpg-234/16/45
  • Located in: 💼 16 Implementation of controls - Minimise exposure to plausible worst case scenarios

Description

Empty...

Similar

  • Internal
    • ID: dec-c-b122fb4c

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags

Policies (36)

Policy | Logic Count | Flags
📝 AWS EC2 Instance IAM role is not attached | 🟢 1 | 🟢 x6
📝 AWS EC2 Security Group allows public IPv4 (0.0.0.0/0) access to admin ports | 🟢 1 | 🟢 x6
📝 AWS EC2 Security Group allows public IPv6 (::/0) access to admin ports | 🟢 1 | 🟢 x6
📝 AWS EC2 Security Group allows unrestricted CIFS traffic | 🟢 1 | 🟢 x6
📝 AWS EC2 Security Group allows unrestricted DNS traffic | 🟢 1 | 🟢 x6
📝 AWS EC2 Security Group allows unrestricted FTP traffic | 🟢 1 | 🟢 x6
📝 AWS EC2 Security Group allows unrestricted ICMP traffic | 🟢 1 | 🟢 x6
📝 AWS EC2 Security Group allows unrestricted NetBIOS traffic | 🟢 1 | 🟢 x6
📝 AWS EC2 Security Group allows unrestricted RPC traffic | 🟢 1 | 🟢 x6
📝 AWS EC2 Security Group allows unrestricted SMTP traffic | 🟢 1 | 🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to MongoDB | 🟢 1 | 🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to MSSQL | 🟢 1 | 🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to MySQL | 🟢 1 | 🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to Oracle DBMS | 🟢 1 | 🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to PostgreSQL | 🟢 1 | 🟢 x6
📝 AWS IAM User has inline or directly attached policies | 🟢 1 | 🟠 x1, 🟢 x5
📝 AWS IAM User MFA is not enabled for all users with console password | 🟢 1 | 🟢 x6
📝 AWS RDS Instance is publicly accessible and in an unrestricted public subnet | 🟢 1 | 🟢 x6
📝 AWS S3 Bucket is not configured to block public access | 🟢 1 | 🟢 x6
📝 AWS S3 Bucket MFA Delete is not enabled | 🟠🟢 1 | 🟠 x1, 🟢 x6
📝 Azure Cosmos DB Account Private Endpoints are not used | 🟢 1 | 🟢 x6
📝 Azure Cosmos DB Account Virtual Network Filter is not enabled | 🟢 1 | 🟢 x6
📝 Azure Cosmos DB Entra ID Client Authentication is not used | 🟢 | 🟢 x3
📝 Azure Key Vault Role Based Access Control is not enabled | 🟢 1 | 🟢 x6
📝 Azure Managed Disk Public Network Access is not disabled | 🟢 1 | 🟢 x6
📝 Azure Network Security Group allows unrestricted HTTP(S) access from the Internet | 🟢 1 | 🟢 x6
📝 Azure Network Security Group allows unrestricted RDP access from the Internet | 🟢 1 | 🟢 x6
📝 Azure Network Security Group allows unrestricted SSH access from the Internet | 🟢 1 | 🟢 x6
📝 Azure Network Security Group allows unrestricted UDP access from the Internet | 🟢 1 | 🟢 x6
📝 Azure Non-RBAC Key Vault stores Secrets without expiration date | 🟢 1 | 🟢 x6
📝 Azure RBAC Key Vault stores Secrets without expiration date | 🟢 1 | 🟢 x6
📝 Azure SQL Database allows ingress from 0.0.0.0/0 (ANY IP) | 🟢 1 | 🟢 x6
📝 Azure SQL Server Public Network Access is not disabled | 🟢 1 | 🟢 x6
📝 Azure Storage Account Allow Blob Anonymous Access is set enabled | 🟢 1 | 🟢 x6
📝 Azure Storage Account Default Network Access Rule is not set to Deny | 🟢 1 | 🟢 x6
📝 Azure Storage Account Private Endpoints are not used | 🟢 1 | 🟢 x6

Internal Rules

Rule | Policies | Flags
✉️ dec-x-3e379c67 | 1 |
✉️ dec-x-4c15a09f | 1 |
✉️ dec-x-4f30f24e | 1 |
✉️ dec-x-6c93750d | 1 |
✉️ dec-x-6eab9b88 | 1 |
✉️ dec-x-11c3009f | 1 |
✉️ dec-x-14bf01f3 | 1 |
✉️ dec-x-42a09084 | 1 |
✉️ dec-x-46a83a30 | 1 |
✉️ dec-x-82ca4127 | 2 |
✉️ dec-x-0289e9c9 | 1 |
✉️ dec-x-293ab45b | 1 |
✉️ dec-x-599c86b4 | 1 |
✉️ dec-x-4157c58a | 1 |
✉️ dec-x-66358b45 | 1 |
✉️ dec-x-083928f5 | 1 |
✉️ dec-x-63737248 | 1 |
✉️ dec-x-a7d8f0e7 | 1 |
✉️ dec-x-b4d3d9dc | 2 |
✉️ dec-x-b17c005c | 1 |
✉️ dec-x-b92b08f4 | 1 |
✉️ dec-x-bcae85fb | 2 |
✉️ dec-x-c8041456 | 1 |
✉️ dec-x-ca1c0c0d | 1 |
✉️ dec-x-d127f407 | 1 |
✉️ dec-x-e43fd12e | 1 |
✉️ dec-x-ec547a7c | 1 |
✉️ dec-x-f4cc003a | 1 |
✉️ dec-x-f12d78aa | 1 |
✉️ dec-x-f937c35f | 1 |
✉️ dec-z-bb731292 | 1 |
✉️ dec-z-c82c9f97 | 1 |
✉️ dec-z-dbeeed9f | 1 |
✉️ dec-z-f778950c | 1 |