Skip to main content

💼 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions.

  • Contextual name: 💼 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions.
  • ID: /frameworks/apra-cpg-234/16/45
  • Located in: 💼 16 Implementation of controls - Minimise exposure to plausible worst case scenarios

Description

Empty...

Similar

  • Internal
    • ID: dec-c-b122fb4c

Sub Sections

SectionSub SectionsInternal RulesPoliciesFlags

Policies (37)

PolicyLogic CountFlags
📝 AWS DMS Replication Instance is publicly accessible 🟢1🟢 x6
📝 AWS EC2 Instance IAM role is not attached 🟢1🟢 x6
📝 AWS EC2 Security Group allows public IPv4 (0.0.0.0/0) access to admin ports 🟢1🟢 x6
📝 AWS EC2 Security Group allows public IPv6 (::/0) access to admin ports 🟢1🟢 x6
📝 AWS EC2 Security Group allows unrestricted CIFS traffic 🟢1🟢 x6
📝 AWS EC2 Security Group allows unrestricted DNS traffic 🟢1🟢 x6
📝 AWS EC2 Security Group allows unrestricted FTP traffic 🟢1🟢 x6
📝 AWS EC2 Security Group allows unrestricted ICMP traffic 🟢1🟢 x6
📝 AWS EC2 Security Group allows unrestricted NetBIOS traffic 🟢1🟢 x6
📝 AWS EC2 Security Group allows unrestricted RPC traffic 🟢1🟢 x6
📝 AWS EC2 Security Group allows unrestricted SMTP traffic 🟢1🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to MongoDB 🟢1🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to MSSQL 🟢1🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to MySQL 🟢1🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to Oracle DBMS 🟢1🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to PostgreSQL 🟢1🟢 x6
📝 AWS EKS Cluster allows unrestricted public traffic 🟢1🟢 x6
📝 AWS IAM User has inline or directly attached policies 🟢1🟠 x1, 🟢 x5
📝 AWS IAM User MFA is not enabled for all users with console password 🟢1🟢 x6
📝 AWS RDS Instance is publicly accessible and in an unrestricted public subnet 🟢1🟢 x6
📝 AWS S3 Bucket is not configured to block public access 🟢1🟢 x6
📝 AWS S3 Bucket MFA Delete is not enabled 🟠🟢1🟠 x1, 🟢 x6
📝 Azure Cosmos DB Account Private Endpoints are not used 🟢1🟢 x6
📝 Azure Cosmos DB Account Virtual Network Filter is not enabled 🟢1🟢 x6
📝 Azure Cosmos DB Entra ID Client Authentication is not used 🟢🟢 x3
📝 Azure Key Vault Role Based Access Control is not enabled 🟢1🟢 x6
📝 Azure Managed Disk Public Network Access is not disabled 🟢1🟢 x6
📝 Azure Network Security Group allows public access to HTTP(S) ports 🟢1🟢 x6
📝 Azure Network Security Group allows public access to RDP port 🟢1🟢 x6
📝 Azure Network Security Group allows public access to SSH port 🟢1🟢 x6
📝 Azure Non-RBAC Key Vault stores Secrets without expiration date 🟢1🟢 x6
📝 Azure RBAC Key Vault stores Secrets without expiration date 🟢1🟢 x6
📝 Azure SQL Database allows ingress from 0.0.0.0/0 (ANY IP) 🟢1🟢 x6
📝 Azure SQL Server Public Network Access is not disabled 🟢1🟢 x6
📝 Azure Storage Account Allow Blob Anonymous Access is enabled 🟢1🟢 x6
📝 Azure Storage Account Default Network Access Rule is not set to Deny 🟢1🟢 x6
📝 Azure Storage Account Private Endpoints are not used 🟢1🟢 x6

Internal Rules

RulePoliciesFlags
✉️ dec-x-3e379c671
✉️ dec-x-4c15a09f1
✉️ dec-x-4f30f24e1
✉️ dec-x-6c93750d1
✉️ dec-x-6eab9b881
✉️ dec-x-11c3009f1
✉️ dec-x-14bf01f31
✉️ dec-x-42a090841
✉️ dec-x-46a83a301
✉️ dec-x-82ca41272
✉️ dec-x-0289e9c91
✉️ dec-x-293ab45b1
✉️ dec-x-599c86b41
✉️ dec-x-4157c58a1
✉️ dec-x-66358b451
✉️ dec-x-083928f51
✉️ dec-x-637372481
✉️ dec-x-a7d8f0e71
✉️ dec-x-b4d3d9dc2
✉️ dec-x-b17c005c1
✉️ dec-x-b92b08f41
✉️ dec-x-bcae85fb2
✉️ dec-x-c80414561
✉️ dec-x-ca1c0c0d1
✉️ dec-x-cffc7d8e1
✉️ dec-x-d127f4071
✉️ dec-x-e02b5fdd1
✉️ dec-x-ec547a7c1
✉️ dec-x-f4cc003a1
✉️ dec-x-f12d78aa1
✉️ dec-x-f937c35f1
✉️ dec-z-bb7312921
✉️ dec-z-c82c9f971
✉️ dec-z-dbeeed9f1
✉️ dec-z-f778950c1