# CUBICSEC: INFRASTRUCTURE VULNERABILITY ASSESSMENT CHECKLIST
**Version:** 2026.2  
**Classification:** Public / TLP:CLEAR  
**Recommended Frequency:** Bi-Weekly / Post-Deployment  

This checklist provides standard procedures for identifying, evaluating, and mitigating security vulnerabilities within cloud and on-premises infrastructure. Treat each item as a check that produces evidence (a scan result, a configuration dump, a log excerpt) rather than a yes/no tick box.

---

## 1. Network Security & Perimeter Defense
- [ ] **External Port Scanning:** Run `nmap` scans from outside the perimeter (e.g., `nmap -sS -sV -p- <public range>`) against every public IP range you own, and reconcile each open port against the inventory of services that are meant to be exposed. Scanning from inside the network does not exercise the firewall.
- [ ] **Firewall & ACL Review:** Audit ingress and egress rules against a default-deny baseline. Only services with a documented need (e.g., HTTPS 443) should be reachable from the public internet; management and data-plane ports (SSH, RDP, database listeners) should be reachable only through the VPN or a bastion.
- [ ] **DDoS Mitigation:** Verify that Cloudflare, AWS Shield, or equivalent DDoS protection is active, and that origin servers accept traffic only from the protection layer; an origin IP that can be reached directly makes the shield irrelevant.
- [ ] **DNSSEC Verification:** Confirm DNSSEC is enabled for all core domains to prevent forged responses and cache poisoning at validating resolvers: the zone must be signed and a matching DS record must be published in the parent zone (check with `dig +dnssec <domain>` or `delv <domain>`).
- [ ] **VPN & Remote Access:** Ensure multi-factor authentication (MFA) is strictly enforced for all VPN and SSH entry points, including bastion hosts and any break-glass accounts.
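The port-scanning and firewall items above only pay off if the scan result is compared against what is supposed to be exposed. The following Python script is an added example for this checklist (not CubicSec or nmap code): it parses nmap's grepable (`-oG`) output and reports every open port that an allowlist does not sanction, plus allowlisted hosts the scan never saw. The scan output, addresses, hostnames and allowlist are constructed assumptions.

```python
"""Reconcile nmap grepable output (-oG) against an allowlist of intended exposure.

Added example for this checklist, not CubicSec or nmap code. SAMPLE_NMAP_GREPABLE
is constructed to match the shape of `nmap -oG - -p- <targets>` output; the
addresses, hostnames and allowlist are assumptions.
"""
import re
from typing import Dict, List, Set, Tuple

Exposure = Dict[str, Set[Tuple[int, str]]]

# Constructed sample output. Each port entry has the form
# port/state/protocol/owner/service/rpc info/version/
SAMPLE_NMAP_GREPABLE = """\
# Nmap 7.94 scan initiated Tue Jan 14 10:00:00 2026 as: nmap -oG - -p- 203.0.113.10 203.0.113.11
Host: 203.0.113.10 (web-1.example.net)\tStatus: Up
Host: 203.0.113.10 (web-1.example.net)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (65532)
Host: 203.0.113.11 (db-1.example.net)\tStatus: Up
Host: 203.0.113.11 (db-1.example.net)\tPorts: 3306/open/tcp//mysql///, 8443/closed/tcp//https-alt///\tIgnored State: filtered (65533)
# Nmap done at Tue Jan 14 10:02:31 2026 -- 2 IP addresses (2 hosts up) scanned in 151.02 seconds
"""

# Assumed allowlist: what each public address is supposed to expose to the internet.
EXPECTED_EXPOSURE: Exposure = {
    "203.0.113.10": {(80, "tcp"), (443, "tcp")},
    "203.0.113.11": set(),  # a database host should expose nothing publicly
}

# Only match real nmap port states so version strings in the Ports field cannot confuse us.
PORT_RE = re.compile(
    r"(\d+)/(open|closed|filtered|unfiltered|open\|filtered|closed\|filtered)/(tcp|udp|sctp)/"
)


def parse_open_ports(grepable: str) -> Exposure:
    """Return {ip: {(port, proto), ...}} for every port nmap reports as open."""
    found: Exposure = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines
        ip = line.split()[1]
        found.setdefault(ip, set())  # a host with no Ports field still counts as seen
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        for port, state, proto in PORT_RE.findall(fields.get("Ports", "")):
            if state == "open":
                found[ip].add((int(port), proto))
    return found


def unexpected_exposure(found: Exposure, expected: Exposure) -> Tuple[Dict[str, List[Tuple[int, str]]], List[str]]:
    """Open ports the allowlist does not sanction, plus allowlisted hosts the scan never saw.

    An allowlisted host absent from the results means the scan scope is wrong or the
    host is down; either way the check has not actually been performed for it.
    """
    report: Dict[str, List[Tuple[int, str]]] = {}
    for ip, open_ports in found.items():
        extra = open_ports - expected.get(ip, set())
        if extra:
            report[ip] = sorted(extra)
    missing = sorted(set(expected) - set(found))
    return report, missing


if __name__ == "__main__":
    findings, not_seen = unexpected_exposure(parse_open_ports(SAMPLE_NMAP_GREPABLE), EXPECTED_EXPOSURE)
    for ip, ports in findings.items():
        print(f"{ip}: unexpected {', '.join(f'{p}/{proto}' for p, proto in ports)}")
    for ip in not_seen:
        print(f"{ip}: in allowlist but not in scan results")
```

Run it against a real scan with `nmap -oG scan.gnmap -p- <range>` and pass the file contents to `parse_open_ports`; the allowlist should live alongside the firewall rules so both are reviewed together.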

## 2. Host and Operating System Hardening
- [ ] **OS Patch Levels:** Verify all hosts run supported operating system releases with current vendor security patches (kernel and userland). A patched kernel package only takes effect after a reboot or live patch, so compare the running kernel version with the installed one rather than trusting the package database alone.
- [ ] **SSH Hardening:** Disable password authentication (`PasswordAuthentication no`) and enforce key-based login only; disable root login over SSH (`PermitRootLogin no`). sshd uses the first value it reads for a keyword, so check `Match` blocks and any `Include`d drop-in files, and confirm the effective configuration with `sshd -T`.
- [ ] **Unused Services:** Disable or remove non-essential services (e.g., CUPS, FTP, Telnet) running on hosts; enumerate listeners with `ss -tulpn` and justify each one.
- [ ] **Audit Logging:** Ensure `auditd` or equivalent system logging is running and forwarding logs in near real time to a centralized SIEM, so that an attacker who gains root cannot simply erase the local trail.
- [ ] **Container Isolation:** Verify container runtimes are locked down: rootless mode where possible, no privileged containers, unneeded Linux capabilities dropped, read-only root filesystems, and minimal base images (e.g., Alpine or Distroless).
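The SSH-hardening item is easy to get wrong because of how sshd resolves duplicate keywords. The Python script below is an added example for this checklist (not OpenSSH or CubicSec code) that audits an `sshd_config` the way sshd reads it: the first value for a keyword wins, `Match` blocks can re-enable what the global section disabled, and `Include`d files are read at the point of the directive. The configuration text, the required values and the assumed defaults (OpenSSH 7.0 or later) are assumptions made for the example.

```python
"""Audit an sshd_config against the SSH-hardening items above.

Added example for this checklist, not OpenSSH or CubicSec code. It reproduces
sshd's rule that the first value set for a keyword wins, so a hardening line
appended below a permissive one changes nothing, and it flags Match blocks that
re-enable what the global section disabled. The config text is constructed.
"""
from typing import Dict, List, Tuple

# Assumed defaults for a modern OpenSSH server (7.0 or later; older releases
# default PermitRootLogin to yes).
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
}

# What the checklist requires the effective value to be.
REQUIRED = {
    "passwordauthentication": "no",
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
}

CONSTRUCTED_SSHD_CONFIG = """\
# Constructed sample, not a real host's file
Include /etc/ssh/sshd_config.d/*.conf
Port 22
PubkeyAuthentication yes
PasswordAuthentication yes
# hardening appended later without removing the line above: it has no effect
PasswordAuthentication no
PermitRootLogin no

Match User deploy
    PasswordAuthentication yes
"""

Scope = Dict[str, str]


def parse_sshd_config(text: str) -> Tuple[Scope, List[Tuple[str, Scope]], List[str]]:
    """Return (global settings, [(match condition, settings), ...], include patterns).

    Keywords are case-insensitive and may be separated from values by whitespace or
    '='; within a scope the first occurrence wins, which is how sshd resolves them.
    """
    global_scope: Scope = {}
    match_blocks: List[Tuple[str, Scope]] = []
    includes: List[str] = []
    current = global_scope
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if "=" in parts[0]:
            parts = line.split("=", 1)
        key = parts[0].strip().lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}  # everything until the next Match belongs to this block
            match_blocks.append((value, current))
        elif key == "include":
            includes.append(value)
        else:
            current.setdefault(key, value)  # first value wins
    return global_scope, match_blocks, includes


def audit_sshd_config(text: str) -> List[str]:
    """Return one finding per checklist item the effective configuration violates."""
    global_scope, match_blocks, includes = parse_sshd_config(text)
    effective = {**DEFAULTS, **global_scope}
    findings: List[str] = []
    for key, want in REQUIRED.items():
        got = effective[key]
        if got.lower() != want:
            origin = "set explicitly" if key in global_scope else "implicit default"
            findings.append(f"{key}={got} ({origin}); required {want}")
    for condition, scope in match_blocks:
        for key, want in REQUIRED.items():
            if key in scope and scope[key].lower() != want:
                findings.append(f"Match {condition}: {key}={scope[key]} overrides the global value; required {want}")
    if includes:
        findings.append(
            "Include " + ", ".join(includes) + ": included files are read at that point, "
            "so their values take precedence over later lines; confirm with `sshd -T`"
        )
    return findings
```

The script cannot open the included files offline, so it reports the `Include` rather than resolving it; on a live host, `sshd -T` prints the effective value of every keyword and is the authoritative check.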

## 3. Application Security (OWASP Top 10)
- [ ] **Input Validation:** Validate all client-supplied input against an allowlist of expected shapes, and prevent injection with the control that fits each sink: parameterized queries for SQL, context-aware output encoding for HTML and JavaScript (XSS), and argument arrays instead of shell strings for OS commands. Sanitizing input alone does not stop injection; the defence belongs where the data is used.
- [ ] **MFA & Auth:** Require MFA on all user accounts. Enforce a strong password policy (minimum length and screening against breached-password lists; composition rules alone do not make passwords strong), and rotate system secrets every 90 days and immediately after any suspected exposure or staff departure.
- [ ] **Security Headers:** Verify these HTTP headers are set on every response (error pages and API endpoints included, not only the landing page):
  - `Content-Security-Policy` (CSP), without `'unsafe-inline'` or `'unsafe-eval'` in script directives
  - `Strict-Transport-Security` (HSTS), with `max-age` of at least one year and `includeSubDomains`
  - `X-Frame-Options: DENY` (the CSP `frame-ancestors` directive supersedes it in current browsers; set both)
  - `X-Content-Type-Options: nosniff`
  - `Referrer-Policy: strict-origin-when-cross-origin`
- [ ] **Error Handling:** Never show stack traces, internal paths, or server/framework versions to end users. Log the full error internally and return a generic message with a correlation ID that an operator can look up.
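The security-header and error-handling items above are quickest to verify by feeding a captured response to a checker. The Python script below is an added example for this checklist (not CubicSec code): it parses a raw response header block, applies the header requirements listed above (presence, HSTS `max-age`, CSP `'unsafe-*'` sources, frame and sniffing protections, referrer policy) and also flags version-bearing `Server` / `X-Powered-By` banners, which are the header-level form of the "server details" the error-handling item warns about. The response is constructed; to check a real host, paste in the output of `curl -sI https://<host>/`.

```python
"""Check an HTTP response's security headers against the list above.

Added example for this checklist, not CubicSec code. SAMPLE_RESPONSE is a
constructed response that gets several items wrong. Header names are
case-insensitive, so everything is keyed in lowercase.
"""
import re
from typing import Dict, List

SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache/2.4.57 (Ubuntu)
X-Powered-By: PHP/8.1.2
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=300
Content-Security-Policy: default-src 'self' 'unsafe-inline'
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
"""

ONE_YEAR = 31_536_000  # seconds; the minimum HSTS max-age the checklist asks for
SAFE_REFERRER_POLICIES = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw response header block (status line first) into a lowercase-keyed dict."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per missing or weakened header."""
    findings: List[str] = []

    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("Content-Security-Policy allows 'unsafe-inline'/'unsafe-eval', which defeats its XSS protection")

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        max_age = int(m.group(1)) if m else 0
        if max_age < ONE_YEAR:
            findings.append(f"Strict-Transport-Security max-age={max_age} is below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("Strict-Transport-Security lacks includeSubDomains")

    if headers.get("x-frame-options", "").upper() != "DENY":
        findings.append("X-Frame-Options missing or not DENY")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not nosniff")
    if headers.get("referrer-policy", "").lower() not in SAFE_REFERRER_POLICIES:
        findings.append("Referrer-Policy missing or permissive")

    # Ties in with the error-handling item: a version banner tells an attacker what to look up.
    for banner in ("server", "x-powered-by"):
        value = headers.get(banner, "")
        if re.search(r"\d", value):
            findings.append(f"{banner} leaks a version string: {value}")
    return findings


# What a passing response looks like (assumed values, matching the checklist).
HARDENED_HEADERS = {
    "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
    "server": "nginx",
}
```

Run `audit_headers(parse_headers(...))` against responses for several paths, including a 404 and an API route, since frameworks often apply headers only to HTML routes.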

## 4. Encryption & Key Management
- [ ] **SSL/TLS Configuration:** Enforce TLS 1.3 as the minimum wherever every supported client can negotiate it; where legacy clients must be served, allow TLS 1.2 restricted to forward-secret AEAD cipher suites. Disable SSLv3, TLS 1.0, TLS 1.1 and legacy ciphers (RC4, 3DES, export-grade suites) outright, and verify the result with an external scanner such as `testssl.sh` rather than by reading the configuration alone.
- [ ] **Data at Rest:** Encrypt all databases, object storage buckets (S3, Cloud Storage), and block storage volumes, and restrict who can use the encryption keys. Provider-managed encryption protects against lost disks, not against a principal with read access, so review key policies alongside the storage settings.
- [ ] **Secrets Management:** Ensure secrets, API keys, and connection strings are NOT hardcoded in source control, including commit history and CI configuration. Store them in a secure vault (e.g., HashiCorp Vault, AWS Secrets Manager), and treat any secret found in a repository as compromised: rotate it rather than just deleting the line.
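The secrets-management item needs a detective control as well as a vault. The Python script below is an added example for this checklist (not CubicSec code, and not one of the dedicated tools such as gitleaks or trufflehog) that scans source text for high-confidence credential shapes: AWS access key IDs, private-key PEM blocks, connection strings with embedded passwords, and quoted values assigned to names such as `api_key` or `password`. Every hit is masked in the report so the scanner's own output does not become a second copy of the secret. The sample source file is constructed; the key ID in it is the AWS documentation placeholder and the other values are not real credentials.

```python
"""Scan source text for hardcoded credentials before they reach source control.

Added example for this checklist, not CubicSec tooling. Patterns are deliberately
narrow (high-confidence shapes), and every hit is masked in the report. The sample
file below is constructed; none of its values are real credentials.
"""
import re
from typing import List, Pattern, Tuple

PATTERNS: List[Tuple[str, Pattern[str]]] = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    ("db-url-with-password",
     re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^:/\s]+:[^@\s]+@", re.I)),
    # a quoted value of at least 8 characters assigned to a secret-looking name
    ("assigned-secret",
     re.compile(r"""\b(?:api[_-]?key|secret|token|passw(?:or)?d)\s*[:=]\s*["']([^"']{8,})["']""", re.I)),
]

CONSTRUCTED_SOURCE = """\
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DATABASE_URL = "postgres://app:Sup3rS3cret@db.internal:5432/app"
DEBUG_TOKEN = os.environ["DEBUG_TOKEN"]   # fine: read from the environment
password = "hunter2"                      # below the 8-character floor, so it is missed
api_key = 'sk_live_0123456789abcdef'     # this one is caught
"""


def mask(secret: str) -> str:
    """Keep enough of a hit to recognise it, never enough to reuse it."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_text(text: str, filename: str = "<memory>") -> List[Tuple[str, int, str, str]]:
    """Return (filename, line number, rule name, masked match) for each hit, in file order."""
    hits: List[Tuple[str, int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS:
            for m in pattern.finditer(line):
                # report the captured value when the rule has one, else the whole match
                matched = m.group(1) if m.groups() else m.group(0)
                hits.append((filename, lineno, rule, mask(matched)))
    return hits


if __name__ == "__main__":
    for filename, lineno, rule, masked in scan_text(CONSTRUCTED_SOURCE, "settings.py"):
        print(f"{filename}:{lineno}: {rule}: {masked}")
```

Run it over the working tree in a pre-commit hook, and separately over `git log -p` output, since a secret removed in a later commit is still in the history. The 8-character floor on `assigned-secret` trades missed short passwords for fewer false positives; adjust it to the codebase.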

## 5. Threat Detection & Incident Response
- [ ] **Intrusion Detection (IDS/IPS):** Verify host-level EDR/IDS (e.g., Wazuh, OSSEC) and network-level IDS (e.g., Suricata) are active on every host and network segment, have current rule sets, and deliver alerts to the SIEM rather than to a local log nobody reads.
- [ ] **Automated Alerts:** Configure alerts for anomalous spikes in CPU, network traffic, or authentication failures, and for privilege changes (new sudoers entries, IAM policy changes, new administrative accounts). Tune thresholds against a measured baseline so the alerts stay actionable.
- [ ] **Backups:** Perform daily encrypted backups, store copies in an isolated, immutable vault that production credentials cannot delete, and run periodic restore dry-runs that measure recovery time against the agreed objective.
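The authentication-failure alert above is the one most teams implement first, and the interesting case is not the burst itself but the success that follows it. The Python script below is an added example for this checklist (not CubicSec or SIEM-vendor code): it walks forwarded sshd log lines, keeps a per-source sliding window of failures, raises an alert when the count in the window crosses a threshold, and raises a second, higher-severity alert if the same source then logs in successfully. The log lines are constructed in rsyslog's ISO-timestamp forwarding format; the threshold, window and addresses are assumptions.

```python
"""Detect brute-force style auth-failure bursts in forwarded sshd log lines.

Added example for this checklist, not CubicSec or SIEM-vendor code. Per source
address it keeps a sliding window of failures, alerts when the window crosses a
threshold, and alerts again if a success follows such a burst from the same
address. The log lines are constructed in rsyslog's ISO-timestamp format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

CONSTRUCTED_LOG = """\
2026-01-14T10:00:01+00:00 web-1 sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
2026-01-14T10:00:02+00:00 web-1 sshd[1202]: Failed password for invalid user oracle from 198.51.100.7 port 51235 ssh2
2026-01-14T10:00:03+00:00 web-1 sshd[1203]: Failed password for root from 198.51.100.7 port 51236 ssh2
2026-01-14T10:00:04+00:00 web-1 sshd[1204]: Failed password for root from 198.51.100.7 port 51237 ssh2
2026-01-14T10:00:05+00:00 web-1 sshd[1205]: Failed password for root from 198.51.100.7 port 51238 ssh2
2026-01-14T10:00:09+00:00 web-1 sshd[1206]: Accepted password for deploy from 198.51.100.7 port 51240 ssh2
2026-01-14T10:05:00+00:00 web-1 sshd[1300]: Failed password for alice from 203.0.113.22 port 40000 ssh2
2026-01-14T10:05:10+00:00 web-1 sshd[1301]: Accepted publickey for alice from 203.0.113.22 port 40001 ssh2
"""


def detect(log: str, threshold: int = 5, window_seconds: int = 60) -> List[str]:
    """Return alert strings in log order.

    A source is flagged once its failures within `window_seconds` reach `threshold`
    and stays flagged for the rest of the input: a later success from it is the
    event that matters most, even if it arrives after the window has expired.
    """
    window = timedelta(seconds=window_seconds)
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Set[str] = set()
    alerts: List[str] = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth event; a real pipeline would count unparsed lines too
        ts = datetime.fromisoformat(m["ts"])
        ip = m["ip"]
        recent = failures[ip]
        while recent and ts - recent[0] > window:
            recent.popleft()  # drop failures that fell out of the window
        if m["result"] == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(f"{ts.isoformat()} {ip}: {len(recent)} failed logins within {window_seconds}s")
        elif ip in flagged:
            alerts.append(
                f"{ts.isoformat()} {ip}: successful {m['method']} login as {m['user']} "
                "after a failure burst; treat the account and host as compromised"
            )
    return alerts


if __name__ == "__main__":
    for alert in detect(CONSTRUCTED_LOG):
        print(alert)
```

The single failure followed by a key-based success from 203.0.113.22 produces nothing, which is the point of the window and threshold: a forgotten password is not an incident, five failures and then a password-based success from the same address is. Note also that the accepted *password* login in the sample would itself violate the SSH-hardening item in section 2.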

---
*For automated real-time scanning, deploy the CubicSec CubeScan module or schedule an analyst consultation at support@softsasi.com.*
