High profile cybersecurity incidents hit more and more frequently across industries. Each and every day hundreds of new unique pieces of malware, attacks, and vulnerabilities are exposed. If you are paying attention it can be overwhelming. There are so many approaches to security, frameworks, tools and techniques it can become difficult for IT Managers and leaders to decide which efforts to prioritize and why. This post will discuss the highest maximal return considerations that can be implemented to secure your company’s business.
1. Refine your identity management architecture.
All information systems and applications rely upon some underlying assumptions about access control, for example that somewhere there is an authoritative database that contains authorized users and groups that can access certain resources. Historically most businesses relied upon Microsoft Active Directory for this purpose, but as the market has shifted many businesses are now very heterogeneous in nature with regards to running different kinds of operating systems, and some businesses may not have a centralized database of users at all.
Fortunately the market has responded to the changing landscape and you can purchase LDAP as a service products from JumpCloud and a similar Universal Directory product from Okta, which can become your authoritative store. Office 365 also comes bundled with an instance of Azure Active directory, which can provide some good identify management capabilities.
Identify management systems can get stale without attention. An ad-hoc user and group creation cannot scale and is prone to error. Attackers will try to login to all available information systems with any credentials they can discover during reconnaissance. Keeping old and unused accounts out of the picture blocks their efforts. Further businesses need to implement robust onboarding and offboarding solutions to keep identity directories clean. Spending time cleaning and organizing your identity solution will have wide reaching affects as that identity store is relied upon across the organization. Keep in mind these systems can also benefit from stronger passwords, with the help of your password managers, and MFA tokens.
2. Modernize your password technology.
Adopting password managers across your business gives your users the technology they need to finally adopt secure password techniques. Passwords managers are not for power users or administrators, they are for everyone. You can only expect users to succeed with the rather tough standards required of them with supporting technology. With the password managers in hand users can easily set unique passwords per account. And those passwords will be generated by random password generators, and they will be very complex, and much longer than what they have been traditionally. There will be some resistance to this initially, so walking users through the technology and assisting them in updating the majority of the critical passwords they use daily will help with adoption. 1Password and LastPass are two of the popular managers of what has become an increasingly growing field of providers. These and other providers include team features, such as assisting users in recovery of their lost accounts, which should also be considered during selection. These managers also integrate with various Multi Factor Authentication (MFA) solutions, such as the new U2F authentication standard implemented in security token providers such as sold by Yubico.
The big solution we solve here is that people, generally, are not too good at doing password management, and certainly not as good compared to the level of sophistication that password crackers with large dictionaries of known passwords have at their disposal. Exploiting weak passwords are still a very large attack vector for many businesses, but it is so easy to prevent with this technology, if adopted by your teams. Make modern password technology a priority, work with users to gain strong adoption, and push for strong passwords plus MFA wherever possible.
3. Encrypt all endpoints.
Windows, Mac OS, and Linux all support robust full disk encryption. Most of the time you can kick off a system to be encrypted and the user won’t even notice. Be sure to back up the encryption keys off of the systems to a tightly secured database or data store in case you have to recover data later in the course of business. Historically there were concerns about data loss, complexity of the encryption tools, and performance issues for the user, but all of those issues have largely been overcome. Of course it is possible there are some power users that would notice the additional latency when accessing their data drives, but the vast majority of users won’t even notice unless their systems are badly in need of updating. Some systems can be further locked down by setting the BIOS password. This often ignored security feature can help some businesses further lock down their systems.
The primary concern addressed with disk encryption is for when businesses have systems stolen or lost, especially where a significant portion of users work on mobile laptops and tablets. In many cases, if a laptop is stolen or found, and it is not encrypted, much or all of the data on it will be available to an attacker. This can simply be remediated by encrypting the hard drives and enforcing that requirement with group policies in Windows or Jamf for Macs. Many industries are now requiring data to be encrypted on laptops, but even when it isn’t required data breaches through physical theft are very damaging to companies. This relatively simple to do and usually free solution, if done in advance of theft or loss, completely solves this issue.
4. Backup your user’s data to the cloud.
Backing up to the cloud is affordable, widely available, and much easier to implement than traditional backups. You can backup servers to the cloud too and just as importantly user’s workstation and laptop data to the cloud. There are many reasons to backup data: theft, data corruption, business continuity, protecting intellectual property. Today’s backup clients are relatively easy to deploy and run quietly in the background. I should mention, although this field has matured significantly, one drawback still seen is that some providers still have restore times that are slower than desired. On strong incumbent player is Acronis Backup. These products cover the gap of just relying on Microsoft One Drive, Dropbox or Box. Most users have legacy habits of not using these preferred technologies and save directly to their systems in places that are not backed up at all.
The more serious current concern we solve with user cloud backups is the threat of Crypto Ransomware. This malware encrypts user’s hard drives and is generally combined with technology that propagates the malware across the network. As this type of threat has evolved it is less likely that paying a ransom will actually result in keys from the attackers which can unlock the data. By continually backing up the cloud, should the network become completely infected and local data lost, you now have a viable path forward in reimaging the systems and restoring the backed up data.
5. Stop Phishing.
Phishing has been in the wild for over thirteen years, and thankfully today there is technology that can mitigate those threats. In many cases hackers are not needing to compromise systems with 0-day hacks and sophisticated multi-vector attacks. They are compromising systems by offering employees free pizzas, or love, or money, with email based cons known as phishing. In business, we call this Business Email Compromise (BEC) and it causes Billions in losses each year to businesses. The first step for every company is to implement SPF, and DMARC, and DKIM on your corporate email systems. Both G-Suite and Office 365 have very easy user interfaces and instructions for what do setup in DNS to setup these basic configurations. Additionally Office 365 has an advanced threat protection add-on, which can provide additional anti-phishing technology. In all of these cases the weak link is the end user who mis-clicks and compromises their system. Sophisticated anti-phishing training campaigns are now available through vendors such as KnowBe4, which can help train your users to look for red flags in emails and learn to report suspicious emails.
Phishing is a very common current attack method hackers use to gain access to internal resources and networks. SPF, DMARC, and DKIM are no longer optional settings for enterprise email, as they are the technologies which help weed out external users sending email which appears to be originating legitimately from your company. These configurations changes along with additional email security cloud products, and end user training can significantly reduce this threat.
6. Implement Unified Security Management
Network and system compromise is going to happen. A comprehensive security strategy and implementing security controls and tools will reduce those incidents, but in today’s world breaches will occur. When they do occur, if you have already implemented a robust logging infrastructure ahead of time you will have a good chance an understanding your breach and remediating it quickly. Logging access logs, operating system logs, endpoint protection logs, border firewall logs, DHCP logs, and application session logs are some of the minimum elements you need to capture. There is good general guidance online, but if you are unsure where to start this is important enough where you should consider reaching out to a DFIR or MSSSP team and bring them out as consultants where they will tell you exactly what they will need to see when responding to an attack. Basic logging can be as simple as setting a Linux box on an old system on your LAN running syslog, which would be relatively quick to setup and much better than doing nothing. Commercial logging in the cloud is now widespread, with providers such as Graylog offering robust and scalable capabilities. One point of distinction here is logging is not necessarily the same as sending events to a SIEM or a cloud dashboard for your firewall. Logging has a lot more volume and will cover a lot of data points not directly tied to security, but which would be important during an incident response investigation. Both are important, and both should be done.
Too often business with relatively poor security profiles, do get compromised, but with poor or no effective logging they have no idea of what the impact really was and frequently have to hire expensive external DFIR consultants to help track down everything blind. Setup logging when things are quiet and make it as comprehensive as you can afford. Don’t neglect setting up all of your systems and network devices to the same network time utilizing Network Time Protocol (NTP) and setting a standard Time zone across your business systems, such as UTC. A thoughtful logging infrastructure provides important critical forensic data when incidents occur and can save you a lot of money during response.
With everything that is going on what is the best way to watch the environment without actually watching it? Monitoring is the name of the game, but spending time tuning the monitoring so that only actionable events ever get alerted is where you need to build too. Many of the enterprise and opensource logging solutions have complex alerting tools which can be leveraged to look for specific text incidents. Likewise with traditional agent based monitoring, setting the alerts thresholds to alert only when something actually has to be done is the only way to keep the noise in check. In most cases no one is ever really watching the dashboards and responding with a high degree of accuracy. You have to rely upon notification if you want a person on your team to see that something changed and respond when it needs attention. Pagerduty is a common alerting service provider that integrates with many monitoring companies such as Datadog and LogicMonitor to provide robust notification to your team. It can be setup to text, email, and call, multiple times, and even escalate to other team members to provide robust awareness.
The concern is that if no one is watching no one will notice that someone is trying to breach the network or a resource, and even if they do breach, that it was actually done. General monitoring can help, but if it is a network monitoring system, a logging solution or a SIEM, you must build out actionable alerts with notifications and work to reduce the noise. Some businesses with less internal resources at hand can utilize Managed Security Service Provider (MSSP) teams to respond to these alerts, but ultimately someone needs to either be watching or at least responding to the monitoring systems.
7. Upgrade to the latest Endpoint protection.
Originally called anti-virus software, endpoint protection software attempts to solve the original problem identified by AV products, and now much more. The original problem of virus and malware infection was to scan the hard drive looking for files with particular signatures. The process was to install an AV product and keep those signatures up to date. It wasn’t long before attackers realized they could quite easily change the signature of each piece of malware in an attempt to bypass or at least staying ahead of definition updates. As the virus and malware writers became more and more sophisticated so did the defenders. New endpoint protection products allow the security administrator to attempt to catch rogue binaries before they execute on the system. Through these products admins can go so far as to whitelist only those approved applications they know are safe, to middle paths where unknown applications are run in sandboxes which can’t access the network or data drives. Another key element to these systems is that they reach back to their provider clouds with new observations and data which make the entire system more accurate as new malware is discovered. Another good benefit to these endpoint solutions is there is centralized reporting and rules that can be pushed out to various groups in the business on what to do when malware is discovered. Updates can also be push out centrally, reducing the burden to support staff. Products such Carbon Black’s Endpoint Protection provides these advanced defensive capabilities to all user’s systems.
Malware can and will end up on systems through various vectors such as email attachments, phishing, or just downloading the wrong thing. Once malware is on a system and activated it can quickly attempt to escalate privileges and compromise the system. Stopping the malware during execution is now part of modern endpoint solutions.
8. Upgrade your perimeter and your internal network
Just blocking ports and addresses on a firewall is no longer adequate at the edge of a network. There is a lot of hype about so called next generation (NG) firewalls, but to be fair there are some core features all Internet connected networks must have if they want to stay secure. NG firewalls come in all sizes and prices, so it isn’t necessary to spend thousands or more to get these solutions. You do need to pay attention to the firewall traffic ratings for when these NG features are enabled, as that can typically be a gotcha later on when you do turn on all features and you find the firewall was under selected against the traffic you are pushing through it.
The new features you want to consider are subscriptions to services which scan all traffic looking for malware, both unencrypted and encrypted traffic. Many of these NG firewalls allow you to enable authorized man in the middle features typically called SSL inspection. Once TLS traffic is intercepted in the firewall it can scan that traffic along with the unencrypted traffic looking for malware. Another common feature is to be able to control which applications go through the firewall. The firewall is doing more than blocking TCP and UDP ports, it is inspecting the traffic and when it sees, for example, BitTorrent traffic, it would be able to drop all of that traffic, if it was set to block by policy. Vendors such as Palo Alto and Fortigate implement traditional firewalling and next generation features.
Attackers are attempting to infiltrate your network on a daily basis and basic perimeter prevention can’t address those attacks. Next generation firewall features can help, but don’t forget to segment your network, use VLANs, and split out your wireless guest network from your internal network.
9. Single Sign On
Singe sign on (SSO) typically refers to a system of authentication where a user logs into a central system, and then a secondary authentication method, such as SAML, can be used to automatically log the user further into other external, but integrated systems. In other words, the user logs in once, and then can directly login to many other cloud applications such as Office 365, Dropbox, Jira or Slack. There are many SSO vendors such as Okta and Centrify, which offer similar features. They all rely upon an authoritative identify management store and can typically integrate directly with a legacy Active Directory or LDAP identify databases.
Although a password manager can assist users in creating better and more complex passwords, it doesn’t solve the overall growing complexity problem. SSO solutions reduce complexity by centralizing authentication. The user doesn’t need a username and unique password for every cloud application in an SSO environment. They will just need their credentials to get authenticated into the SSO environment. This simplicity ends up saving lots of time for smaller IT teams because there are much fewer systems where users need to have their account passwords reset, or someone to look up what their usernames is for a particular system. Additionally SSO saves lots of time for the end users in terms of automation.
These techniques won’t on their own solve all IT security problems and make a company impenetrable in today’s threat landscape. But they will address the most commonly exploited attack vectors which hit businesses today. Perhaps you can solve the 80% problem with these simple steps, which for a lot of companies is a great place to start. In many cases they are simple and somewhat commonly known recommendations, so the most important part in all of this is to actually adopt some or all of these measures and drive them to completion in your environment.