We all want to abide by security best practices, but who decides what is best? If something is best for one firm, is it best for all? Too often we do not take the time to analyze what we are protecting to ensure we are protecting it as well as we can. There are, however, some basic techniques that can be deployed in nearly all organizations. I'm calling these recommendations "minimum practices." Here are six to consider.
Multi-factor authentication (MFA) is must-have protection; every firm needs to decide how and where to deploy it. Some say a best practice is to avoid text messages and other phone-based factors, since they can be intercepted or hijacked. I'd argue that the goal is not perfection. Rather, it's to be secure enough that the attacker passes you by and goes on to the next victim.
Attacks on SMS codes, whether SIM swapping or intercepting the message, require the attacker to target a specific person at your firm, and that takes planning and time. For most firms that level of targeting is not realistic. Any second factor, not just the most secure one, is a plus over a password alone.
The recent Microsoft Exchange vulnerabilities showed how important it is to prioritize updates on a network. Too often we deploy workstation patches before server patches because we can recover from workstation problems faster than from server problems. When evaluating what to patch, review how each vulnerability can be exploited and give priority to anything that is public facing.
The Common Vulnerability Scoring System (CVSS) score helps you understand the severity of a vulnerability. The Exploitability subscore measures how easy the vulnerable component is to reach and abuse: it is built from the Attack Vector, Attack Complexity, Privileges Required and User Interaction metrics, and the higher it is, the less access and effort an attacker needs. The Attack Vector (AV) metric is highest when the attacker can be fully remote (Network) and lowest when the attacker must be physically present (Physical). When security updates need to be installed, review and prioritize them based on the risk to the network. Make sure you review updates not only for the operating systems on your network but also for edge devices such as firewalls or VPN appliances that may be used to gain a foothold into your network.
As MITRE points out in the ATT&CK technique Exploit Public-Facing Application (T1190), public-facing applications expose your firm to more risk, so evaluate them first. Review your network for web application risks as well as for potential software weaknesses, and use the ATT&CK Navigator to help prioritize the devices that need patching.
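As an added illustration (not code from the original article), here is how the Exploitability subscore falls out of a CVSS v3.1 vector string, using the metric weights published in the CVSS v3.1 specification, and how sorting on it pushes network-reachable findings to the top of a patch list. The findings are constructed to show the ranking; the asset names and vectors are illustrative and are not the real vectors of any particular CVE.

```powershell
# Added example, not from the original article: rank findings by the CVSS v3.1
# Exploitability subscore (8.22 x AV x AC x PR x UI) parsed from a vector string.
# Metric weights below are the ones in the CVSS v3.1 specification.
$Weights = @{
    AV = @{ N = 0.85; A = 0.62; L = 0.55; P = 0.20 }   # Network > Adjacent > Local > Physical
    AC = @{ L = 0.77; H = 0.44 }
    UI = @{ N = 0.85; R = 0.62 }
    # Privileges Required weights differ when Scope is Unchanged (U) vs Changed (C)
    PR = @{
        U = @{ N = 0.85; L = 0.62; H = 0.27 }
        C = @{ N = 0.85; L = 0.68; H = 0.50 }
    }
}

function Get-CvssExploitability {
    param([Parameter(Mandatory)][string]$Vector)   # e.g. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    $m = @{}
    foreach ($part in ($Vector -split '/')) {
        if ($part -match '^(AV|AC|PR|UI|S):([A-Z])$') { $m[$Matches[1]] = $Matches[2] }
    }
    foreach ($required in 'AV', 'AC', 'PR', 'UI', 'S') {
        if (-not $m.ContainsKey($required)) { throw "Vector '$Vector' is missing metric $required" }
    }
    $score = 8.22 * $Weights.AV[$m.AV] * $Weights.AC[$m.AC] * $Weights.PR[$m.S][$m.PR] * $Weights.UI[$m.UI]
    # One decimal place, as NVD displays the subscore
    return [math]::Round($score, 1)
}

# Constructed sample findings (illustrative vectors, not tied to real CVE identifiers)
$findings = @(
    [pscustomobject]@{ Asset = 'Mail server, internet facing';       Vector = 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H' }
    [pscustomobject]@{ Asset = 'VPN appliance';                      Vector = 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H' }
    [pscustomobject]@{ Asset = 'Internal file server';               Vector = 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H' }
    [pscustomobject]@{ Asset = 'Workstation, needs console access';  Vector = 'CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H' }
)

$findings |
    Select-Object Asset,
        @{ Name = 'AV';             Expression = { $_.Vector -replace '.*AV:([A-Z]).*', '$1' } },
        @{ Name = 'Exploitability'; Expression = { Get-CvssExploitability $_.Vector } } |
    Sort-Object Exploitability -Descending |
    Format-Table -AutoSize
```

The Network-vector finding on the internet-facing server sorts first even though every sample vector has the same High impact metrics; that is the signal the paragraph above asks you to act on. In practice you would feed the vector strings from your scanner export or the NVD entry rather than typing them in.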
Phishing is a key way that attackers gain access to your organization, and one of the main payloads a phishing email carries is a malicious Office macro. Protect yourself from this entry point by limiting or blocking the use of Office macros. The bulk of your user base can often do just fine with Word or Excel configured so that macros are disabled, with exceptions granted only to the few people who need them.
Next, review your options for controlling PowerShell and other scripting engines. Set an execution policy that allows only signed PowerShell scripts to run (AllSigned). Keep in mind that the execution policy is a safety feature, not a security boundary: it stops accidental or casual script execution, not a determined attacker, which is why the logging below matters just as much. Upgrade to at least PowerShell 5.1 for better security and logging, and check whether you can disable PowerShell version 2, which has none of those controls. Consider upgrading to PowerShell 7 or 7.1. Then implement remote administration via Windows PowerShell Remoting.
See if you can invest in and manage Constrained Language mode via AppLocker or Device Guard (now Windows Defender Application Control). Many of these recommendations require certain licenses and hardware to implement. AppLocker takes more time and deployment effort to get right. I recommend that you investigate it as a solution, but it's a bit more advanced and thus not a "minimum" practice.
Logging is a key requirement, both for understanding how the attacker gained entry and for providing forensic evidence. So, check whether you can enable script block logging and set up log forwarding to a centralized log repository. You'll need to be on a modern platform, so review whether you have any legacy servers and operating systems and remove them from your network. Windows 10 should be the bare minimum client operating system, along with a supported server platform.
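The macro and PowerShell settings discussed above (macros disabled, signed scripts only, the 2.0 engine removed, script block logging on) can be checked and, when you are ready, enforced with one script. The following is an added example, not code from the original article: it writes the same registry values that the corresponding Group Policy settings write, assumes Office 2016 or later (version key 16.0) and must run in an elevated session for the HKLM keys. In a domain you would push these settings through Group Policy rather than a per-machine script, and the HKCU Office keys set here affect only the current user.

```powershell
# Added example, not from the original article: audit (default) or enforce (-Enforce)
# the Office macro and PowerShell policy settings. Run elevated.
param([switch]$Enforce)

$office   = 'HKCU:\Software\Policies\Microsoft\Office\16.0'        # Office 2016/2019/365
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

$desired = @(
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        # VBAWarnings 4 = "Disable all macros without notification"
        @{ Path = "$office\$app\Security"; Name = 'VBAWarnings';                       Value = 4; Type = 'DWord' }
        # Block macros in files that carry the mark of the web, whatever VBAWarnings says
        @{ Path = "$office\$app\Security"; Name = 'blockcontentexecutionfrominternet'; Value = 1; Type = 'DWord' }
    }
    # "Turn on Script Execution" policy: only scripts signed by a trusted publisher run
    @{ Path = $psPolicy; Name = 'EnableScripts';   Value = 1;           Type = 'DWord'  }
    @{ Path = $psPolicy; Name = 'ExecutionPolicy'; Value = 'AllSigned'; Type = 'String' }
    # Script block logging: event 4104 in Microsoft-Windows-PowerShell/Operational
    @{ Path = "$psPolicy\ScriptBlockLogging"; Name = 'EnableScriptBlockLogging'; Value = 1; Type = 'DWord' }
)

function Test-PolicyValue([hashtable]$Setting) {
    $current = Get-ItemProperty -Path $Setting.Path -Name $Setting.Name -ErrorAction SilentlyContinue
    if ($null -eq $current) { return $false }          # key or value absent
    return $current.($Setting.Name) -eq $Setting.Value
}

foreach ($s in $desired) {
    $ok = Test-PolicyValue $s
    $status = if ($ok) { 'OK' } else { 'DRIFT' }
    "{0,-5} {1}\{2}" -f $status, $s.Path, $s.Name
    if (-not $ok -and $Enforce) {
        New-Item -Path $s.Path -Force | Out-Null
        New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -PropertyType $s.Type -Force | Out-Null
    }
}

# The PowerShell 2.0 engine has no script block logging and no constrained language mode
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
if ($v2.State -eq 'Enabled') {
    'DRIFT PowerShell 2.0 engine is still installed'
    if ($Enforce) {
        Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
    }
}

# 5.1 is the floor for the logging enabled above
"Running PowerShell $($PSVersionTable.PSVersion)"
```

Run it with no arguments first and fix the DRIFT lines by hand or with Group Policy; add -Enforce only once you know which users genuinely need macros, because VBAWarnings 4 blocks them silently. Forwarding the resulting 4104 events to your central log store is what turns the logging switch into something useful during an investigation.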
Finally, give rights only to those who need them. Secure privileged access by using the Local Administrator Password Solution (LAPS) and other least-privilege techniques, including just-in-time (JIT) access and Just Enough Administration (JEA).
We are still in a world full of passwords. Too often we reuse passwords and do not choose strong ones. How many of us have set up an account on a site that either annoys you with a password policy you can barely figure out, or limits the number and types of characters in a way that suggests it is probably still using an authentication system based on Windows NT 4.0? If your baseline Active Directory infrastructure keeps you from implementing strong passwords, passphrases, biometrics or even smart cards, you can add a two-factor solution such as Duo.
Password management should still be a key goal in your organization. Cracked or stolen passwords are the entryway into your organization. Worse yet is when credentials for a development project are found in GitHub repositories. Have a process, and make sure you know how to scan for secrets that should never have been committed.
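As an added example of the scanning the paragraph above calls for (not code from the original article), here is a small secret scanner you can point at a checked-out repository. The patterns are illustrative, a handful of the shapes credentials commonly take; a maintained tool such as gitleaks or GitHub's own secret scanning carries far more rules and should be what you rely on. The sample file content is constructed and contains no real credentials.

```powershell
# Added example, not from the original article: scan source trees for committed secrets.
$SecretPatterns = [ordered]@{
    'AWS access key ID'   = 'AKIA[0-9A-Z]{16}'
    'Private key block'   = '-----BEGIN (RSA |EC |OPENSSH |)PRIVATE KEY-----'
    'GitHub token'        = 'gh[pousr]_[A-Za-z0-9]{36,}'
    'Hard-coded password' = '(?i)(password|passwd|pwd)\s*[=:]\s*["''][^"'']{8,}["'']'
    'Connection string'   = '(?i)Password=[^;"'']{8,}'
}

function Find-Secret {
    param([string]$Path, [string]$Content)
    $lineNo = 0
    foreach ($line in ($Content -split "`r?`n")) {
        $lineNo++
        foreach ($rule in $SecretPatterns.GetEnumerator()) {
            if ($line -match $rule.Value) {
                $hit = $Matches[0]
                [pscustomobject]@{
                    File  = $Path
                    Line  = $lineNo
                    Rule  = $rule.Key
                    # Show only a prefix so the report itself does not leak the secret
                    Match = $hit.Substring(0, [math]::Min(12, $hit.Length)) + '...'
                }
            }
        }
    }
}

function Find-SecretInTree {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -Include *.ps1, *.py, *.cs, *.json, *.config, *.env, *.yml, *.txt |
        ForEach-Object { Find-Secret -Path $_.FullName -Content (Get-Content -Raw -LiteralPath $_.FullName) }
}

# Constructed sample standing in for a checked-in config file (placeholder values, not real credentials)
$sample = @'
[database]
Server=db01;Database=orders;User Id=app;Password=Sup3rS3cretPass!;
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
admin_password = "correct horse battery staple"
-----BEGIN RSA PRIVATE KEY-----
'@

Find-Secret -Path 'sample.env' -Content $sample | Format-Table -AutoSize
# For a real repository: Find-SecretInTree -Root 'C:\src\project' | Format-Table -AutoSize
```

Run it as a pre-commit check or in CI so the finding appears before the push rather than after. When something does turn up in history, treat the credential as compromised and rotate it; deleting the file in a later commit does not remove it from the repository.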
In this era of the cloud, don't overlook the item we all used to rely on for all our security: your firewall. Often it can do some of the heavy lifting by blocking traffic that shouldn't be leaving your network. Ideally, egress rules should allow only known, approved traffic. The reality is that for many of your applications you must first run your firewall in audit (log-only) mode to understand where the traffic is going, and then develop your rules accordingly.
Log and collect event logs from the key servers and workstations you believe would be involved in a targeted attack. Whether you use Splunk or Microsoft Sentinel, install the Sysinternals Sysmon tool. It records process creation, network connections and other host activity in far more detail than the default Windows logs, and it is a key source of evidence for detecting attacks.
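The audit-then-restrict approach above, worked through for Windows Defender Firewall as an added example (not code from the original article): first turn on packet logging while the default outbound action is still Allow, then summarize the log and draft allow rules for the destinations you recognize, and only then switch the default to Block. It assumes the NetSecurity cmdlets (Windows 8/Server 2012 or later) and an elevated session; the log lines are constructed, not a real capture.

```powershell
# Added example, not from the original article: egress control in two phases.

function Enable-EgressAudit {
    # Phase 1: log every allow/drop decision; profiles stay in their current Allow mode
    Set-NetFirewallProfile -Profile Domain, Private, Public -LogAllowed True -LogBlocked True `
        -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log' -LogMaxSizeKilobytes 32767
}

function Get-EgressSummary {
    param([string[]]$LogLines)
    # pfirewall.log W3C fields (index in parentheses):
    # date(0) time(1) action(2) protocol(3) src-ip(4) dst-ip(5) src-port(6) dst-port(7) size(8)
    # tcpflags(9) tcpsyn(10) tcpack(11) tcpwin(12) icmptype(13) icmpcode(14) info(15) path(16)
    $LogLines |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object {
            $f = $_ -split '\s+'
            [pscustomobject]@{ Action = $f[2]; Protocol = $f[3]; Dst = $f[5]; Port = $f[7]; Path = $f[16] }
        } |
        Where-Object { $_.Path -eq 'SEND' } |                 # outbound only
        Group-Object Protocol, Dst, Port |
        ForEach-Object {
            [pscustomobject]@{
                Protocol = $_.Group[0].Protocol
                Dst      = $_.Group[0].Dst
                Port     = $_.Group[0].Port
                Packets  = $_.Count
                Dropped  = ($_.Group | Where-Object Action -eq 'DROP').Count
            }
        } |
        Sort-Object Packets -Descending
}

function New-EgressRuleDraft {
    param([object[]]$Summary, [int]$MinPackets = 5)
    # Phase 2: emit commands instead of running them, so a human approves each destination
    foreach ($e in ($Summary | Where-Object { $_.Packets -ge $MinPackets })) {
        "New-NetFirewallRule -DisplayName 'Egress {0} {1}:{2}' -Direction Outbound -Action Allow -Protocol {0} -RemoteAddress {1} -RemotePort {2}" -f $e.Protocol, $e.Dst, $e.Port
    }
}

# Constructed sample log (not a real capture); 198.51.100.7:4444 is the odd one out
$sampleLogText = @'
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2021-03-10 09:00:01 ALLOW TCP 10.0.0.5 52.96.10.20 51234 443 0 - 0 0 0 - - - SEND
2021-03-10 09:00:02 ALLOW TCP 10.0.0.5 52.96.10.20 51235 443 0 - 0 0 0 - - - SEND
2021-03-10 09:00:03 ALLOW TCP 10.0.0.5 52.96.10.20 51236 443 0 - 0 0 0 - - - SEND
2021-03-10 09:00:04 ALLOW UDP 10.0.0.5 10.0.0.1 51237 53 0 - - - - - - - SEND
2021-03-10 09:00:05 ALLOW UDP 10.0.0.5 10.0.0.1 51238 53 0 - - - - - - - SEND
2021-03-10 09:00:06 ALLOW UDP 10.0.0.5 10.0.0.1 51239 53 0 - - - - - - - SEND
2021-03-10 09:00:09 ALLOW TCP 10.0.0.5 198.51.100.7 51240 4444 0 - 0 0 0 - - - SEND
2021-03-10 09:00:10 ALLOW TCP 203.0.113.9 10.0.0.5 40000 3389 0 - 0 0 0 - - - RECEIVE
'@
$sampleLog = $sampleLogText -split "`r?`n"

$summary = Get-EgressSummary $sampleLog
$summary | Format-Table -AutoSize
New-EgressRuleDraft -Summary $summary -MinPackets 3

# After the approved rules are in place, flip the default for each profile:
# Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block
```

The single connection to port 4444 falls below the packet threshold and never becomes a rule, which is the point of drafting from observed traffic rather than allowing everything seen once. Review the drafted commands against what each server is supposed to talk to before running them; an allow rule for a destination you cannot explain is the audit doing its job.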
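As an added example (not code from the original article) of turning the Sysmon and PowerShell logging above into a detection, the following checks Sysmon process-creation events (Event ID 1 in Microsoft-Windows-Sysmon/Operational) for two patterns tied to the earlier practices: an Office application spawning a script host, which is what a malicious macro looks like on the host, and PowerShell launched with an encoded command. It assumes Sysmon is installed with a configuration that records ProcessCreate events; the sample events at the end are constructed so the logic can be run without a live log.

```powershell
# Added example, not from the original article: flag macro-style process chains and
# encoded PowerShell in Sysmon Event ID 1 data.
$OfficeApps  = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe'
$ScriptHosts = 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'rundll32.exe'

function Test-SuspiciousProcess {
    param(
        [Parameter(Mandatory)][string]$Image,
        [Parameter(Mandatory)][string]$ParentImage,
        [string]$CommandLine = ''
    )
    $child  = [IO.Path]::GetFileName($Image).ToLowerInvariant()
    $parent = [IO.Path]::GetFileName($ParentImage).ToLowerInvariant()
    $reasons = @()
    if (($parent -in $OfficeApps) -and ($child -in $ScriptHosts)) {
        $reasons += "Office app $parent spawned $child"
    }
    # powershell.exe accepts abbreviations of -EncodedCommand; these are the ones seen in the wild
    if (($child -in 'powershell.exe', 'pwsh.exe') -and ($CommandLine -match '(?i)\s-(e|ec|en|enc|encodedcommand)\s')) {
        $reasons += 'PowerShell encoded command'
    }
    return $reasons
}

function Get-SysmonProcessEvents {
    param([int]$Hours = 24)
    # Live query: each <Data Name="..."> field of the event becomes a property
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = (Get-Date).AddHours(-$Hours)
    } | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]$d
    }
}

# Constructed sample events standing in for Get-SysmonProcessEvents output.
# The -enc payload is a constructed UTF-16LE base64 fragment ("IEX (New-Object"), not a live sample.
$events = @(
    [pscustomobject]@{
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        CommandLine = 'powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA'
    }
    [pscustomobject]@{
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        ParentImage = 'C:\Windows\explorer.exe'
        CommandLine = 'powershell.exe -File C:\Scripts\backup.ps1'
    }
    [pscustomobject]@{
        Image       = 'C:\Windows\System32\notepad.exe'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        CommandLine = 'notepad.exe'
    }
)

foreach ($e in $events) {
    $why = Test-SuspiciousProcess -Image $e.Image -ParentImage $e.ParentImage -CommandLine $e.CommandLine
    if ($why) { "ALERT  {0} <- {1}: {2}" -f $e.Image, $e.ParentImage, ($why -join '; ') }
}
# Against a real host: Get-SysmonProcessEvents -Hours 24 | ForEach-Object { ... same check ... }
```

Only the first sample event should alert, on both counts; the scheduled backup script and Word opening Notepad are the kind of benign activity a rule like this has to leave alone. The same two checks express naturally as a Splunk search or a Sentinel analytics rule once the Sysmon events are forwarded, which is why installing Sysmon comes before choosing the SIEM.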
There you have it: my not-best but minimum practices. See how many you are doing now and whether you can strive to do better.