14 Jun
5 simple actions to improve your security posture
Greetings everyone! Today I bring you 5 simple actions to improve the security posture of your company.
Over the last couple of years I have seen, in different engagements, that IT teams struggle to take actionable steps towards a better security posture. They find it difficult to identify where to start while working towards industry standards such as the CIS Top 20 Controls or the NIST Cybersecurity Framework.
That is why I came up with 5 simple quick wins that you can implement in your company to reduce the risk of a cyber-attack.
ONE: Use Two-Factor Authentication. Everywhere.
Let’s admit it. We’re not very good with passwords, although we think we are. People tend to use simple passwords that they can remember, and reuse them across different systems.
Two-factor authentication (2FA) verifies that you are who you say you are by requiring two independent factors: typically something you know (a password) and something you have (a phone or a hardware token). The second factor can be an SMS code, a code generated in an app, a push notification or even an automated phone call. Not all second factors are equal: SMS and voice calls can be intercepted or redirected (for example through SIM swapping), so prefer app-generated codes or hardware keys where the service supports them. Even SMS is far better than a password alone.
I know that your users may complain about it. But you are going to thank me later, when one of your users’ passwords is breached and an attacker tries to get into their account. Tell them that you are not doing this because you like to make the process more difficult. You are doing it because you need to protect the company’s information and also their privacy.
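To make the "code in an app" factor concrete, here is an added example (not code from the original post) implementing the time-based one-time password scheme that authenticator apps use (RFC 6238 TOTP on top of RFC 4226 HOTP) together with the server-side check. It assumes the RFC test secret `12345678901234567890`; the replay guard (never accepting a counter at or below the last one used) is a design choice of this example, not something the post describes.

```python
import base64
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(key, int(for_time) // step, digits)


def decode_base32_secret(secret: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret (the otpauth:// QR code);
    accept the lower-case, space-separated form users tend to type."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Server side of the check. Tolerates +/-window steps of clock skew between the
    phone and the server, compares in constant time, and refuses to accept a counter
    that has already been used so an intercepted code cannot be replayed."""

    def __init__(self, key: bytes, step: int = 30, window: int = 1):
        self.key, self.step, self.window = key, step, window
        self.last_counter = -1

    def verify(self, code: str, now: int) -> bool:
        counter = int(now) // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue  # already consumed (or older): replay attempt
            if hmac.compare_digest(hotp(self.key, candidate), code):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test secret; real deployments generate a random 20-byte secret per user.
    secret = decode_base32_secret("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
    print(totp(secret, 59))  # RFC 6238 vector: 94287082 truncated to 6 digits
    verifier = TotpVerifier(secret)
    print(verifier.verify(totp(secret, 59), 59), verifier.verify(totp(secret, 59), 59))
```

The first `verify` call succeeds; the second, with the same code, fails because of the replay guard, which is the behaviour you want when a code was phished or intercepted.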
TWO: Don’t use your domain admin user for day-to-day tasks.
Some Domain Admins use the same administrative user to perform all kinds of tasks. However, you should not be logging in every day with an account that is a local admin or has privileged access (Domain Admin). Instead, create two accounts: a regular account with no admin rights, and a privileged account that is used only for administrative tasks.
The regular account should be used for typical day-to-day functions such as reading email or browsing the web. Only use the privileged account when you need to perform admin tasks such as creating a user in Active Directory, logging into a server, adding a DNS record, etc. Follow the least-privilege administrative model: all users should log on with an account that has the minimum permissions needed to complete their work.
Restricting administrative privileges makes it more difficult for an adversary’s malicious code to elevate its privileges, spread to other hosts, hide its existence, persist after reboot, obtain sensitive information or resist removal efforts.
THREE: Traditional Password Policies Don’t Work Anymore
Research published by the UK National Cyber Security Centre (NCSC) concluded that password expiry policies create vulnerabilities of their own.
Password expiration policies do more harm than good, because they drive users to very predictable passwords composed of sequential words and numbers that are closely related to each other. That is, the next password can be predicted from the previous one. Studies have shown that when you require complexity, users fall back on a similar pattern and then repeat it. Cyber criminals have caught on to this, and there are now huge, freely available password lists containing millions of easy-to-guess passwords.
Instead, long passwords and passphrases make it harder for password-cracking software and for attackers to guess. This does not mean that passwords should never be changed: passwords do sometimes need to be changed, most importantly on indication or suspicion of compromise.
You should work with your users to embrace password managers. They let users have longer, stronger, unique passwords and change them whenever needed, without making the process too difficult. A password manager can create and maintain a long, complex, unique password for every service a user has, so none is ever reused.
For more information, please refer to the following links:
Another good way to strengthen your password policy is to check your users’ current passwords against known breached passwords. Have I Been Pwned publishes a corpus of passwords that have appeared in breaches: https://haveibeenpwned.com/passwords. You should also look at the Pwned Passwords API: it is queried by the first five characters of the password’s SHA-1 hash (a k-anonymity range lookup), so the password itself never leaves your network, and you can use it, for example, to stop a user from choosing a password that has already been breached.
Here are some tools that the community has already built:
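The following is an added example (not code from the original post or from Have I Been Pwned) of a "set password" policy hook that does the range lookup described above: it hashes the candidate password with SHA-1, sends only the first five hex characters to `https://api.pwnedpasswords.com/range/{prefix}`, and searches the returned `SUFFIX:COUNT` lines for the remaining 35 characters. The canned response embedded below is constructed: the first suffix really is the remainder of SHA-1("password"), but the counts and the other two suffixes are made up so the example runs offline. The minimum length of 12 is this example's assumption, not a figure from the post.

```python
import hashlib
import urllib.request

# Constructed sample of what GET https://api.pwnedpasswords.com/range/5BAA6 returns:
# one "SUFFIX:COUNT" line per leaked SHA-1 hash that shares the 5-character prefix.
# Only the first suffix is real (SHA-1("password") = 5BAA6 1E4C9B93F3F0682250B6CF8331B7EE68FD8);
# the counts and the other two lines are made up for this example.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
"""


def split_hash(password: str) -> tuple:
    """Return (prefix, suffix) of the upper-case SHA-1 hex digest. Only the 5-char
    prefix is ever sent to the API, so the service cannot learn the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(password: str, range_response: str) -> int:
    """Find the password's suffix in a range response; 0 means it has not been seen."""
    _, suffix = split_hash(password)
    for line in range_response.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup (needs network access). The API requires a User-Agent header."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-policy-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def validate_new_password(password: str, fetch=fetch_range, min_length: int = 12) -> tuple:
    """Policy hook for a password-change flow: length first, then the breach corpus.
    `fetch` is injectable so the check can run offline against canned data in tests."""
    if len(password) < min_length:
        return False, f"must be at least {min_length} characters"
    prefix, _ = split_hash(password)
    seen = count_in_range(password, fetch(prefix))
    if seen:
        return False, f"this password has appeared {seen} times in known breaches"
    return True, "ok"


if __name__ == "__main__":
    canned = lambda _prefix: SAMPLE_RANGE_RESPONSE  # offline stand-in for fetch_range
    print(validate_new_password("password", fetch=canned, min_length=8))
    print(validate_new_password("a-long-passphrase-not-in-the-canned-data", fetch=canned))
```

Swap `canned` for the default `fetch_range` to query the real API; the same prefix lookup also works for auditing existing hashes in bulk, since you only need the SHA-1 of each password, never the password itself.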
FOUR: Know what is exposed. Run recon on yourself.
Attackers will scan your network; you should do it first. There are *A LOT* of free tools you can use to scan your network. Knowing what is exposed is the first step to reducing the attack surface, and Nmap is free. Turn off the services you don’t need. You can also use Shodan to see what the outside world already knows about your environment. Take a look here: www.shodan.io.
In addition, we’ve seen a lot of management/admin pages exposed to the internet. Even though access is restricted by a login page, they are still out there, and an attacker can brute-force them or spray passwords against them. You should definitely restrict access to those management portals by source IP or geography.
Another bad practice that is easy to fix: services tied to Active Directory (for example SMB, LDAP, Kerberos and RDP) should not be accessible from the internet. Put them behind your corporate VPN instead.
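As an added example (not from the original post), here is a small triage script for the three points above. It parses Nmap's XML output (`nmap -sS -sV -oX scan.xml <your public ranges>`), keeps only open ports, and classifies each one: Active Directory and Windows management ports are "high" (move behind the VPN), likely management portals are "medium" (restrict by source IP), and anything else outside the ports you expect to be public is "low" (turn it off if not needed). The port-to-protocol mappings, the allowed public ports and the two scanned hosts are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

# Ports carrying Active Directory / Windows management protocols (assumed mapping).
AD_AND_ADMIN_PORTS = {
    88: "Kerberos", 135: "MS-RPC", 139: "NetBIOS", 389: "LDAP", 445: "SMB",
    464: "Kerberos password change", 636: "LDAPS", 3268: "Global Catalog",
    3269: "Global Catalog (TLS)", 3389: "RDP", 5985: "WinRM", 5986: "WinRM (TLS)",
}
# Ports that commonly front a management portal (assumed list).
MGMT_PORTAL_PORTS = {8080: "HTTP alt", 8443: "HTTPS alt", 9090: "admin console", 10000: "Webmin"}

# Constructed Nmap XML for two hypothetical hosts (documentation range 203.0.113.0/24).
SAMPLE_NMAP_XML = """
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="22"><state state="filtered"/><service name="ssh"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="203.0.113.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="25"><state state="open"/><service name="smtp"/></port>
      <port protocol="tcp" portid="389"><state state="open"/><service name="ldap"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_open_ports(xml_text: str) -> dict:
    """Map each IPv4 address to a sorted list of (port, service name) for open ports only."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not exposure
            service = port.find("service")
            name = service.get("name", "?") if service is not None else "?"
            open_ports.append((int(port.get("portid")), name))
        hosts[addr.get("addr")] = sorted(open_ports)
    return hosts


def assess(hosts: dict, allowed_public_ports=frozenset({80, 443})) -> list:
    """Turn the open-port map into a prioritised list of findings with the fix to apply."""
    findings = []
    for ip, ports in hosts.items():
        for port, service in ports:
            if port in allowed_public_ports:
                continue
            if port in AD_AND_ADMIN_PORTS:
                sev, action = "high", f"{AD_AND_ADMIN_PORTS[port]} reachable from the internet; put it behind the VPN"
            elif port in MGMT_PORTAL_PORTS or "http" in service:
                sev, action = "medium", "possible management portal; restrict by source IP or geography"
            else:
                sev, action = "low", "unexpected open port; turn the service off if it is not needed"
            findings.append({"host": ip, "port": port, "service": service, "severity": sev, "action": action})
    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: (order[f["severity"]], f["host"], f["port"]))
    return findings


if __name__ == "__main__":
    for f in assess(parse_open_ports(SAMPLE_NMAP_XML)):
        print(f"[{f['severity']}] {f['host']}:{f['port']} ({f['service']}) - {f['action']}")
```

Run the scan from outside your network (a cloud VM or your home connection), not from inside, so that you see what an attacker sees rather than what your firewall lets internal hosts reach.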
FIVE: First inventory, then patching
For an efficient patch management process, you need an up-to-date inventory of all of your assets with OS versions and installed applications (yes, applications like Chrome belong in your process too). Record every production system, including OS type and version, IP address, physical location, custodian and function. Commercial tools ranging from general network scanners to automated discovery products can speed this up. Re-inventory your network periodically; an inventory that is six months old will miss the box that was stood up last week.
Once you have done that, the answer is simple: patching, patching and patching. You should always do it. I know it can be a difficult process, because you need to test that everything still works after applying the patch and you don’t want the business to be mad at you. But remember, attackers will always scan your network looking for that low-hanging fruit.
Here is an interesting read from the UK National Cyber Security Centre where they explain their approach to applying security patches to their own systems: https://www.ncsc.gov.uk/blog-post/ncsc-it-installing-software-updates-without-breaking-things
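To show how the inventory feeds the patching step, here is an added example (not from the original post) that records the fields listed above for each asset and compares installed versions against a minimum-version baseline to produce a patch worklist, internet-facing hosts first and then grouped by custodian. The three assets and the baseline versions are constructed for the example; in practice the baseline comes from vendor advisories or your vulnerability feed. One detail worth the few lines it costs: version strings must be compared component by component as integers, because plain string comparison ranks `9.0.1` above `10.0.0`.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Asset:
    """One inventory row: the fields the post lists, plus whether the host is internet-facing."""
    hostname: str
    ip: str
    os: str
    os_version: str
    location: str
    custodian: str
    function: str
    internet_facing: bool
    applications: dict = field(default_factory=dict)  # application name -> installed version


# Constructed inventory of three hypothetical assets.
INVENTORY = [
    Asset("dc01", "10.0.0.5", "Windows Server 2019", "10.0.17763.5458",
          "Sydney, rack 3", "infra", "domain controller", False, {"7-Zip": "23.01"}),
    Asset("web01", "203.0.113.10", "Ubuntu", "22.04", "AWS ap-southeast-2",
          "infra", "public web server", True, {"nginx": "1.18.0"}),
    Asset("ws-sales-07", "10.0.20.37", "Windows 10", "10.0.19045.4291",
          "Sydney, level 2", "sales-it", "workstation", False,
          {"Google Chrome": "124.0.6367.207", "7-Zip": "22.01"}),
]

# Minimum acceptable versions. Constructed for the example, not real advisories.
BASELINE = {
    "Windows Server 2019": "10.0.17763.5696",
    "Google Chrome": "125.0.6422.60",
    "7-Zip": "23.01",
    "nginx": "1.24.0",
}


def version_key(version: str) -> tuple:
    """'10.0.17763' -> (10, 0, 17763): compare numerically per component.
    Plain string comparison is wrong here: '9.0.1' > '10.0.0' is True in Python."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def outdated(installed: str, minimum: str) -> bool:
    return version_key(installed) < version_key(minimum)


def patch_worklist(inventory: list, baseline: dict) -> list:
    """One row per (host, component) below baseline. Internet-facing hosts come first
    because that is the low-hanging fruit an external scan will find; the rest are grouped
    by custodian so each owner gets a single list."""
    work = []
    for asset in inventory:
        components = {asset.os: asset.os_version, **asset.applications}
        for component, installed in components.items():
            minimum = baseline.get(component)
            if minimum and outdated(installed, minimum):
                work.append({
                    "hostname": asset.hostname, "ip": asset.ip, "custodian": asset.custodian,
                    "function": asset.function, "exposed": asset.internet_facing,
                    "component": component, "installed": installed, "minimum": minimum,
                })
    work.sort(key=lambda w: (not w["exposed"], w["custodian"], w["hostname"], w["component"]))
    return work


if __name__ == "__main__":
    for row in patch_worklist(INVENTORY, BASELINE):
        flag = "EXPOSED " if row["exposed"] else ""
        print(f"{flag}{row['custodian']:9} {row['hostname']:12} {row['component']:20} "
              f"{row['installed']} -> {row['minimum']}")
```

Components with no baseline entry (Windows 10 and Ubuntu in the sample) are silently skipped; in a real process that gap is itself a finding, since an asset you cannot assess is one you cannot patch with confidence.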
BONUS: Security Awareness Training
Ok, this is not a straightforward technical fix. But you should definitely implement security awareness training for all of your employees.
A social engineering attack targets the human factor. It is typically carried out by an external party who deliberately manipulates an employee’s good intentions (their willingness to help) or general curiosity, for example by enticing them to click a link in an email that leads to a malicious website. Phishing is frequently cited as the initial entry method in around 91% of cyber-attacks world-wide, and many high-profile breaches started from a single successful phish.
You must appeal to the hearts and minds of your audience with messages that encourage them to take ownership of their own cyber security and, in that way, become an ally in the fight against cyber crime. The topics are not only phishing; they range from why it is important to keep software up to date, to how to pick a good password, to the idea that the internet is a shared resource and taking care of it is everybody’s responsibility. You can also talk about being careful with what information they share on the internet. You can find good resources at https://www.stopthinkconnect.org/:
Stop other people from accessing your information by using strong passwords. Think before you download apps you aren’t familiar with. Connect with friends safely online by checking your privacy settings regularly.
Remember, it does not matter how big or small your team is. There are always small steps you can take to improve security and protect your company.
Written by Nicolas Brahim, Security Consultant, Solista