Part 1 of this series, “The Business Perspective,” examined how to build a cybersecurity capability from the ground up by starting with the basic governance aspects of information security. It explained how cybersecurity relates to organizational goals and how those goals dictate the organization’s approach to cyber risk management. Setting this overarching tone is important, but it needs to be reflected through effective technology management.
While cybersecurity is a business issue, it is one that is inextricably linked to technology. Part 2 of this blog series looks at the IT tools and methods that provide a basic foundation for a cybersecurity program.
Basic Administrative Management
While the processes discussed in Part 1 all have to do with organizational governance around cybersecurity, these tactical and administrative processes can help provide a defensive baseline:
Disable Local Administrative Privileges
In most organizations, employees do not need administrative rights over their workstations. Revoking these rights prevents employees from changing security configurations or installing unapproved or unsafe software. It also limits the harm an attacker can cause after gaining access to an employee's computer, because turning that foothold into control of the machine now requires a separate privilege-escalation step. This change is easiest to make in an organization's early days, before employees grow accustomed to elevated permissions, but it can be accomplished at any time with the right internal messaging campaign.
Segment Administrative Accounts
Employees who require administrative privileges should have separate accounts, used only by them and only for administrative functions. Taking this a step further, administrative accounts should be segmented by device type: domain admins should only be able to log on to domain controllers, workstation admins only to workstations, and so on, so that an administrative credential stolen from a compromised workstation cannot be reused against the domain controllers. Additionally, every administrator should have a separate, non-privileged account for all other business activities.
Identify Third-Party Support
Few organizations can handle a cybersecurity incident entirely on their own, especially when they are just beginning to build their security capabilities. In these early stages, contingency plans should focus on identifying whom to call for help. In addition to a technical incident response firm such as CrowdStrike® Services, some organizations will also want to have outside legal counsel and public relations support on retainer.
Change Default Passwords
While most software or online services force users to reset the default password during setup, this is often not the case with hardware. Small organizations or startups frequently fail to change the default passwords on their routers, security cameras and other network-connected hardware, whose default credentials are published in vendor manuals and therefore known to anyone who cares to look. Changing the passwords (and disabling any default accounts the device lets you disable) is a simple step that can spare an organization considerable grief and embarrassment.
Even for organizations with mature cybersecurity programs, the number of cybersecurity tools and technologies available can be overwhelming. While most tools provide some benefits, organizations just starting their cybersecurity program need not buy everything. The following technologies are some good initial purchases that provide considerable return on investment.
Two-Factor Authentication
Few security measures provide as much bang for the buck as two-factor authentication. Even without additional security tools, two-factor authentication can go a long way toward preventing unauthorized access to company resources.
The most obvious places to use two-factor authentication are on company email, VPN services, and any other tools or applications that employees use to access resources remotely. But it is also good practice to enable two-factor authentication on every service that will allow it. Examples include cloud-based document storage and backups, customer relationship management software, web-hosting and content management platforms, etc.
VPN for Remote Access
Requiring users to authenticate to a secure VPN (with multi-factor authentication, of course!) to remotely access company information provides an additional layer of security around network resources. By configuring firewalls to block all other types of remote connections, an organization can reduce the attack surface that adversaries may target. As organizations mature, they can layer additional security around their VPN by logging connections and blocking suspicious connection attempts.
Firewalls
Deploying firewalls at the network perimeter is a common initial step in building out a security capability, and one that immature organizations frequently fail to do effectively.
Prior to setting up firewalls, an organization should carefully consider exactly what type of inbound and outbound traffic is necessary to conduct its operations. It should then block all other connections. Some firewalls come with pre-configured rule sets that can help with this process.
Once deployed, firewalls should do more than simply block unwanted incoming connections — they should also block unnecessary outbound connections, log all inbound and outbound connections, and potentially serve as a network intrusion detection system (IDS). Organizations with highly sensitive network segments, such as a production environment, also should consider inserting internal firewalls at the perimeter of that environment.
Firewalls are not “set it and forget it” tools. Once implemented, they require management. For instance, it is common for organizations to make exceptions to their firewall rules to allow for specific tools or functions to operate. But formal processes should exist for approving those exceptions, periodically reviewing how the exceptions in place affect the organization’s security posture, and renewing exception approvals where appropriate or closing the gaps if they are no longer required.
Firewall logs are a frequent source of information about suspicious network activity. While organizations with immature security programs may not have the tools or manpower to actively monitor firewall logs, ensuring that those logs are retained and periodically reviewed for anomalies is a good first step.
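A periodic review does not need a SIEM to be useful. The following is an added example (not code from the original post or from CrowdStrike) of three cheap checks that can be run over retained firewall logs: an external source that was blocked on many distinct ports (reconnaissance), an internal host whose outbound connection was blocked (a host trying to reach something policy forbids), and outbound traffic that was allowed on a port outside the approved egress set (the ruleset has drifted from policy, for instance through an exception nobody reviewed). The log lines are constructed in the netfilter LOG format written by iptables or nftables; the FW-DROP-IN, FW-DROP-OUT and FW-ACCEPT-OUT prefixes and the approved port list are assumptions standing in for the organization's own ruleset and policy.

```python
import re
from collections import defaultdict

# Constructed sample lines in the netfilter LOG format (iptables -j LOG / nftables `log prefix`).
# The prefixes are assumed to be set in the ruleset; addresses are documentation ranges.
SAMPLE_LOG = """\
Mar  3 10:15:01 gw kernel: FW-DROP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=41234 DPT=22 SYN
Mar  3 10:15:01 gw kernel: FW-DROP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=41235 DPT=23 SYN
Mar  3 10:15:02 gw kernel: FW-DROP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=41236 DPT=445 SYN
Mar  3 10:15:02 gw kernel: FW-DROP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=41237 DPT=3389 SYN
Mar  3 10:15:03 gw kernel: FW-DROP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=41238 DPT=8080 SYN
Mar  3 10:15:10 gw kernel: FW-DROP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=50000 DPT=443 SYN
Mar  3 10:16:00 gw kernel: FW-ACCEPT-OUT: IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=93.184.216.34 PROTO=TCP SPT=52000 DPT=443 SYN
Mar  3 10:16:05 gw kernel: FW-ACCEPT-OUT: IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=198.51.100.99 PROTO=TCP SPT=52001 DPT=4444 SYN
Mar  3 10:16:07 gw kernel: FW-DROP-OUT: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=198.51.100.99 PROTO=TCP SPT=52002 DPT=6667 SYN
"""

LINE_RE = re.compile(r"kernel: (?P<prefix>[A-Z-]+): (?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")

# Assumed egress policy: the only destination ports the outbound ACCEPT rules should permit.
APPROVED_OUTBOUND_PORTS = {"53", "80", "443"}
SCAN_THRESHOLD = 5  # distinct blocked destination ports from one source before it counts as a scan


def parse_line(line):
    """Return {'prefix': ..., 'SRC': ..., 'DST': ..., 'DPT': ...} or None for non-firewall lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix")}
    rec.update(KV_RE.findall(m.group("fields")))  # flag words such as SYN carry no '=' and are skipped
    return rec


def review(log_text, approved=APPROVED_OUTBOUND_PORTS, scan_threshold=SCAN_THRESHOLD):
    """Run the three checks; returns (kind, source, detail) tuples for a human to look at."""
    findings = []
    blocked_ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        target = f"{rec.get('DST')}:{rec.get('DPT')}"
        if rec["prefix"] == "FW-DROP-IN":
            # Many distinct blocked ports from one external source is reconnaissance.
            blocked_ports_by_src[rec["SRC"]].add(rec.get("DPT"))
        elif rec["prefix"] == "FW-DROP-OUT":
            # An internal host tried to leave on a forbidden port: look at that host.
            findings.append(("blocked-egress", rec["SRC"], target))
        elif rec["prefix"] == "FW-ACCEPT-OUT" and rec.get("DPT") not in approved:
            # Egress was allowed on a port outside policy: an unreviewed exception or stale policy.
            findings.append(("unapproved-egress", rec["SRC"], target))
    for src, ports in blocked_ports_by_src.items():
        if len(ports) >= scan_threshold:
            findings.append(("port-scan", src, f"{len(ports)} distinct ports"))
    return findings


if __name__ == "__main__":
    for kind, src, detail in review(SAMPLE_LOG):
        print(f"{kind:18} {src:15} {detail}")
```

The third check is the one that ties back to exception management: if the firewall accepts outbound traffic that the written policy does not allow, either an exception was added without being recorded or the policy document has fallen behind the ruleset, and the review is the point at which the two get reconciled.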
Create Regular Backups
Backing up files is a basic IT management practice, but one that often falls by the wayside in small organizations. Implementing a backup management system helps ensure an organization is resilient to any number of hazards, not just cyberattacks.
So long as ransomware attacks remain indiscriminate and pervasive, maintaining adequate backups is an essential security practice. Organizations with immature security capabilities and less sophisticated tools are particularly vulnerable to ransomware. While reliable backups will not prevent a ransomware outbreak, they can help ensure that such an incident is merely disruptive and not destructive. "Reliable" means at least one copy is kept offline or otherwise unwritable from the production network, since ransomware routinely encrypts or deletes any backup it can reach, and that restores are tested periodically rather than assumed to work.
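A backup is only useful if you can tell, before you need it, that it has not itself been tampered with. The following is an added example (not code from the original post or from CrowdStrike) of a minimal integrity check: a manifest of file sizes and SHA-256 hashes recorded when the backup is written, and a verification pass that classifies every difference as missing, modified or extra. The demo builds a small backup set in a temporary directory and then simulates what a ransomware run does to a reachable copy (one file encrypted in place, one renamed, a ransom note dropped). The file names and the manifest format are assumptions for illustration; the one real requirement is that the manifest be stored where the backup host cannot write to it, because a manifest kept next to the data gets rewritten by the same malware.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record every regular file under root: POSIX relative path -> size and SHA-256.
    Keep the result somewhere the backup host cannot write (offline media, a write-once
    bucket, a separate account), or it offers no protection against tampering."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return manifest


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare a backup copy with the manifest taken when it was written.
    missing  : in the manifest, no longer on disk (deleted or renamed)
    modified : present but hash differs (encrypted in place, corrupted)
    extra    : on disk, not in the manifest (ransom notes, renamed files)
    A clean copy returns three empty lists; anything else means do not restore
    from this copy without investigating first."""
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(
            f for f in manifest if f in current and current[f]["sha256"] != manifest[f]["sha256"]
        ),
        "extra": sorted(set(current) - set(manifest)),
    }


def demo() -> dict:
    """Build a tiny backup set, then simulate a ransomware run against the copy (constructed data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "plan.txt").write_bytes(b"Q3 plan\n")
        (root / "ledger.csv").write_bytes(b"id,amount\n1,10\n")
        manifest = build_manifest(root)  # what the backup job records at write time

        (root / "ledger.csv").write_bytes(os.urandom(32))                       # encrypted in place
        (root / "docs" / "plan.txt").rename(root / "docs" / "plan.txt.locked")  # renamed
        (root / "README_DECRYPT.txt").write_bytes(b"pay us\n")                  # ransom note
        return verify_backup(root, manifest)


if __name__ == "__main__":
    print(demo())
```

Run against a clean copy, `verify_backup` returns three empty lists; in the demo it reports `docs/plan.txt` missing, `ledger.csv` modified and two extra files, which is exactly the signal that this copy must not be the one you restore from.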
Free, Signature-Based Antivirus
Older signature-based antivirus has proved ineffective against advanced attacks and is losing effectiveness as even untargeted, large-scale malware becomes more sophisticated. However, no-cost operating system-integrated A/V technology can, at a minimum, typically address the low-hanging fruit. It is certainly better than nothing; particularly at the outset. Of course, modern “next generation” products such as the CrowdStrike Falcon® platform can counter attackers far more effectively and are worth the investment for organizations committed to upgrading their security.
Enable Email Security Features
Phishing remains one of the most common and effective vectors of attack. Although users will always remain a weak link in any security program, certain email security tool features can help give them a fighting chance. These features include quarantining and scanning attachments, filtering URLs contained in emails and marking emails from outside your organization as “external” in the subject line.
A few commercial email platforms have these features built in; they just need to be activated. For other email platforms, a variety of third-party email security products offer this functionality. For organizations with little other security in place, beefing up security around email is a sensible investment.
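Two of the features above are simple enough to show in code, which also makes clear what they do and do not catch. The following is an added example (not code from the original post or from CrowdStrike) that parses a message, tags the subject "[EXTERNAL]" when the sender's domain is not one of the organization's own, and pulls the links out of the body so a URL filter can judge them, here with two checks that need no reputation feed: links to a bare IP address and links whose hostname becomes one of the organization's domains once common digit-for-letter substitutions are undone. The message is a constructed phishing sample, and `example.com` as the organization's domain is an assumption.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlsplit

INTERNAL_DOMAINS = {"example.com"}  # assumed: the organization's own mail domains
URL_RE = re.compile(r"https?://[^\s<>\"']+")
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})  # digit-for-letter swaps

# Constructed phishing sample: look-alike sender domain, a bare-IP link and a look-alike link.
RAW_MESSAGE = b"""From: "IT Support" <helpdesk@examp1e.com>
To: alice@example.com
Subject: Password expiry notice
Content-Type: text/plain; charset="utf-8"

Your password expires today. Reset it at http://192.0.2.44/reset?user=alice
or https://login.examp1e.com/ within 24 hours.
"""


def _belongs_to(host: str, domains) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)


def sender_domain(msg) -> str:
    _, addr = parseaddr(str(msg["From"]))  # the address, not the display name, decides
    return addr.rpartition("@")[2].lower()


def tag_external(msg, internal=INTERNAL_DOMAINS):
    """Prefix the subject with [EXTERNAL] once, as the mail-gateway feature does."""
    subject = str(msg["Subject"] or "")
    if not _belongs_to(sender_domain(msg), internal) and not subject.startswith("[EXTERNAL]"):
        del msg["Subject"]
        msg["Subject"] = "[EXTERNAL] " + subject
    return msg


def extract_urls(msg):
    """Every http(s) link in the text parts: the input a URL filter works on."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            urls.extend(URL_RE.findall(part.get_content()))
    return urls


def url_risk(url: str, internal=INTERNAL_DOMAINS):
    """Return 'bare-ip', 'look-alike' or None. Anything a reputation feed would add is out of scope."""
    host = (urlsplit(url).hostname or "").lower()
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return "bare-ip"
    if _belongs_to(host, internal):
        return None  # genuinely one of ours
    if _belongs_to(host.translate(HOMOGLYPHS), internal):
        return "look-alike"
    return None


def analyze(raw: bytes) -> dict:
    msg = tag_external(email.message_from_bytes(raw, policy=policy.default))
    dom = sender_domain(msg)
    return {
        "subject": str(msg["Subject"]),
        "sender_domain": dom,
        "sender_lookalike": not _belongs_to(dom, INTERNAL_DOMAINS)
        and _belongs_to(dom.translate(HOMOGLYPHS), INTERNAL_DOMAINS),
        "risks": {u: url_risk(u) for u in extract_urls(msg) if url_risk(u)},
    }


if __name__ == "__main__":
    print(analyze(RAW_MESSAGE))
```

Note what the external tag is keyed on: the address in the From header, never the display name, because "IT Support" is exactly what a phisher will put there. The look-alike check is deliberately narrow (a handful of digit substitutions); real gateways add reputation data and rewrite links for click-time checks, which is why the page recommends buying that capability rather than building it.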
To be clear, adopting only the measures described above will not protect you against even a moderately skilled attacker who is determined to target your organization. But they can help keep an organization from becoming a target of opportunity. Moreover, these measures provide the basic foundation upon which to build a more mature capability in the future.
For more on how to build on this foundation, download the white paper: “Where to Invest Next: Guidance for Maturing Your Cyber Defenses.”