During my career as a consultant and at my current employer working in Information Technology (IT), the focus on being more secure has been placed on finding the latest widget or new service with the idea you are now secure. I also have seen vendors promise that the latest tool or service they are pitching is the holy grail and you need nothing else. That is a big fat lie or let's call it "Marketing Fluff". It is all a false sense of security and you should focus on the basics before concerning yourself with any advanced security technology. This part of a one or two month long weekend blog series I am going to write. I am going to provide one or two tips a weekend that are practical and import tenants when designing and Information Technology Cyber Security program. My goal is to provide some basic advice that are overlooked and can provide a immediate impact to make you more secure.
What do I mean by Basics?
The basics, which some refer to as blocking and tackling, are really just that, basics. It is not implementing some new fancy Endpoint Detection and Response (EDR) or fancy outsourced managed security Managed Security Service Provider (MSSP), both of those are part of the solution. If you don't have what I call the basic's and you are purchasing these services, I would say you have not reduced your risk. Your risks might even be higher due to the false sense of security.
Security Basic's Part One
The genesis of this blog post was an IT security conference I attended. One of the sessions at that conference focused on IT Security basic's and leveraging some of you existing technology and building on/leveraging that technology. If you look at the ransomware attacks and security breachs that have hit large company's, many if not most are due to mis-configurations or not focusing/seeing some of the basic's. I also have seen misplaced faith in MSSP's that was not up to par. I have also have seen many managed services providers who are more interested in the monthly recurring revenue than doing the right thing. Why would an MSSP do that? It is expensive to remediate the basics and if you don't review the contract you sign (most people don't) they have an out clause.
Review Contracts Before Signing Them and Engage Your General Counsel's Office
Which brings me to my first important point. You need to have a good working relationship with your general counsels office or attorney. They are experts at contracts and can help you make sure you have the proper protections and liabilities in place. If the MSSP causes a breach, you will want to make sure they can cover it. One of the items I typically see in contact language that should be addressed is the amount of damage a company will cover if they cause a breach or in an MSSP's case miss a breach. The common amount is three times what you pay annually for the vendors in fees or the value of the contract. I can tell you, depending upon the service and what level of access they have to your network/data, that is not good enough. Why?, the cost of reporting and remediating a breach is going to cost way more then 3 times what you pay the vendor annually.
I am not an attorney, so consult with one first. Don't rely on any legal advice in this blog post. It should be based on costs related to the incident up to the coverage of the vendors Cybersecurity Insurance Policy. Another tip, make sure they have Cybersecurity Insurance with the proper amount of coverage and reivew amount they cover per incident. I have had two very good mentors at my current employer that have taught me what to look for and help review and mark up contracts before signing them. I want to thank them both (you know who you are) for the help and for teaching me what to look for. I have many people tell me that legal holds us up or they speak negatively about the general counsel's office. Don't do that, they are there to protect you and your business. If you do happen to have a breach or cybersecurity incident, the advice they provide can save your butt from mistakes and additional expense. Once you know what you are looking for, you can see good contracts vs bad contracts and start figuring out which vendors have their stuff together and which ones don't. To summarize, get to know you general counsel or attorney and make sure you engage them in reviewing your contracts. Also start asking them what to look for. They are like most of us these days, overworked and if you can preform a basic review and highlight your concerns, they will appreciate it.
Finally, if you need an attorney who specializes in this sort of Law, I just might happen to know a few good attorney's and I can refer you to a expert.
IT Security Basic's Tip Number - Reduce/Remove Administrative Rights And Follow The Practice Of Least Privilege and rename default accounts
This is very basic and is IT security 101. I am amazed at the amount of networks/systems I have seen that do not have these basic's implemented. You have the latest wiz bang EDR, have MSSP monitoring have the latest and greatest next generation firewall's. If you did not implemented these basics, it is like having security camera's and alarm service that send the police if the alarm is triggered, but you leave the front door unlocked and the alarm is disabled so someone can walk right in.
You do not need to be an administrator and your users should not be an administrator on your workstations. Create a separate account for your administrative needs with a unique password. This account should be a pass-phrase that is at least 15 preferable 20 characters or longer. If you have administrative rights to your and all machines, it makes it very easy for an attacker to move laterally quickly in your network. It makes you and easy target to compromise.
If your a Windows Active Directory Domain Administrator and you use that account as your everyday account on your machine, stop right now and remove those rights. You need very few rights that require Domain Administrator rights. In fact, I would create a third account that is only used for Domain Administration and limit what systems you log on to that account with. Why do you want to limit what machine's this account logs into? Most windows machines have password caching enabled, which means that the password is left on the machine in hash. Attackers can grab the hash and crack your password. That is why it is important to limit the machines you log on to with Doman Administrative rights. (Yes, solutions such as privileged access management exists that can also address this issue, but if you are reading this and are going to implement this suggestion, I highly doubt you have this in place.)
If you have routers/switches/Firewalls/Printers, change the default username and password on these devices. Better yet, implement radius and leverage your Active Directory administrative account. Create a password vault and put the system username/password in a vault. Only use the system account for emergency purposes.
You should be auditing your privileged or evaluated accounts and groups on a yearly, if not a quarterly basis. This will ensure you do not have stale accounts in those groups. Auditing those grouips might alert you to the fact that someone might be in the network have has evaluated privilege's.
Finally, leverage a technology such as Windows Local Administrator Password Solution LAPS. LAPS will make the local Administrative password on each of your Windows domain machines unique. You can also rotate the password for that local administrative account every 30 to 60 days. This helps prevents lateral movement if an attacker happens to compromise a system.
This is a security basic that I think most do not do a good job on. This should be a security basic that shoule be an easy and repeatable process once you have a established patch management program in place. This is also a core tenant to a well designed and well ran Information Security Program.
The first recommendation I have is write up a procedure/policy defining your patch cycle. What I mean by that is if a critical patch is released, but is not being actively exploited, how fast are you going to patch that system? Define your patching timeline for Critical, High, Medium and Low security vulnerabilities. If you have system that is difficult to patch, make sure you have compensating controls, in place. These controls can be blocking internet access to that machine or putting an agent on that virtually patches that machine.
Now that you have your vulnerability management policy in place, you will need some sort of tool to identify your vulnerabilities. You have a majority of tools, (Nessus, Qualys, Rapid 7 are a few of many) that can scan your network and find vulnerabilities. Make sure you are performing an authenticated scan. Why is that important? An authenticated scan will log into machines and have the rights to check and find additional vulnerabilities that an unauthenticated scan will not find. Once you have that list, review that list and prioritize the critical and high vulnerabilities. Not all critical and high vulnerabilities are created equal, focus on the vulnerabilities that have active exploits. If you have a switch/router that has a vulnerable operating system, but you have disabled the feature that contains the vulnerability. You have effectively remediated that issue and the system is not vulnerable. You should still patch theu vulnerability at some point.
Now that you have a timeline, you need to leverage a tool to patch your systems. Depending upon the size and tools/technology you have in place, you should automate your patching as best you can. Windows machines should be placed on a patch cycle, controlled by SCCM or Intune or a group policy or a third party patching tool. To be safe, I would recommend waiting at least 2 weeks after patch Tuesday before rolling out patches. This will help you avoid a bad patch. If you are a large enough shop, put the patches on your test servers. Make sure you apply Windows updates monthly. Microsoft does release bad patches and have released a patches lately that have been terrible, so make sure you review the patch notes and forums before deploying a patch.
You will also need to address patching third party software such as web browsers, Adobe and line of business applications. You can leverage your patching software to do this duty. If that is not available to you then you need to hand patch the system that contain the vulnerable software. I see many fail at this step. They have patched all of the Windows operating system vulnerabilities, but they don't review third party software vulnerabilities. Third party softeare can be vulnerable and also needs to be addressed.
Network infrastructure should also be defined in the patching policy. Most of this gear does not need monthly patching and really only needs to be patched if a vulnerability is discovered, If a vulnerability is discovered and you are not using the feature that is vulnerable, you can disable that feature and be secure . You should still patch the system, but is it not critical anymore and does not need immediate attention.
I take a different approach with network firewalls, those should be updated at least once if not twice a year. Code upgrades generally provide new features and bug fixes that might not be vulnerability related, but it is important to apply. If you have a lab/test firewall, put the code on that device first. This will allow you to test to ensure the firewall is not going to affect your production environment.
Don't forget about printers, environmental monitoring system, UPS/AC Unit management cards and camera's. They all contain firmware that is vulnerable and need to be added to your patch management strategy.
Make sure you have a well defined policy/procedure and create a process around that procedure. Make sure you purchase a vulnerability scanner to make sure you have a good picture of all of your vulnerabilities and create a priority list based the criticality of the vulnerabilities discovered. If your vulnerability list is large, focus on vulnerabilities that are being actively exploited or are easily exploited. All vulnerabilities are not created equal and you will never have everything patched. Focus your efforts on patches that are being actively exploited, once you have those addressed move on to the next critical patch. Eventually you will get caught up and be in a good place to address patches in a much quicker fashion. If you have a vulnerability , but you have a compensating control in place. The patch can be delayed, especially if you have more critical patches you need to focus on. Do not run your self ragged every time you see a vulnerability. The vulnerability more than likley does not need to be patched right away and can wait until your next patch cycle,
Both of these recommendations are basic and security 101. If you don't follow the practice of least privilege and your don't have a defined patch management program in place. Your information security program will suffer and possible fail. Before you concern yourself with the latest tools, gadget's and strategy's, focus on these basic's. Your network will be hardened and it will be much more difficult to compromise. These are foundational pieces for any well designed Information Security program. I hope you found this post useful and check out my blog next weekend when I will post part 2 of Information Technology Cyber Security Program Basics.