By Harman Singh, managing consultant at Cyphere, who will speak at our ‘COVID-19 Threat Actors’ virtual event next week
Cybersecurity is no longer workable with a ‘tick in the box’ approach: a proactive approach is needed to determine and mitigate risk.
An SME business in the housing market, for example, may not have the same risk appetite as a top bank.
The excuse “my computer has no top-secret data” doesn’t wash any more. Gone are the days when only a handful of systems used to hold sensitive data in a separate environment.
So how can you improve your business’ cybersecurity posture?
Endpoint Protection
Endpoint refers to end-user systems or devices such as laptops, desktops/workstations and mobile devices. These endpoints serve as an entry point to an organisation. From an attacker’s point of view, this serves as an attractive opportunity. For instance, an attacker who successfully gains access to a staff system is often due to weakness exploited on the endpoint system. For example, a threat actor successfully establishing a connection with a staff computer due to phishing attack (or another form of attack) is due to malicious code bypassing the endpoint controls. Therefore, the security of entry points is important by utilising antivirus or anti-malware solutions that detect suspicious activity and deter such attempts. Additionally, after implementation, it is important to ensure full system-wide scans are performed periodically along with regular vendor updates.
Tip: Ensure that regular anti-malware/antivirus scans and backups are scheduled. Most of the big vendors perform automatic updates, ensure that settings are configured.
Network Segmentation
It is the most underrated control in the cyber security domain. Just like a submarine structure, you need to ensure there are different compartments within your organisations. In case a cyber attack has led to the compromise of a system or segment of the network, an attacker will not have immediate access to the entire organisation. This may lead to limited impact, containment or detection of intrusion activity based on the incident scope.
Tip: Always keep business-critical assets and important servers in a separate network segment with restricted access.
Principle of Least Privilege
Apply the rule of least privilege. This concept relates to the implementation of privileges on the need to know basis. This tip ensures that multiple tangible and intangible benefits are delivered across the organisation. In case of a system compromise, threat actors shall face increased resistance to escalate their privileges. Any requirements related to compliance, framework or standards would be a breeze. There are several tools and tactics: Privilege Access Management, Network segmentation, Separation of Privilege and Systems Hardening.
Tip: Start with separate accounts for privileged users. For example, Chris, who is a database administrator, should have one corporate account (for routine tasks such as email, intranet, timesheets, etc) and one production account (for privileged tasks as part of his role) with different password policy restrictions.
Secure Internet Access
Internet is the backbone of any business. Since the rise of remote working during and post Covid-19, this is even more important in our lives. Ensure that a restricted internet use policy for employees is served via emails, meetings and contracts (where needed). If there is a web proxy, filter or internet traffic access solution in place, order an immediate review to ensure it is serving the intended purpose. If there is no such software in place, purchase internet filtering solutions.
Tip: Remove unrestricted internet access from servers with exceptions to services needing internet access.
Passwords
It is a common myth that the use of facial or biometric authentication means you can keep an easy password because that won’t be used. It is important to use non-dictionary, difficult to guess, multi-character set based password. Change default passwords on all equipment such as network devices, printers, scanners, security devices. If possible, try to mandate the use of password manager software in your organisation.
Tip: Start with password managers, enforce strict password policies and add a list of blocked passwords to active directory.
Multi-factor Authentication
Multi-factor authentication includes the use of two or more methods of authentication (for example, a user password and a one-time code). Implement multi-factor authentication on all your devices and internet-facing portals. At times, employees’ credentials could be compromised without any cyber attack activity linked to your organisation. This technique, known as credential stuffing, is a type of cyber attack where stolen account credentials from one service are used to gain unauthorised access to other accounts on the internet. For instance, your work email accounts get hacked due to your selection of same password being used on your email account (assuming this got compromised). A threat actor got your stolen credentials from leaked database online (forums, dark web, etc places) and researched more information on you, attempting the same password against your email (email = username) account.
Tip: The majority of the service providers offer two-factor authentication. If this is not an option, look for alternatives such as passwordless authentication or two-factor authentication modules such as Duo, Authy, Okta, etc.
Secure Configuration
Secure configuration is important for all systems used within or outside the organisation. This includes mobile device management solution to control mobile devices, operating system hardened images used as a secure operating system base for desktops and servers and secure hardening based network equipment configurations. CIS benchmarks are a great start to prepare internal checklists that cover patch management, system hardening, services configuration and many other areas. In case of your mission-critical assets such as revenue-generating website, opt for a penetration test at the least once a year or after any major changes. This would pick up on the various cyber attacks that target retail or your business-specific websites, infrastructure.
Tip: Add security benchmarks as an extension to your IT team’s OS build checklist. Ensure that sign-off from the security point of contact is a mandatory part of the process before any build is released into the production environment.
Secure and Regular Backups
Backups are an essential part of your cyber security strategy. In case of a cyberattack, data could be either compromised or deleted. Given the SMB businesses lacking strict processes and procedures, there is a large amount of data on staff laptops and mobile devices (tablets, phones). Ensure that a secure and regular backup policy is in place. This includes utilising a backup solution that allows automatic ability to schedule backups. Use the cloud. Modern devices and services offer easy cloud-based backups. This offers multiple benefits such as backup schedule configuration, secure storage and easy restores accessible from anywhere.
Tip: Irrespective of the backup solution you opt for – don’t forget to test the backup restore.
User Education
Your employees could be your strongest or weakest link in cybersecurity, it all depends upon your cybersecurity strategy. Regular thorough training must be an investment to deliver a baseline of knowledge for all employees. This would mark a shift in company culture with time, ensuring an overall boost for a proactive approach towards cybersecurity. Ensure that staff don’t browse the web or check emails from servers or using administrative privileges. This will reduce the impact of attacks in the event user details are stolen.
Tip: In case of a solution, ensure that it’s simple, quick to use and helps users who are the least tech-savvy. If you are using Office 365, add this button “Enable the Report Message add-in” to Outlook clients that helps users report messages with a single click.
Secure Wireless Networks
If your business uses wireless network, corporate or staff network must be segregated from guest (visitor) network or vice versa. It is important to ensure this segregation is strictly implemented on both the networks to keep trusted and untrusted users separate. For corporate wireless networks, certificate-based authentication is the recommended authentication mechanism. This ensures user and connecting device identities are validated and cannot be spoofed. Implement a captive portal to manage guest network access for visitors.
Tip: We have observed with several organisations, backend infrastructure is shared for guest networks. Ensure that it is a totally separate internet route offering no connectivity with the corporate environment. A captive portal is an efficient way of user management (with approvals) ensuring security and usability aspects remain balanced.