Fixing A Hole Where The Cybercrime Gets In
Security doesn't have to be a massive financial hardship. In fact, there are a great number of things that can be done in your organization to make systems and applications more secure. This post outlines some of the most helpful that can be used to make your organization more secure.
Note: This is the second in a series of articles focusing on practical steps that can be taken to increase your organization's IT security posture. Part 1 of this series looks at general security philosophy.
Part 1 is available here.
One Last Piece Of Philosophy
Looking at the items below you'll see a lot of things that you can do to make your organization more secure, and you may be thinking to yourself, "Which one should I choose?" The short answer is "as many of them as you can." There is a concept in IT Security known as 'Defense in Depth,' and it basically means overlapping layers of security. Think about it like you're driving your car. Sure you are wearing your seatbelt (and you ARE wearing a seatbelt, right?), but if you're driving a modern car, you also have an airbag. This may seem redundant, but the airbag in conjunction with the seatbelt will keep you more secure than either safety mechanism will alone. Same thing with IT security.
Ok, NOW on to the tactical items:
Protect Your User Accounts At Login
Implement Strong Passwords (Cost: None)
Require strong passwords for all users and make sure they are changed when necessary. This doesn't have to be on a schedule. The trouble with mandatory password changes is that users will inevitably pick weak passwords, because they know they will have to change them again soon. Better to
- Encourage users to use a password manager, and
- Check username/password combinations for compromise.
Checking for compromise can be done in a number of different ways. The website https://haveibeenpwned.com can be used by anyone to check their own information. Additionally many password managers have a built-in feature that checks stored usernames against known breaches, and recommends changes. This can also be done directly from browsers, if you're using a browser for password management.
Account compromise detection and alerting can usually also be done automatically at the Enterprise IAM level (Active Directory, for example); the functionality will vary by provider. This will not be free, but if you are handy with shell scripts, you can do it directly by downloading, and testing against, freely available breach information.
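As an added example (not part of the original post), the script below checks a password against Have I Been Pwned's Pwned Passwords range API using its k-anonymity model: only the first five hex characters of the password's SHA-1 leave the machine, and the match is done locally. The sample range response and its counts are constructed for the example; the live lookup function is included but only the offline check runs by default.

```python
import hashlib
import urllib.request

# Constructed sample of a Pwned Passwords range response for prefix 5BAA6.
# Real responses list every known suffix for the prefix, one "SUFFIX:COUNT" per line;
# the suffixes other than the one for "password" and all counts are made up here.
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:42
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1
"""

def sha1_prefix_suffix(password):
    """Split the uppercase SHA-1 hex of a password into the 5-char prefix sent to
    the service and the 35-char suffix kept locally (k-anonymity range query)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix, range_response):
    """Return how often a suffix appears in a range response body, 0 if absent."""
    for line in range_response.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix.upper():
            return int(count)
    return 0

def breach_count_offline(password, range_response=SAMPLE_RANGE_RESPONSE):
    """Offline check against an already-downloaded range body."""
    _, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, range_response)

def fetch_range(prefix, timeout=10):
    """Download the range body for a prefix from api.pwnedpasswords.com.
    Only the 5-character prefix is sent; the full hash never leaves the machine."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "breach-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")

def breach_count_online(password):
    """Live check: fetch the range for this password's prefix and look up its suffix."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch_range(prefix))

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count_offline(pw)
        print(f"{pw!r}: {n} occurrences in sample range" + (", reject" if n else ""))
```

A password whose count is non-zero should be rejected at set time, which is the check the password managers mentioned above perform for you.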
Require MFA (Cost: None)
Multi-Factor Authentication is the best protection against weak passwords. It in effect requires you to have two passwords: one that is static and used in combination with your username, and one that is dynamic and based on a temporary code. And MFA applications are free from a lot of reliable vendors. Here is an example from Google that shows how to use MFA with your Google account and Google Authenticator. Once you do this, you will be able to use Google Authenticator for any number of other login use cases.
(Note that some applications out there only use text-message based MFA. This is not ideal. It's better than not using MFA, but if you can use an authentication app like Google Authenticator or Authy, you should.)
Using MFA is considered a best practice in IT security. As such, in most cases, MFA is free to enable for the business applications you use. Consider using a different application if it isn't.
Protect Your Systems
Encrypt Your Data (Cost: None)
Encrypt. Everything. Encrypt devices, encrypt backups, encrypt hard drives. Encryption adds complexity (and encryption keys that need to be managed), but it makes it significantly harder for attackers to access any data they may get offsite in some way or other. If they can't read it, they can't sell it.
Whole disk encryption is available from manufacturers for no additional cost, and just about every modern laptop supports it. Here is a Microsoft FAQ about their encryption tool called BitLocker. (And just for linuxy variety, here is the Ubuntu tutorial to enable Full Disk Encryption.) There are Enterprise solutions that mandate BitLocker (more on those kinds of technology policies later), but this is a feature that can, and should, be enabled on an individual basis, for both personal and company-owned devices.
Disable User Access To Administrator Accounts (Cost: None)
One of the best things you can do to secure a laptop/desktop is disable the built-in Administrator account. Oftentimes malware relies on having elevated permissions in order to further infect the PC. Once a PC is set up with user accounts, the Administrator account should not be needed at all unless changes are required. This is such a known issue that it is even referenced while a user goes through the manual Windows 10/11 installation process. It's important for individual users and doubly important for company-owned devices, where customization is even less of a need.
Use Antivirus/Antimalware (Cost: None)
It's essential to have an Antivirus/Antimalware solution on all your Windows systems. Even Microsoft accepts this, to the extent that Windows 10/11 comes free with access to Microsoft Defender Antivirus. This is an increasingly good product at an excellent price point. There are a number of other very capable products in the market, but since we are focusing on cost sensitivity, Defender has a clear advantage.
(Note: If you are using a third-party Antivirus package, Defender Antivirus should be disabled. Running two Antivirus packages simultaneously is a bad idea.)
Bonus Security Tip: A lot of cybercrime relies on invisible execution of downloaded malware. To help defend against this kind of attack you can remove the execute permission from the Downloads folder. This would require a user to intentionally move downloaded packages out of that default folder in order to run them. An unintentional download simply would not be able to execute automatically, even if it did make it past the Antivirus software. The failure to launch could be an alert to the user that something isn't right. (Note: To be fair, Windows 10 did begin implementing some blocks to the running of unsigned (i.e., non-Microsoft approved) executables with its "SmartScreen" feature. This protection is a good start, but it's also a half measure that users can just ignore and click past. YMMV on whether it's necessary to block any executable from running in the Downloads folder under any circumstances, but it's worth considering.)
(Another Note: There is an advanced part of the endpoint protection market that takes a step beyond just Antivirus. This is called EDR (for 'Enhanced Detection and Response'), and there is another Microsoft Defender product that does this; however, it is not free. Details about some of the non-free solutions Microsoft provides are available here.)
Patch Your Systems (Cost: None)
Every major operating system puts out regular patches of two varieties: Feature Enhancing, and Security. Feature Enhancing could be major or minor version upgrades. These should be considered 'nice to have,' and you should definitely try to keep your systems as current as possible. Security patches should be considered essential.
It is true that sometimes patches can actually cause problems, but this is increasingly rare. When it does happen, it's almost always because of Feature Enhancing patches. It's a good idea to test patches before deploying them widely, but testing should be done quickly. What can't happen is systems never being patched because there is a fear that it will cause a down state.
Consider doing staged (delayed) patch deployment for Feature Enhancing, and immediate, automatic deployment of Security patches.
Protect Your Network (Cost: None)
Utilize the network devices that you already own and use in order to protect your traffic to the maximum. One great place to start is to disable all incoming network traffic. You should not have servers running from inside your network that can be accessed from the outside. Only security devices (or servers built specifically for this purpose, and with security in mind) like VPNs and Application Gateways should receive traffic from the internet. This too can be done for zero to little money with open source software packages and an old PC you have lying around.
This does fall under the rule outlined above, but it's important to call out RDP specifically. RDP is well known as an absolute sieve when it comes to security. RDP allows far too many additional avenues of attack once a breach has occurred, and breaches are sadly far too common for RDP deployments that are not precisely configured and kept current with version and security patches. Configure your network devices to disallow RDP traffic entirely if possible, and definitely from the internet.
If your team needs to use it, enforce the use of access control lists, limited to only IPs that absolutely need it. And even in this case, never allow server-to-server RDP.
Segment Your Network (Cost: Some)
The way you set up your network can be a security feature. Network segmentation simply means that different kinds of traffic shouldn't be able to commingle unless it goes through a centralized server or network device like a router. The opposite of a 'segmented' network is a 'flat' network. Whereas a flat network would enable an infected server to easily reach out to every other computer in the organization (aka 'move laterally'), a segmented approach would cause that traffic to stop at the internal gatekeepers.
Depending on the network hardware you own this might be free, or you might have to make a purchase of a different network switch/router. Consult a networking professional on how best to approach this, but network segmentation is a core feature of all enterprise network gear and should not be a driver of significant cost increases.
Monitor Everything You Can (Cost: None)
Once you have your systems and networks set up, it is essential to monitor them. Keeping up with this information is essential to both security and organizational performance. Monitor your systems for signs of attack, yes, but also monitor user logins, system uptime and performance... basically everything that you can. Monitoring is an interesting topic that can get quite complex (and expensive), but it doesn't have to be, especially when you are starting out. Luckily, high-quality free products abound in this space. (And, luckily or otherwise, every single technologist you talk to will have a favorite tool to recommend.)
Regularly Back Up Your Data (Cost: Some)
This one is controversial. There are people (people who are wrong) who do not believe that backups are a part of security.
The conventional definition of a 'backup' would read something like "Process by which you protect your data from accidental loss or damage." Which is true enough, but the definition could be extended to mark backups as "the last-gasp kind of protection to keep your organization operational in the event of a catastrophic failure." This is a cost: backups will take up space, at an absolute minimum. However, this is a cost of doing business. There are ways to minimize costs while maximizing protection, though.
One common backup rule to follow is known as the '3-2-1' rule. In short this means three separate copies of your data (one in production, and two backup copies), stored on two separate types of media, of which one is stored offsite. A simple way to adhere to the 3-2-1 rule would be to have an offline backup copy of your production data stored in the cloud.
This combination is the most cost-effective way of protecting against the most onerous consequences of a catastrophic failure.
Test Your Backups Regularly (Cost: None)
Now this one is free. A backup is only as good as its last successful test. A 2021 report from Veeam stated that 58% of backups fail. (You don't want to know what they had to say about data that never gets backed up at all, but I bet you can guess that it isn't good.)
And frankly, you have already spent the time and effort (and probably money) setting up a backup solution. It makes sense to test it, regularly.
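As an added example (not part of the original post), here is the shape of an automated restore test in Python: each backup records a manifest of file hashes, and the test restores the archive into a scratch directory and compares every file to that manifest, so a silently failed or incomplete backup is reported rather than discovered during an outage. The sample files, archive names and manifest format are constructed for the example.

```python
import hashlib, json, os, tarfile, tempfile
def file_sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def make_backup(source_dir, archive_path, manifest_path):
    """Archive every file by relative path and record its SHA-256 in a manifest."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _, files in os.walk(source_dir):
            for name in files:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, source_dir)
                manifest[rel] = file_sha256(full)
                tar.add(full, arcname=rel)
    with open(manifest_path, "w") as f:
        json.dump(manifest, f)
    return manifest

def verify_restore(archive_path, manifest_path):
    """Restore to a scratch dir; return {relpath: 'missing'|'hash mismatch'} (empty = pass)."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    problems = {}
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(archive_path, "r:gz") as tar:
            extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}  # safe extraction where available
            tar.extractall(restore_dir, **extra)
        for rel, expected in manifest.items():
            restored = os.path.join(restore_dir, rel)
            if not os.path.isfile(restored):
                problems[rel] = "missing"
            elif file_sha256(restored) != expected:
                problems[rel] = "hash mismatch"
    return problems

def run_demo():
    """Constructed data: a clean backup passes; one taken after a file changed and another was deleted is caught."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "data"); os.makedirs(os.path.join(src, "notes"))
        with open(os.path.join(src, "ledger.csv"), "w") as f: f.write("id,amount\n1,100\n")
        with open(os.path.join(src, "notes", "todo.txt"), "w") as f: f.write("rotate keys\n")
        good, manifest = os.path.join(work, "good.tgz"), os.path.join(work, "manifest.json")
        make_backup(src, good, manifest)
        clean = verify_restore(good, manifest)
        with open(os.path.join(src, "ledger.csv"), "a") as f: f.write("2,999\n")
        os.remove(os.path.join(src, "notes", "todo.txt"))
        make_backup(src, os.path.join(work, "bad.tgz"), os.path.join(work, "manifest-later.json"))
        return clean, verify_restore(os.path.join(work, "bad.tgz"), manifest)
```

Run `run_demo()` on a schedule against a real archive and its manifest, and treat a non-empty result (or any exception while extracting) as a failed backup that needs attention.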