Would you believe me if I told you the best and most effective cybersecurity solutions are completely free?
I'm not talking about free and open source software; I'm talking about hardening the systems with what's already available and configurable.
The list of hardening possibilities is endless; I want to stay concise and infrastructure-agnostic.
There is one mantra: reduce the attack surface.
You should always ask yourself if there are ways to lock things down without breaking the functionality; sometimes sacrificing a bit of user friendliness yields massive gains in security.
What might feel like a little friction for a user is a cliff for an intruder.
This reasoning, ideally coupled with some knowledge of offensive security, can yield incredible results - really.
POLP: Principle of Least Privilege
The idea is simple: if a user or account doesn't need something, it shouldn't have access to it. When in doubt, err on the conservative side!
- That shared directory where everyone can read and write from? Restrict access to it.
- Old files should be moved to safe, permanent storage, ideally encrypted. They usually have no place in working directories.
- The CEO does NOT need Domain Admin privileges. If s/he does, read below.
- IT staff and Admins should have two accounts: one for inspecting (read-only) and another for acting (read/write). With different credentials!
- Check privileges inherited from groups. I’ve found multiple new employee accounts one click away from Domain Admin!
- Never, ever give users Local Administrator privileges. EVER!
- Limit authentication methods to what’s actually required, not potentially useful.
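The nested-group problem from the list above (an ordinary account that is a member of a group that is a member of a group that is in Domain Admins) is easy to miss by eye and easy to find by walking the membership graph. Here is an added example, not from the original post, that does exactly that over a constructed membership table; group and user names are hypothetical, and in a real domain you would feed it the output of your directory's group-membership export instead.

```python
"""Find accounts that reach a privileged group through nested group membership.

Added example (not from the original post): the membership table below is
constructed for illustration, not exported from any real domain.
"""
from collections import deque

# Constructed membership table: group -> its direct members (users or groups).
# Group names are hypothetical; "Domain Admins" is the group the post refers to.
MEMBERSHIP = {
    "Domain Admins": {"alice", "Server Operators"},
    "Server Operators": {"bob", "Helpdesk Tier2"},
    "Helpdesk Tier2": {"carol", "New Starters"},
    "New Starters": {"dave", "erin"},
    "HR": {"karen"},
}


def effective_members(group, membership=MEMBERSHIP):
    """Return {user: path} for every user who is transitively a member of `group`.

    `path` is the chain of groups from `group` down to the one that directly
    contains the user, so an admin can see which nesting grants the privilege.
    """
    found = {}
    queue = deque([(group, [group])])
    visited = {group}
    while queue:
        current, path = queue.popleft()
        for member in membership.get(current, ()):
            if member in membership:                 # member is itself a group
                if member not in visited:            # guard against circular nesting
                    visited.add(member)
                    queue.append((member, path + [member]))
            elif member not in found:                # member is a user
                found[member] = path
    return found


def unexpected_admins(group, approved, membership=MEMBERSHIP):
    """Users who are effective members of `group` but are not on the approved list."""
    return {user: path
            for user, path in effective_members(group, membership).items()
            if user not in approved}


if __name__ == "__main__":
    # Only alice is meant to be a Domain Admin; everyone else is an inherited surprise.
    for user, path in sorted(unexpected_admins("Domain Admins", {"alice"}).items()):
        print(f"{user}: {' -> '.join(path)}")
```

Run it periodically against a fresh export and diff the result against the approved list; a new name appearing in the output is exactly the "one click away from Domain Admin" case, and the printed path tells you which group nesting to cut.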
Whitelist execution privileges
This could’ve been on the previous list, but it’s so impactful it deserves its own chapter.
Ask yourself: if Karen from HR only needs Office 365 and Chrome to do her job, why does she have Candy Crush installed?
By allowing only an explicit and conservative list of software to run on the workstation, you can completely eliminate all malware-associated risks.
All malware has to be executed to do harm. You could have terabytes of malicious code on a machine and it would be as dangerous as a .txt file if it cannot run.
Also make sure Office Macros are disabled and cannot be enabled by the user.
This policy alone improves the security to very high levels.
With what you can save on Endpoint Detection from this policy alone you can buy Karen a dedicated laptop for Candy Crush, just make sure to…
Segment the Network
Divide the network into separate segments; there's not a single reason all endpoints should reside in the same subnet.
The first and most important candidate for segmentation is the Operational Technology network. No, the CNC machine running on Windows 95 shouldn't be on the same subnet as HR.
Bringing the smartphone to work and having wifi access is perfectly legitimate, but the phone should connect to a different network entirely, not touching any of the company assets.
This has to be strongly enforced with proper Network Access Control with whitelisting.
Fine-tune the Firewall
Firewalls, unlike Antiviruses, are near-impossible to bypass. A "smart" system can be deceived; one that stubbornly says "You can't connect to 1.2.3.4. Period" won't be fooled.
If workstations A, B and C only need access to an SMB share and to the Domain Controller, why should they be able to talk to each other? Implement firewall rules that use a whitelist approach to the necessary servers and deny all the rest by default.
This negates most if not all Man-in-the-Middle attacks.
It’s also useful to limit outbound connections to the bare minimum.
Backup properly
Backup servers are not replicas of file servers. Backup shouldn’t be treated as a simple copy.
A proper backup should be immutable and completely locked from access, even from Domain Admins.
Everyone stresses over the 3-2-1 rule and the need to test backups - true - yet no one seems to care that the backups are writable, and is shocked when they get encrypted as well by a ransomware attack.
There's a huge difference between an incident and a threat. An attacker will hunt your backups down.
Make them immutable and avoid giving access to any other host. It's the backup server that should actively connect and pull the backups, not the other way around. DO NOT join the backup server to the Domain.
Prepare playbooks, inventories and policies
You should be aware of any piece of technology in the infrastructure and have plans ready to use in case of disaster.
They don't have to be extremely complex and detailed; you just have to be able to react quickly.
A simple, well-crafted firewall rule that blocks all outbound traffic with pre-built exceptions can stop an attack immediately without causing massive disruption; it just has to be ready before the emergency!
It's also very important to define restrictive rules for the use of the company's assets.
Play Wargames
Train your brain to always ask “what if” and play hypothetical breach scenarios.
What if this asset is compromised and under full control of an adversary? What can they see? Where can they pivot to?
This teaches you to see the network/infrastructure as a tactical battle map and helps to identify paths and chokepoints that should then be further assessed to harden the security.
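The firewall whitelist from the "Fine-tune the Firewall" section and the "what if this asset is compromised, where can they pivot to?" question above are two sides of the same exercise, so here is one added example (not from the original post) that models both: a default-deny rule set expressed purely as allow rules, and a worst-case pivot map that assumes every host reachable over an allowed flow becomes compromised in turn. Hostnames, addresses, subnets and the rules themselves are constructed for illustration; the flat "everything talks to everything" rule set is included only to show the difference in blast radius.

```python
"""Default-deny firewall model plus a 'what if host X is compromised' pivot map.

Added example (not from the original post). Hosts, IPs, subnets and rules
below are constructed for illustration; real rules would come from the
firewall policy of the environment being assessed.
"""
from collections import deque
import ipaddress

# Constructed inventory: hostname -> IP address.
HOSTS = {
    "ws-a": "10.0.10.11", "ws-b": "10.0.10.12", "ws-c": "10.0.10.13",
    "dc01": "10.0.20.5", "files01": "10.0.20.6", "backup01": "10.0.30.9",
}

# Whitelist approach: only allow rules exist, as (source net, dest net, dest port).
# Anything not matched by a rule is denied by default.
ALLOW_RULES = [
    ("10.0.10.0/24", "10.0.20.5/32", 88),   # workstations -> DC (Kerberos)
    ("10.0.10.0/24", "10.0.20.5/32", 389),  # workstations -> DC (LDAP)
    ("10.0.10.0/24", "10.0.20.6/32", 445),  # workstations -> file server (SMB)
    ("10.0.30.9/32", "10.0.20.6/32", 445),  # backup server pulls from the file server
]

# The anti-pattern for comparison: one flat subnet where everyone can talk SMB to everyone.
FLAT_RULES = [("10.0.0.0/8", "10.0.0.0/8", 445)]


def allowed(src_ip, dst_ip, port, rules=ALLOW_RULES):
    """True if some allow rule matches the flow; no match means deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(port == rule_port
               and src in ipaddress.ip_network(src_net)
               and dst in ipaddress.ip_network(dst_net)
               for src_net, dst_net, rule_port in rules)


def pivot_map(start, hosts=HOSTS, rules=ALLOW_RULES):
    """Worst-case reachability from a compromised host.

    Assumes every host that can be reached over an allowed flow is also
    compromised, and keeps asking where it can connect next. Returns
    {reached host: [start, ..., reached host]} so the path is visible.
    """
    ports = sorted({rule_port for _, _, rule_port in rules})
    reached = {}
    visited = {start}
    queue = deque([(start, [start])])
    while queue:
        current, path = queue.popleft()
        for name, ip in hosts.items():
            if name in visited:
                continue
            if any(allowed(hosts[current], ip, port, rules) for port in ports):
                visited.add(name)
                reached[name] = path + [name]
                queue.append((name, path + [name]))
    return reached


if __name__ == "__main__":
    for label, rules in (("whitelist", ALLOW_RULES), ("flat subnet", FLAT_RULES)):
        print(f"[{label}] if ws-a is compromised, an adversary can reach:")
        for name, path in pivot_map("ws-a", rules=rules).items():
            print(f"  {name}: {' -> '.join(path)}")
```

With the whitelist the pivot map from a workstation stops at the two servers it legitimately needs, the other workstations are unreachable (no workstation-to-workstation rule exists, which is what kills the man-in-the-middle and lateral-movement paths), and the backup server never appears because no rule has it as a destination. Swap in the flat rule set and the same compromised workstation reaches every host, backups included.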
Whitelist, whitelist, whitelist.
Access has to be consciously granted, the default is deny. In short, fully embrace the Zero-Trust Principle.
I’m fully aware this takes time and work, but the improvement on security cannot be overstated.
For a typical SMB internal IT infrastructure, without significant internet-facing assets (that's another story), these changes yield incredible results.