It’s Cybersecurity Awareness Month! In honor of the theme — Do Your Part. #BeCyberSmart — we’re doing our part by educating IT teams and organizations on protecting themselves. Throughout October, the JumpCloud blog will focus on top cybersecurity issues, from IT admin best practices to CISO responsibilities. Tune back in throughout the month for new cybersecurity content or check out our archive of existing security articles for cybersecurity insights written specifically for the IT professional.
IT admins are increasingly tasked with being security analysts given today’s highly hostile threat environment. That’s an unsettling proposition if it’s new to them and they don’t know where to begin. The onus (and the blame) is on them to act, despite possibly lacking much education and awareness of security best practices to develop a program that satisfies their management and protects the organization.
A formal cybersecurity program is multifaceted and structured to control risks, but there’s a few crucial concepts you should be aware of that will help you get to a place where you know enough to be dangerous; armed with these core concepts, you can swiftly reduce your organization’s exposure, or, at the very least, have informed discussions with an MSP partner to handle it. There are five main pillars that small to medium-sized enterprises (SMEs) should focus on to be more proactive:
- Knowing your assets
- Patching
- Least privilege computing
- Email security
- Back-ups
This article examines how to marshal those concepts into action.
Let’s preface this advice with the caveat that it’s not an exhaustive checklist and we’ll be serving up some additional guidance to formalize a security program in the near future. There are several resources available that will broaden the scope of this discussion. IT admins should also consider beginning with training and education by pursuing certifications such as ECSS, GSEC, Security+, and SSCP to obtain baseline knowledge. I’d encourage you to check out my journey to becoming a security analyst (when it’s published later this month). Now, let’s get real for a moment: SMEs don’t necessarily need or have the capabilities to establish a formal program and the mandate is to do more with less. I’ve encountered firms that would shock you when you glimpse behind the corporate veil; don’t be one of them, have a plan, and be more proactive.
That’s where you come in. Be an effective change agent by focusing on the foundational concepts outlined above (that many of my smartest security cohorts agree SMEs should be doing). Starting somewhere is preferable to doing nothing at all, and as Hemingway said, “the shortest answer is doing the thing”, and ‘things’ are what you need to begin with.
Knowing Your Assets
You can begin by creating a register of your IT assets, which is where a risk assessment begins. Start by identifying who ‘owns’ the system or data and ask them about their departmental workflows. Then, ask questions about how these assets are configured, managed, and secured. They should at the very least be able to tell you what software and hardware they use, as well as where those records are stored. Let’s begin with a real life example from my practice and list out some of the factors that should be considered.
You’ll notice that assets are categorized in three ways: administrative, physical, and technical. Those align with the categories of controls that are used to address the problem(s) uncovered when you list and evaluate your assets. This outline is equally useful when you’re moving on to the next step of evaluating risks and the type of controls that are required to correct them. You may also encounter some examples that you can live with and eat the cost.
Dunder Mifflin:
- Technical:
- A cloud productivity and email suite
- Is it configured right?
- Is MFA enabled?
- Cloud storage
- Who has access to what and why?
- Legacy Domain Controller
- Is it supported and patched?
- Does it have policies?
- Who has domain admin rights?
- What service accounts are running?
- Are offboarding users disabled?
- System backups
- There were no backups outside of siloed documents residing in the cloud, so it was important to ask where everything resided and what their plans were in the event of a fire or flooding damage.
- Physical security
- Is there a functional CCTV system?
- Who’s responsible for facilities and what will it cost to implement it?
- Drive encryption
- Are workers remote on laptops?
- Is physical security weak?
- IT skills were low and there was no security awareness
- Who can manage security awareness training?
- IT Admins who were surfing the web while logged in as a super user (and didn’t believe that was a problem)
- Are you able to provide a technical solution to elevate permissions based on time?
- Will this person obey the procedure or do they have to be written up?
- A cloud productivity and email suite
- Physical:
- Sensitive files (Analog and Paper)
- Where are they stored? In plastic bins, filing cabinets, secure storage?
- Are there any fire suppression or alarm systems?
- How are you going to protect those files?
- The cost of digitizing them is high, so what are the readily available alternatives?
- Old PCs were left around with drives intact with potentially personal and regulated information.
- Are you okay with sending them off to be disposed of?
- What’s the plan going forward?
- Sensitive files (Analog and Paper)
- Administrative:
- Poorly documented processes for employees to handle personal information
- What resources are available to train our people and do we need partners in HR?
- Manage your emotional culture: insider threats can and do occur, especially if someone is motivated to fulfill an emotional need, and criminals will try to exploit those pressure points.
- Poorly documented processes for employees to handle personal information
This particular exercise revealed a Windows 2008 Server that was past its end-of-life, and one of the employees found it so worrisome that he turned it off every night (no exaggeration). I’d consider every PC joined to that domain to be insecure and wouldn’t sleep well at night either. However, senior management didn’t want to spend what the MSP quoted for new on-prem hardware, so the problem just continued indefinitely.
Your list may resemble this firm or be more complex, but a comprehensive list of your assets is a starting point to assess weaknesses and vulnerabilities. It’s up to you to determine the likelihood of those risks and what you’re willing to absorb, but there will be items that you should prioritize based upon some common formulas. I use a Priority Matrix to determine where to start first, which accounts for the impact on your organization and what costs and resources will be involved to mitigate every specific risk. An MSP partner that provides consultation (not just product suggestions) could help guide you through this process.
Patch Your Stuff
Now that you know what your stuff is, it’s time to know what state they are in.
There’s a reason why a majority of IT admins we’ve surveyed are more alarmed about software bugs than weak passwords (given MFA is enabled): bad actors are moving down the stack to applications/systems and are swiftly targeting flaws in operating systems and business systems (such as popular email servers). I recently spoke with the CEO of a security monitoring company that specializes in examining events from log files in a data lake, and he’s noticed that trend ‘in the wild’, so believe it. Patching is critically important and can be accomplished via policies to mandate that updates happen within a timely period, testing patches within user groups, and patch management systems. You’ll also want to keep support current on network devices, which also can be exploited by attackers on your perimeter and behind the firewall.
Patching reduces the possibility of emerging threats impacting your organization before your security systems can catch up to their existence, but it doesn’t block avenues of attack. Your configuration is what could clear the way for a vulnerability to become a security incident.
Practice Least Privilege Computing
Having that registry of ‘stuff’ helps you to keep up with the cadence that’s needed to update everything, responsively. Application inventories should be limited to allowed products, and the way to accomplish this is through least privilege computing or managing deployments using a solution for remote systems, such as Chocolatey for Windows and MDM solutions for Mac devices. Least Privilege computing is the concept that users and systems should only be granted the minimal permissions that are required to do their job. For example, users don’t need to unilaterally install new things, so they shouldn’t have the rights to do so.
Least privilege extends to the capacity of malware to spread throughout your systems. Nothing’s impossible for malware to accomplish when it’s running under administrative permissions. There’s countless places to ‘hide’ and any system that’s been breached is inherently untrusted. Broad permissions will enable attackers to transform an infected device into a jumping point to scope out what else is unsecured within your systems to maximize the potential for ransom.
This concept also extends to cloud services, website servers, user groups, and even IT admins as they work. There’s no reason why an IT admin should be running with access to vital resources: grant yourself the permissions that you need to get a job done and then revoke them afterward. A centralized cloud directory service such as JumpCloud can manage and monitor user permissions. JumpCloud also allows for conditional access rules that apply business rules to vett access to IT assets (compared toMicrosoft’s legacy nested permissions).
Least privilege computing is an effective framework to follow, but people can be the weakest link, even when the best technical controls are in place. Software lacks human intuition and the ability to speak up and ask questions when it’s in doubt; conversely, people can also make poor decisions. It should come as no surprise that the median SME received 94% of its detected malware via email in 2020. That’s why the next topic places special emphasis on email security, which is a vital asset to modern enterprises and most often the vehicle for cyberattacks.
Manage Email Threats
It bears repeating, endlessly: most threats to organizations aren’t complex or sophisticated. Cyber criminals are largely focused on finding common problems that are the consequence of inadequate employee security awareness training or poor IT hygiene, and email is your virtual front door to test these weaknesses. This risk is a well-understood problem and there are many effective ways to lock attackers out. Those include technical solutions that secure the email system and delivery of messages as well as handling the human end of the equation by empowering your staff to learn and do better.
Technical solutions can include the following:
- Configuring the system that you have, or adding a layer of threat protection via a third party, to be more secure on the server side
- Enabling MFA for every user, immediately
- Using strong passphrases
- Configuring DLP policies to limit the loss of personal and protected information
- Signing emails using an identity-based credential
- This provides non-repudiation (nobody can say they didn’t read a message)
- It also ensures that people within your organization are who they say they are. This is especially valuable when CEO fraud and other phishing attempts are used to socially engineer attacks specific to your group. Criminals use pressure tactics such as impersonating your boss and making demands on a tight deadline.
- There’s no reason to host your own email unless you’re a national security organization. Today’s providers have more credentials and security protocols in place than you could ever imagine, let alone pay for.
- Evaluating “next-gen” solutions
- Some newer generation solutions utilize advanced AI to process the context of a message and block messages from being delivered.
- This has been a hot start-up market and there are several mature platforms.
- Ensure that every endpoint is using EDR software, with special consideration for mobile devices. There’s a push/pull between privacy and security, and the jury is still out.
User awareness training is the administrative solution for people. Your employees can become veritable ‘human firewalls’ through education and simulations. The simplest answer is to teach people how to stop what they’re doing and contact suspicious senders (or suspicious messages from legitimate senders) through a different medium (like pick up the phone) before opening or clicking on things.
Many solutions exist in this realm and you’re typically able to incorporate them into your onboarding process and have quarterly reviews. I had great success at my company and the benefits extended into home lives where personnel and their families could be acutely harmed by identity or financial theft. The cost of these training programs is a pittance compared to lost business and unrecoverable data.
Storage is Cheap: Back it All Up
Let’s suppose that your systems and users aren’t up to speed and someone clicked on ransomware payload. It gets worse: their system has unfettered access to crucial information on your network that’s business critical. This won’t become a major catastrophe if you have working back-ups. Don’t rely solely on endpoint security and assume that every attack will be handled and nothing is foolproof. It’s better to master the systems that you have and map out your recovery from cyber incidents than it is to overspend on too many proactive systems. You may have heard it said that your chances at recovery are only as good as the quality of your last back-ups. That’s something that even CEOs of security software makers have told me, and you’ll spare yourself a catastrophic scenario if you invest time and resources into disaster planning. Configuring good backups should be top of mind.
Your options are to use an offline backup, which is inexpensive, portable (you can remove it from your building), and can be disconnected from the network where threats will propagate. The downside is that back-ups can be corrupted if the hardware or software encounters problems, and theft is a concern. Make sure that any back-up is also encrypted, which will limit damage and the potential for data exfiltration in that circumstance. Theft happens, and even though your office space isn’t Fort Knox, physical controls such as appropriate doors and locks are effective protective measures.
Online backups are another option (if you have a speedy, dependable internet connection). The quality of the back-up may be higher given it’s the core dependency of the backup vendor and offsite locations create redundancy in the event of disasters or fires. The potential downsides are that data is no longer in your hands, and remotely hosted data takes longer to download for recovery. Hackers will also try to find their way in, including ransomware that may lock up this type of backup, making it vulnerable to malware despite being an offsite service provider.
Mature disaster recovery programs conduct tabletop exercises to practice disaster recovery. That’s not something we’d expect SMEs to do, but designating responsible individuals and having a process laid out in booklets in the event of a data breach will set a starting point.
Knowing Enough to be Dangerous
You’re well on your way to a good security strategy if you do these things, whether independently, with your team, or in conjunction with an advisor or MSP. Security is a spectrum that can continue in its breadth and scope almost indefinitely, but you can know enough to be dangerous and protect your organization while your longer-term planning is underway. This article isn’t exhaustive, but it’s tailored to the modern IT admin of an SME and emphasizes the basics.
You can accomplish many of the technical controls outlined in this article by using JumpCloud Directory Platform, which is free to use for your first 10 users and 10 devices. There are links in the sidebar to help guide you along the way, and we’re also here to help with the option for 10 days of live chat support if implementing any of these security controls becomes a stumbling block.