October is Cybersecurity Awareness Month, and the U.S. Cybersecurity & Infrastructure Security Agency (CISA) is calling on all of us to “Secure Our World,” with a simple message that calls everyone to action “to adopt ongoing cybersecurity habits and improved online safety behaviors.” This month, the JumpCloud blog will focus on helping you empower everyone in your organization to do their part regarding cybersecurity. Tune in throughout the month for more cybersecurity content written specifically for IT professionals.
IT admins are tasked with becoming security analysts in response to today’s hostile threat environment. That can be a difficult adjustment if it’s new to them and they don’t know where to begin. The onus (and the blame) is on them to act, despite potentially never having received training for or awareness of security best practices to develop a program that will satisfy management and protect the organization.
A formal cybersecurity program is multifaceted and structured to control risks, but there are a few crucial concepts you should be aware of that will help you get to a place where you know enough to be dangerous. Armed with these core concepts, you can swiftly reduce your organization’s exposure, or, at the very least, have informed discussions with an MSP partner to handle it. There are five main pillars small to medium-sized enterprises (SMEs) should focus on:
- Know your assets
- Patching
- Least privilege computing
- Email security
- Backups
This article examines how to bring those concepts into action.
This advice isn’t an exhaustive checklist: it’s part of a series of articles that provide additional guidance to formalize a security program. There are also resources for SMEs available from government entities to help guide you as you get started. IT admins should also consider training and education by pursuing certifications such as ECSS, GSEC, Security+, and SSCP to obtain baseline knowledge. I encourage you to check out my journey for more perspective.
Now, let’s get real for a moment: SMEs don’t necessarily have the capacity to establish a formal program and the typical mandate is always to do more with less. I’ve encountered firms that would shock you when you glimpse behind the corporate veil; don’t be one of them, have a plan, and be more proactive.
That’s where you come in. Be an effective change agent by focusing on the foundational concepts outlined above.
Know Your Assets
You can begin by creating a register of your IT assets, which is where a risk assessment begins. Start by identifying who “owns” the system or data and ask them about their departmental workflows. Then, ask questions about how these assets are configured, managed, and secured. They should at the very least be able to tell you what software and hardware they use, as well as where those records are stored. The outline below will help guide you. It’s populated with real-world examples and notations from my work as a security practitioner working with SMEs.
Below you’ll notice that assets are categorized in three ways: technical, physical, and administrative. Those align with the categories of controls that are used to address the problem(s) uncovered when you list and evaluate your assets. This outline is useful when you move on to the next step of evaluating risks and the type of controls that are required to correct them. You may also encounter some findings that you can live with, simply absorbing the cost.
- A cloud productivity and email suite
  - Is it configured correctly?
  - Are the correct authorizations in place?
  - Are security baselines available?
  - Is MFA enabled with a centralized directory?
- Cloud storage
  - Who has access to what and why?
  - Is any sensitivity labeling required?
- Legacy domain controller
  - Is it supported and patched?
  - Does it have policies? Are any of those policies conflicting?
    - Tip: Don’t “fire and forget” policies. Changing one policy in response to a security incident may impact others.
  - Who has domain admin rights? Who has rights to other privileged roles?
  - What service accounts are running?
  - Are offboarded users disabled?
  - Is there a plan for modernization to secure identities, endpoints, and apps?
  - Is the domain controller even necessary?
- System backups
  - Where does everything reside if there are no backups outside of the siloed documents residing in the cloud?
  - What are the plans in the event of a fire or flood?
  - Is there any immutable backup that attackers can’t tamper with?
- Physical security
  - Is there a functional CCTV system?
  - Who’s responsible for facilities and what will it cost to implement it?
  - Are there controls to restrict server room access?
- Drive encryption
  - Are workers remote on laptops?
  - Is physical security weak?
- IT skills and security awareness
  - Who can manage security awareness training?
- IT accountability
  - IT admins who were surfing the web while logged in as a super user (and didn’t believe that was a problem)
  - Are you able to provide a technical solution for privileged access management?
- Sensitive files (analog and paper)
  - Where are they stored? In plastic bins, filing cabinets, secure storage?
  - Are there any fire suppression or alarm systems?
  - How are you going to protect those files?
  - The cost of digitizing files is high, so what are the readily available alternatives?
- Old PCs and IT waste
  - Old PCs were left around with drives intact, holding potentially personal and regulated information.
  - Are you okay with sending them off to be disposed of?
  - What’s the plan going forward?
- Processes for handling PII
  - Poorly documented processes for employees to handle personal information
  - What resources are available to train people?
This exercise to uncover assets revealed a Windows 2008 Server that was past its end of life. One employee found it so worrisome that he turned it off every night (no exaggeration). Every PC that was joined to that domain was potentially insecure. This practice was permitted for a reason: senior management didn’t want to spend what the MSP quoted for new on-prem hardware.
Your list may resemble this firm or be more complex, but a comprehensive list of your assets is a starting point to assess weaknesses and vulnerabilities. It’s up to you to determine the likelihood of those risks and what you’re willing to absorb, based upon factors such as business impact or cost. The high-level formula for determining your risk is: threat x vulnerability x probability of occurrence x impact. Always consider context and information value.
You can use a Priority Matrix to determine where to start IT projects, which accounts for the impact on your organization and what costs and resources will be involved to mitigate risks.
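To make the register, the risk formula and the priority matrix concrete, here is a small worked example. It is added to this article and is not JumpCloud code or a JumpCloud product feature. The assets, owners and scores are constructed from the outline above, the 1–5 scoring scale is an assumption (the article gives the formula but no scale), and the four matrix quadrants (impact versus mitigation cost) are one reasonable reading of a priority matrix, not a standard.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    owner: str            # who "owns" the system or data
    category: str         # technical, physical or administrative
    threat: int           # capability/likelihood of a threat actor, 1-5 (assumed scale)
    vulnerability: int    # how exposed the asset is, 1-5
    probability: int      # probability of occurrence, 1-5
    impact: int           # business impact if realised, 1-5
    mitigation_cost: int  # rough cost/effort to fix, 1-5
    notes: str = ""

def risk_score(a: Asset) -> int:
    """The article's formula: threat x vulnerability x probability of occurrence x impact."""
    for v in (a.threat, a.vulnerability, a.probability, a.impact):
        if not 1 <= v <= 5:
            raise ValueError(f"{a.name}: scores must be in the range 1..5")
    return a.threat * a.vulnerability * a.probability * a.impact

def priority_quadrant(a: Asset) -> str:
    """Priority matrix (assumed layout): high impact + low cost first, high impact + high cost next."""
    high_impact = a.impact >= 4
    cheap = a.mitigation_cost <= 2
    if high_impact and cheap:
        return "1-quick win"
    if high_impact:
        return "2-major project"
    if cheap:
        return "3-fill-in"
    return "4-reconsider / accept"

def rank_register(register):
    """Order by matrix quadrant, then by descending risk score within a quadrant."""
    return sorted(register, key=lambda a: (priority_quadrant(a), -risk_score(a)))

# Constructed sample register based on the outline in the article (not real client data).
REGISTER = [
    Asset("Windows Server 2008 domain controller", "IT", "technical", 5, 5, 4, 5, 4,
          "past end of life; turned off nightly"),
    Asset("Cloud productivity suite", "Ops", "technical", 4, 3, 3, 5, 1,
          "MFA not enforced for all users"),
    Asset("Paper files in plastic bins", "Finance", "physical", 2, 4, 2, 4, 2,
          "no fire suppression"),
    Asset("Old PCs with drives intact", "IT", "physical", 3, 5, 3, 4, 1,
          "PII on unwiped disks"),
    Asset("PII handling process", "HR", "administrative", 3, 3, 3, 3, 2,
          "undocumented"),
]

def report(register):
    """Rows of (quadrant, risk score, asset, owner, notes) in the order work should start."""
    return [(priority_quadrant(a), risk_score(a), a.name, a.owner, a.notes)
            for a in rank_register(register)]

if __name__ == "__main__":
    for quadrant, score, name, owner, notes in report(REGISTER):
        print(f"{quadrant:<22} risk={score:>3}  {name} (owner: {owner}) - {notes}")
```

The ranking deliberately puts cheap, high-impact fixes (enforcing MFA, wiping old drives) ahead of the expensive domain controller replacement even though the latter carries the highest raw score; that is the trade-off the priority matrix is meant to make visible so it can be argued with management rather than silently accepted.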
An MSP partner could also help to guide you through this process.
Patch Your Stuff
Now that you know what your stuff is, it’s time to learn what state it’s in.
There’s a reason why a majority of IT admins we’ve surveyed are more alarmed about software bugs than weak passwords (given MFA is enabled): bad actors are moving down the stack to applications and systems and are swiftly targeting flaws in operating systems and business systems (such as popular browsers). I recently spoke with the CEO of a security monitoring company that specializes in examining events from log files in a data lake, and he’s noticed that trend “in the wild,” so believe it. Patching is critically important; it can be enforced through policies that mandate updates within a defined window, pilot testing of patches with user groups, and patch management systems. You’ll also want to keep support current on network devices, which attackers can exploit both on your perimeter and behind the firewall.
Avoid antipatterns and don’t make excuses not to patch or remediate issues when a patch isn’t available. There’s no perfect patch. Patching is not as difficult as IT operations makes it out to be.
Patching reduces the possibility of emerging threats impacting your organization before your security systems can catch up to their existence, but it doesn’t block avenues of attack. Your configuration is what could clear the way for a vulnerability to become a security incident.
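A patch policy is only useful if you can measure against it. The following is an added example, not JumpCloud code or any vendor's tool: it takes a constructed inventory (host, product, end-of-support date, pending updates) and reports which systems have outdated support or updates that have aged past the policy window. The per-severity windows are assumptions to be replaced with your own policy, and the sample hosts, versions and dates are constructed (check the vendor's lifecycle page for real end-of-support dates).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumed policy windows (days from release to mandatory installation).
PATCH_WINDOW_DAYS = {"critical": 14, "high": 30, "moderate": 60}

@dataclass
class PendingUpdate:
    severity: str
    released: date

@dataclass
class Inventory:
    host: str
    product: str
    version: str
    end_of_support: Optional[date]   # None when unknown; unknown is itself a finding to chase
    pending: List[PendingUpdate]

def overdue_updates(item: Inventory, today: date):
    """Return (severity, days_overdue) for each pending update past its policy window."""
    result = []
    for u in item.pending:
        window = PATCH_WINDOW_DAYS.get(u.severity, PATCH_WINDOW_DAYS["moderate"])
        deadline = u.released + timedelta(days=window)
        if today > deadline:
            result.append((u.severity, (today - deadline).days))
    return result

def unsupported(item: Inventory, today: date) -> bool:
    """True when the vendor no longer supports the product, so no patch will ever arrive."""
    return item.end_of_support is not None and item.end_of_support < today

def assess(inventory, today: date):
    """Flatten the inventory into (host, product, finding, detail) rows for a report or ticket queue."""
    findings = []
    for item in inventory:
        if unsupported(item, today):
            findings.append((item.host, item.product, "UNSUPPORTED",
                             f"end of support {item.end_of_support}"))
        for sev, days in overdue_updates(item, today):
            findings.append((item.host, item.product, "OVERDUE",
                             f"{sev} update {days} days past policy window"))
    return findings

# Constructed sample data so the example is reproducible offline.
TODAY = date(2024, 3, 20)
INVENTORY = [
    Inventory("DC01", "Windows Server 2008 R2", "6.1", date(2020, 1, 14), []),
    Inventory("WS-07", "Web browser", "122.0", None,
              [PendingUpdate("critical", date(2024, 3, 1))]),
    Inventory("FW-01", "Firewall firmware", "7.2.1", date(2026, 6, 30),
              [PendingUpdate("high", date(2024, 2, 25))]),
]

if __name__ == "__main__":
    for host, product, finding, detail in assess(INVENTORY, TODAY):
        print(f"{host:<6} {product:<24} {finding:<12} {detail}")
```

Run on a schedule, the report gives you the two things the article asks for: evidence that updates are happening within a timely period, and an explicit list of systems where no patch will ever come and the only remediation is replacement or isolation.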
Practice Least Privilege Computing
Having a register of your “stuff” helps you keep up with the cadence needed to update everything and respond quickly. Application inventories should be limited to allowed products, and the way to accomplish this is through least privilege computing or by managing deployments with a solution for remote systems, such as Chocolatey for Windows and MDM solutions for Mac devices. Least privilege computing is the concept that users and systems should only be granted the minimal permissions required to do their job. For example, users don’t need to unilaterally install new software, so they shouldn’t have the rights to do so.
Least privilege also limits how far malware can spread through your systems. Nothing is impossible for malware running under administrative permissions. There are countless places to “hide,” and any system that’s been breached is inherently untrusted. Broad permissions let attackers turn an infected device into a jumping point to scope out what else is unsecured within your systems and maximize the potential for ransom.
This concept also extends to cloud services, web servers, resource groups, and even IT admins as they work. There’s no reason why an IT admin should have standing access to vital resources: grant yourself the permissions you need to get a job done and then revoke them afterward. A centralized cloud directory service such as JumpCloud can manage and monitor user permissions, and dynamic groups can remove unauthorized users. JumpCloud also allows for conditional access rules that apply business rules to limit access to IT assets.
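The “grant, do the job, revoke” pattern for admins is easy to describe and easy to get wrong in practice, so here is an added example of the control logic behind it. This is illustrative code written for this article; it is not JumpCloud's directory or API, and the role names, permissions, two-hour maximum grant and the rule that an elevation needs a second person's approval are all assumptions of the example. It shows baseline roles that carry only day-to-day rights, time-boxed elevations that expire on their own, and an audit trail of every grant, expiry and revocation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed role model: baseline roles are what a person holds all day.
BASELINE_ROLES = {
    "helpdesk": {"reset_password", "read_device_inventory"},
    "it_admin": {"read_device_inventory", "read_logs"},
}
# Elevated roles are never held permanently; they are granted with an expiry.
ELEVATED_ROLES = {
    "domain_admin": {"modify_group_policy", "add_domain_admin"},
    "backup_operator": {"restore_backup", "read_backup_catalog"},
}
MAX_GRANT = timedelta(hours=2)   # assumed policy ceiling for any elevation

@dataclass
class Grant:
    role: str
    approved_by: str
    reason: str
    expires_at: datetime

class AccessControl:
    def __init__(self):
        self.users = {}    # user -> baseline role
        self.grants = {}   # user -> list of live Grant objects
        self.audit = []    # append-only (time, event, user, role, approver, reason)

    def add_user(self, user: str, role: str):
        if role not in BASELINE_ROLES:
            raise ValueError(f"unknown baseline role {role}")
        self.users[user] = role
        self.grants.setdefault(user, [])

    def elevate(self, user, role, approver, reason, now, duration=timedelta(minutes=30)):
        """Time-boxed elevation: needs a reason, a different approver, and a bounded duration."""
        if role not in ELEVATED_ROLES:
            raise ValueError(f"unknown elevated role {role}")
        if approver == user:
            raise PermissionError("self-approval is not allowed")
        if duration > MAX_GRANT:
            raise ValueError("requested duration exceeds policy maximum")
        grant = Grant(role, approver, reason, now + duration)
        self.grants[user].append(grant)
        self.audit.append((now, "GRANT", user, role, approver, reason))
        return grant

    def revoke(self, user, role, now):
        """Explicit revocation when the job is done, ahead of the automatic expiry."""
        before = len(self.grants[user])
        self.grants[user] = [g for g in self.grants[user] if g.role != role]
        if len(self.grants[user]) != before:
            self.audit.append((now, "REVOKE", user, role, "", ""))

    def effective_permissions(self, user, now):
        """Baseline rights plus any elevation that has not expired; expired grants are dropped and logged."""
        perms = set(BASELINE_ROLES[self.users[user]])
        live = []
        for g in self.grants[user]:
            if g.expires_at > now:
                perms |= ELEVATED_ROLES[g.role]
                live.append(g)
            else:
                self.audit.append((now, "EXPIRE", user, g.role, "", ""))
        self.grants[user] = live
        return perms

    def can(self, user, permission, now) -> bool:
        return permission in self.effective_permissions(user, now)

if __name__ == "__main__":
    ac = AccessControl()
    ac.add_user("alice", "it_admin")
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    ac.elevate("alice", "domain_admin", approver="bob", reason="ticket-123: GPO change", now=t0)
    print(ac.can("alice", "modify_group_policy", t0 + timedelta(minutes=10)))   # True while the grant is live
    print(ac.can("alice", "modify_group_policy", t0 + timedelta(minutes=45)))   # False after expiry
    for event in ac.audit:
        print(event)
```

The important property is that the default answer to “does this admin have domain admin rights right now?” is no, and that every yes has a name, a reason and an end time attached to it in the audit log, which is what you want to be able to show after an incident.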
Least privilege computing is an effective framework to follow, but people can be the weakest link, even when the best technical controls are in place. Software lacks human intuition and the ability to speak up and ask questions; conversely, people can also make poor decisions. It should come as no surprise that the median SME received 94% of its detected malware via email in 2020. Since then, human-operated ransomware has made these kinds of threats even more dangerous. That’s why the next topic places special emphasis on email security, which is a vital asset to modern enterprises and most often the vehicle for cyberattacks.
Manage Email Threats
It bears repeating: most threats to organizations aren’t complex or sophisticated. Cyber criminals are largely focused on finding common problems that are the consequence of inadequate employee security awareness training or poor IT hygiene, and email is your virtual front door to test these weaknesses. This risk is a well-understood problem and there are many effective ways to lock attackers out. Those include technical solutions that secure the email system and delivery of messages as well as training to empower your staff to learn and do better.
Technical solutions can include the following:
- Configure the system that you have, or add a layer of threat protection via a third party, to be more secure on the server side.
- Enable MFA for every user, immediately.
- Use strong passphrases and a password manager.
- Configure DLP policies to limit the loss of personal and protected information.
- Sign emails using an identity-based credential.
  - This provides non-repudiation (nobody can say they didn’t read a message).
  - It also ensures that people within your organization are who they say they are. This is especially valuable when CEO fraud and other phishing attempts are used to socially engineer attacks specific to your group. Criminals use pressure tactics such as impersonating your boss and making demands on a tight deadline.
- There’s no reason to host your own email unless you’re a national security organization. Today’s providers have more credentials and security protocols in place than you could ever imagine, let alone pay for.
- Evaluate “next-gen” solutions.
  - Some newer-generation solutions use advanced AI to process the context of a message and block suspicious messages from being delivered.
  - There’s a hot startup market and several mature platforms.
- Ensure that every endpoint uses EDR software, with special consideration for mobile devices. There’s a push/pull factor between privacy and security, and the jury is still out.
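To show what the “context of a message” looks like from the defender's side, here is an added triage example that flags the CEO-fraud pattern described above. It is written for this article and is not JumpCloud code or any email security product; the organisation domain, the executive name list, the urgency keywords and both sample messages are constructed. It checks the things a human is taught to check (is the display name an executive but the domain external or a lookalike, does Reply-To go somewhere else, did SPF/DKIM/DMARC pass, is there pressure language) and returns the findings rather than silently deciding.

```python
import email
import re
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"    # assumption: your organisation's real mail domain
EXECUTIVES = {"Pat Chen"}     # assumption: display names that are commonly impersonated
URGENCY = re.compile(r"\b(urgent|immediately|today|asap|wire|gift card)\b", re.I)

# Constructed sample messages (not real mail). The first mimics CEO fraud, the second is benign.
SUSPICIOUS = """\
From: "Pat Chen" <pat.chen@examp1e.com>
Reply-To: finance-urgent@mail-relay.test
To: accounts@example.com
Subject: URGENT wire needed before 5pm today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none; dmarc=fail header.from=examp1e.com
Date: Mon, 1 Apr 2024 14:02:00 +0000

Please process the attached invoice immediately, I'm in a meeting and can't talk.
"""

BENIGN = """\
From: Pat Chen <pat.chen@example.com>
To: accounts@example.com
Subject: Lunch on Thursday
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Date: Mon, 1 Apr 2024 10:00:00 +0000

Team lunch is on Thursday at noon, everyone welcome.
"""

def lookalike(domain: str, real: str) -> bool:
    """True when the domain differs from the real one by exactly one substituted character."""
    if domain == real or len(domain) != len(real):
        return False
    return sum(a != b for a, b in zip(domain, real)) == 1

def triage(raw: str):
    """Return a list of human-readable findings; an empty list means nothing stood out."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    name, addr = parseaddr(str(msg["From"] or ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    if name in EXECUTIVES and domain != ORG_DOMAIN:
        findings.append(f"display name '{name}' impersonates an executive from external domain {domain}")
    if lookalike(domain, ORG_DOMAIN):
        findings.append(f"sender domain {domain} is a lookalike of {ORG_DOMAIN}")

    reply_to = parseaddr(str(msg["Reply-To"] or ""))[1]
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != domain:
        findings.append(f"Reply-To {reply_to} points to a different domain than From")

    # Authentication-Results is stamped by your own receiving mail server, not by the sender.
    auth = str(msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech} result is {m.group(1)}")

    body = msg.get_body(preferencelist=("plain",))
    text = str(msg["Subject"] or "") + " " + (body.get_content() if body else "")
    if len({w.lower() for w in URGENCY.findall(text)}) >= 2:
        findings.append("pressure language: urgency or payment keywords in subject or body")
    return findings

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, triage(raw))
```

Heuristics like these belong in a filter that quarantines or tags a message for review, and they are exactly the points the awareness training below should teach people to check by hand: the domain spelled one character off, the Reply-To that goes elsewhere, and the deadline pressure.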
According to Coalition, a leading general agent for managing cybersecurity risk, the risk of claims for business email compromise (BEC) and funds transfer fraud (FTF) events were found to be equally as bad with Microsoft 365 as on-prem Exchange. This is in stark contrast to companies using Google Workspace, which experienced a 25% risk reduction for FTF or BEC claims and a 10% risk reduction for ransomware claims. JumpCloud is a Google partner and Google recommends JumpCloud as a directory solution for SMEs.
User awareness training is the administrative solution for people. Your employees can become “human firewalls” through education and simulations. The simplest answer is to teach people how to stop what they’re doing and contact suspicious senders (or senders of suspicious messages from legitimate accounts) through a different medium (such as picking up the phone) before opening or clicking on things.
Many solutions exist in this realm and you can simply incorporate them into your onboarding process and have quarterly reviews. The benefits extend into home lives where personnel and their families could be acutely harmed by identity or financial theft. The cost of these training programs is a pittance compared to lost business and unrecoverable data.
Storage Is Cheap: Back It All Up
Suppose that your systems and users aren’t up to speed and someone clicks on a ransomware payload. Unfortunately, their system has unfettered access to crucial information on your network that’s business critical. Hopefully, this won’t become a major catastrophe if you have working backups. Don’t rely solely on endpoint security and assume that every attack will be handled. Nothing is foolproof. It’s better to master the systems that you have and map out your recovery from cyber incidents than it is to overspend on too many security systems.
You may have heard it said that your chances at recovery are only as good as the quality of your last backups. You’ll spare yourself a catastrophic scenario if you invest time and resources into disaster planning; therefore, configuring good backups should be top of mind.
One option is to use an offline backup, which is inexpensive, portable (you can remove it from your building), and can be disconnected from the network where threats will propagate. The downside is that backups can be corrupted if the hardware or software encounters problems, and theft is a concern. Make sure that any backup is also encrypted, which will limit damage and the potential for data exfiltration in that circumstance. Theft happens, and even though your office space isn’t Fort Knox, physical controls such as appropriate doors and locks are effective protective measures.
Online backups are another option (if you have a speedy, dependable internet connection). The quality of the backup may be higher given it’s the core dependency of the backup vendor, and off-site locations create redundancy in the event of disasters or fires. The potential downsides are that data is no longer in your hands, and remotely hosted data takes longer to download for recovery. Attackers will also try to find their way in: ransomware can encrypt this type of backup too, so an off-site service provider is not immune to malware.
Mature disaster recovery programs conduct tabletop exercises to practice disaster recovery. That’s not something we’d expect SMEs to do, but designating responsible individuals and having a process laid out in booklets in the event of a data breach is a good starting point.
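A backup you have never restored is an assumption, not a control. The following added example (illustrative code for this article, not JumpCloud's or any backup vendor's) shows the minimum restore test an SME can automate: write a SHA-256 manifest alongside each backup, restore to a scratch location, and compare file by file so that a missing, altered or extra file is reported. The file tree and contents are constructed in a temporary directory; encryption of the backup media, which the article also calls for, is a separate step not shown here.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def backup(src: Path, dest: Path) -> Path:
    """Copy the tree and store the manifest beside it; the manifest is what a restore test checks against."""
    shutil.copytree(src, dest / "data")
    (dest / "manifest.json").write_text(json.dumps(build_manifest(src), indent=2))
    return dest

def verify_restore(backup_dir: Path, restored: Path) -> list:
    """Return a list of problems; an empty list means the restored tree matches the manifest."""
    expected = json.loads((backup_dir / "manifest.json").read_text())
    actual = build_manifest(restored)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"corrupted: {rel}")
    for rel in sorted(actual.keys() - expected.keys()):
        problems.append(f"unexpected: {rel}")
    return problems

def demo() -> tuple:
    """Constructed end-to-end run: back up, restore, verify, then damage one file and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "fileshare"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("2024-01-01,invoice,1200\n")
        (src / "readme.txt").write_text("constructed sample data\n")

        bkp = backup(src, tmp / "backup-2024-04-01")
        restored = tmp / "restore-test"
        shutil.copytree(bkp / "data", restored)
        clean = verify_restore(bkp, restored)

        # Simulate what ransomware or bit-rot does to a restore: one file's contents change.
        (restored / "finance" / "ledger.csv").write_text("ENCRYPTED\n")
        dirty = verify_restore(bkp, restored)
        return clean, dirty

if __name__ == "__main__":
    clean, dirty = demo()
    print("first restore:", clean or "OK")
    print("after tampering:", dirty)
```

Keep the manifest with the backup copy that attackers cannot reach (the offline or immutable one), since a manifest stored next to a writable backup can be rewritten along with the data; and run the restore test on a schedule, because the point is to find out that a backup is unusable before the day you need it.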
Knowing Enough to Be Dangerous
This article is tailored to the modern IT admin of an SME and emphasizes the basics. You’re well on your way to a good security strategy if you follow these pillars, independently, with your team, or in conjunction with an advisor or MSP. Security is a spectrum that can evolve in its breadth and scope almost indefinitely, but you can know enough to be dangerous and protect your organization while you plan for the long term.
You can accomplish many of the technical controls outlined in this article by leveraging JumpCloud Directory Platform, which is free to use on a trial basis.