It’s an uncertain and troubling time in the world. Geopolitical conflict has enveloped Eastern Europe, but the frontlines aren’t restricted to that region. Cyber attacks can swiftly cross international borders. Nation states, as well as hacktivists, could adopt cyber warfare as a tactic to extend the battlefield, everywhere. This is a sensitive topic, and it’s important to stay vigilant in times like these and review your security best practices in preparation for any major escalation in these attacks.
It’s been said that unintended consequences are among the only certainties in war. A discussion about cybersecurity is appropriate given the velocity and worldwide reach of these events. Your organization’s best defense is to proactively plan and implement security best practices. Taking the time to review your cybersecurity posture limits the potential for unintended consequences.
Security Best Practices
The threat environment is so concerning that The Department of Homeland Security (CISA) has advised organizations of all sizes to put their “shields up.” You don’t have to be a government agency to (hope for the best… but) prepare for the worst. Just begin with the basics. Cyber security is more approachable when it’s broken down into three essential concepts:
Practicing Good IT Hygiene
Remember the Colonial Pipeline hack? It occurred due to poor IT hygiene, which is catch-all terminology for inappropriately configuring and maintaining all of your user accounts, apps, and devices throughout their life cycles. The pipeline attack wasn’t an example of master spycraft: it happened because old user credentials were unmanaged and had access to resources that enabled attackers to pivot onto bigger things. Tip: don’t be like them, follow Zero Trust Security instead.
Zero Trust Security is a concept that trusts nothing and verifies everything, which in essence states that in order for all users to be authenticated and authorized to access resources, they must be continuously challenged inside and outside of your organization.
For example, the old security paradigm was “Ben trusts Katie, and Katie trusts Tyrone, so Ben trusts Tyrone.” That’s no longer satisfactory given the scope and omnipresence of today’s cyber threats. Configure your systems with the belief that “nothing is secure” and you’ll be far better off. These are some of the steps that you should take to implement Zero Trust:
- Least Privilege
Devices and users only need access to the minimal permissions to get their job done. No PC user should be operating as an administrator day-to-day, even IT admins themselves. Know who your users are and what they have access to.
- Patching
Software is complex, and you should assume that there’s vulnerabilities present in operating systems and down the stack. Applying fixes to bugs, on schedule, and maintaining up-to-date licensing and support reduces the risks that these will be exploited. A device might be logging into your systems with appropriate credentials, but it carries risk forward if it’s not being regularly patched.
- Policies
“Live and let live” is not an acceptable security control on devices and with people. All devices within your fleet should be deployed “hardened”, that is to say, that rules are applied to limit what changes can be made to settings. Unmanaged devices provide attackers with greater surface area to find their way in. Policies may also apply to how strong your users’ passwords are and whether MFA is enabled. Policies also apply to your staff, such as mandatory vacation time or limiting access to network hardware.
- Identity and Access Management (IAM)
User lifecycle management is no less important than how well devices are secured. Who has access to what and whether there’s assurance that they’re who they say they are (working from a location that’s acceptably secure) is vital to IT hygiene. Modern IAM systems require more than one level of authentication, may use single sign-on (SSO), have the capacity for conditional access, and more closely manage group memberships.
- Human Firewalls
Practicing security awareness isn’t a technical control, but it’s no less vital. Your employees, an administrative control, should serve as human firewalls who know when to speak up and “say something” when they encounter unusual activities. That could be as simple as contacting the sender of a suspicious email using a different medium.
You don’t need limitless resources to implement Zero Trust security. It’s within reach by combining technical, administrative, and physical controls to mitigate or reduce your risks. You ultimately should have a formalized security program, but don’t get discouraged. You already “know enough to be dangerous” and can begin to introduce better IT hygiene to your organization.
Master Your Security Tools and Services
Security tools and services are expressly designed to help mitigate risks, but SMEs should take care to avoid security tool sprawl. Some systems require intensive resources that smaller organizations simply don’t possess. Master the tools that you have, partner to extend those capabilities when it makes sense, and consider vendors that can more externally handle those risks on your behalf. Some examples of tools that you should consider using are:
Endpoint Detection and Response (EDR)
We used to just call this antivirus software, but EDR solutions have evolved to analyze system behavior and even block common methods of attack. These systems are manageable and will help to secure devices. EDR software isn’t sufficient security as a standalone control: your organization should form a defense in depth using people, operations, and technology.
Monitoring
Monitoring ranges from logs and reporting to robust enterprise-grade systems that take every event into account within your environment and across domains. It’s not practical to expect an SME to have the resources to fully staff advanced security information and event management (SIEM) and Security Operations Centers (SOCs) that run threat hunting on data lakes. However, anomalous behaviors can be detected if you know what you’re looking for and don’t lose focus. Otherwise, you’ll just be spending a lot of your budget on a glorious post mortem.
Consider outsourcing this capability if your IT budget provides for it, or select vendors that perform these activities to secure the services that you’re purchasing from them.
Network Hardware and Software
Next generation firewalls, VPNs, and a software-defined perimeter (SDP) are other tools that can secure your network. Remote workforces won’t necessarily utilize all of these, so it’s also important to think about how you’re going to secure and manage your users everywhere they’re working, whether within a domain or in the domainless enterprise.
Incident Response and Business Continuity
There’s no universal elixir for better security: every organization has different requirements. However, there’s always a benefit to following best practices, such as having good backups. Every organization should have a plan to respond and recover from a cyber incident.
Security is a process, not only “stuff’. Incident response and understanding what happens following an attack are crucial. That’s where your backups might come into play. We recommend working with an MSP partner or other experts to create, adopt, and practice what your organization will do if it’s attacked, otherwise known as a cybersecurity tabletop exercise.
Cyber insurance is another option, but be mindful that there are some pre-existing conditions that make it more difficult to obtain coverage. Following good IT hygiene mitigates that risk.
Additional Resources
CISA has compiled a list of free CISO tools, also with guides covering the following topics:
- Reducing the likelihood of a damaging cyber incident;
- Detecting malicious activity quickly;
- Responding effectively to confirmed incidents; and
Maximizing resilience.
There’s also a collection of security guidance articles in the sidebar.