We continue our journey today on aligning technical design and execution in order to improve your security posture. This week, as I sat at dinner with a long-time IT friend, his phone rang. It was his sister. She works at a financial services organization and had not been to work all week. “We have been told all systems are down. The business is currently working with two outside firms to return to normal operation. We will be notified once they are back up and running.”
My friend hung up the phone and quickly shot off “when are business leaders going to start to take this threat seriously?”
As we unpacked the news together, several questions were put on the table.
How many of today’s businesses could survive a weeklong outage and return to normal business operations?
Ask yourself the question…can your business survive? More importantly, ask your organizational leadership. Are they prepared for the answer?
Why are businesses not acting more urgently to ensure their preventative posture is sound?
Pen-testing and the latest in security-focused hardware and software appliances are important, but the common gap we continue to see is one of sound process. We’ll unpack this further below.
Do business leaders really take the threat seriously?
The conversations we are having with businesses often reflect a marketplace in which the threat is known. But with everything else we have to manage, IT teams don’t know where to start.
Another common theme is technical teams lacking the resources to execute. If this is you, go back to the first question and take it to your business leaders.
A quick look at some staggering statistics:
- Per an FBI release, since January 1, 2016, more than 4,000 ransomware attacks have occurred daily on average, a 300 percent increase over the roughly 1,000 attacks per day seen in 2015.
- At the point of publication, Symantec’s Daily Threat Monitor noted 26,093 ransomware events in September 2019.
- Sophos calls out that the average cost of recovery for a ransomware attack is $133,000 per event.
- Sophos also points out that 75% of all attacked organizations were running up-to-date endpoint protection.
- Kaspersky’s data states that 34% of all businesses hit by ransomware take a week or more to regain access to their data.
Basic Systems and Networking Practices to Improve Your Security Posture
Validate Your Back Ups Work and Sufficiently Protect Your Priority Systems
As we discussed in 5 Beginning Steps to Ensure Your Backups are Protecting Your Data from Ransomware, this step is vital to improving your security posture. In fact, CISA’s recommendations for improving your protection mechanisms also list this step first in the journey.
This isn’t rocket science, but it does require intentionality. Here is a summary of the article we posted earlier. Take the time to read the full post, as it expands on the importance of each of the steps below.
- Are you protecting your priority workloads and systems?
- Have you tested any restores?
- Do you know where all your data resides today? Are you protecting it if it resides in a cloud service?
- Do you have a protected copy of your data that is offline?
- Are you closely controlling system access?
- Are you leveraging a manufacturer-supported design?
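The two questions that bite hardest in an incident are “have you tested any restores?” and “is the copy you restored from current?” Both can be answered by a scheduled job rather than by hope. The script below is an added example, not code from the original post or from any backup product: it walks every file under the protected source path, confirms the same file exists in a test-restore location with an identical SHA-256 hash, and flags a restore whose newest file is older than the recovery point objective. The paths, the 24-hour RPO and the sample data (constructed in a temp folder so the check can be run anywhere, including a deliberately corrupted “restored” file) are all assumptions made for the example.

```powershell
# Added example: verify a test restore against its source. Not from the original post.
# Assumptions: source/restore paths and the RPO are placeholders; sample data is constructed below.

function Test-RestoreIntegrity {
    param(
        [Parameter(Mandatory)] [string]$SourcePath,   # the data you claim to protect
        [Parameter(Mandatory)] [string]$RestorePath,  # where the test restore landed
        [int]$RpoHours = 24                           # assumed recovery point objective
    )

    $SourcePath = (Resolve-Path -LiteralPath $SourcePath).ProviderPath
    $failures   = @()
    $sourceFiles = Get-ChildItem -LiteralPath $SourcePath -File -Recurse

    foreach ($src in $sourceFiles) {
        # Rebuild the relative path so the comparison is independent of where the restore landed.
        $relative = $src.FullName.Substring($SourcePath.Length).TrimStart('\', '/')
        $dst = Join-Path $RestorePath $relative
        if (-not (Test-Path -LiteralPath $dst)) {
            $failures += "MISSING  $relative"
            continue
        }
        # Byte-level equality, not just "a file with that name exists".
        $srcHash = (Get-FileHash -LiteralPath $src.FullName -Algorithm SHA256).Hash
        $dstHash = (Get-FileHash -LiteralPath $dst -Algorithm SHA256).Hash
        if ($srcHash -ne $dstHash) {
            $failures += "CORRUPT  $relative (source $srcHash, restored $dstHash)"
        }
    }

    # A restore older than the RPO means the backup job is not keeping up,
    # even if every file it does contain is intact.
    $newest = Get-ChildItem -LiteralPath $RestorePath -File -Recurse |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if ($null -eq $newest) {
        $failures += "EMPTY    restore location contains no files"
    } elseif ($newest.LastWriteTime -lt (Get-Date).AddHours(-$RpoHours)) {
        $failures += "STALE    newest restored file is from $($newest.LastWriteTime)"
    }

    [pscustomobject]@{
        FilesChecked = $sourceFiles.Count
        Passed       = ($failures.Count -eq 0)
        Failures     = $failures
    }
}

# --- Constructed sample data so the check can be exercised without a real backup product ---
$demo    = Join-Path $env:TEMP 'restore-demo'
$source  = Join-Path $demo 'source'
$restore = Join-Path $demo 'restored'
Remove-Item -LiteralPath $demo -Recurse -Force -ErrorAction SilentlyContinue
New-Item -ItemType Directory -Path (Join-Path $source 'finance'), $restore -Force | Out-Null
Set-Content -Path (Join-Path $source 'finance\ledger.csv') -Value 'acct,amount', '1001,250.00'
Set-Content -Path (Join-Path $source 'payroll.xml')        -Value '<payroll/>'
Copy-Item -Path (Join-Path $source '*') -Destination $restore -Recurse          # stand-in for the restore job
Set-Content -Path (Join-Path $restore 'payroll.xml') -Value '<payroll>truncated' # simulate a bad restore

$result = Test-RestoreIntegrity -SourcePath $source -RestorePath $restore -RpoHours 24
$result | Format-List
if (-not $result.Passed) { exit 1 }   # a non-zero exit makes the scheduled job show red
```

Point `-SourcePath` at a representative slice of a priority workload and `-RestorePath` at wherever your backup product lands a scripted test restore, then schedule it. With the constructed data above it reports one CORRUPT finding for payroll.xml and exits non-zero; a clean run exits zero. Note that this validates the restore path only; the offline copy question still needs a copy that this host cannot reach and delete.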
Patching is Important
Yes, patching takes time. Yes…you have applications to support and deploy. But trust us…the effort is vital.
Microsoft’s October 2019 Patch Tuesday release covered 59 vulnerabilities, 9 of them rated “Critical.”
Soon, we’ll dig into creating a patch management strategy, but let’s highlight some basics.
- Have you created a patching schedule? Do you hold to it?
- Still have that pesky Windows Server 2008 R2 system floating around? It leaves extended support in January 2020. Create a plan for legacy systems that isolates the workload to minimize your risk.
- Have you automated the process to reduce the required effort?
- Have you forgotten about patching your firmware and system BIOS? Hardware vendors ship security fixes too.
- Do you have a strategy to handle priority vulnerabilities?
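A patching schedule is only as good as your ability to see where it is slipping. The script below is an added example, not from the original post or from Microsoft, that pulls the facts behind the questions above for the local Windows host: pending updates from the Windows Update Agent (with Critical ones pending longer than an assumed 14-day SLA flagged), how long it has been since anything was installed, the BIOS release date, and whether the OS is one of the releases that leave support in January 2020. The SLA, hotfix-age and firmware-age thresholds are assumptions; `Get-CimInstance` requires PowerShell 3.0 or later, so the very 2008 R2 box you are hunting for may need its Windows Management Framework updated before this runs on it.

```powershell
# Added example: report the patch posture of the local host. Not from the original post.
# Assumptions: the SLA/age thresholds below are placeholders; adjust to your policy.

function Get-PatchPosture {
    param(
        [int]$CriticalSlaDays  = 14,  # assumed: Critical updates must be installed within 14 days
        [int]$MaxHotfixAgeDays = 45,  # assumed: no host should go 45 days without any patch
        [int]$MaxBiosAgeYears  = 3    # assumed: firmware older than this warrants a vendor check
    )
    $now      = Get-Date
    $findings = @()

    # 1. Pending updates via the Windows Update Agent COM API (honours WSUS if the host points at one).
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates
    foreach ($u in $pending) {
        $age = ($now - $u.LastDeploymentChangeTime).Days
        if ($u.MsrcSeverity -eq 'Critical' -and $age -gt $CriticalSlaDays) {
            $findings += "SLA BREACH: Critical update pending $age days: $($u.Title)"
        }
    }

    # 2. How long since anything at all was installed.
    $lastHotfix = Get-HotFix | Where-Object InstalledOn |
                  Sort-Object InstalledOn -Descending | Select-Object -First 1
    if ($null -eq $lastHotfix) {
        $findings += "NO HOTFIX HISTORY: Get-HotFix returned nothing"
    } elseif (($now - $lastHotfix.InstalledOn).Days -gt $MaxHotfixAgeDays) {
        $findings += "STALE: last hotfix $($lastHotfix.HotFixID) installed $($lastHotfix.InstalledOn.ToShortDateString())"
    }

    # 3. Firmware: the BIOS release date the vendor stamped into SMBIOS.
    $bios = Get-CimInstance -ClassName Win32_BIOS
    if ($bios.ReleaseDate -lt $now.AddYears(-$MaxBiosAgeYears)) {
        $findings += "OLD FIRMWARE: $($bios.Manufacturer) BIOS $($bios.SMBIOSBIOSVersion) released $($bios.ReleaseDate.ToShortDateString())"
    }

    # 4. Legacy OS: Windows Server 2008 R2 and Windows 7 leave extended support in January 2020.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    if ($os.Caption -match '2008 R2|Windows 7') {
        $findings += "LEGACY OS: $($os.Caption) - isolate the workload and plan its replacement"
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        OS              = $os.Caption
        PendingUpdates  = $pending.Count
        PendingCritical = @($pending | Where-Object MsrcSeverity -eq 'Critical').Count
        LastHotfix      = if ($lastHotfix) { $lastHotfix.InstalledOn } else { $null }
        BiosReleased    = $bios.ReleaseDate
        Findings        = $findings
    }
}

Get-PatchPosture | Format-List
```

Run it under an account that can query Windows Update, or wrap the function in `Invoke-Command` to gather the same object from every server and feed the `Findings` column into whatever tracks your priority vulnerabilities. An empty `Findings` array is the state your patching schedule is supposed to keep every host in.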
Your Network Design Matters
It’s no longer a question of if someone will get in. We have to plan for when someone gets in.
Your network design becomes a vital layer in preventing nefarious actors from moving around your network once they’re in. The process of network segmentation takes some forethought, but it can be accomplished.
- Do you know what systems actually need to talk to each other? It’s not safe to assume that because it’s within your network, you’re protected.
- Are you keeping backups of your network configuration?
- As you move workloads to the public cloud, has your network been designed to accommodate and protect this traffic?
- Do you frequently review & monitor who has access to your network?
- Are you reviewing network logs for signs of attack and unauthorized access attempts?
Identity Management and Access Controls
The days of trusting a password alone for access control are long gone. Most industries have regulatory requirements in place to elevate your security posture. Are you properly aligned to your regulatory authorities?
Per Microsoft, setting your Identity Management baseline becomes the core of your security strategy moving forward. Paying a little attention here can go a long way over the course of time. Here is a quick starting point to walk through the basics. We often knock this out as a quick solution brief for our clients.
You can dig in deeper on creating a multi factor authentication strategy in our post 6 Things to Consider When Deploying MFA. This is a great starting point for the journey, but there are some related questions that also need to be asked.
- Have you deployed multi factor authentication beyond the standard user controls? Have you also applied this approach to your systems and network management?
- Do you have strong password management practices? Not only for your users, but also for your service and system accounts?
- Is your password policy grounded in current guidance? Forced 30-day rotation is no longer recommended: NIST SP 800-63B advises against arbitrary periodic changes, and Microsoft dropped password expiration from its security baseline in 2019. Favor length, screening against known-breached passwords and MFA, and force a change when there is evidence of compromise.
- Do you have periodic reviews of who has access to core file systems?
- What is the cadence of said audits?
- Who has the authority to approve file and data access for your business?
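Every question in this list has a factual answer sitting in Active Directory; the access review only has teeth when someone pulls those facts on a schedule and signs off on them. The script below is an added example, not code from the original post or from Microsoft, and needs the ActiveDirectory RSAT module. It reports the effective domain password policy, the enabled accounts whose passwords never expire (usually service accounts, each of which needs an owner and a rotation plan because no password-age rule will ever touch it), enabled accounts nobody has logged into for 90 days, and the recursive membership of Domain Admins as the list to review. The 90-day threshold and the CSV export path are assumptions.

```powershell
# Added example: gather the facts for an identity and access review. Not from the original post.
# Assumptions: requires the ActiveDirectory module; the stale-account window and export path are placeholders.

Import-Module ActiveDirectory

function Get-IdentityReview {
    param([int]$StaleDays = 90)   # assumed threshold for an "unused" account
    $cutoff = (Get-Date).AddDays(-$StaleDays)

    # Effective policy as actually configured, not as the policy document says.
    $policy = Get-ADDefaultDomainPasswordPolicy

    # Passwords that never expire outlive every rotation rule; list them so each has an owner.
    $neverExpires = Get-ADUser -Filter "PasswordNeverExpires -eq 'True' -and Enabled -eq 'True'" `
                        -Properties PasswordLastSet, ServicePrincipalName

    # Enabled but unused: former staff, forgotten test accounts, or a foothold nobody notices.
    $stale = Get-ADUser -Filter "Enabled -eq 'True'" -Properties LastLogonDate |
             Where-Object { $_.LastLogonDate -and $_.LastLogonDate -lt $cutoff }

    # Who actually holds the keys, including membership through nested groups.
    $admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
              Where-Object objectClass -eq 'user' |
              Get-ADUser -Properties PasswordLastSet, LastLogonDate

    [pscustomobject]@{
        MinPasswordLength  = $policy.MinPasswordLength
        MaxPasswordAgeDays = $policy.MaxPasswordAge.Days
        LockoutThreshold   = $policy.LockoutThreshold
        NeverExpires       = @($neverExpires | Select-Object SamAccountName, PasswordLastSet)
        StaleAccounts      = @($stale        | Select-Object SamAccountName, LastLogonDate)
        DomainAdmins       = @($admins       | Select-Object SamAccountName, PasswordLastSet, LastLogonDate)
    }
}

$review = Get-IdentityReview -StaleDays 90
$review | Format-List

# Export the privileged list so the review cadence leaves an artifact someone signed off on.
$review.DomainAdmins | Export-Csv -NoTypeInformation -Path ".\domain-admins-$(Get-Date -Format yyyyMMdd).csv"
```

`LastLogonDate` is replicated only every 9 to 14 days by default, so treat the stale list as a starting point rather than proof; and the same review should be repeated for any local administrator groups, network device accounts and cloud directories that sit outside this domain.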
Again, most of these questions target a procedural approach. You likely have the technology to enable these core practices. Remember, you need to be intentional in your design and process to improve your posture.
End User Computing
End User Computing is not as simple as just deploying a management solution that captures the presence of known vulnerabilities. In fact, this may be the most complex layer of the equation.
We always approach the end user layer with heightened sensitivity. The technologies we deliver are to support our end users as they drive revenue and support the core business mission. Thus, the actions and strategies in the technical domain need to limit the disruption to existing business process as much as possible.
All that said, to improve your security posture, we also need to protect the businesses we serve from the constant threats that target this layer of our ecosystem.
- Are you educating your end users about the known threats and reminding them to be vigilant in their daily work?
- What do your controls look like for remote users? How do you successfully deliver and manage their experience without limiting their success?
- What do your DLP (data loss prevention) controls look like? Do you have any controls at all?
- Are you monitoring for abnormal behavior or actions within your user base?
- How are you managing access across your network for all of the devices your employees bring to work?
Where to go from here…
Understanding the risks here is not difficult. More importantly, have you properly communicated the risks to your business?
Beginning this journey doesn’t just reside within the responsibility of our security teams. As systems engineers and network administrators, we need to own our layers appropriately.
If you need to push pause on life to institute new policies or procedures, please, for the sake of your business, do it. If you need an outside perspective, to ensure your core architectures and processes are in alignment with a solid security posture, raise a hand.
Like most things in life, improving your security posture is not a destination, it’s a journey. Remain committed to consistently reviewing your position to ensure you’re adapting to the forces that are seeking to compromise your work.