By: Justin Silbert
Traditional cybersecurity practitioners and almost all IT staff view their security architecture as a defense-in-depth strategy starting at the network perimeter. But both the threats and the environments continue to adapt every day in ways that we cannot anticipate. Today’s malware is designed to exploit zero-day vulnerabilities and continuously mutate in order to slip through signature-based protections. Insider threats can be crippling to an organization. IT environments are no longer contained within an organizational trusted network. Our environments stretch to the cloud, to our mobile devices, to critical infrastructure, and so on. The perspective that security starts at the perimeter is antiquated and needs a revamp. Consider evaluating your defense-in-depth strategy from the inside out.
Start with your typical user machines on your “trusted” network. In fact, assume you don’t have a trusted network. How might that change your configurations?
- Privileged Account Security. The easiest thing a company can do to lower risk is to control administrative privilege. Most organizations separate admin from user privilege, but attackers find ways to circumvent this by escalating privilege or hijacking a privileged user account. Consider enforcing two-factor authentication for all accounts, but especially for all privileged accounts, and ensure password management practices are enforced. There are also a number of solid access management solutions that are worth the investment.
- Host Firewalls. Do your workstations need to communicate with each other? One of the most common mistakes organizations make is to not employ their host firewalls, or to configure them to be wide open when on the company network. Many flavors of malware will search your network looking for machines accepting connections and then infect them. Properly configured host firewalls will prevent worms, which are becoming the norm with ransomware, from spreading across your network. Limit host-to-host communication.
- Email Client. Most organizations rely on their email spam filter or other expensive technology to identify suspicious hyperlinks and block malicious attachments. But controlling which clients are authorized for use and properly hardening the email client are imperative. Configuring the client to display hyperlink details to the user and reducing the email to plaintext can go a long way to preventing attacks.
- Remove Unnecessary Software. Unnecessary software is typically unmanaged and unpatched, creating an easy attack vector. Especially on servers, there is usually no reason to have Office products, Java, or Adobe. Additionally, servers should only have the services required installed and active. There is no reason to have IIS running on a file server or have SMTP relay enabled unless it is used specifically for relay.
- Database Protection. While many organizations believe they will be attacked for their business intellectual property, valuable information that can be monetized usually sits in databases. For example, any Human Resources or Payroll database would have PII, SSN, and other financial information. This information has monetary value to an attacker, who can resell it. Put proper protections in place on all databases, and encrypt databases whenever possible.
- Code Execution. When a user opens an email attachment or tries to run a downloaded program, what location is this running from? Blocking execution from User profiles, Temp folders, or other non-standard locations can go a long way to preventing malware from executing. Whitelist specific directories that are approved for execution.
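
To make the Code Execution item concrete, here is an added example (not from the original article) that replays process-creation records against a directory allowlist to show what such a policy would block before it is enforced. The approved directories and the sample events are constructed assumptions; adjust them to your environment.

```python
import ntpath
import re

# Assumption: directories approved for execution at this (hypothetical) site.
APPROVED_DIRS = [r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)"]

# Locations the article says to block; checked first so that a temp folder
# inside an approved tree (C:\Windows\Temp) is still denied.
BLOCKED = [
    ("user profile", re.compile(r"^[a-z]:\\users\\[^\\]+\\")),
    ("temp folder", re.compile(r"\\(temp|tmp)\\")),
]

def classify(image_path):
    """Return (verdict, reason) for one executable path."""
    # normpath collapses ".." so a traversal out of an approved directory
    # is judged by where the file really lives.
    norm = ntpath.normpath(image_path).lower()
    for reason, pattern in BLOCKED:
        if pattern.search(norm):
            return ("block", reason)
    for approved in APPROVED_DIRS:
        # Require a separator after the prefix so "C:\Program Files Evil" fails.
        if norm.startswith(approved.lower() + "\\"):
            return ("allow", approved)
    return ("block", "not in an approved directory")

def review(events):
    """Return the events an allowlist policy would have blocked."""
    flagged = []
    for user, image in events:
        verdict, reason = classify(image)
        if verdict == "block":
            flagged.append((user, image, reason))
    return flagged

# Constructed sample process-creation records (user, executable path).
SAMPLE_EVENTS = [
    ("alice", r"C:\Program Files\Vendor\app.exe"),
    ("alice", r"C:\Users\alice\Downloads\invoice.exe"),
    ("svc_backup", r"C:\Windows\Temp\setup.exe"),
    ("bob", r"C:\Program Files\..\Users\bob\AppData\Local\Temp\a.exe"),
    ("bob", r"C:\Program Files Evil\x.exe"),
]

if __name__ == "__main__":
    for user, image, reason in review(SAMPLE_EVENTS):
        print(f"WOULD BLOCK  {user:<10} {image}  ({reason})")
```

Running a review like this over real process logs first shows which legitimate tools run from blocked locations, so they can be relocated before the policy is enforced.
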
All of these suggestions can significantly reduce the probability of a compromise by hardening the environment and making it harder for an attacker. But compromise is inevitable, so keep your eyes open and continue to monitor your environment.