Cybersecurity Fundamentals

With the growing geopolitical instability in the world today, now would be a great time to review security fundamentals. If you are looking for ways to sharpen the tools in your cyber defense toolbox, here is a list of suggestions for your audit and technical teams:

Audit Suggestions

• Security Awareness Training – Consider adding more training with emphasis on social engineering and phishing attempts.
• Risk Exceptions – Readdress technology exceptions within your organization. With data exfiltration in mind, does group X really need access to online storage platforms and third-party email?
• Vendor Management – Open lines of communication with your critical vendors (for instance, a core banking provider) to validate what they are doing in response to the increased risk.
• Cybersecurity budgeting - If you are using a reactive or project-based approach to cybersecurity, now may be the opportunity to articulate the need for a dedicated budget.
• Incident Response – Do you have IR scenarios related to cybercrime (DDoS, ransomware, breach/compromise, etc.)? A walkthrough of existing IR plans or a tabletop to flush out specifics may be in order.
• Least privilege access reviews – Ensure your users, accounts, and processes are restricted to only resources that are absolutely required to conduct business. This would include their access in Active Directory, as well as resources accessible via remote access.
• Time of day/day of week restrictions – It is best practice to limit the dates and times that a user can login using Active Directory. If you already have these set, now is the time to review and tighten up where possible.

Technical Suggestions

• Backups – Be certain you have timely backups of all critical infrastructure and file shares. Test your backups regularly!
• Event & Log File Management – Review and increase logging verbosity as needed. Should the unthinkable happen, you will want a full picture across your systems to provide to a forensic investigator or otherwise.
• Review Firewall Rules – Overly permissive firewall rules for direct vendor connections should be tightened up. While time consuming, a rule base that only allows the services you and the vendor need to operate increases security posture. Larger vendors can be high priority targets, and if they are compromised, unrestricted network access could allow attackers to easily pivot into their customer’s networks.
• Alerts – Institutions should go through a ‘tuning phase’ when a SIEM or other log management system is deployed. Be sure to verify your configured alerts align with policy and confirm that you are alerted when privileges are escalated (e.g., a domain user is elevated to the Domain Administrator group).
• Multi-factor authentication (MFA) – Where available, always use out-of-band MFA to reduce the risk of unauthorized system access (don’t forget your cloud systems, public management forums, and remote access, to include any managed or technical service providers).
• Patching – Sometimes the best offense is a good defense. Grab that low-hanging fruit and ensure all firmware and software is up to date. Be sure to include a sweep of your routers, firewalls, virtual infrastructure, O/S updates, third-party software (ahem – Oracle Java JRE!), etc.
• Geo-blocking – Often found as a firewall service, this can be useful to prevent less sophisticated attackers, however IP Spoofing is trivial for more advanced attacks. Thus, geo-blocking by IP is best to be used as an additional layer to an already strong security foundation.

While now is certainly not a time for panic, it is an opportunity to review this list and continue building up your cybersecurity posture. If you have any questions or concerns, please feel free to reach out to your salesperson. As always, we are here to help and provide guidance where possible.

Authored by:Benjamin Caruso & Greg Peterson, CEH