Intended Audience
Everyone can benefit from all or certain portions of these recommendations:
- Organizations of all sizes - even most Fortune 500 companies do not do everything listed here, so organizations large and small can benefit from these recommendations.
- Home users - although most of the enterprise-level recommendations will not be applicable for your home computer systems, a lot of the other topics will. Additionally, if you work in an enterprise, this entire guidance will help you understand and appreciate what your IT department is dealing with.
- Executives - the takeaway for you is that mitigating these risks requires adequate staffing and funding.
Executive Summary
This guidance discusses various information and cybersecurity risks while providing defense strategies across different areas of information technology and user behavior. Risks discussed include data compromise, account takeovers, malware attacks, legal consequences for mishandling regulated data, and so on. Recommendations are made related to user training, network security, system administration, mobile device security, backups, vulnerability disclosure policies, monitoring and response, vendor solutions, and more.
Some of these recommendations require no additional purchases or exceptional experience to execute, yet provide a huge reduction in risks. Other things do require a bit of knowledge and investment in additional hardware and software but are also vital to keep you secure. Start where you can because every change made towards a secure network reduces the risks of a breach.
This guide is not comprehensive; it just scratches the surface of a secure baseline. If you and your team feel this is overwhelming, it’s likely a sign that you have a grossly underfunded Information Technology/Information Security budget. Of the organizations we test, there is often a correlation between funding and how secure we find the organization to be. However, this is more than simply “throwing money” at the problem and “hiring more people”; it also requires strategic hiring and planning.
If you do not have the in-house expertise or bandwidth to carry out these recommendations, look to an outside Managed Service Provider (MSP) that specializes in secure IT infrastructure design, build, configuration, and maintenance, in addition to general IT services, fractional CISO support, and consulting. Feel free to reach out to us and we can help get you connected with a trusted referral.
Once you have a measure of security in place, you’ll want to validate your controls by calling on an experienced offensive security provider (aka “pen testing firm”) who specializes in testing and independently validating what has been done. PEN Consultants would be honored to serve you in this role - please reach out to discuss the next steps when ready.
Risks
Before we discuss how to defend against cyber attacks, we must first understand what we are protecting. The following are some notable risks:
- Compromise of your organization’s, employees’, clients’, and users’ confidential information.
- PII (personally identifiable information), such as names, email and physical addresses, SSNs, DOBs, DLs, etc.
- Financial information
- Intellectual property and trade secrets
- Health records
- Attorney client privilege, counselor records, and the like
- Account takeovers (ATOs) of your corporate accounts, third-party/cloud accounts, financial accounts, and so on. It’s important to note that just one account or endpoint being compromised can often lead to the attack “laterally moving” to other accounts and services of that same user, as well as “privilege escalating” to other users’ accounts and services, and even to administrative access.
- Malware, ransomware, extortion, and denial of service (DoS)
- Website defacement and brand reputation
- The larger your online presence, the more data you collect and store, and the more sensitive that data is, the higher your risk.
- Sacrificing security for usability and user experience - those are usually competing goals, and security often seems to take a back seat.
- Slow financial drain after an ATO - small transactions spread out over time so that they go unnoticed.
- Federal prosecution and lawsuits over the improper protection of educational information (FERPA), medical information (HIPAA), and other regulated data.
- Cost of a data breach - $164 per record, per IBM and Ponemon's report. This tends to be higher for healthcare ($417), finance ($236), and other industries. Just the identity protection service you will likely have to purchase for affected users can cost ~$100 per record/person, in addition to fines and legal fees. Consider the number of records in your databases and multiply by $164 to gauge the potential costs of a breach.
Top 10 industries affected by data breaches (2023, statista.com)
- Healthcare - 25.82%
- Financial services - 23.75%
- Professional services - 9.83%
- Manufacturing - 8.27%
- Education - 5.52%
- Technology - 5.33%
- Retail - 3.80%
- Non-profit - 3.35%
- Transportation - 3.22%
- Government - 3.19%
Users
It is often said throughout IT departments everywhere, “No matter what we do, one of our users is going to do something stupid and cause us to get breached.” However, the responsibility of a breach is often a shared one – insufficient technical controls and training provided by the organization, along with careless users.
Users need to be trained (see training section) to avoid performing dangerous actions or falling for social engineering attempts, and to report it when it happens. But the IT professional(s) must also keep in mind that non-IT people will only be capable of so much, so they must be protected from themselves to some degree.
Two things are often simultaneously true in most organizations:
- The users are one of the weakest links that are likely to cause a breach, and it only takes one person to cause a data breach.
- The users are an integral part of the security of your organization and are on the front line of defense. It only takes one vigilant user’s report of “something strange” (ex. reporting a phishing email they clicked) to foil an attacker and stop a breach.
It’s important to understand that the average non-IT user may not even know they've made a mistake until it's pointed out. By being overly critical about security failures, you can drive your users to never report a dangerous action they’ve made.
Consider consequences for users who fall for social engineering in the future, be it real or testing:
- Out-of-cycle compliance training
- Meeting with a manager
- Temporary removal of accesses (ex. web access) and/or placement into a less risky job function if there are repeat failures
- Other consequences some companies choose to use (PEN Consultants does not endorse these): monetary penalties and/or termination
Consider rewards for users who quickly report social engineering attacks, be it real or testing:
- Rewards would only be for the first X who report and/or those who report within Y minutes, as time is of the essence with a social engineering campaign.
- Gift card, spot bonus, lunch with manager, public recognition, etc.
Bottom line: Impart the perspective to your users that they are an integral part of the security of your organization, not a weak link that is likely to cause a breach...even though both are likely true.
Network Security
Network security components include routers, switches, wireless access points (WAPs), firewalls, cabling, and so on. The design, selection, and configuration of these hardware components and devices is important to maintain the security of the core of your network.
- Use managed network gear, not a $50 Small-Office-Home-Office (SOHO) device from the local box store. For small organizations, Ubiquiti is a good value option, but Palo Alto (for example) is more enterprise-level. We do NOT recommend Fortinet (example reason: https://penconsultants.com/blog/miscellaneous/responsible-vulnerability-disclosure/).
- Isolation and segregation - Prevent devices on the network from reaching each other.
- By default, no two devices should be able to see/ping each other. Only allow devices to be reached by another if needed (ex. to a printer). Many attacks can be prevented by implementing this and minimizing lateral movement during a breach.
- Use VLANs - group and segment as much as possible - workstation, servers, printers, IoT, etc.
- If some systems are required to have higher risk configuration settings (ex. no screen lock, shared passwords, etc.), move them into a highly isolated environment and ensure no sensitive processes are performed on those systems. Examples: kiosks, multimedia systems, etc.
- Do NOT connect corporate devices to guest networks.
- Potentially use separate ISP connections for guest vs corporate networks.
- Firewall: Often overlooked is the need to also control outbound (egress) traffic - nothing should leave your network unless it traverses your security stack and is properly controlled. Example: allowing unrestricted outbound DNS lets a user bypass your internet filter by pointing at an external resolver, and gives malware a ready-made covert channel (DNS tunneling) for command-and-control and data exfiltration; force all DNS through your authorized resolver. Likewise, web traffic should be forced through a web proxy.
- Internet content and category filtering. Sure, you want to block NSFW stuff, but you also want to block known malicious sites to minimize the chances of infection.
- Implement Bandwidth Quality of Service (QoS) settings as needed. Although this is mainly a performance consideration, without it a single misbehaving or compromised device can saturate the link and cause a denial of service (DoS) for everyone else.
- Keep unused switch ports “downed” from a software configuration perspective so someone cannot simply plug into a “hot” jack and gain access to your network.
Perimeter Security
For this category, we will include anything publicly exposed and accessible, including 3rd party cloud services which may be proxying data before it reaches your network.
- Firewall: block everything. If there is an external service that you need open, restrict access to a small list of authorized sources. If you have it open to the world, enable strong application-level controls (details dependent on the service).
- Implement robust email security! There is a lot of attack surface with email - people passing their password lists to themselves (bad practice, see password section), the ability to reset passwords to cloud/3rd party accounts (especially without MFA), phishing other users from an internal trusted account, etc.
- Use the industry-recommended methods to validate the sender - reverse DNS lookups, SPF, DKIM, and DMARC - and ensure they are actually enforced, not just published: an SPF record ending in “~all” (softfail) or a DMARC policy of “p=none” only marks or monitors, while “-all” (hard fail) together with “p=reject” is what actually instructs receivers to reject mail that fails. https://mxtoolbox.com/SuperTool.aspx
- Force authentication for senders claiming to be a member of your domain - i.e. reject inbound mail that uses your own domain in the From address unless it passes SPF/DKIM alignment.
- Filter mail through a reputable security solution such as Proofpoint or Mimecast which includes a number of features and capabilities that combat evolving threats.
- Prepend “[EXTERNAL]”, or a similar tag, to the subject of all email originating outside the organization, so users can spot messages that merely claim to come from a colleague.
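The SPF and DMARC checks above are easy to get half right: a record can exist and still enforce nothing. The following script is an added example (not code from the original guide) that parses the TXT record strings a DNS lookup returns and reports whether the policy is actually enforcing. The two domains and their records are constructed samples, not real lookups.

```python
"""Judge whether published SPF and DMARC records actually enforce anything.

Added example, not code from the original guide. Feed it the TXT record
strings a DNS lookup returns for yourdomain and _dmarc.yourdomain; the
records below are constructed samples for made-up domains.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# SPF mechanisms that cost a DNS lookup (RFC 7208 caps these at 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
DMARC_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


@dataclass
class Verdict:
    enforcing: bool
    issues: list[str] = field(default_factory=list)


def evaluate_spf(record: str) -> Verdict:
    """Enforcing means the record ends in '-all' and stays within 10 lookups."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return Verdict(False, ["not an SPF record (missing v=spf1)"])
    issues, lookups, all_qual = [], 0, None
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)([a-z0-9]+)(?:[:=/].*)?", term, re.I)
        if not m:
            issues.append(f"unparseable term: {term}")
            continue
        qual, mech = m.group(1), m.group(2).lower()
        lookups += mech in LOOKUP_TERMS
        if mech == "ptr":
            issues.append("ptr mechanism is deprecated (RFC 7208)")
        if mech == "all":
            all_qual = qual or "+"          # a bare 'all' means '+all'
    if lookups > 10:
        issues.append(f"{lookups} DNS lookups exceeds the limit of 10 (permerror)")
    if all_qual is None:
        issues.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qual == "+":
        issues.append("'+all' authorises the entire internet to send as you")
    elif all_qual == "?":
        issues.append("'?all' is neutral: spoofed mail is not marked as failing")
    elif all_qual == "~":
        issues.append("'~all' is softfail: receivers usually mark, not reject")
    return Verdict(all_qual == "-" and lookups <= 10, issues)


def evaluate_dmarc(record: str) -> Verdict:
    """Enforcing means p=reject, sp=reject (or inherited) and pct=100."""
    tags: dict[str, str] = {}
    for part in filter(None, (p.strip() for p in record.split(";"))):
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return Verdict(False, ["not a DMARC record (missing v=DMARC1)"])
    issues = []
    policy = tags.get("p", "").lower()
    sub_policy = tags.get("sp", policy).lower()     # sp defaults to p
    pct = int(tags.get("pct", "100"))
    if policy not in DMARC_STRENGTH:
        issues.append("missing or invalid 'p' tag")
    elif policy == "none":
        issues.append("p=none only monitors: spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine sends spoofs to spam instead of rejecting")
    if DMARC_STRENGTH.get(sub_policy, 0) < DMARC_STRENGTH.get(policy, 0):
        issues.append(f"sp={sub_policy} is weaker than p={policy}: subdomains can be spoofed")
    if pct < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        issues.append("no rua= address: you will never see who is spoofing you")
    return Verdict(policy == "reject" and sub_policy == "reject" and pct == 100, issues)


# Constructed sample records for made-up domains.
SAMPLES = {
    "weak.example": ("v=spf1 include:_spf.mailhost.example ~all",
                     "v=DMARC1; p=none; rua=mailto:dmarc@weak.example"),
    "strong.example": ("v=spf1 ip4:192.0.2.0/24 mx -all",
                       "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@strong.example"),
}

if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLES.items():
        for kind, verdict in (("SPF", evaluate_spf(spf)), ("DMARC", evaluate_dmarc(dmarc))):
            print(f"{domain:16} {kind:6} {'ENFORCING' if verdict.enforcing else 'NOT ENFORCING'}")
            for issue in verdict.issues:
                print(f"{'':23}- {issue}")
```

Run it against your own records by pasting the TXT strings into SAMPLES. A “weak.example” style result (softfail plus p=none) is the common state we find: the records exist, reports may even be flowing, but nothing is being rejected.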
Windows vs MacOS vs Linux
Which is the best option for corporate environments - Windows, MacOS, or Linux? BLUF: Microsoft Windows in most cases.
- There are many considerations for making this decision: security, usability, user familiarization, compatibility with needed hardware/software, vendor security culture, attacker trends, ease of administration, and so on.
- Mainstream Linux distributions could arguably be considered the most secure, but are harder to manage in a corporate setting due to the lack of vendor solutions and integrations. Not to mention, most users are not going to be familiar with it, and most 3rd party hardware and software the corporation needs will not work with it. Many offensive security people run Linux, but it is arguably not the best for corporate networks.
- MacOS is not inherently more secure than Windows (for example), but there are some aspects that make it more secure and some aspects that make it less secure. Apple has long bragged about the security of MacOS, but their security practices are far from perfect, and the vulnerabilities that have come out show that. The fact that their marketing used to downplay the risks is concerning. However, there are fewer attacks against MacOS than Windows, which is one of the arguments for why some think it is more secure. That is largely due to a much lower market share, though, specifically in the corporate world, so there is little value for attackers to come after MacOS. In our experience, MacOS in a corporate environment is easier to compromise than Windows.
- Windows is far from perfect in terms of secure code, and is heavily attacked. However, management and monitoring solutions are laser-focused on Windows (far more so than other OSs), making Windows generally the best option overall for corporate networks.
System Administration
Secure configuration of workstations and servers, adoption of effective policies and procedures, and general hygiene.
- Ensure you have a complete inventory of all systems. Not only does this help you with financial budgeting, but it helps with security as well. During our testing, more often than not, we find unknown assets in a network (ex. shadow IT), and often those devices have vulnerabilities and misconfigurations that allow exploitation. After all, how can you defend what you don’t know about? Do the inverse as well - set up notifications when a workstation or laptop hasn’t “checked in” for a while, as that could be an indicator of theft.
- Active Directory and AD Group Policy
- What is it? Active Directory provides the infrastructure for managing network resources and identities, while AD Group Policy extends this functionality by allowing administrators to define and enforce configurations and policies to maintain security, compliance, and standardization within the networked environment.
- Carefully plan out your access control and management strategy within AD/GP, as there are a lot of pitfalls to avoid. Exploiting delegation weaknesses, lack of secure configurations, or Active Directory itself is common during our testing. This is a complete topic by itself, but to get started, check out https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory
- If you are inclined to also incorporate MacOS or Linux in your environment, it’s important to control access and manage configurations on those systems as well! There are standalone solutions to manage each, but it is often easier and advisable to integrate these into your core AD/GP framework by utilizing a 3rd party solution that includes agents running on the endpoints and plugins within AD/GP such as Delinea (FKA Centrify) or JumpCloud.
- Anti-virus (AV)
- For the purpose of this discussion, we will call any program that detects/prevents malware, simply “Anti-virus” or AV for short - be it “anti-virus”, “anti-malware”, “security protection”, etc.
- Assuming you’re following the other recommendations in this document (limited user accounts, verifying software before installing, web and email inspection, etc.), AV adds comparatively little.
- AV does not prevent malware infections! AV reduces the chance of a malware infection by detecting/blocking a small subset of known malware, malware behaviors, malware infrastructure, and so on. There is no AV solution that we have not bypassed, and the majority are fairly easy to bypass. AV will catch “drive-by” malware and potentially even a small subset of basic custom malware, but it is not going to stop someone of intermediate to advanced skill from coming after you.
- Keep AV updated constantly! Have it check for updates every hour or less. AV is already of limited value, but if it does not have the latest rules/signatures/engines/etc., it will be close to worthless.
- Beware of marketing gimmicks: If a vendor says they are “99%” or “100%” accurate, they are liars. No other way to put it. You should look elsewhere.
- Dealing with infected endpoints - reimage at least the OS, and perhaps the firmware as well.
- If an endpoint gets infected, reimage it. Don’t try to “clean it”. Some malware (ex. rootkits) is nearly impossible to remove completely as they’ve hooked low-level functionality of the OS and resist most attempts to remove it.
- Advanced malware can even embed itself in firmware (BIOS/UEFI, disk drive controllers), so re-imaging only the OS would not remove it.
- Regardless of sophistication though, how sure are you that you’ve removed all of the malware?
- Even as individuals who write malware ourselves, when we are testing our malware, we rarely rely on “we got it all cleaned up” before calling it clean. We revert to known good snapshots of VMs before claiming “clean”.
- Application whitelisting - Only allow authorized apps to run. Example solution: Windows Defender Application Control. This is one of the best defenses in preventing any type of malware from gaining execution on an endpoint.
- Do not adopt power-saving or end-of-day shutdown SOPs for devices that are “always plugged in”! Do not allow them to sleep/hibernate, and do not ask your users to turn them off. The risk of a device being off when patches are pushed (and so not receiving timely updates) outweighs what little power is saved - especially with modern ultra-low-power devices.
- Restrict removable media (CD/DVDs, USB drives, etc.) in computers, printers, and so on. Use a trusted agent(s) to handle the media and upload needed data to a share. Those people should be highly trained IT types who understand the risks. This can often be done via software, but there are hardware methods as well - removing the drives/ports, gluing ports shut, etc.
- Firewalls: Just like perimeter firewalls, host-based firewalls are important. In addition to being an extra layer of security, they provide access control for internal (east-west) traffic that never traverses a perimeter firewall, and they are vital for mobile devices (ex. laptops) that leave the network and the protection of your normal security stack. Use the most restrictive policy possible (ex. default block).
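The inventory point above has two halves: finding devices on the network that are not in the inventory (shadow IT), and noticing inventoried devices that have stopped checking in. The script below is an added example (not code from the original guide) that does both. The inventory CSV and the DHCP lease lines are constructed sample data in a simplified format of our own; real DHCP, NAC or management-agent exports differ in layout, so the parsers are the part you would adapt.

```python
"""Reconcile the asset inventory against what is actually on the network.

Added example, not code from the original guide. Devices seen on the wire
(here, DHCP lease lines) whose MAC is not in the inventory are candidate
shadow IT; inventoried devices that have not checked in for too long may be
stolen or missing patches. All data below is constructed sample data in a
simplified format of our own.
"""
from __future__ import annotations

import csv
import io
from datetime import datetime, timedelta

INVENTORY_CSV = """\
hostname,mac,owner,last_checkin
WS-FIN-01,00:1A:2B:3C:4D:01,finance,2024-05-02T08:55:00
LT-SALES-07,00:1a:2b:3c:4d:07,sales,2024-04-10T17:20:00
PRN-2F,00:1a:2b:3c:4d:20,facilities,2024-05-01T23:59:00
"""

# Constructed lease log: <timestamp> <ip> <mac> <client hostname>
DHCP_LEASES = """\
2024-05-02T09:14:00 10.10.20.57 00:1a:2b:3c:4d:01 WS-FIN-01
2024-05-02T09:15:12 10.10.20.58 3C-22-FB-AA-BB-CC raspberrypi
2024-05-02T09:16:40 10.10.30.12 00:1a:2b:3c:4d:20 PRN-2F
2024-05-02T09:17:05 10.10.20.61 a4:83:e7:11:22:33 Johns-iPhone
"""


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so 3C-22-FB-... and 3c:22:fb:... match."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_inventory(text: str) -> dict[str, dict]:
    """Inventory keyed by normalized MAC, with last_checkin parsed to datetime."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(text)):
        row["last_checkin"] = datetime.fromisoformat(row["last_checkin"])
        inventory[normalize_mac(row["mac"])] = row
    return inventory


def parse_leases(text: str) -> list[dict]:
    leases = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, mac, name = line.split(maxsplit=3)
        leases.append({"seen": datetime.fromisoformat(ts), "ip": ip,
                       "mac": normalize_mac(mac), "name": name})
    return leases


def unknown_devices(inventory: dict, leases: list[dict]) -> list[dict]:
    """Leases whose MAC the inventory has never heard of - chase these down."""
    return [lease for lease in leases if lease["mac"] not in inventory]


def stale_assets(inventory: dict, now: datetime, max_age: timedelta) -> list[tuple[str, int]]:
    """(hostname, days silent) for inventoried devices not seen within max_age."""
    stale = [(row["hostname"], (now - row["last_checkin"]).days)
             for row in inventory.values() if now - row["last_checkin"] > max_age]
    return sorted(stale, key=lambda item: -item[1])


def audit(inventory_csv: str = INVENTORY_CSV, leases_text: str = DHCP_LEASES,
          now_iso: str = "2024-05-02T12:00:00", max_age_days: int = 14) -> dict:
    """Run both checks; now_iso stands in for the current time in the sample."""
    inventory = load_inventory(inventory_csv)
    return {"unknown": unknown_devices(inventory, parse_leases(leases_text)),
            "stale": stale_assets(inventory, datetime.fromisoformat(now_iso),
                                  timedelta(days=max_age_days))}


if __name__ == "__main__":
    result = audit()
    for lease in result["unknown"]:
        print(f"UNKNOWN DEVICE {lease['mac']} {lease['ip']:15} {lease['name']}")
    for host, days in result["stale"]:
        print(f"STALE ASSET    {host} has not checked in for {days} days")
```

In the sample, the Raspberry Pi and the personal phone are not in the inventory, and the sales laptop has been silent for three weeks. Both lists are worth a ticket: the first to find out who plugged the device in, the second to confirm the laptop still exists.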
Mobile Devices
Mobile devices include laptops, phones, tablets, and any other computer systems that physically leave your premises and that utilize public networks at any time.
- VPN - hide the details of your traffic from the local network you are connected to.
- First, it is important to understand that VPNs, in some situations, can actually introduce more risks than they mitigate because
- it funnels your traffic through a 3rd party which may be even less trusted than your ISP, and
- depending on configurations, other VPN clients could likely communicate with services you have running on the host (SMB, SSH, HTTP, etc.) and compromise your system.
- However, if you are connected to an untrusted network (ex. a guest network), or public WiFi (at the airport), using a VPN is vital as the risk of using it is far lower than not.
- Example providers: Proton VPN, NordVPN, Brave VPN, etc.
- Secure DNS queries with DNS over TLS (DoT) and DNS over HTTPS (DoH)
- Even if your web traffic is encrypted, plain DNS is not: anyone on the same public network can see which hostnames you resolve, and therefore which websites you are visiting. (Note that the TLS Server Name Indication (SNI) field of an HTTPS connection typically reveals the hostname as well, so encrypted DNS alone does not fully hide your destinations.)
- Generally, if you are using a VPN, your DNS traffic is also tunneled through your VPN, but encrypting your DNS is still recommended to hide your DNS requests.
- To do this, you would configure your computer/mobile device to send your DNS queries to a trusted 3rd party. Because of this, it has a very similar risk/reward as VPN - you may want to use it in some situations, but avoid it in others.
- More information: https://techdocs.akamai.com/etp/docs/configure-dot-doh
- Lojack laptops - This may be overkill for some, but for more security-conscious users consider using tracking technology to locate and self-destruct laptops in the event they are stolen. Example: https://homeoffice.absolute.com/solutions/home-and-personal-computer/
- Use a trusted mobile carrier, ensure your porting passcode is not a default/well-known code, and make sure you actually HAVE a SIM lock PIN. SIM swap/port-out protections (some are carrier dependent):
- Use a SIM PIN
- Port freeze / Number Lock
- Enable carrier alerts
- Strong authentication to online cellular management portal
Bring Your Own Device (BYOD)
Personal device usage in and for the workplace has never been higher - i.e. Bring Your Own Device (BYOD) - from accessing corporate email on a personal phone to using a personal computer to remotely access the corporate network. This is in contrast to organization-owned and managed systems that have the full corporate security stack - software updates and managed configurations, monitoring software, anti-virus, etc.
Although managed corporate systems still come with risks, they are far less than unmanaged BYOD. Sure, it’s easier for the business manager to access the financial records from any device in the world, or the counselor to keep session notes on a personal laptop, and the IT guys to manage the computer equipment from the coffee shop computer terminal, but it’s far more dangerous.
Consider this: At any given time, it is estimated that one-fourth to one-third of personal computers are infected with malware. Some of that malware gives the malicious actor full remote access to the victim's computer. If that victim's computer is a BYOD device with remote access into your corporate network, then the malicious actor also has access into your corporate network via proxy as seen here: https://penconsultants.com/blog/exploits/citrix-xendesktop-exploit/
If you do choose to allow BYOD devices as part of your overall operations, consider the following:
- Require the use of a mobile device management (MDM) solution, which can force things on the device such as screen-locks, sufficiently strong passcodes, firewall, up-to-date AV and patches, jailbreak/root detection, etc. Some of these solutions can even provide monitoring and response capability. This is invasive in the sense that it takes over management (to a large degree) of the person’s PERSONAL device, which can also require special legal and authorization considerations, not to mention user adoption concerns.
- Require the use of a protected container for all corporate information to run within - i.e. “BYOD containerization” or “MDM containerization”. As the name implies, your corporate data remains in a “container” which uses isolation and encryption to minimize (but not eliminate) risks. These solutions can often still do some of the things a full MDM solution does, but they are far less intrusive. Their ability to make changes on the device is often limited or nonexistent, but they can often still “read” the device's settings and forbid the usage of the container unless the device is found to be in compliance.
Software Updates
According to Ponemon, 60% of data breaches involve the exploitation of unpatched vulnerabilities in one or more phases of the attack. Yet 99% of vulnerabilities have patches released before public exploitation, meaning those breaches could have been prevented. Here are a few key recommendations:
- Software Updates - endpoints, network gear, 3rd party software and appliances, mobile devices (phones and laptops), embedded/IoT devices, etc.
- It is critical to patch, and to patch as quickly as possible, when vendors release updates for known vulnerabilities.
- Critical vulnerabilities should be patched by end of day (EOD) or, if that is not practical, other sufficient mitigation(s) must be in place - up to and including taking the vulnerable system offline.
- Accepting the risk of leaving vulnerabilities in place could have extreme consequences, including, but not limited to, defacement of content, serious brand reputation issues, inclusion of malware and links to malware, ransomware, data breaches, phishing (i.e stealing users’ credentials), etc.
- The following document proposes a model with which to assess risk, appropriate action, and urgency for vulnerabilities of this class: https://tools.cisco.com/security/center/resources/vulnerability_risk_triage.html
- Example patch time policies, by severity:
- Critical: “work stoppage” to <48 hours
- High: 2 days to 2 weeks
- Medium: 30 to 90 days
- Low: 3 to 12 months
- Info: As able
- Likewise, keep 3rd party software and appliances patched
- If vendor products are up to date, and the software components they rely on in their products are out of date, contact the vendor and determine when they will upgrade their software/firmware dependencies.
- In the event the vendor is unwilling or unable to upgrade their frameworks without reasonable justification and compensating controls or mitigation, seek alternative vendor solutions.
- Create a process that monitors for updated versions of dependencies and software, especially security updates. The frequency should be, at minimum, a daily check and install.
- If your risk profile allows, consider enabling automatic updates where possible.
- Much software, including 3rd party software, has a built-in auto-update feature that can usually be enabled through group policy. Depending on the software, this may require a 3rd party administrative template or custom code.
- If pushing automatic updates is deemed to be too risky, create a process that identifies and alerts for new updates on a daily basis. The process should allow for test deployment and post-patch testing (ex. web app unit tests), followed by staged patching roll-out to all servers.
- Invest in a patch/package/configuration management solution:
- SCCM+WSUS+SCUP: For a time, SCCM (now Microsoft Configuration Manager) was the gold standard and supported not only Windows but also Unix-like platforms (Linux, Mac, etc.). Unfortunately, Microsoft has deprecated non-Windows client support. SCCM is still, arguably, the best solution for Windows endpoints.
- Azure Update Management claims to have as good, if not better, support for configuration and patch management across many systems/vendors (on-prem and cloud). PEN Consultants has yet to evaluate this service, but we would recommend considering it.
- Cross-platform: Although SCCM+WSUS+SCUP is the best option for Windows endpoints, you may want to consider an alternate solution that is cross platform, either in addition to the SCCM-based solution or instead of (ex. ManageEngine, Automox, LanGuard, etc.). A single solution would probably be easier to manage, but the costs would likely be higher than a split/hybrid solution.
- Only allow supported software installs and updates through the authorized package management solution. This will ensure only authorized software is installed and that it is installed in such a way that it can be updated when needed.
- Evaluate and plan for any software or firmware that cannot be managed by this solution, such as plugins, IoT firmware, software with neither an auto-update feature nor integration with your patch management solution, etc.
- Scan for vulnerabilities
- Invest in a vulnerability identification and management solution, such as Qualys, tenable.io, etc. More information and product comparisons can be found here: https://www.g2.com/categories/vulnerability-management.
- Endpoint solutions, such as CrowdStrike’s Falcon Spotlight, can often provide better ROI overall, but they may leave coverage gaps for non-workstation/server endpoint vulnerabilities (ex. network gear, IoT devices, etc.).
- Alternatively: PEN Consultants provides a service where we can periodically scan your environment.
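A patch-time policy like the one above only helps if someone is measuring against it. The script below is an added example (not code from the original guide) that turns the tiers into an overdue report: it maps CVSS scores to severity bands using the CVSS v3 qualitative scale, treats the upper bound of each tier as the hard deadline (our assumption; “work stoppage” for critical is read as 2 days), and lists findings already past that deadline. The scanner export is constructed sample data; real Qualys/Tenable exports have more columns, so the CSV reading is the part to adapt.

```python
"""Turn the example patch-time policy into an overdue-findings report.

Added example, not code from the original guide. SLA_DAYS is the upper
bound of each tier in the policy above (our assumption); the CVSS mapping
is the CVSS v3.x qualitative scale. SCAN_EXPORT is constructed sample data.
"""
from __future__ import annotations

import csv
import io
from datetime import date, timedelta

# Days allowed after the vendor releases a fix. "Info" has no deadline ("as able").
SLA_DAYS = {"critical": 2, "high": 14, "medium": 90, "low": 365}
RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

SCAN_EXPORT = """\
host,finding,cvss,patch_released
web-01,OpenSSL update available,9.8,2024-04-29
web-01,TLS 1.0 enabled,6.5,2024-01-15
fileshare,SMB signing not required,5.3,2024-03-01
hr-app,Framework security update,8.1,2024-04-25
kiosk-03,Server banner disclosure,0.0,2024-04-01
"""


def severity_from_cvss(score: float) -> str:
    """CVSS v3.x qualitative severity rating."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score >= 0.1:
        return "low"
    return "info"


def deadline(severity: str, released: date) -> date | None:
    """Hard deadline for a fix, or None when the policy is 'as able'."""
    days = SLA_DAYS.get(severity)
    return None if days is None else released + timedelta(days=days)


def overdue_findings(export_text: str, today_iso: str) -> list[dict]:
    """Findings past their SLA, worst severity and longest overdue first."""
    today = date.fromisoformat(today_iso)
    overdue = []
    for row in csv.DictReader(io.StringIO(export_text)):
        severity = severity_from_cvss(float(row["cvss"]))
        due = deadline(severity, date.fromisoformat(row["patch_released"]))
        if due is not None and today > due:
            overdue.append({"host": row["host"], "finding": row["finding"],
                            "severity": severity, "due": due.isoformat(),
                            "days_overdue": (today - due).days})
    return sorted(overdue, key=lambda f: (-RANK[f["severity"]], -f["days_overdue"]))


if __name__ == "__main__":
    for f in overdue_findings(SCAN_EXPORT, "2024-05-06"):
        print(f"{f['severity']:8} {f['host']:10} {f['finding']:28} due {f['due']} "
              f"({f['days_overdue']} days overdue)")
```

Run daily, this gives the list that should be empty; a critical finding appearing on it means the “work stoppage” clause of the policy has already been missed.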
Wireless / WiFi
This section provides some basic recommendations for both the wireless infrastructure side, as well as the “user side” (AKA client side).
- Use wired connections, instead of wireless, for all devices whenever possible. In addition to better performance, wired connections are more secure than wireless connections.
- Disable the Auto Connect feature for all WiFi-enabled client devices.
- Reduce the radio’s power in the AP(s) so the range is just enough to meet your needs and not broadcast to “the entire street”. Generally speaking, more, less powerful APs are better than fewer, more powerful APs – from both a performance and security perspective.
- Use a nondescript SSID
- Use at least WPA2 (with AES/CCMP - TKIP is deprecated and weak) or, preferably, WPA3
- For SOHO networks: Strong passphrase/PSK (pre-shared key)
- Note: This does NOT prevent someone who knows the PSK (WiFi password) from decrypting other users’ traffic on the same access point - with WPA2-Personal, the PSK plus a capture of a client’s 4-way handshake is enough to derive that client’s session key (WPA3-Personal’s SAE exchange largely closes this gap). Additionally, a PSK is fairly likely to get leaked/disclosed, and rotating it on every device when that happens is hard to manage. For every person who has the PSK, the management burden and the risk increase.
- For corporate networks: Use a modern and secure Extensible Authentication Protocol (EAP) for all WiFi authentication and encryption management; get rid of all usage of PSK. Options to consider, in approximately most-secure to least-secure order:
- EAP-TLS: best, requires client-side certificates, management heavy
- EAP-PEAP: good, requires some client-side configuration - in particular, clients must be configured to validate the RADIUS server’s certificate and trust only your server name/CA; otherwise an attacker’s evil-twin AP can harvest the inner MSCHAPv2 credential exchange
- EAP-TTLS: good, no client-side certs needed, but the same server-certificate validation requirement as PEAP applies
- EAP-FAST: good, requires some client-side configuration
- EAP-LEAP: Weak, advise against use
- EAP-MD5: Insecure, do not use
- PSK: Not suitable for multi-user/enterprise environments
- Other:
- Segmentation and isolation of guest wireless from corporate wireless and network - see separate ISP and VLANs under the network security section. Do NOT connect corporate WiFi devices to guest wireless networks.
- Ensure guest wireless also has content filtering - the content your guest downloads (or uploads) brings risks to your organization.
- Physical security (ex. no outdoor APs)
- Rogue AP detection (ex. WIDS)
- Wireless IPS (WIPS)
- QoS policies - prevent guest networks from consuming bandwidth and causing degradation in other guests' access, or degradation in your staff-only network.
- Have an Acceptable Use Policy (AUP) / EULA.
- Side note: Hiding your SSID and MAC whitelisting offer essentially zero protection against attack - both the SSID and valid client MACs are trivially observed over the air. Do not waste your time on them.
- Also, be careful about allowing wireless keyboards in a corporate environment. Many of these are vulnerable to eavesdropping and MiTM attacks.
Physical Security
Prevent someone from plugging into one of your terminals, running off with systems/drives (containing data), or stealing things like tablets and laptops for use (and at a cost to you to replace). In many cases, gaining physical access to a computer system allows one to defeat all other security measures, including gaining access to your data. But, there are measures you can take to minimize these risks.
- Prevent physical access to endpoints and network gear wherever possible.
- Closets with steel (locked) doors, alarms, cable locks, security cameras, etc.
- Behind locked door
- In server rack/enclosure, with proper access control, alarm, etc.
- Prevent access to terminal ports.
- This prevents a rogue device from being plugged in or a man-in-the-middle (MiTM) device, such as a keyboard logger (ex. https://shop.hak5.org/products/key-croc), from being inserted.
- Especially true for kiosks, POS terminals, and anywhere else the public can get close to the equipment.
- Glue shut unused ports, glue cables into ports to prevent them from being easily unplugged, etc.
- Use security wall plugs/ports that require tools to change cables.
- Use security cables on desktops, laptops, monitors, and the like.
- Enable screen locks on all endpoints with as short a timeout as possible (5 min is common). Use the webcam, or other proximity hardware, to immediately lock the screen when the user walks away. Microsoft calls this “Presence Sensing”.
- Encryption for data at rest: Use full disk encryption (FDE) on all devices. This reduces the risk of data being recovered from a stolen device, assuming strong keys are used. Note that FDE only protects a device that is powered off or hibernated - while a device is merely asleep or screen-locked, the disk keys remain in memory - so pair FDE with a short sleep-to-hibernate timeout and pre-boot authentication (ex. TPM + PIN) rather than unlocking automatically at boot.
- Position screens away from windows and high-traffic areas to prevent shoulder surfing and/or get privacy screens (less effective and hinders user experience).
- Dispose of old equipment securely! We could all collectively share so many stories of old computers we’ve obtained with hard drives still in them: health records from disposed healthcare provider systems, PII from auctioned government systems, tax records and pictures from personal computers, etc. At a minimum, use a free “data shredder” program to securely delete all data on removable media, and then drill a couple of holes through the media just to be safe. If you’re concerned about nation-state access, shred or chemically dissolve drives/media with something such as hydrochloric acid.
Credentials & Authentication
For this section, we’ll consider credentials to be passwords, PINs, API keys, or any “secret” used for authentication. Credentials are the crux of most breaches. As such, strong passwords/passphrases must be used at all times on all accounts/devices.
- Create and use strong passwords.
- Good: Passwords of 14 or more characters; even an all-lowercase password of that length is better than a short password with arbitrary complexity requirements.
- Better: 24+ character passphrase, 5+ words, separated by special characters, and a minimum of 3 numbers somewhere.
- Best: Use 24+ character randomly generated passwords stored in a password manager where able/practical.
- Avoid straight dictionary words unless you are using at least 5+ word passphrases and are including special characters between each word. The preference is to also swap out some of the letters for numbers - ex. “4” instead of “a”, “1” instead of “l”, and so on (aka leet).
- Do not “increment” if you need to change your password due to compromise - i.e. updating a number at the end. Instead, create a completely new password/passphrase.
- Each account/device must use a unique password! Otherwise, a compromise of one account will lead to a compromise of all accounts.
- Additional resource: https://penconsultants.com/passwordPolicy
- Use strong PINs.
- Do not use PINs if you can help it - they are far easier to guess and crack than strong passwords/passphrases.
- If you must, make it as long as is allowed by the device.
- Do not base it on DOB, SSN, address, or other values that are easy for someone to find. Example: https://penconsultants.com/iHaveYourPII
- Use a password manager.
- Passwords must be securely stored, using an industry-recognized method such as a password manager - ex. Bitwarden, 1Password, KeePass, LastPass, etc.
- Never store passwords as cleartext - ex. in a spreadsheet or Word document.
- Store your master password and a printout of your passwords in a fireproof safe AND safety deposit box. If you lose your master password or if the password manager service goes down, you will be in serious trouble.
- IT admins: Eliminate arbitrary forced password rotation.
- i.e. set max password age to “0” in AD.
- Forcing arbitrary password changes is a dangerous policy that is causing more harm than good, and it is advised against by every reputable standard - ex. NIST, OWASP, CIS, etc.
- This will lead to very weak passwords which are easy to predict. Examples and impact:
- Do not force a change unless the password is compromised.
- Monitor for breached passwords.
- Use a service such as https://haveibeenpwned.com/ to monitor for breaches - especially end users.
- Many modern IAM solutions use one or more monitoring services built-in - this is the best solution for corporations.
- If there is evidence of compromise, force a password change immediately. An attacker often uses breached passwords within days, if not minutes.
- Enable multi-factor authentication (MFA) / two-factor authentication (2FA) on everything!
- Enable it everywhere that you can - using MFA is a must; it is non-negotiable.
- Many of these services are free and provide a huge security benefit by adding an extra layer of protection when a password is compromised.
- Rank of most secure to least secure MFA solutions:
- Note: There is a near-perfect correlation between usability and security with this.
- Hardware-based - ex. YubiKey
- App-based OTP - ex. Google Authenticator
- Push with number match - ex. Microsoft’s solution
- SMS-based - It’s not the greatest, but not the worst (see https://penconsultants.com/MFAFUD)
- Push notification - users often accept without even being social engineered or having to SIM swap/jack
- Email-based - near worthless
- For IT admins
- Verify the MFA token before the password, in the back-end. This has a dual benefit of protecting against brute-force attacks and other forms of password attacks (ex. password spraying), as well as preventing a DoS attack against known accounts.
- Do not use most push notification solutions. In practice, we have found it to be easier to bypass than even SMS-based. A growing number of threat actors are exploiting this same “muscle memory” user weakness.
- Verify the SMS OTP or push before the user is given a pass/fail. To do so, collect all three pieces of information (username+password+mfa) before providing a pass/fail result to the user or creating even so much as a noticeable timing difference. To prevent a user from receiving a flood of SMS messages or notifications (ex. during a brute force attack), verify the username+password - on the back-end only - before sending out the SMS/push. A token-based MFA solution simplifies this greatly as the initial page would include a field for all three pieces of information (username+password+mfa) and not even check the password unless the MFA token is verified first.
- Require additional information for MFA sign-up - username and password alone is not sufficient.
- Ensure email and text messages are sent to the user after MFA sign-up, to increase the chances they will detect a malicious takeover of their MFA.
- See the “Mobile Devices” section for protection against SIM Swap attacks.
- Additional resources:
- Use the principle of least privilege.
- Run as a non-admin user for your everyday account. Never run as an admin account unless needed.
- This is also a good idea for your 3rd party accounts (ex. your bank account). If you need to grant someone only deposit permissions or view permissions, then only give them that, even if you trust them with your life. It’s about reducing the attack surface, not just about whether you trust the person.
- For corporate networks: Only IT staff should have admin accounts, but this should be separate from their user account. Additionally, their admin account should not have email or internal access.
- The more credentials there are with “full access”, the more likely it is for an attacker to compromise all of your systems and data.
- Attribution - credentials should be attributed to a single person when practical.
- A basic principle of security is attribution - knowing someone is who they claim to be.
- No shared accounts unless they are isolated to one or two limited functions.
- Do not share passwords!
- Avoid saving passwords in a browser - especially on a shared computer.
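The back-end verification order recommended above for token-based MFA (collect username, password and OTP together; check the OTP before the password; return a single pass/fail with no timing difference) can be implemented as follows. This is an added example, not PEN Consultants’ code; the user store, salt, TOTP secret and password are constructed for the demo.

```python
import hashlib
import hmac
import struct
import time

def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Password hash used by the demo store (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time-step containing Unix time t."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

# Constructed demo user store: username -> record (not a real system).
DEMO_SALT = b"constructed-salt"
DEMO_SECRET = b"constructed-totp-secret-12345"
USERS = {
    "alice": {
        "salt": DEMO_SALT,
        "pw_hash": _pbkdf2("correct horse battery staple", DEMO_SALT),
        "totp_secret": DEMO_SECRET,
    },
}
# Dummy record so an unknown username costs the same work as a known one
# (no username enumeration via response time).
_DUMMY = {
    "salt": b"dummy-salt",
    "pw_hash": _pbkdf2("dummy", b"dummy-salt"),
    "totp_secret": b"dummy-secret",
}

def login(username: str, password: str, otp: str, now: int = None) -> bool:
    """Single pass/fail over all three pieces of information.

    The OTP is verified first; the password only counts once the OTP is
    valid, so password guessing (brute force, spraying) never gets a
    pass/fail signal without a valid token. The password hash is still
    computed on every call so response time does not reveal which factor
    failed."""
    now = int(time.time()) if now is None else now
    record = USERS.get(username, _DUMMY)
    known = username in USERS
    # Accept the current 30 s step and one step either side for clock skew.
    mfa_ok = False
    for skew in (-1, 0, 1):
        expected = _totp(record["totp_secret"], now + 30 * skew)
        mfa_ok |= hmac.compare_digest(expected, otp)
    # Constant work: always hash the supplied password.
    pw_ok = hmac.compare_digest(_pbkdf2(password, record["salt"]), record["pw_hash"])
    return known and mfa_ok and pw_ok
```

Rate limiting per username and per source should still wrap this function; the ordering above removes the oracle, not the load.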
Backups and Disaster Preparedness
Why back up and prepare for disasters? Because a disaster is nearly guaranteed to happen at some point: natural disasters, failed equipment, fire, theft, ransomware/attack, cancel culture / deplatforming, etc. Keep your data backed up, and if possible, have multiple solutions for anything critical.
What to back up:
- Anything that would hurt to lose
- Images of all your baseline systems. Don’t rely on the “restore” partition on a computer to recover it if something fails or gets infected. Hard drives fail and malware sometimes infects “restore” partitions.
- Virtual machines
- Software - especially anything that is not easy to obtain from the vendor
- Company and user data - files, databases, websites, wiki and intranet pages, etc.
- System settings and configurations
- Cloud accounts and data
- Certificates
- Logs
Where to back up:
- Consider the risks and costs of central backups vs cloud backups vs individual external drives.
- If storing on-site, you’ll need to consider theft as well as fire, flood, and anything else that could destroy the data. That could mean two redundant backup locations on-premises, or perhaps just one with a periodic run to a safety deposit box with a drive, or perhaps a hybrid solution that uses both on-prem and cloud backups.
When to back up:
- Full backup at least monthly, with daily incremental backups, and perhaps real-time versioning.
- Monitor the status constantly, looking out for errors, failures, warnings, etc.
Protect:
- Protect the backups with everything! They are a prime target for attacks because all/most of your data is aggregated in one place.
- Ensure strong encryption with a strong password.
- Configure strong access control.
- Use FDE to protect the data at rest.
- Have sufficient physical security for backup devices.
Recovery:
- Ensure you’ve practiced recovery BEFORE the crisis.
- Don’t wait until you need it to realize some small setting that you forgot that will now make it extremely difficult (or impossible) to restore your data.
Other:
- Consider cyber breach insurance if you have a lot of customer/personal data.
- Invest in UPS and backup generators. Power failure leads to abrupt shutdown which can cause corruption to data (open docs, mid-software updates, etc.). It can also cause availability issues for your customers.
- Provide redundant cooling for servers and data systems. Don’t just lock the equipment in an unvented cabinet or server closet, which can easily exceed 100 degrees. As a general rule of thumb, equipment must be kept in the double-digit temperature range (in Fahrenheit), but 60-75 degrees is the most common target temperature to maintain.
Training and Education
Humans are generally the weakest link in your information security program, but they can also be your eyes/ears, forming your first line of defense.
- Require staff to take Information Assurance (IA) training on a regular (annual) basis. The staff should have a healthy skepticism of anything coming in via email that requests confidential information.
- Education and training should include the following:
- creating strong passwords/passphrases and password storage
- phishing/social engineering – through email, social media, phone calls, text, etc.
- trusted websites, downloads, and software
- public WiFi and mobile security
- email security and confidential messaging
- data protection, data classification, sharing data, etc.
- signs of a potentially infected computer - ex. pop-ups, error messages, slowdowns, toolbars, etc.
- lock the screen when stepping away
- removable media dangers
- personal, at-home security - especially if BYOD / work-at-home
- physical security and OPSEC
- security policies, guidelines, and best practices in daily activities
- Train your IT staff also!
Vulnerability Disclosure Policy (VDP)
Welcome vulnerability disclosures from outside security professionals! Detail how one is to get in contact with you, what actions your employees should take, etc., when a vulnerability with your software or systems is found.
- Google “vulnerability disclosure policy” for more details and resources. Your external policy could be something as simple as this: https://penconsultants.com/vulnDisclosurePolicy.
- Create a security.txt file at https://<your domain>.com/.well-known/security.txt and populate it with the appropriate information. More information can be found at: https://securitytxt.org/.
- Create an email alias, security@<your domain>.com, and ensure multiple people are on the distribution list.
- Consider creating a Bug Bounty program, either on your own or by joining one (or more) industry leading programs. Google “bug bounty program” for more details.
- Open Bug Bounty has a free option you may wish to start with: https://www.openbugbounty.org/.
- If you want something a little more polished and refined, HackerOne and Bugcrowd are two well-known programs worth checking into. Note: These programs are approximately $12,000 per year for VDP, $20,000 per year for VDP+Triage, and higher for a full bug bounty program (price dependent on size of company).
- Alternatively, your VDP could simply specify that a discloser may be provided compensation on a case-by-case basis.
- We would encourage that compensation considers the amount of time it took the researcher to verify the vulnerability (after discovery), write-up the details, work with you to disclose, etc.
- A researcher could spend 2-3 hours on even a basic and simple vulnerability disclosure. Depending on country of origin and skill level, researchers are accustomed to making anywhere from $25/hr to $500/hr. The median is ~$75/hr, which is a good starting point, increased based on the risk level and potential impact of what was discovered. Another way to look at the compensation is, “How much would this have cost us (direct and indirect costs) had it been exploited?” and ensure you provide a percentage of that to the researcher (ex. 10%).
- Another method that could be used to determine fair compensation is to find similar bug bounty disclosures and compensation amounts. Example: https://hackerone.com/hacktivity
- Another resource: https://bugbountyguide.com/programs/determining-the-bounty-amount.html
- Once your VDP is created, and perhaps a bug bounty program created/joined, ensure those details are easily found.
- Important: A growing number of researchers are refusing to disclose discovered vulnerabilities unless there is some assurance on how the disclosure will be treated - professionally and gratefully, versus hostilely, including the threat of prosecution. Having clear guidelines on how both parties will behave gives confidence to well-intentioned researchers, while still providing you the freedom to prosecute if there is malicious intent or harm caused.
- You may wish to avoid “advertising” your bug bounty program on anything beyond your website, as that often entices large numbers of spam-level submissions. A promise to treat researchers “fairly” with no direct promise of payout has proven to be a beneficial middle ground in our experience.
- Other resources:
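The security.txt item above calls for a file at /.well-known/security.txt populated “with the appropriate information”; the checker below, an added example that is not part of the original guidance, validates a file against the RFC 9116 rules (Contact required, exactly one future Expires, https-only links) so it can run in CI or a monthly check. The sample file, domain and URLs are constructed for the demo.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed example security.txt (example.com is a placeholder, not a real site).
SAMPLE_SECURITY_TXT = """\
# Constructed example security.txt
Contact: mailto:security@example.com
Contact: https://example.com/security
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en
Policy: https://example.com/vulnDisclosurePolicy
Encryption: https://example.com/pgp-key.txt
Canonical: https://example.com/.well-known/security.txt
"""

KNOWN_FIELDS = {"acknowledgments", "canonical", "contact", "encryption",
                "expires", "hiring", "policy", "preferred-languages", "csaf"}
HTTPS_ONLY = ("acknowledgments", "canonical", "hiring", "policy")

def parse_security_txt(text: str) -> dict:
    """Returns {field_name_lowercase: [values]}; comments and blank lines are
    skipped, lines without 'name: value' land under '__malformed__'."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not value.strip():
            fields.setdefault("__malformed__", []).append(raw)
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def validate_security_txt(text: str, now: datetime = None) -> list:
    """Applies the RFC 9116 MUST/SHOULD rules; returns problem strings (empty = OK)."""
    now = now or datetime.now(timezone.utc)
    f = parse_security_txt(text)
    problems = [f"malformed line: {line!r}" for line in f.get("__malformed__", [])]
    problems += [f"unknown field: {n}" for n in f if n not in KNOWN_FIELDS | {"__malformed__"}]
    contacts = f.get("contact", [])
    if not contacts:
        problems.append("Contact is required (at least one)")
    for c in contacts:
        if not re.match(r"^(https://|mailto:|tel:)", c):
            problems.append(f"Contact must be an https://, mailto: or tel: URI: {c}")
    expires = f.get("expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires field is required")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp.tzinfo is None:
                raise ValueError("missing timezone")
            if exp <= now:
                problems.append("Expires is in the past; refresh the file")
            elif exp - now > timedelta(days=366):
                problems.append("Expires is more than a year out (RFC 9116 recommends less)")
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {expires[0]}")
    if len(f.get("preferred-languages", [])) > 1:
        problems.append("at most one Preferred-Languages field is allowed")
    for name in HTTPS_ONLY:
        problems += [f"{name} must use https://: {u}" for u in f.get(name, [])
                     if not u.startswith("https://")]
    return problems
```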
Monitoring and Response
- Ensure all users have consented to an agreement for usage and monitoring that, among other things, indicates that all activity is monitored. Display that on the login screen as well as perhaps a constant banner across the top of the screen.
- Immediate recommendations:
- Enable all available logging throughout your environment.
- Enable alerting for all suspicious activity - web, email, SMS, authentication, etc.
- Spend at least a few minutes each day manually reviewing a summary of the logs, looking for alerts (ex: yellow or red items) and spikes in traffic, or use a managed service provider to collect, monitor, and alert on anomalous activity in your network.
- Long-term goals:
- Perform the same tasks mentioned above across all of your systems – databases, servers, workstations, applications, etc.
- Anything that is capable of producing logs should be configured to generate and send logs to a secure central log management solution with real-time detection and alerting.
- Ensure you have a response plan in place in the event of an attack or breach. This plan should include a printed playbook of the immediate actions you will take, including what 3rd party resource you may call to help respond to the attack, what you will communicate to your clients, etc.
- In addition to logging/alerting, determine if security solutions being utilized, or ones available to use, can auto-block, at least on a temporary basis, some of the scanning activity. This would be especially true for your external presence. The idea is to cause scanning and enumeration to fail often enough and slow down an attacker enough to minimize potential vulnerability discovery.
- If the above goals are too burdensome for your existing staffing, consider supplementing your capabilities with a managed SOC provider (AKA SOCaaS).
- Use an EDR solution to detect webshells, post-exploitation activities (ex. running system commands), exfil, and other malicious or abnormal behavior.
- Ensure the appropriate people are monitoring the financial transactions as well.
- Ransomware: NEVER PAY! You often will not get your data back after you pay due to a handful of factors such as data corruption or in some cases the ransomware group's failure to provide the necessary decryption tools or keys. Not to mention, you are emboldening the criminals by funding their activity, which could also have legal implications for your organization.
- Incident response plan - practice at least basic IR, among even your non-IT staff, regularly. Our red teaming services can help you with this - contact us today to get started.
- What are your state’s laws that require specific actions for suspected data breaches? Contacting law enforcement, governmental notification, publicly disclosing the breach, etc.? Example: https://www.ncsl.org/technology-and-communication/security-breach-notification-laws
- If you suffer a breach, consider publicly talking about it at some point. The community can learn so much and better prioritize defensive efforts the more we know about what’s happened to others. Not to mention, it’s almost always better for you to shape the “we’ve been hacked” message than for limited details to slip out (and they do slip out).
- Additional information:
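The “enable alerting for suspicious authentication activity” and “temporarily auto-block scanning” items above, as an added example that is not part of the original guidance: it parses constructed OpenSSH-style auth log lines, raises per-source alerts for brute force, password spraying and a success following failures inside a sliding window, and derives a temporary block list. The log lines, hostnames and IP addresses are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed OpenSSH-style auth log lines (documentation-range IPs, not a real host).
SAMPLE_LOG = """\
Mar 10 08:00:01 web1 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
Mar 10 08:00:02 web1 sshd[2002]: Failed password for root from 203.0.113.7 port 50212 ssh2
Mar 10 08:00:03 web1 sshd[2003]: Failed password for invalid user test from 203.0.113.7 port 50213 ssh2
Mar 10 08:00:05 web1 sshd[2004]: Failed password for alice from 203.0.113.7 port 50214 ssh2
Mar 10 08:00:06 web1 sshd[2005]: Failed password for bob from 203.0.113.7 port 50215 ssh2
Mar 10 08:00:09 web1 sshd[2006]: Accepted password for bob from 203.0.113.7 port 50216 ssh2
Mar 10 08:15:00 web1 sshd[2101]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Mar 10 08:17:00 web1 sshd[2102]: Accepted publickey for alice from 198.51.100.20 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

def parse_auth_log(text: str, year: int = 2024) -> list:
    """Returns (timestamp, result, user, ip) tuples. Syslog lines carry no
    year, so one is supplied (2024 is a constructed value for the demo)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line; a production parser would count these too
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect(events: list, window=timedelta(seconds=60), max_failures=5, max_users=3) -> list:
    """Sliding-window rules evaluated per source IP:
       brute_force            - at least max_failures failures inside `window`
       password_spray         - at least max_users distinct usernames failing inside `window`
       success_after_failures - an Accepted login from an IP that failed inside `window`
    Returns sorted (rule, ip, first_seen) tuples, one per rule per IP."""
    failures = defaultdict(list)  # ip -> [(ts, user)] still inside the window
    alerts = {}
    for ts, result, user, ip in sorted(events):
        recent = [(t, u) for t, u in failures[ip] if ts - t <= window]
        failures[ip] = recent
        if result == "Failed":
            recent.append((ts, user))
            if len(recent) >= max_failures:
                alerts.setdefault(("brute_force", ip), ts)
            if len({u for _, u in recent}) >= max_users:
                alerts.setdefault(("password_spray", ip), ts)
        elif recent:
            alerts.setdefault(("success_after_failures", ip), ts)
    return sorted((rule, ip, ts) for (rule, ip), ts in alerts.items())

def temporary_blocks(alerts: list, ttl=timedelta(minutes=15)) -> dict:
    """Maps each alerted IP to the time its temporary block lapses. A real
    deployment would push this to the firewall/WAF and keep an allow-list
    for your own ranges so you cannot lock yourself out."""
    return {ip: ts + ttl for _, ip, ts in alerts}
```

Tune the window and thresholds to your own baseline: the second source above fails once and succeeds two minutes later, outside the window, so it produces no alert.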
Vendor Solutions
BLUF: If you don’t have an IT person who is an experienced system and network administrator, do not run your own servers for email, website, CRM, POS software, HR, payroll, document management, PM, collaboration and communication platforms, conferencing, KBs, and the like. Let a vendor manage those services for you.
Depending on the size, maturity, and budget of your organization, the management and security of most mainstream cloud providers or 3rd party vendors could be better than yours. They have experts in a very particular field and make every attempt to follow all best practices for that specific field.
With that said, 100% of the vendors and providers we’ve evaluated have had security issues. We’ve found vulnerabilities in many of the top-named providers and vendors with just casual browsing and testing. All that to say, there is no perfectly secure provider/vendor, but there are some good ones.
Here are some common things to be aware of when using 3rd party vendors and cloud providers:
- Secure your website!
- PEN Consultants offers services that can help with this.
- Contractually obligate your marketing vendor to keep it secure - if applicable.
- Ensure automatic updates are working - WordPress is HIGHLY targeted.
- For WP: Plugin Wordfence Security -or- Sucuri Security - hardening, basic firewall, malware protection, login security & notifications, MFA, common secure configurations, etc.
- For WP: Plugin Jetpack Protect - monitors for vulnerable versions of WordPress, Plugins, and Themes.
- Disable plugins, services, XML-RPC, etc. that are not needed - minimize the attack surface.
- Get the underlying server updated and secure - or it won’t matter how secure the web code is.
- Disable PHP debug and version information - aids the attacker.
- Install fail2ban and mod-evasive - block various automated attacks.
- Secure SSH configuration - ex. certificate-based auth only.
- Whitelisted access control and notifications for SSH and admin portal - ex. only allow your corporate IP range through the firewall/WAF.
- Securely configure various HTTP response headers - HSTS, X-Frame-Options, Caching, Referrer-Policy, and so on.
- Cache locally and in cloud - otherwise, DoS attacks are easy.
- Automated offline backups - and the ability to recover.
- Log terminal/backend commands - something as simple as “script”, or various FOSS and COTS solutions.
- Monitor performance - which can also indicate a security issue.
- Monitor SSL certificates - don’t let your cert expire.
- Look for behavior analytics that warn you of abnormalities - notifications for things like “someone tried to authenticate to your account” or “we don’t recognize this computer”, etc.
- Using a vendor to store PII or other confidential information does NOT let you off the hook risk-wise. In addition to there being a risk of the vendor getting compromised, you may choose less-than-ideal configurations that make your account/tenant vulnerable to attack.
- Evaluate the 3rd party provider to the greatest extent possible.
- There are services that provide risk ratings for vendors, as well as can perform a “paper audit” of said vendor’s practices.
- Lightly poke around and see if you find something that doesn’t look right. To be clear, we are NOT talking about attempting to hack into someone else’s account and certainly not running any kind of “hacker” programs against the vendor. Examples of what to look for:
- login pages and post-login pages that are not HTTPS
- direct object access (without authenticating)
- privilege escalation (between two accounts you control)
- XSS, SQLi, and other failures to sanitize user input
- If your IT staff are not comfortable with this, PEN Consultants provides services that can help, including potentially working closely with the vendor.
- Ask how often they have network and application penetration testing to evaluate their company and products. Will they share the above reports or a letter of attestation from the security company that performed the evaluation(s)?
- If the vendor is not willing and transparent with this, find another provider. A mature vendor will not only allow it, but welcome the scrutiny. A secretive vendor is always a bad sign.
Put it to the test - Get Hacked!
At this point, you need to validate your controls by calling on an experienced offensive security provider (aka “pen testing firm”) who specializes in testing and independently validating your controls.
The simplest way it can be said is this: it involves hacking into your systems, gaining access to your users’ data, and then giving you the detailed recommendations needed to fix those vulnerabilities and protect yourself against those attacks. Because this is a specialized service, it often means hiring a professional offensive security company, such as PEN Consultants, whose sole focus and area of expertise is this type of testing.
If you use a managed service provider to help with your IT, and they have implemented your core systems, you should NOT use them to perform this testing for the following reasons:
- They almost certainly do not have the level of expertise that a dedicated offensive security firm has.
- There is a near-unavoidable conflict of interest, since the company that claims everything is secure and the company that verifies everything is secure are the same.
For most organizations, the industry recommends at least periodic vulnerability scanning, and for most also penetration testing. For mature organizations, the recommendation may also include red teaming services.
Contact PEN Consultants today - we can help you navigate through this step and help with this testing.
We also have some information that you may find informative in the process: