
5 Ways You Can “Know Enough to be Dangerous” in Cybersecurity

Written by David Worthington on October 16, 2023


October is Cybersecurity Awareness Month, and the U.S. Cybersecurity & Infrastructure Security Agency (CISA) is calling on all of us to “Secure Our World,” with a simple message that calls everyone to action “to adopt ongoing cybersecurity habits and improved online safety behaviors.” This month, the 探花大神 blog will focus on helping you empower everyone in your organization to do their part regarding cybersecurity. Tune in throughout the month for more cybersecurity content written specifically for IT professionals.


IT admins are being asked to act as security analysts in response to today’s hostile threat environment. That can be a difficult adjustment if it’s new to them and they don’t know where to begin. The onus (and the blame) is on them to act, even though they may never have received training in, or even awareness of, the security best practices needed to develop a program that will satisfy management and protect the organization.

A formal cybersecurity program is multifaceted and structured to control risks, but there are a few crucial concepts you should be aware of that will help you get to a place where you know enough to be dangerous. Armed with these core concepts, you can swiftly reduce your organization’s exposure, or, at the very least, have informed discussions with an MSP partner to handle it. There are five main pillars small to medium-sized enterprises (SMEs) should focus on:

  1. Know your assets 
  2. Patching
  3. Least privilege computing
  4. Email security
  5. Backups

This article examines how to bring those concepts into action.

This advice isn’t an exhaustive checklist: it’s part of a series of articles that provide additional guidance to formalize a security program. There are also for SMEs available from government entities to help guide you as you get started. IT admins should also consider training and education by pursuing certifications such as ECSS, GSEC, Security+, and SSCP to obtain baseline knowledge. I encourage you to check out my journey for more perspective.

Now, let’s get real for a moment: SMEs don’t necessarily have the capacity to establish a formal program and the typical mandate is always to do more with less. I’ve encountered firms that would shock you when you glimpse behind the corporate veil; don’t be one of them, have a plan, and be more proactive.

That’s where you come in. Be an effective change agent by focusing on the foundational concepts outlined above.

Know Your Assets

You can begin by creating a register of your IT assets, which is where a risk assessment begins. Start by identifying who “owns” the system or data and ask them about their departmental workflows. Then, ask questions about how these assets are configured, managed, and secured. They should at the very least be able to tell you what software and hardware they use, as well as where those records are stored. The outline below will help guide you. It’s populated with real-world examples and notations from my work as a security practitioner working with SMEs.

Below you’ll notice that assets are categorized in three ways: technical, physical, and administrative. Those align with the categories of controls that are used to address the problem(s) uncovered when you list and evaluate your assets. This outline is useful when you move on to the next step of evaluating risks and the type of controls that are required to correct them. You may also find some risks that you can live with, accepting the cost.

Technical
  • A cloud productivity and email suite
    • Is it configured correctly?
    • Are the correct authorizations in place?
    • Are security baselines available?
    • Is MFA enabled with a centralized directory?
  • Cloud storage
    • Who has access to what and why?
    • Is any sensitivity labeling required?
  • Legacy domain controller
    • Is it supported and patched?
    • Does it have policies? Are any of those policies conflicting?
      • Tip: Don’t “fire and forget” policies. Changing one policy in response to a security incident may impact others.
    • Who has domain admin rights? Who has rights to other privileged roles?
    • What service accounts are running?
    • Are offboarded users disabled?
    • Is there a plan for modernization to secure identities, endpoints, and apps? 
    • Is the domain controller even necessary?
  • System backups
    • Where does everything reside if there are no backups outside of the siloed documents residing in the cloud?
    • What are the plans in the event of a fire or flood?
    • Is there any immutable backup attackers won鈥檛 tamper with?
  • Physical security
    • Is there a functional CCTV system?
    • Who’s responsible for facilities and what will it cost to implement it?
    • Are there controls to restrict server room access?
  • Drive encryption
    • Are workers remote on laptops?
    • Is physical security weak?
  • IT skills and security awareness
    • Who can manage security awareness training?
  • IT accountability
    • IT admins who were surfing the web while logged in as a super user (and didn’t believe that was a problem)
    • Are you able to provide a technical solution for privileged access management?
Physical
  • Sensitive files (analog and paper)
    • Where are they stored? In plastic bins, filing cabinets, secure storage? 
    • Are there any fire suppression or alarm systems?
    • How are you going to protect those files?
    • The cost of digitizing files is high, so what are the readily available alternatives?
  • Old PCs and IT waste
    • Old PCs were left around with drives intact with potentially personal and regulated information.
    • Are you okay with sending them off to be disposed of?
    • What鈥檚 the plan going forward?
Administrative
  • Processes for handling PII
    • Poorly documented processes for employees to handle personal information
    • What resources are available to train people?

This exercise to uncover assets revealed a Windows 2008 Server that was past its end of life. One employee found it so worrisome that he turned it off every night (no exaggeration). Every PC that was joined to that domain was potentially insecure. This practice was permitted for a reason: senior management didn’t want to spend what the MSP quoted for new on-prem hardware.

Your list may resemble this firm or be more complex, but a comprehensive list of your assets is a starting point to assess weaknesses and vulnerabilities. It’s up to you to determine the likelihood of those risks and what you’re willing to absorb, based upon factors such as business impact or cost. The high-level formula for determining your risk is: threat x vulnerability x probability of occurrence x impact. Always consider context and information value.

Note:

You can use a Priority Matrix to determine where to start IT projects, which accounts for the impact on your organization and what costs and resources will be involved to mitigate risks.

An MSP partner could also help to guide you through this process.
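As an added illustration (not from the original article), here is a small Python risk register that applies the article’s formula and sorts findings into a Priority Matrix. The 1 to 5 scale, the sample scores, and the quadrant thresholds are constructed assumptions, not an assessment of any real organization.

```python
from dataclasses import dataclass


@dataclass
class RiskItem:
    """One row of the risk register; each factor is scored 1 (low) to 5 (high)."""
    asset: str
    threat: int         # how likely a capable adversary targets this weakness
    vulnerability: int  # how exposed or misconfigured the asset is
    probability: int    # chance the scenario occurs in the review period
    impact: int         # business impact if it does occur
    cost: int           # cost/effort to mitigate (the Priority Matrix axis)

    def score(self) -> int:
        # The article's formula: threat x vulnerability x probability x impact
        return self.threat * self.vulnerability * self.probability * self.impact


def quadrant(item: RiskItem, score_threshold: int = 150, cost_threshold: int = 3) -> str:
    """Place an item in a Priority Matrix quadrant (thresholds are assumed values)."""
    high_risk = item.score() >= score_threshold
    cheap = item.cost <= cost_threshold
    if high_risk and cheap:
        return "do first"
    if high_risk:
        return "plan and fund"
    if cheap:
        return "quick win"
    return "accept or defer"


def prioritize(register):
    """Highest risk score first; cheaper mitigation wins ties."""
    return sorted(register, key=lambda r: (-r.score(), r.cost))


def priority_matrix(register):
    """Group the prioritized register by quadrant for a project-planning discussion."""
    matrix = {"do first": [], "plan and fund": [], "quick win": [], "accept or defer": []}
    for item in prioritize(register):
        matrix[quadrant(item)].append(item.asset)
    return matrix


# Constructed sample scores for findings mentioned in the article (illustrative only).
REGISTER = [
    RiskItem("Windows 2008 domain controller past end of life", 5, 5, 4, 5, cost=4),
    RiskItem("Admins browsing the web as super user", 4, 4, 4, 5, cost=1),
    RiskItem("Old PCs with drives intact", 2, 5, 2, 4, cost=1),
    RiskItem("Paper files in plastic bins, no fire suppression", 1, 4, 2, 3, cost=5),
    RiskItem("Cloud email suite without MFA", 5, 5, 4, 5, cost=1),
]

if __name__ == "__main__":
    for name, items in priority_matrix(REGISTER).items():
        print(f"{name}: {items}")
```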

Patch Your Stuff

Now that you know what your stuff is, it’s time to learn what state it’s in.

There’s a reason why a majority of IT admins we’ve surveyed are more alarmed about software bugs than weak passwords (given MFA is enabled): bad actors are moving down the stack to and are swiftly targeting flaws in operating systems and business systems (such as popular browsers). I recently spoke with the CEO of a security monitoring company that specializes in examining events from log files in a data lake, and he’s noticed that trend “in the wild,” so believe it. Patching is critically important and can be accomplished via policies to mandate that updates happen within a timely period, test patches within user groups, and patch management systems. You’ll also want to keep support current on network devices, which can also be exploited by attackers on your perimeter and behind the firewall.

Note:

Avoid antipatterns and don’t make excuses not to patch or remediate issues when a patch isn’t available. There’s no perfect patch. Patching is not as difficult as IT operations makes it out to be.

Patching reduces the possibility of emerging threats impacting your organization before your security systems can catch up to their existence, but it doesn’t block avenues of attack. Your configuration is what could clear the way for a vulnerability to become a security incident.

Practice Least Privilege Computing

Having a registry of “stuff” helps you to keep up with the cadence that’s needed to update everything, responsively. Application inventories should be limited to allowed products, and the way to accomplish this is through least privilege computing or managing deployments using a solution for remote systems, such as Chocolatey for Windows and MDM solutions for Mac devices. Least privilege computing is the concept that users and systems should only be granted the minimal permissions that are required to do their job. For example, users don’t need to unilaterally install new things, so they shouldn’t have the rights to do so.

Least privilege extends to the capacity of malware to spread throughout your systems. Nothing’s impossible for malware to accomplish when it’s running under administrative permissions. There’s countless places to “hide” and any system that’s been breached is inherently untrusted. Broad permissions will enable attackers to transform an infected device into a jumping point to scope out what else is unsecured within your systems to maximize the potential for ransom.

This concept also extends to cloud services, website servers, resource groups, and even IT admins as they work. There’s no reason why an IT admin should have standing access to vital resources: grant yourself the permissions that you need to get a job done and then revoke them afterward. A centralized cloud directory service such as 探花大神 can manage and monitor user permissions and dynamic groups can remove unauthorized users. 探花大神 also allows for that apply business rules to limit access to IT assets.

Least privilege computing is an effective framework to follow, but people can be the weakest link, even when the best technical controls are in place. Software lacks human intuition and the ability to speak up and ask questions; conversely, people can also make poor decisions. It should come as no surprise that the median SME received 94% of its via email in 2020. Since then, has made these kinds of threats even more dangerous. That’s why the next topic places special emphasis on email security, which is a vital asset to modern enterprises and most often the vehicle for cyberattacks.

Manage Email Threats

It bears repeating: most threats to organizations aren’t complex or sophisticated. Cyber criminals are largely focused on finding common problems that are the consequence of inadequate employee security awareness training or poor IT hygiene, and email is your virtual front door to test these weaknesses. This risk is a well-understood problem and there are many effective ways to lock attackers out. Those include technical solutions that secure the email system and delivery of messages as well as training to empower your staff to learn and do better.

Technical solutions can include the following:

  • Configure the system that you have, or add a layer of threat protection via a third party, to be more secure on the server side.
    • Enable MFA for every user, immediately
    • Using strong and a password manager
    • Configure DLP policies to limit the loss of personal and protected information
    • Sign emails using an identity-based credential
      • This provides non-repudiation (nobody can say they didn’t read a message)
      • It also ensures that people within your organization are who they say they are. This is especially valuable when CEO fraud and other phishing attempts are used to socially engineer attacks specific to your group. Criminals use pressure tactics such as impersonating your boss and making demands on a tight deadline.
    • There’s no reason to host your own email unless you’re a national security organization. Today’s providers have more credentials and security protocols in place than you could ever imagine, let alone pay for.
  • Evaluate “next-gen” solutions.
    • Some newer generation solutions utilize advanced AI to process the context of a message and block messages from being delivered.
    • There’s a hot and several mature platforms.
  • Ensure that every endpoint uses EDR software, with special consideration for mobile devices. There’s a push/pull factor between privacy and security, and the jury is still out.

Note:

According to , a leading general agent for managing cybersecurity risk, the risk of claims for business email compromise (BEC) and funds transfer fraud (FTF) events were found to be equally as bad with Microsoft 365 as on-prem Exchange. This is in stark contrast to companies using Google Workspace, which experienced a 25% risk reduction for FTF or BEC claims and a 10% risk reduction for ransomware claims. 探花大神 is a Google partner and Google recommends 探花大神 as a directory solution for SMEs.

User awareness training is the administrative solution for people. Your employees can become “human firewalls” through education and simulations. The simplest answer is to teach people how to stop what they’re doing and contact suspicious senders (or suspicious messages from legitimate senders) through a different medium (like picking up the phone) before opening or clicking on things.

Many solutions exist in this realm and you can simply incorporate them into your onboarding process and have quarterly reviews. The benefits extend into home lives where personnel and their families could be acutely harmed by identity or financial theft. The cost of these training programs is a pittance compared to lost business and unrecoverable data.

Storage Is Cheap: Back It All Up

Suppose that your systems and users aren’t up to speed and someone clicks on a ransomware payload. Unfortunately, their system has unfettered access to crucial information on your network that’s business critical. Hopefully, this won’t become a major catastrophe if you have working backups. Don’t rely solely on endpoint security and assume that every attack will be handled. Nothing is foolproof. It’s better to master the systems that you have and map out your recovery from cyber incidents than it is to overspend on too many security systems.


You may have heard it said that your chances at recovery are only as good as the quality of your last backups. You’ll spare yourself a catastrophic scenario if you invest time and resources into disaster planning; therefore, configuring good backups should be top of mind.

One option is to use an offline backup, which is inexpensive, portable (you can remove it from your building), and can be disconnected from the network where threats will propagate. The downside is that backups can be corrupted if the hardware or software encounters problems, and theft is a concern. Make sure that any backup is also encrypted, which will limit damage and the potential for data exfiltration in that circumstance. Theft happens, and even though your office space isn’t Fort Knox, physical controls such as appropriate doors and locks are effective protective measures.

Online backups are another option (if you have a speedy, dependable internet connection). The quality of the backup may be higher given it’s the core dependency of the backup vendor and off-site locations create redundancy in the event of disasters or fires. The potential downsides are that data is no longer in your hands, and remotely hosted data takes longer to download for recovery. Hackers will also try to find their way in, including ransomware that may lock up this type of backup, making it vulnerable to malware despite being an off-site service provider.

Mature disaster recovery programs conduct tabletop exercises to practice disaster recovery. That’s not something we’d expect SMEs to do, but designating responsible individuals and having a process laid out in booklets in the event of a data breach is a good starting point.

Knowing Enough to Be Dangerous

This article is tailored to the modern IT admin of an SME and emphasizes the basics. You’re well on your way to a good security strategy if you follow these pillars, independently, with your team, or in conjunction with an advisor or MSP. Security is a spectrum that can evolve in its breadth and scope almost indefinitely, but you can know enough to be dangerous and protect your organization while you plan for the long term.

You can accomplish many of the technical controls outlined in this article by leveraging 探花大神 Directory Platform, which is free to use on a trial basis.

David Worthington

I'm the 探花大神 Champion for Product, Security. 探花大神 and Microsoft certified, security analyst, a one-time tech journalist, and former IT director.
