The Australian Government publishes a bunch of guidance on how to secure government information systems. Whilst this guidance is basically just aimed at government departments to implement (because they probably haven't yet), it's very good advice for all businesses, no matter how small you are. You also don't need an IT budget of a government department to actually pull it off.
Just like common sense, backups are not as common as you'd think. Recovery plans and systems even less so. I see this a lot in organisations that have teams utilizing "The Platform" - i.e. they build and run their applications on a "platform" provided by the infrastructure team under the assumption that the infrastructure team is taking care of the backups (protip: they're not).
It seems like it's a bit of a meme at this point, but seriously: test your backups. And if you don't have any backups to test, go get Veeam or another good product to start doing backups. Do that before you go any further.
Recommendation: Go and delete your Primary Domain Controller. Go on. Delete it. And then see how good your recovery processes are. Better yet, delete a customer-facing web server. Delete something that makes your business money. If your sysadmins say "yeah it'll be fine, we have backups", they're probably lying to you and themselves, and they've probably never tried recovering them.
If your end users can download installers from a web site and run them, you've failed this test. If your sysadmins can rename notepad.exe and run it, you've failed this test again. If your sysadmins can go copy C:\Program Files\ and run it and it works, you've failed this test yet again.
There will be sysadmins you're going to fight on this, because they'll have their toolkits of utilities scattered around on servers everywhere and that's the way they like it and the way they're used to things, and who are you to tell them they're wrong?
Recommendation: Start with AppLocker policies, but also look at Endpoint Protection software for more sophisticated solutions. Make sure the people most likely to be targeted by attackers (i.e. the receptionists and the bosses) can't run anything they're not allowed to. Their accounts will probably be hit first.
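As an added example (mine, not from the original post), here's how to get an AppLocker policy off the ground with PowerShell: build rules from what's actually installed, keep it in audit mode so nothing breaks on day one, then dry-run it against the exact cases above (a renamed copy of notepad.exe, whatever is sitting in Downloads). It assumes a Windows 10/11 or Windows Server box with the AppLocker module, an elevated session, and a scratch path of your choosing.

```powershell
# Added example, not from the original post: build an AppLocker policy from
# what is actually installed, put it in audit mode, and check what it says
# about a few classic "can the user run this?" cases.
# Assumptions: Windows 10/11 or Windows Server with the AppLocker module, an
# elevated session, and $policyPath as a scratch location you choose.
Import-Module AppLocker

$policyPath = Join-Path $env:TEMP 'applocker-candidate.xml'   # placeholder path

# 1. Inventory executables and scripts in the standard install locations.
$installDirs = 'C:\Program Files', 'C:\Program Files (x86)'
$fileInfo = foreach ($dir in $installDirs) {
    if (Test-Path $dir) {
        Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script
    }
}

# 2. Publisher rules where the file is signed, hash rules where it is not.
#    A rule is tied to the file's signature or hash, not its name or folder,
#    so renaming a binary or copying it elsewhere does not change the verdict.
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 3. Start in audit mode: event IDs 8003 (exe/dll) and 8006 (script/msi) in
#    Applications and Services Logs > Microsoft > Windows > AppLocker show what
#    WOULD have been blocked. Flip to 'Enabled' once the log has gone quiet.
$xml = [xml]$policyXml
foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$xml.Save($policyPath)

# 4. Dry-run the policy against the cases the post calls out: a renamed copy
#    of notepad.exe in a user-writable folder, and any .exe in Downloads.
$renamed = Join-Path $env:TEMP 'totally-not-notepad.exe'
Copy-Item "$env:SystemRoot\System32\notepad.exe" $renamed -Force
$candidates = @($renamed) +
    (Get-ChildItem "$env:USERPROFILE\Downloads" -Filter *.exe -ErrorAction SilentlyContinue).FullName
$candidates = $candidates | Where-Object { $_ }   # drop the null if Downloads is empty

# MatchingRule tells you whether the file's identity or its location decided the outcome.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $candidates -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize

# 5. When you're happy, apply it locally in audit mode, merged with whatever is there:
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

The point of step 4 is that the decision comes from the file's signature or hash, not from what it's called or where it lives; a policy that only works on paths is exactly the one that fails the "rename notepad.exe" test. Roll it out through Group Policy once the audit log stops surprising you.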
Patch Applications (& Patch Operating Systems)
From what I see, this is the pattern for why organisations can't keep up with patches:
- The sysadmin staff are overwhelmed with work (or they're incompetent because the competent ones went and became contractors).
- Core systems are patched, but some outliers are forgotten.
- The outliers become several years out of date.
- No-one wants to touch the outliers because they don't know what will break, and they could lose their job if they're the one that broke it.
- The outliers now drag down the core systems, because jumping to the latest Windows Server version will break the outliers.
- Optional: bring in the contractors that left in step 1 to tell you the above, and charge you a lot of money to try to patch things.
Recommendation: Try to get a rhythm going for patching. Document all patching processes. Make sure the documentation is actually followed. Hire more sysadmins. Cull machines you no longer need (they're just wasting your time). Have you got 10 DB servers not doing a whole lot of work? Why not combine them into one beefy DB server, and then you've got 9 fewer servers to patch. Make sure you actually delete the other 9 though.
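You can't cull or patch what you can't see, so as an added example (mine, not from the original post), here's a PowerShell inventory pull from Active Directory that makes the outliers visible: what OS the fleet is really on, which machines nobody has logged on to in months, and which are on something you can no longer patch. It assumes the RSAT ActiveDirectory module and read access to computer objects; `$staleDays` and `$legacyPatterns` are values you pick for your own environment.

```powershell
# Added example, not from the original post: pull the machine inventory out of
# Active Directory so the "outliers" are visible before they become the reason
# nothing else can be patched. Assumptions: RSAT ActiveDirectory module and a
# domain-joined session with read access to computer objects. $staleDays and
# $legacyPatterns are values you choose for your environment.
Import-Module ActiveDirectory

$staleDays = 90
# Adjust to whatever is out of support in your environment (assumed list).
$legacyPatterns = 'Windows 7', 'Windows Server 2008', 'Windows Server 2012'
$cutoff = (Get-Date).AddDays(-$staleDays)
$legacyRegex = ($legacyPatterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

$computers = Get-ADComputer -Filter 'Enabled -eq $true' `
    -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate, Description

# What does the fleet actually look like? The small groups at the bottom are the outliers.
$computers | Group-Object OperatingSystem | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

$report = foreach ($c in $computers) {
    [pscustomobject]@{
        Name        = $c.Name
        OS          = $c.OperatingSystem
        OSVersion   = $c.OperatingSystemVersion
        LastLogon   = $c.LastLogonDate
        # Nobody has logged on for $staleDays days (or ever): a cull candidate, verify first.
        Stale       = (-not $c.LastLogonDate) -or ($c.LastLogonDate -lt $cutoff)
        # On an OS you can no longer patch: these drag the core systems down with them.
        LegacyOS    = [bool]($c.OperatingSystem -match $legacyRegex)
        Description = $c.Description
    }
}

# The list to take to the next patching meeting.
$report | Where-Object { $_.Stale -or $_.LegacyOS } |
    Sort-Object LegacyOS, LastLogon | Format-Table -AutoSize

# Keep the full inventory with the patching documentation so it is actually followed.
$report | Export-Csv -Path (Join-Path $env:TEMP 'patch-inventory.csv') -NoTypeInformation
```

Run it on a schedule and diff the CSV against last month's; a machine that appears in the stale list twice in a row and has no description is the one that will still be there in three years if nobody deletes it now.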
Configure Microsoft Office macro settings
Block macros from the internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.
The biggest user group that's going to complain about restricting macro use is the finance people. Their whole section runs on a mishmash of macros written by Big 4 consultants a decade ago when they were at the tail-end of puberty but "dressing for the job they want".
As much as you want to just deny all macros across the board, you're still going to need a strategy to deal with them, otherwise the payroll people will have nothing to pay you with.
Recommendation: Enforce signed macros and set up signing certificates, and then you'll also be able to identify which macros are actually needed in your organisation. Just make sure your signing certificates can't be stolen, otherwise you might as well not bother.
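To make that concrete, here's an added example (mine, not from the original post) that sets the macro settings this control asks for on Word, Excel and PowerPoint and reads them back. It writes the same registry values a Group Policy would, under HKCU\Software\Policies, so it's for trying things on one machine before you push the same settings by GPO; it assumes Office 2016/2019/365 (registry version 16.0), and the share path is a placeholder.

```powershell
# Added example, not from the original post: apply the macro settings the
# control calls for to Word, Excel and PowerPoint, then read them back.
# Assumptions: Office 2016/2019/365 (registry version 16.0). Writing to the
# HKCU\Software\Policies hive mirrors what a GPO sets, so this is for testing
# on one machine before you push the same values by Group Policy.
$officeVersion = '16.0'
$apps = 'Word', 'Excel', 'PowerPoint'
# Placeholder share: readable by users, writable only by whoever owns the vetted macros.
$trustedShare = '\\fileserver\FinanceMacros'

function Set-OfficeMacroPolicy {
    foreach ($app in $apps) {
        $security = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
        New-Item -Path $security -Force | Out-Null

        # "Block macros from running in Office files from the Internet"
        # (files carrying the mark-of-the-web: downloads, email attachments).
        Set-ItemProperty -Path $security -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord

        # VBAWarnings: 1 = enable all, 2 = disable with notification,
        # 3 = disable all except digitally signed, 4 = disable all, no notification.
        Set-ItemProperty -Path $security -Name 'VBAWarnings' -Value 3 -Type DWord

        # One vetted trusted location on a share. Network trusted locations are
        # ignored unless AllowNetworkLocations is set.
        $locations = Join-Path $security 'Trusted Locations'
        New-Item -Path $locations -Force | Out-Null
        Set-ItemProperty -Path $locations -Name 'AllowNetworkLocations' -Value 1 -Type DWord
        $loc = Join-Path $locations 'Location1'
        New-Item -Path $loc -Force | Out-Null
        Set-ItemProperty -Path $loc -Name 'Path' -Value $trustedShare -Type String
        Set-ItemProperty -Path $loc -Name 'AllowSubfolders' -Value 0 -Type DWord
        Set-ItemProperty -Path $loc -Name 'Description' -Value 'Vetted finance macros' -Type String
    }
}

function Get-OfficeMacroPolicy {
    foreach ($app in $apps) {
        $security = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
        $props = Get-ItemProperty -Path $security -ErrorAction SilentlyContinue
        $loc = Get-ItemProperty -Path (Join-Path $security 'Trusted Locations\Location1') -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App                 = $app
            BlockInternetMacros = $props.blockcontentexecutionfrominternet -eq 1
            VBAWarnings         = $props.VBAWarnings
            SignedMacrosOnly    = $props.VBAWarnings -eq 3
            TrustedLocation     = $loc.Path
        }
    }
}

Set-OfficeMacroPolicy
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

The Get- function is the useful half: run it across the fleet and every row where SignedMacrosOnly is false is a machine where the finance team's unsigned spreadsheet still runs. The trusted location only works as intended if the share's ACL means users can read from it and not write to it; otherwise it's just a folder that turns macro security off.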
User Application Hardening
Configure web browsers to block Flash (ideally uninstall it), ads and Java on the internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers.
I remember a sysadmin telling me that if he could get rid of Adobe Acrobat and Java from the network, his patching workload would decrease by about 80%. Imagine those savings.
I've also seen it before with products that scan for CVEs in networks - the majority of what they'll find is some aging version of Java hiding on an old web server somewhere, running with about 100 critical severity vulnerabilities.
Recommendation: A lot of newer companies might not need this as much, as they've probably not yet been sold a cumbersome Oracle platform that requires a dozen WebLogic servers with complicated patching procedures. Get a report of the actual applications running in each division of your business, and look to see if each needs hardening.
Restrict Administrative Privileges
The crustiness of your sysadmins is the hardest part of this control. Crustiness can refer to their physical appearance (we've all met one), or their attitude (we've all met one of these too).
Actually one other type of user that'll be a problem is the boss - they want to feel in control of their business, so they'll want to hold on to their Enterprise Admin account. And they can threaten your employment if you argue with them.
Recommendation: Split accounts into privileged and non-privileged. Make sure privileged accounts can't use email or web browsers with internet access. Split admins into standard admins, and enterprise admins. Make it really annoying to use the enterprise admin accounts. Create a dummy admins group and put the boss in there so they think they've got the power. Put the Domain\Administrator account password into a safe, and make sure no-one touches it. Not even you.
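Before you can split anything you need to know who holds the keys today, so here's an added example (mine, not from the original post) that audits the built-in privileged groups: who's in them once nested groups are expanded, whether those accounts have a mailbox (i.e. are being used for email, which this control forbids), whether their passwords are set to never expire, and whether the built-in Administrator account that's supposed to be in the safe has been logging on. It assumes the RSAT ActiveDirectory module and read access to the domain.

```powershell
# Added example, not from the original post: audit who actually holds
# domain-wide admin rights and whether those accounts look like day-to-day
# accounts. Assumptions: RSAT ActiveDirectory module and read access to the
# domain. Group names are the built-in ones.
Import-Module ActiveDirectory

$privilegedGroups = 'Enterprise Admins', 'Domain Admins', 'Schema Admins', 'Administrators'

function Get-PrivilegedAccountReport {
    foreach ($group in $privilegedGroups) {
        # -Recursive expands nested groups, which is where the surprise members hide.
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            Where-Object objectClass -eq 'user'
        foreach ($m in $members) {
            $u = Get-ADUser -Identity $m.distinguishedName `
                -Properties mail, PasswordNeverExpires, PasswordLastSet, LastLogonDate, MemberOf
            $pwAgeDays = if ($u.PasswordLastSet) {
                [int]((Get-Date) - $u.PasswordLastSet).TotalDays
            } else { $null }
            [pscustomobject]@{
                Group                = $group
                Account              = $u.SamAccountName
                Enabled              = $u.Enabled
                # A mail attribute on a privileged account means it is a day-to-day account too.
                HasMailbox           = [bool]$u.mail
                PasswordNeverExpires = $u.PasswordNeverExpires
                PasswordAgeDays      = $pwAgeDays
                # Protected Users blocks NTLM and cached credentials for these accounts.
                InProtectedUsers     = @($u.MemberOf -match '^CN=Protected Users,').Count -gt 0
                LastLogon            = $u.LastLogonDate
            }
        }
    }
}

Get-PrivilegedAccountReport | Sort-Object Group, Account | Format-Table -AutoSize

# The built-in Administrator is always RID 500, whatever it has been renamed to.
# If its password lives in a safe, a recent logon here is the thing to go and ask about.
$domainSid = (Get-ADDomain).DomainSID.Value
Get-ADUser -Identity "$domainSid-500" -Properties LastLogonDate, PasswordLastSet |
    Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet
```

Every row with HasMailbox true is an account that needs splitting in two; every row in Enterprise Admins that isn't a break-glass account is a candidate for the "dummy admins" treatment.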
It's all well and good to enable the other 7 controls, but if someone can go to Have I Been Pwned? and look for email addresses of your sysadmins to find that they're using a password that was in the 2012 LinkedIn data breach, well then you've gone to all this trouble for nothing.
Where do attackers hit first? They target internet-connected servers, and VPNs. What's the easiest way to stop them getting through? Enable Multi-factor Authentication (a.k.a. two-factor authentication). If an attacker knows your password, but MFA is enabled, they're still not getting into your systems unless they can get their hands on your MFA device.
Recommendation: buy some trays of YubiKeys, and buy Signata Enterprise to manage them. Make sure you control how the tokens are issued, otherwise an attacker might find a way to get your help desk staff to just give them one. We wrote up a whole bunch of stuff about using YubiKeys in our previous post, which I recommend you check out to learn more.
Bonus Recommendation: if you're one of the next 10 organisations to sign up to Signata Enterprise, you'll get a 1 year starter licence for free! Just Sign Up now and click Request Trial.