
What is it about?
According to a report published by the Australian Department of Defence, 85% of targeted breaches could have been prevented by implementing just four simple controls.
"At least 85% of the targeted cyber intrusions that the Australian Signals Directorate (ASD) responds to could be prevented by following the Top 4 mitigation strategies listed in our Strategies to Mitigate Targeted Cyber Intrusions:
• use application whitelisting to help prevent malicious software and unapproved programs from running
• patch applications such as Java, PDF viewers, Flash, web browsers, and Microsoft Office
• patch operating system vulnerabilities
• restrict administrative privileges to operating systems and applications based on user duties."
That is what this blog post focuses on, together with some extra measures that will help you mitigate up to 98% of attacks.
Hardening the nodes in your network, servers and endpoints alike, is essential. The stricter the policies, the harder it is for an attacker to introduce a malicious element and disturb the security of your operations.
Rule number 1:
You should establish some ground rules, first and foremost for how everyday tasks are performed on any OS. This applies to all users, but especially to IT administrators.
Policies should prevent the execution and installation of unknown executables/software when running under a limited account. When working as an administrator, the administrative account should be barred from accessing the internet at the proxy level.
There are NO EXCEPTIONS to the above rule.
It doesn't matter how many riots and complaints you receive. Based on my experience, IT admins can get used to working this way; after some time they not only accept it, but, if you've done your job correctly and explained the reasons to them, they will enforce the good habit upon their rebellious peers.
The reason for this is counter-intuitive but real.
The users with admin power should be knowledgeable and experienced – that is why they got administrative rights in the first place, right?
WRONG!!!
Administrators are often overconfident and browse the internet as admins with no clue about the risks in the simple act of browsing. Some of them download applications "to make their life easier", and as a result introduce malicious software into the organization.
Hence the need to restrict internet access for administrative accounts; administrators need to work as limited users. If they need to download and execute something, they can download it under the limited account and execute it as an administrator.
Rule number 2:
Pay your people enough that they can buy their own hardware and SIM card and do their personal business on those, independently of company systems.
Forget about BYOD!!!
No external devices should be allowed whatsoever, except company-issued ones that are encrypted and permitted by Device ID, mapped to a user ID.
Connecting a smartphone or tablet to a corporate laptop for file transfer should be impossible.
Code execution from external devices should be forbidden by policy. Copying executable files from an external device to the local drive should be immediately detected, if it is allowed at all, and an alert should be sent to the IT administrative team when it happens, followed by the creation of a security incident. Disabling AutoPlay/AutoRun should be a no-brainer and should have been implemented long ago.
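The device controls in Rule 2 are usually deployed through Group Policy; as an added example (not from the original post), the following PowerShell audit reads the registry locations behind those policy settings on a Windows endpoint and reports which ones are not yet at the hardened value. It assumes an elevated session on a domain-joined Windows client and only reads, it changes nothing.

```powershell
# Added audit for the Rule 2 settings (example code, not from the original post).
# Each entry maps a Group Policy setting to the registry value it writes and the
# value that enforces the rule. Run elevated; this script is read-only.
$expected = @(
    @{ Name  = 'AutoPlay disabled on all drive types (Turn off AutoPlay)'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoDriveTypeAutoRun'; Want = 0xFF },
    @{ Name  = 'autorun.inf ignored (Default behavior for AutoRun)'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoAutorun'; Want = 1 },
    @{ Name  = 'Execute denied on removable disks'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
       Value = 'Deny_Execute'; Want = 1 },
    @{ Name  = 'Only explicitly allowed device IDs may install'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
       Value = 'DenyUnspecified'; Want = 1 }
)

function Test-DeviceHardening {
    foreach ($check in $expected) {
        # A missing key or value means the policy has never been applied: report it as not set.
        $item   = Get-ItemProperty -Path $check.Path -Name $check.Value -ErrorAction SilentlyContinue
        $actual = if ($null -eq $item) { $null } else { $item.($check.Value) }
        $shown  = if ($null -eq $actual) { '<not set>' } else { $actual }
        [pscustomobject]@{
            Check     = $check.Name
            Actual    = $shown
            Compliant = ($actual -eq $check.Want)
        }
    }
}

# Company-issued devices are whitelisted as hardware IDs under AllowDeviceIDs; list them
# so they can be reconciled against the device-to-user inventory the post calls for.
function Get-AllowedDeviceIds {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\AllowDeviceIDs'
    if (Test-Path $key) {
        $k = Get-Item $key
        $k.Property | ForEach-Object { $k.GetValue($_) }
    }
}

Test-DeviceHardening | Format-Table -AutoSize
Get-AllowedDeviceIds
```

Any row reporting Compliant = False is a gap between the policy on paper and the policy on the box; feed the output into the same alerting path as the executable-copy detection so drift is treated as an incident rather than noticed by accident.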
Rule Number 3:
Every user's "Documents" folder should be located on a network share, if possible. The purpose of this is to enable centralized backup (unless you have other solutions in place) and to prevent a "Sony Disaster" in case your organization is hit by destructive/encrypting malware. If that happens, you will have a backup from which to quickly restore the encrypted files to their original versions.
Rule Number 4:
Backup *everything* you can, as often as you can.
Rule Number 5:
This one is more of a recommendation, but if you can, build a clone of a standard desktop machine, ready to be logged on to, with an auto-configuring mail client, etc. (based on the user account that logs on).
Have that image deployed on Amazon or another cloud vendor, ready to be cloned into as many copies as you need in the event of a disaster. Do the same for critical servers. If a disaster hits your organization, you will be able to quickly power on and run from the cloud.
Having powered-down copies of virtual machines in the cloud, ready to be cloned and powered on, is extremely cheap compared to maintaining a cold, warm, or hot site with physical devices.