By: Charlie Crane
May 25, 2021
Cybersecurity Controls Checklist
Building a robust cybersecurity program often feels like an impossible task. This feeling can be caused by complex enterprise environments, company politics, vendor scaremongering, and jargon-packed marketing material that promises to provide you with the silver bullet for the next-gen fileless malware. It doesn't have to be this way.
If we boil cybersecurity breaches down and peel away the marketing, we find the same tried and true attack techniques almost every time. These all-too-common techniques can be prevented by relatively simple cybersecurity best practices (controls, in this case) that almost any technical person can implement. Sysadmins, that includes you!
The controls listed here are not intended to be impressive, shiny, or exciting. They are simply fundamentals that provide the most security benefit for the effort and time spent.
The first common and preventable attack technique is vulnerability exploitation. Attackers enjoy gaining their initial access by running prebaked exploits for vulnerabilities that typically have easily installed patches.
As such, administrators should have an easy-to-adopt plan that outlines a regular patching schedule on at least a monthly basis.
This plan can be as simple as meeting once a month to click the update button on your systems, or as complex as a full-blown vulnerability management project centered around a tool like Tenable or Qualys. The important part is that your systems are updated regularly.
First, focus on edge systems like Citrix NetScaler and VPN gateways, as these appliances are attractive targets because of their precarious location. Straddling the internal and external networks makes them a perfect bridge from the outside. An unpatched remote code execution vulnerability here can have devastating consequences.
Firewall inbound and outbound
Although enterprises are moving to the cloud, they still have on-prem assets that need protection from the harsh internet. This is where a firewall steps in as a first and arguably most important line of defense. When possible, a review of firewall rules should be organized to make inbound and outbound rules as strict as possible while maintaining usability. Finding this balance might be tricky but is essential to good security. A good starting place would be striking off all permissive rules such as "Accept All" and limiting any particularly dangerous inbound ports like RDP and SSH. It is known that some ransomware operators scan the internet for open RDP before brute forcing passwords and letting themselves in.
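The rule review described above can be started with a script. The following is an added example, not code from the original post: it audits a constructed, vendor-neutral ruleset (tuple layout and sample rules are assumptions, not any firewall's real export format) for blanket "Accept All" rules and for RDP or SSH accepted inbound from any source.

```python
"""Flag permissive 'Accept All' rules and internet-exposed RDP/SSH in a
firewall ruleset. Added example; the rule layout below is constructed."""
import ipaddress

# Ports the post calls out as particularly dangerous when reachable inbound.
RISKY_INBOUND_PORTS = {22: "SSH", 3389: "RDP"}

def is_any(value):
    """True for wildcard fields such as 'any', '*', '' or 0.0.0.0/0."""
    v = value.strip().lower()
    if v in ("any", "*", ""):
        return True
    try:
        return ipaddress.ip_network(v, strict=False).prefixlen == 0
    except ValueError:
        return False  # not a network (e.g. a port number or a name)

def audit_rules(rules):
    """Return (rule_name, finding) pairs for rules to strike or tighten."""
    findings = []
    for name, direction, src, dst, proto, port, action in rules:
        if action.lower() != "accept":
            continue  # deny/drop rules are not the problem
        wildcard = is_any(src) and is_any(dst) and proto.lower() == "any" and is_any(port)
        if wildcard:
            findings.append((name, "permissive 'Accept All' rule"))
            continue
        if direction.lower() == "inbound" and is_any(src):
            try:
                p = int(port)
            except ValueError:
                continue  # port ranges or service names are out of scope here
            if p in RISKY_INBOUND_PORTS:
                findings.append((name, f"{RISKY_INBOUND_PORTS[p]} open to the internet"))
    return findings

# Constructed sample ruleset: (name, direction, src, dst, proto, port, action)
SAMPLE_RULES = [
    ("allow-all", "inbound", "any", "any", "any", "any", "accept"),
    ("rdp-from-internet", "inbound", "0.0.0.0/0", "10.0.0.5", "tcp", "3389", "accept"),
    ("ssh-from-mgmt", "inbound", "10.10.0.0/24", "10.0.0.6", "tcp", "22", "accept"),
    ("web", "inbound", "any", "10.0.0.7", "tcp", "443", "accept"),
    ("default-deny", "inbound", "any", "any", "any", "any", "drop"),
]

if __name__ == "__main__":
    for rule_name, finding in audit_rules(SAMPLE_RULES):
        print(f"{rule_name}: {finding}")
```

Only the two rules the post warns about are reported; SSH restricted to a management subnet and HTTPS to a single host pass.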
Endpoint agents (AV and EDR)
Almost all organizations run some endpoint protection technology, ideally a modern tool like CrowdStrike or Defender ATP, but in any case an agent.
The control here is operational. Are endpoint agents deployed everywhere? Compare a list of known hosts (e.g., from Active Directory) to the hosts on which endpoint protection software is installed. Most agent management consoles can export this list directly.
Are the agents working? Run a test file against a random selection of endpoints to see if an alert is triggered.
Do the right stakeholders receive alerts? Upon testing for alerts, ensure the right people see that alert.
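The host comparison from the first check above, as an added example that is not from the original post. Both CSV exports are constructed, and their column names are assumptions (real console and AD exports vary); hostnames are normalised so short names and FQDNs match, and disabled or stale AD accounts are skipped so they do not inflate the gap.

```python
"""Find enabled, recently seen AD computers that carry no endpoint agent,
and agents on hosts AD does not know about. Added example; inputs constructed."""
import csv
import io
from datetime import date, timedelta

# Constructed AD export (columns assumed).
AD_EXPORT = """Name,DNSHostName,Enabled,LastLogonDate
WS-001,ws-001.corp.example,True,2021-05-20
WS-002,ws-002.corp.example,True,2021-05-21
SRV-FILE01,srv-file01.corp.example,True,2021-05-24
OLD-WS-099,old-ws-099.corp.example,False,2019-01-03
LAB-PC,lab-pc.corp.example,True,2020-11-02
"""

# Constructed endpoint-console export (columns assumed).
EDR_EXPORT = """Hostname,AgentVersion,LastSeen
ws-001.corp.example,6.1.0,2021-05-24
SRV-FILE01,6.1.0,2021-05-24
CONTRACTOR-LT,6.0.2,2021-05-23
"""

REPORT_DATE = date(2021, 5, 25)  # constructed 'today' for the sample data

def canonical(hostname):
    """Map 'WS-001', 'ws-001.corp.example' and 'WS-001.' to the same key."""
    return hostname.strip().lower().split(".")[0]

def coverage_gap(ad_csv, edr_csv, today, stale_days=90):
    """Return (missing_agent, unknown_to_ad) as sorted lists of canonical names."""
    cutoff = today - timedelta(days=stale_days)
    known = set()
    for row in csv.DictReader(io.StringIO(ad_csv)):
        if row["Enabled"] != "True":
            continue  # disabled computer account
        if date.fromisoformat(row["LastLogonDate"]) < cutoff:
            continue  # stale: not seen within stale_days
        known.add(canonical(row["DNSHostName"] or row["Name"]))
    protected = {canonical(r["Hostname"]) for r in csv.DictReader(io.StringIO(edr_csv))}
    return sorted(known - protected), sorted(protected - known)

if __name__ == "__main__":
    missing, unknown = coverage_gap(AD_EXPORT, EDR_EXPORT, REPORT_DATE)
    print("Active hosts without an agent:", missing)
    print("Agents on hosts not in AD (investigate):", unknown)
```

The second list is worth reviewing too: an agent on a host that directory services do not know about usually means an unmanaged machine.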
2FA and Passwords
This classic control will never get old.
Ensure that all boundary systems that allow access to the network (VPN, Citrix, O365) require two-factor authentication to defend against credential stuffing, brute force, and successful phishing attacks. If an account has two-factor authentication enabled, such as a six-digit code or push notification, it becomes far more difficult, if not impossible, for an attacker to access it with just a stolen username and password.
Set password policies to modern standards. Longer passphrases that do not rotate regularly are considered favorable, because forcing users to set complex passwords that rotate regularly encourages them to choose weak, repeated passwords. This is a complex subject outside the scope of this post, but the blog post from Troy Hunt on this topic illuminates the issue well, and the NCSC's password guidance offers further insight.
Most breaches are caused by a network's weakest part, its people. In the form of phishing and vishing, social engineering attacks are a cunning way to steal credentials or (more rarely) gain remote code execution. Cybersecurity training often falls short because consistently training non-technical people on technical subjects is inherently difficult. Unfortunately, the folks providing training tend to focus on the technical detail.
Users need to be trained to spot malicious emails, links, phone calls, attachments, and so on. It's a lot for them to take in, so making training sessions digestible without diluting the main points is ideal. This can be done by keeping training sessions short (thirty minutes or less) and free from technical jargon.
Organizations can help users understand that they need to look for things that don't feel right. Has any email come in at a strange time? Does the sender usually send emails that are formatted like this? Is the sender encouraging you to do something? Is there an unreasonable sense of urgency in the message? Has this sender ever sent this attachment type before? Lastly, ensure they are encouraged and able to report anything suspicious easily. Let there be no ambiguity around what action is required when reporting a phishing email.