Calibre 1: There are no shortcuts
What I’ve Done
This blog post follows on from the LinkedIn post I made recently about a failure to validate a script costing me 3 hours. Would I call that time wasted? No, certainly not. I had an epiphany: there are no shortcuts. Whether it's validating something as simple as a script, auditing a client's security posture, the Essential 8, Zero Trust or ISO 27001, none of these things can happen overnight, and none of these things SHOULD!! Let's go back to the start. Address cyber security from the beginning and take it all BACK TO BASICS.
All things start from a need, and all things get more and more complex as those needs expand. We lead with internet connectivity: we're not much good if we can't connect to the internet, so let's get a modem, firewall and switch together so we can connect. Let's make sure the firewall is sufficiently scoped to detect intrusions and prevent them (IDS/IPS), and then additions like SSL inspection, so we can see inside encrypted traffic, will help ensure we're not letting our data escape. To protect yourself from accidentally sending sensitive documents out of the network, you might investigate Data Loss Prevention and implement data labelling. Most don't need this level early on, but possibly will in the future, and I'm a big fan of tackling these kinds of steps early to develop good habits. While you're here, set up content filters and prevent your administrator accounts from accessing the internet. Set up your DNS to use a secure provider like Quad9.net to protect you from nasty queries. Firewalls to consider are the FortiGates from Fortinet.
Next comes identity and access management. We need this to be on a provider that can handle single sign-on, handle multi-factor authentication, and take long passphrases (16+, multi-word sentences). Azure Active Directory comes to mind as something that handles these things well. Reminder to keep your administrative accounts separate from your user accounts!! You can use other services that do this kind of thing; Okta comes to mind, however they're not in a great space right now following LAPSUS$.
Now we can log in, what's the first thing we do? We replace Internet Explorer with a better browser and stop it from running, and while we're at it, let's make sure we're only running the tasks that we ask the computer to do. This is where application control comes into play; we can do this with Windows Defender Application Control or with Airlock Digital.
Adding onto this, we install Microsoft Office so we have tools to access our emails and write documents. Let's stop Office macros from running: we don't use them, and they're risky! Using Microsoft Endpoint Manager or Group Policy, we set up the security of the Office suite to block execution of macros. We then want to make sure we're not letting our PDF readers and browsers do anything they're not meant to, so we restrict their capabilities too.
With user accounts we then have data that needs protection, so we'll install an antivirus solution. This needs to pick up and protect you from active, current threats, but also from new threats like zero-day attacks and other non-standard behaviour. Microsoft Defender Plan 2, Fortinet EDR and CrowdStrike are all great examples of an effective Endpoint Detection and Response (EDR) tool or next-gen antivirus (NGAV). Defender includes vulnerability scanning, so if we have the function let's turn it on; otherwise let's invest in making sure we know about these things. Tenable.io, Nessus, Rapid7 and Qualys all spring to mind as great vulnerability scanners.
One Step Closer
Now you have users and data that need protecting, so what happens if they are lost or deleted? Well, you need a backup. This needs to have adequate retention to make sure we can go back to those little-accessed files that you need once a year, or longer if you need to keep records for tax, say 7 years. We realise that maybe one copy of the data may not be enough. We tackle this with a 3-2-1 strategy: 3 copies of your data, including the live copy, on 2 different types of media (e.g. hard drive and tape/WORM storage), with 1 of those copies kept offline. A daily full backup is a lot of data to keep and takes a lot of time to complete, so maybe your full backup occurs on a Friday and you run a differential backup on the other days. Then we build out a daily, weekly, monthly, yearly (Grandfather-Father-Son, GFS) scheme to give backups that can be recovered all the way back several years. Backups are severely undervalued; I can't stress enough how important this step is. There's great software that makes this easy to handle, like Azure Backup, Veeam, Barracuda etc. Pick one and run with it. Make sure to use a separate backup account, and that the backup system is not joined to the domain!
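To make the backup plan above concrete, here is an added example (my own illustration, not code from the original post or from any of the backup products it names) that models a Friday full / weekday differential schedule, works out which backup sets are needed to restore a given day, applies a Grandfather-Father-Son retention policy, and checks a set of copies against the 3-2-1 rule. The dates, retention counts (7 daily, 4 weekly, 12 monthly, 7 yearly) and media labels are constructed sample values, and the choice of Friday as the full-backup day follows the post.

```python
"""Added example: a small model of the backup scheme described in the post.
Dates, retention counts and media names are constructed sample values."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Backup:
    day: date
    kind: str  # "full" or "diff"


FULL_WEEKDAY = 4  # Monday is 0, so 4 is Friday: the post's weekly full-backup day


def day(iso: str) -> date:
    """Small helper so dates can be written as ISO strings."""
    return date.fromisoformat(iso)


def schedule(start: date, end: date):
    """Backups produced by a 'full on Friday, differential on other days' plan."""
    out, d = [], start
    while d <= end:
        out.append(Backup(d, "full" if d.weekday() == FULL_WEEKDAY else "diff"))
        d += timedelta(days=1)
    return out


def last_full_before(backups, target: date):
    fulls = [b for b in backups if b.kind == "full" and b.day <= target]
    return max(fulls, key=lambda b: b.day) if fulls else None


def restore_chain(backups, target: date):
    """A differential captures everything changed since the last full, so a
    restore needs that full plus the newest differential on or before target."""
    base = last_full_before(backups, target)
    if base is None:
        raise ValueError(f"no full backup on or before {target}; cannot restore")
    if base.day == target:
        return [base]
    diffs = [b for b in backups if b.kind == "diff" and base.day < b.day <= target]
    return [base, max(diffs, key=lambda b: b.day)] if diffs else [base]


def gfs_retain(backups, today: date, keep_daily=7, keep_weekly=4,
               keep_monthly=12, keep_yearly=7):
    """Grandfather-Father-Son retention: which backups survive a clean-up run."""
    ordered = sorted((b for b in backups if b.day <= today), key=lambda b: b.day)
    fulls = [b for b in ordered if b.kind == "full"]
    keep = set()
    # Sons: every backup (full or diff) taken in the last keep_daily days
    keep.update(b for b in ordered if b.day >= today - timedelta(days=keep_daily - 1))
    # Fathers: the most recent weekly fulls
    keep.update(fulls[-keep_weekly:] if keep_weekly else [])
    # Grandfathers: the first full of each month and of each year
    by_month, by_year = {}, {}
    for b in fulls:  # dicts keep insertion order, and fulls is date-sorted
        by_month.setdefault((b.day.year, b.day.month), b)
        by_year.setdefault(b.day.year, b)
    keep.update(list(by_month.values())[-keep_monthly:] if keep_monthly else [])
    keep.update(list(by_year.values())[-keep_yearly:] if keep_yearly else [])
    # A differential is useless without the full it was taken against, so any
    # retained diff drags its base full along with it.
    for diff in [b for b in keep if b.kind == "diff"]:
        base = last_full_before(ordered, diff.day)
        if base is not None:
            keep.add(base)
    return sorted(keep, key=lambda b: b.day)


def three_two_one(copies):
    """copies: (media, offline) pairs for every copy of the data, live copy included.
    3 copies, on at least 2 media types, with at least 1 copy offline."""
    return (len(copies) >= 3
            and len({media for media, _ in copies}) >= 2
            and any(offline for _, offline in copies))


if __name__ == "__main__":
    plan = schedule(day("2022-01-01"), day("2022-06-30"))
    for b in restore_chain(plan, day("2022-03-09")):
        print("restore needs", b.kind, b.day)
    kept = gfs_retain(plan, day("2022-06-30"))
    print(len(plan), "backups taken,", len(kept), "retained under GFS")
    print("3-2-1 met:", three_two_one([("disk", False), ("disk", False), ("tape", True)]))
```

Run it and the restore chain for a Wednesday comes out as the preceding Friday's full plus that day's differential, while the half-year of 181 backups shrinks to 15 under the retention policy: the last week in full, three further weekly fulls, and one full per month going back to January. The base-full rule at the end of `gfs_retain` is the part most retention scripts get wrong; pruning a full that a retained differential depends on leaves you with a backup you cannot restore.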
Now there are bugs in the software, so let's get some patch management going. We've got browsers, an office productivity suite, PDF readers and operating systems. For patching, we want something that handles multiple types of operating system; a strong suggestion is Microsoft Azure Automation, as this handles both Windows and Linux systems. However, in a full Windows environment, we can use Windows Server Update Services or Windows Update for Business.
In the end
So, after visiting the basics, we've accidentally created the Essential 8 with a couple of extra considerations towards the 37 recommended security controls from the ACSC. A lot of this comes naturally if you're thinking of security first, but the reality is we don't think about it until we need it. For example, delete a document by accident and we think about backup. Get a virus, install antivirus. All these things take your valuable time to resolve, and so we look for those shortcuts. We make mistakes when we take shortcuts, and it ultimately costs you more time down the track. After all, it's difficult to get the toothpaste back into the tube.