Lockdown Lessons in Environmental Security
Ensuring even the most basic of security principles and methods are in place can have a material impact on your organization’s ability to fend off cyberattack.
MSPs are coming under attack more and more in 2019, causing concern among SMB customers around whether they are truly secure if their Managed IT Service Provider is compromised. So, it is necessary for MSPs to begin to “clean their own house” and ensure its security. In our last blog, we looked at the need to implement a layered security stance that prevents, protects, and detects attacks. The layered approach has a lot to do with ensuring the right solutions are in place at the right points in the environment to thwart an attack. But MSPs also need to be thinking about how to establish and maintain an overall secure environment.
This goes beyond solutions; this is more about how you approach the security of your environment, how it’s configured, and how you ensure users aren’t the weak link in the strategy. These same principles apply to both your network and your customers’, as you both have something to lose should either network be compromised by cyberattack – if you’re attacked, you may not be able to service customers; if your customer is attacked (whether directly or via a compromise of your network), it’s not going to go over well that they’ve become a victim, despite your best efforts.
So, what are some of the key considerations when attempting to secure your network environment?
There are four “low-hanging” aspects of establishing and maintaining environmental security that, when implemented, can have a material impact on your ability to fend off cyberattacks:
1. Patch and Keep Software Updated
Operating systems and applications are useful tools to cybercriminals; they represent potential ways of gaining privileged access to an endpoint. But to leverage them, there has to be an existing vulnerability that can be exploited. The Common Vulnerabilities and Exposures (CVE) database catalogs these publicly known flaws and serves as the basis for OS and application vendors developing patches for their products.
It’s imperative that you have patching in place for any and all operating systems and applications in use – this includes both Microsoft and any 3rd party applications – so that updates addressing known vulnerabilities can be applied, thereby closing the method by which an attack could have occurred. The very same RMM solution you use to patch your customers should be employed on your own systems.
2. Enforce Strict Password Policies
Passwords are the lifeblood of a cyberattack; without credentials, attackers have no ability to access your network, move laterally within it, or reach the systems, applications, and data of value. RDP brute force attacks are a great example of how automated the process of attempting to “guess” someone’s password has become.
And yet, passwords seem to be the one thing users don’t have a handle on. According to Ponemon’s 2019 State of Password and Authentication Security Behaviors report, it’s far worse than just choosing a bad password:
- 51 percent of users reuse passwords across both business and personal accounts
- An average of 5 accounts share the same password
- 69 percent of users share passwords with a colleague
Normally, the answer to this problem is password policies that include more frequent password changes and complex passwords. But Microsoft recently surprised the world with a new set of password recommendations that include not forcing users to change passwords, and not requiring specific password compositions (such as requiring uppercase, lowercase, numbers, and special characters).
To put your organization in the most secure stance, the new thinking around what a “strict password policy” entails calls for password hygiene that includes:
- Educating users to use one unique password per application or website, and never to reuse work passwords for personal accounts
- A minimum length of 8 characters
- Discouraging single-word passwords
- Banning common passwords
- Using multi-factor authentication
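The policy items above translate directly into checks a password-change handler can run. The following is an added example written for this post, not Webroot's code or anything the post itself ships: it enforces the 8-character minimum, a banned-password list, a single-dictionary-word check (including the common "Summer2019!" pattern of a word plus trailing digits and symbols), and a reuse check, while deliberately imposing no composition rules, in line with the Microsoft guidance the post cites. The banned list and the dictionary are tiny constructed stand-ins; a real deployment would load a breached-password corpus and a full word list, and would compare reuse by hash rather than plaintext.

```python
import re
from typing import Iterable, List

MIN_LENGTH = 8

# Constructed stand-in for a breached/common-password ban list (assumption for this example).
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein", "welcome", "admin", "password1",
}

# Constructed stand-in for a dictionary word list (assumption for this example).
DICTIONARY_WORDS = {
    "summer", "winter", "spring", "autumn", "dragon", "monkey", "football", "welcome", "company",
}

# Matches trailing digits / punctuation, so "Summer2019!" reduces to the stem "summer".
_TRAILING_JUNK = re.compile(r"[\d\W_]+$")


def check_password(candidate: str, previously_used: Iterable[str] = ()) -> List[str]:
    """Return the list of policy violations for `candidate`.

    An empty list means the password is acceptable. Note what is *not* checked:
    no uppercase/lowercase/digit/symbol composition rules, per the newer guidance.
    """
    problems: List[str] = []
    lowered = candidate.lower()

    # 1. Minimum length
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # 2. Banned common passwords (case-insensitive)
    if lowered in COMMON_PASSWORDS:
        problems.append("appears on the banned common-password list")

    # 3. Single dictionary word, optionally decorated with trailing digits/symbols
    stem = _TRAILING_JUNK.sub("", lowered)
    if stem in DICTIONARY_WORDS:
        problems.append("is a single dictionary word (with trailing digits/symbols)")

    # 4. Reuse across accounts; a production system would compare hashes, not plaintext
    if lowered in {p.lower() for p in previously_used}:
        problems.append("reuses a password already used elsewhere")

    return problems


def is_acceptable(candidate: str, previously_used: Iterable[str] = ()) -> bool:
    """Convenience wrapper: True when no policy violation is found."""
    return not check_password(candidate, previously_used)


if __name__ == "__main__":
    # Constructed sample candidates
    for pw in ["welcome", "Summer2019!", "password", "correct horse battery staple"]:
        verdict = check_password(pw) or ["ok"]
        print(f"{pw!r}: {', '.join(verdict)}")
```

Because the check returns every violation rather than stopping at the first, the feedback shown to the user (or logged by the MSP) explains exactly which hygiene rule a rejected password broke.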
3. Enforce the Security Practice of Least Privilege
The practice of least privilege dictates that users should have access to only those data sets, applications and systems necessary to accomplish their job, usually requiring separate credentials for elevated access. The purpose of this is to limit the exposure of privileged access to an external attacker. Since 60% of attacks involve lateral movement, we know that cybercriminals will take advantage of any access you allow them.
Here are three high-level steps you can take to implement and enforce least privilege:
- Separate Privileged & Non-Privileged Accounts – For a given user that needs elevated access, create one account to perform non-administrative job functions (such as web browsing, email, Office, etc.) and a second account for administrative functions.
- Limit Privileges – Establish access based on roles, re-defining and granting only the limited permissions necessary.
- Limit Access to Administrator – Minimize the number of users that have access to any administrator account (whether on a workstation, in Active Directory, or anywhere in-between).
4. Segregate Your Network
Depending on how your network is architected, there is the potential for a cybercriminal to gain access to critical applications and data on your network, as well as direct access to one or more of your customers’ networks. So, extend the thinking around the practice of least privilege to your network design.
Software-defined networking (SDN) as well as traditional network segmentation can be used as a means of segregating parts of the network that are accessible to/from the Internet and those that provide access to critical internal workloads and customer networks.
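Whether the segmentation is done with SDN or with traditional VLANs and firewalls, the decision of which zone may talk to which is a policy that can be written down and checked. The following is an added example, not code from the post or from Webroot: it models a hypothetical MSP network as zones (an Internet-facing DMZ, staff workstations, a critical zone holding RMM and backup servers, and one customer network), an allow-list of permitted zone-to-zone flows, and a set of constructed firewall rules, then reports every allow rule that crosses zones in a way the policy does not permit, or that uses a source or destination too broad to belong to a single zone. Zone addresses, rule names and the flow policy are all assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple

# Constructed zones for a hypothetical MSP network (assumption, not from the post).
ZONES = {
    "internet_facing":  ip_network("203.0.113.0/24"),  # DMZ hosts reachable from the Internet
    "msp_workstations": ip_network("10.10.0.0/16"),    # technician and staff endpoints
    "msp_critical":     ip_network("10.20.0.0/16"),    # RMM, backups, domain controllers
    "customer_a":       ip_network("10.100.0.0/16"),   # a managed customer's network
}

# Least-privilege flow policy: which zone may initiate connections to which.
# Any cross-zone flow not listed here is treated as a violation.
ALLOWED_FLOWS = {
    ("msp_workstations", "msp_critical"),  # staff reach the RMM/backup tier
    ("msp_critical", "customer_a"),        # only the critical tier reaches customers
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # CIDR
    dst: str     # CIDR
    action: str  # "allow" or "deny"


def zone_of(cidr: str) -> Optional[str]:
    """Return the zone that fully contains `cidr`, or None if it spans or misses all zones."""
    net = ip_network(cidr)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return None


def find_violations(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (rule name, reason) for every allow rule that breaks the segmentation policy."""
    violations: List[Tuple[str, str]] = []
    for rule in rules:
        if rule.action != "allow":
            continue  # deny rules cannot widen access
        src_zone, dst_zone = zone_of(rule.src), zone_of(rule.dst)
        if src_zone is None:
            violations.append((rule.name, f"source {rule.src} is not inside a single defined zone"))
        elif dst_zone is None:
            violations.append((rule.name, f"destination {rule.dst} is not inside a single defined zone"))
        elif src_zone != dst_zone and (src_zone, dst_zone) not in ALLOWED_FLOWS:
            violations.append((rule.name, f"{src_zone} -> {dst_zone} is not an allowed flow"))
        # Same-zone traffic is left to host firewalls and is not judged here.
    return violations


# Constructed ruleset: two rules are fine, two undermine the segmentation.
SAMPLE_RULES = [
    Rule("web-to-rmm",        "203.0.113.0/24", "10.20.0.0/16",  "allow"),  # DMZ straight into RMM
    Rule("admins-to-rmm",     "10.10.5.0/24",   "10.20.0.0/16",  "allow"),
    Rule("rmm-to-customer-a", "10.20.1.0/24",   "10.100.0.0/16", "allow"),
    Rule("any-to-dc",         "0.0.0.0/0",      "10.20.0.10/32", "allow"),  # "any" source
    Rule("deny-all",          "0.0.0.0/0",      "0.0.0.0/0",     "deny"),
]


if __name__ == "__main__":
    for name, reason in find_violations(SAMPLE_RULES):
        print(f"VIOLATION {name}: {reason}")
```

Rules are evaluated individually against the zone policy, so the check stays useful as a pre-change review step: a proposed rule that would give an Internet-facing host a path into the RMM tier, or that uses an "any" source, is flagged before it is pushed to the device.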
Locking Down the Environment
The environment itself either invites attackers to “come in and take a look around” or tells them to “go away – there’s nothing here to see.” The goal here is to limit. You limit an attacker’s ability to find a way in by minimizing vulnerabilities via patching. You limit an attacker’s ability to get their hands on credentials that can help them carry out their malicious actions through good password practices and regulating privileged access. And you limit any ability to connect to critical systems and networks by segregating your network.
Cybercriminals want unfettered access. By putting these controls in place, you create an environment so limiting that attackers will simply look elsewhere for an easier target.
In our next article, we’ll discuss some of the security considerations that can change on a daily basis, and what technologies you should leverage to ensure you are continually augmenting your security stance.
Check out our latest video Lockdown Lessons Episode 2 Reinforcing your Network to learn more on how to implement network security best practices.
I encourage you to start a free Webroot protection trial and see for yourself how our solutions can help you prevent threats and maximize growth: Endpoint Protection | DNS Protection | Security Awareness Training.