Covering The Basics

Low- to no-cost security controls you can implement to significantly improve your organizational security posture.

If you work in the Information Technology space, you know the grind of being constantly marketed to by what seems to be every manufacturer and service provider on the face of the planet.  Those of us who have specialized in Information Security have the distinct pleasure of being told that everyone has the key to our security supremacy.  Each manufacturer or service provider has the silver bullet that will thwart all attackers, all the time, and from all vectors. 

It's easy to become enthralled by the blinky-lights and knobby-knobs but, much to the chagrin and dismay of our manufacturer and supplier friends out there, no solution or manufacturer has all the answers.  Far too often, we become enamored by the newest or trendiest new tool.  We become wrapped up in the propaganda, maybe even feeling waterboarded by the Kool-Aid.

To be fair, there are a ton of really cool and effective tools and solutions out there.  Many are quite effective when configured and tuned appropriately.  Unfortunately, there are too few organizations out there that spend the time and effort to thoroughly tune their security tools to their environment.  They rush it into production, for various reasons, and the way it is installed is how it remains until it's being replaced with new gear years down the line.

Before you whip out the checkbook to buy that latest blinky-lighted gizmo or knobby-knobbed doodad, let's talk about a few no- to low-cost security basics first that will **significantly** improve your overall security posture.  Unfortunately, I rarely see all - or even most - of these controls implemented at the onset of a consulting engagement.

Before we get too far into this discussion, let's start by laying out some groundwork, caveats, disclaimers, or *choose your own terminology*.

  • There is no silver bullet.  There is no single provider or manufacturer that will solve all of your security woes.  That's it, that's the universal truth.

  • Always defense-in-depth. No excuses and no exceptions.

  • This is a discussion for another time but, when and where possible, invest in your people and processes before anything else.

  • The controls discussed below are in no particular order.

  • This is neither an exhaustive list nor an in-depth description of each control.  I can already hear the turbo nerds tuning up now...ackchyually!  This is A list, not THE list, and contains generalized information for the sake of brevity.

Without any further preamble, let's get after it.  Here's what we're going to discuss:

  • Critical Asset List

  • Data Location & Mobility Mapping

  • TLS Interception

  • Windows Firewall Configuration

  • Geo-Fencing

  • DNS Security

  • Egress Firewall Filtering

  • Multi-Factor Authentication (MFA)

  • Network Segmentation

  • Canary Accounts

  • Basic Administrative Account Hygiene

  • Disable/Reduce Cached Credentials

  • Password Vaults

  • Time Synchronization

  • Patch Management

  • Vulnerability Scanning

  • Logging

  • Culture of Security

Critical Asset and System List

Create a list of assets critical to the day-to-day operations of your organization.  This could be a list of domain controllers, environment services systems (DHCP, DNS, etc.), application servers, print controllers, file servers, etc.  The goal is to identify the systems that would cause a significant impact to your organization should they be compromised or impacted as a result of an incident.  This list will be used in multiple areas, from firewall policies to SOC correlation and escalation.  Keep in mind, this may not be limited to just IT-owned systems.  HRIS systems, accounting software platforms, and marketing systems are just a few examples.  In modern environments, these systems could live in a cloud environment or could be part of any *aaS platform.

Data Location & Mobility Mapping

Partially overlapping with defining critical asset lists, data location and mobility mapping is the process by which we start to define where our data sits, where it goes, and how it gets there. Start by identifying the Crown Jewels of your organization’s data and intellectual property. On what system(s) does it reside?  How does it get there?  Where does it go when/if it leaves and through what methods?

Understanding how data flows through your environment will not only augment your understanding of business processes, it will also help you identify previously unconsidered critical assets and systems. The tagalong benefit to gaining this wisdom is that it will potentially uncover areas within your organization that are exposed in unintentional ways. Understanding the risks associated to each business process will help you prioritize the security controls you place around each as well as help triage response in the event of a security issue.

TLS Interception

A conservative estimate from Google indicated that approximately 80% of all internet-bound web traffic was using encrypted protocols as of January 2019.  We can confidently assume that number has increased since then and will continue to do so indefinitely.  Server certificate / SNI inspection is effective but only to a certain degree.  It is imperative to inspect the payload of encrypted traffic even from legitimately-used websites – e.g., Dropbox, Box, SharePoint.com – as these are commonly used infection vectors by malicious actors.  TLS interception will greatly increase the visibility you have into your internet traffic and significantly increase the capability of your security posture.

Unfortunately, TLS Interception does have an impact on your environment.  In addition to the potential problems it can cause with your internet-based business applications, it will also place a burden on your firewall hardware as it works to decrypt and re-encrypt internet traffic.  The impact to business applications can be reduced by proactively compiling a list of critical business applications and employing best-practices with regards to category- and service-oriented exclusions.  As an added bonus, most modern firewalls can now perform this task in specifically designed hardware. 

The next logical question is what to intercept. The two primary schools of thought are to intercept everything or intercept everything except for specific categories. There are pros and cons for both 

Windows Firewall Configuration

Enabling the Windows firewall via Active Directory GPO is an easy win.  We can create policies that will prevent workstations from talking to other workstations which, by extension, reduces the capability of malware from spreading laterally across your network.  This may create opportunities to centralize some operational services instead of leaving them spread across your environment; e.g., print services.

Testing for this is fairly simple as the GPOs can be assigned to a specific set of machines before being rolled out to the general population.  The rollout itself can be completed in a phased process targeting specific systems, locations, or business units.
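As an added example (not code from the original article), the following PowerShell prototypes the "no workstation-to-workstation" inbound policy on a single pilot machine before the same rules are encoded in a GPO. The address ranges are assumptions constructed for the example: workstations in 10.20.0.0/16, server and jump-host ranges in 10.10.0.0/24 and 10.10.1.0/24. It relies on the fact that Windows Firewall evaluates block rules ahead of allow rules, so one inbound block scoped to the workstation ranges overrides any existing allow rule (SMB, RDP, WinRM) for those peers while leaving server-sourced traffic untouched.

```powershell
# Added example, not from the article: pilot a workstation-isolation policy locally.
# Assumed (constructed) address plan for this example:
$WorkstationSubnets = @('10.20.0.0/16')
$ServerSubnets      = @('10.10.0.0/24', '10.10.1.0/24')
$RuleGroup          = 'Pilot: workstation isolation'   # tag so the pilot rules are easy to find/remove

# Firewall on in every profile; unsolicited inbound traffic dropped unless a rule allows it.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# Block rules win over allow rules, so this single rule stops peer workstations from
# reaching this host even where an allow rule for SMB/RDP/WinRM already exists.
New-NetFirewallRule -DisplayName 'Block inbound from workstation subnets' -Group $RuleGroup `
    -Direction Inbound -Action Block -Profile Domain `
    -RemoteAddress $WorkstationSubnets -Enabled True

# Keep the management path you actually need, restricted to the server/jump-host ranges.
New-NetFirewallRule -DisplayName 'Allow WinRM from server subnets' -Group $RuleGroup `
    -Direction Inbound -Action Allow -Profile Domain -Protocol TCP `
    -LocalPort 5985, 5986 -RemoteAddress $ServerSubnets -Enabled True

# Verify what the pilot put in place: rule, action and the remote scope it applies to.
Get-NetFirewallRule -Group $RuleGroup | ForEach-Object {
    $scope = $_ | Get-NetFirewallAddressFilter
    '{0,-45} {1,-6} {2}' -f $_.DisplayName, $_.Action, ($scope.RemoteAddress -join ',')
}
```

Run it from a console on the pilot machine itself, not over a remote session from another workstation, since the block rule will cut that session off. Once the pilot group behaves as expected, the same two rules belong in the GPO under Computer Configuration > Policies > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security, scoped to the phased machine groups described above.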

Geo-Fencing

Quite simply, employing geo-fencing will prevent connections to and from areas of the world in which you do not conduct business.  Malware is commonly sourced outside of the United States, in areas where there are little to no punitive consequences for conducting computer-related crimes.  While geo-fencing is not foolproof, it will certainly – and significantly – reduce the exposure to malicious repositories hosted outside of the US.  Typically, starting with the countries on the OFAC list of sanctioned countries is an excellent kick-off point; e.g., China, Russia, Iran, Syria, North Korea, etc.  This can be tightened down as necessary from there.

Geo-fencing is possible on almost all current-generation firewall platforms.

DNS Security

DNS security is a broad topic but, for this discussion, I am speaking specifically to two aspects: logs and sink-holing.  From a logging perspective, recording and analyzing DNS queries can allow for detection of malicious traffic.  Oftentimes, malware makes use of randomized domain names which will stand out in logs and analysis.  This will help you identify potentially compromised systems based on their outbound queries and other such anomalous traffic.  There are commercial and open-source solutions for DNS analysis.

Almost all current-generation firewalls have the ability to sink-hole malicious traffic using DNS rewriting.
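To make the "randomized domain names stand out" point concrete, here is an added PowerShell example (not from the article or any product it mentions) that runs a first-pass filter over DNS query log lines. It scores the registrable label of each queried name by length, character entropy and digit count, then groups the hits by querying host so the potentially compromised systems surface. The log layout, the thresholds and the sample lines are all constructed assumptions for this example; a real deployment would feed it exported resolver or firewall DNS logs and tune the thresholds against a week of known-good traffic.

```powershell
# Added example, not from the article: flag machine-looking DNS names and group by client.
# Constructed sample log, assumed layout: <timestamp> <client> <type> <name>
$SampleQueryLog = @(
    '2023-06-01T09:12:04 ws-101 A www.microsoft.com',
    '2023-06-01T09:12:05 ws-101 A login.microsoftonline.com',
    '2023-06-01T09:12:09 ws-217 A x7qk2lpz9vb3w8mdrt0f.com',
    '2023-06-01T09:12:10 ws-217 A ajwq8nz4x0vkp2lm7r5t.net',
    '2023-06-01T09:12:11 ws-217 A b3k9dq2zn8vx4p0lmw6r.info',
    '2023-06-01T09:12:30 ws-044 A mail.example.org'
)

function Get-ShannonEntropy {
    # Bits of entropy per character; random strings score close to log2(distinct chars).
    param([string]$Text)
    if ([string]::IsNullOrEmpty($Text)) { return 0.0 }
    $n = $Text.Length
    $h = 0.0
    foreach ($g in ($Text.ToCharArray() | Group-Object)) {
        $p = $g.Count / $n
        $h -= $p * [math]::Log($p, 2)
    }
    $h
}

function Get-RegistrableLabel {
    param([string]$Name)
    # Simplification: the label left of the last dot. Two-part public suffixes such as
    # co.uk would need a public-suffix list to handle correctly.
    $labels = $Name.TrimEnd('.').Split('.')
    if ($labels.Count -lt 2) { return $labels[0] }
    $labels[-2]
}

function Test-SuspiciousName {
    # Thresholds are assumptions for this example; tune against your own baseline.
    param([string]$Name, [int]$MinLength = 12, [double]$MinEntropy = 3.5, [int]$MinDigits = 3)
    $label   = Get-RegistrableLabel $Name
    $digits  = @($label.ToCharArray() | Where-Object { $_ -match '\d' }).Count
    $entropy = Get-ShannonEntropy $label
    ($label.Length -ge $MinLength) -and (($entropy -ge $MinEntropy) -or ($digits -ge $MinDigits))
}

function Find-SuspiciousQueries {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $f = $line -split '\s+'
        if ($f.Count -lt 4) { continue }
        if (Test-SuspiciousName $f[3]) {
            [pscustomobject]@{ Time = $f[0]; Client = $f[1]; Name = $f[3] }
        }
    }
}

# Which hosts are producing the odd names, and how many each: ws-217 is the one to look at.
Find-SuspiciousQueries $SampleQueryLog |
    Group-Object Client |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Client'; e = { $_.Name } }, Count, @{ n = 'Names'; e = { $_.Group.Name -join ', ' } }
```

With the sample above, the two legitimate long names fall below the entropy threshold and carry no digits, while the three random-looking labels are flagged and attributed to a single client. The value is in the grouping: one odd lookup is noise, a burst of them from one host is a lead worth correlating with the critical asset list and the logging discussed later in this post.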

Egress Filtering

Instead of restricting only inbound traffic from the internet, the same approach should be applied to traffic leaving your environment.  The use of aggressive egress filtering on your firewall will further reduce the ability for an attacker to make outbound connections and/or exfiltrate data from your environment.  Always default to closed or blocked.  Only open up access in or out of your environment when it is required with proper business justification.  This tactic is focused on controlling or directing traffic in a deterministic manner.  DNS resolution is a good example.  We want our internal systems to use our sanctioned DNS servers instead of being able to circumvent our controls by using an external, internet-based DNS server.  Controlling SMTP is another example.  The only thing in our environment that should have the ability to connect to other external mail servers is our own mail server.

This process usually requires a review of the existing policy set, creation of several initial controlling policies, and then an iterative approach to further reducing the amount of allowed traffic.  The end result is removal of all generic rules that allow “any” or “all” traffic leaving the environment that has not been specifically allowed.

Multi-Factor Authentication (MFA)

Take the approach of “MFA-all the things”.  If it is internet-exposed, it needs to be wrapped with MFA.  If it is an internal system and can use RADIUS or LDAP, wrap it with MFA. 

Network Segmentation

Internet and internal DMZ networks should be implemented to create separate risk zones and compartmentalize networks and systems.  There is no reason guests should be able to reach any internal network, ever.  There are very few reasons internet-exposed systems should sit laterally from internal systems that reside in your data center.  Segment the network.

Aside from minimizing risk exposure, sound network segmentation will also streamline network administration operations and provide greater modularity. 

Canary Accounts

Canary accounts are enticingly-named but unused accounts that serve no purpose beyond alerting to attempted access.
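Because nobody legitimately uses a canary account, any authentication event that names it is actionable. The following PowerShell is an added example (not from the article) that pulls such events from the Security log: Kerberos ticket requests and pre-authentication failures (4768/4771) and NTLM credential validation (4776) when run on a domain controller, plus logon success and failure (4624/4625) on any host. The account names and the 24-hour look-back are constructed assumptions; the audit policy on the host must already be recording logon and account-logon events for this to return anything.

```powershell
# Added example, not from the article: surface Security-log activity for canary accounts.
# Assumed (constructed) canary names; real ones should have a long random password and no group memberships.
$CanaryAccounts = @('svc_backup_admin', 'sqladmin_legacy')
$LookBack       = (Get-Date).AddHours(-24)

# Event ID -> what it means, so the output reads without a lookup table.
$EventMeaning = @{
    4624 = 'logon success'
    4625 = 'logon failure'
    4768 = 'Kerberos TGT requested'
    4771 = 'Kerberos pre-auth failed'
    4776 = 'NTLM credential validation'
}

function Get-EventDataField {
    # Field positions differ between event IDs, so read the named EventData element instead.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-CanaryAccountActivity {
    $filter = @{ LogName = 'Security'; Id = @($EventMeaning.Keys); StartTime = $LookBack }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $account = Get-EventDataField $e 'TargetUserName'
        # Strip a UPN suffix if present; -contains compares case-insensitively.
        if ($CanaryAccounts -notcontains ($account -replace '@.*$', '')) { continue }
        # 4624/4625/4768/4771 carry IpAddress; 4776 carries the source Workstation name.
        $source = Get-EventDataField $e 'IpAddress'
        if (-not $source) { $source = Get-EventDataField $e 'Workstation' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Meaning = $EventMeaning[[int]$e.Id]
            Account = $account
            Source  = $source
        }
    }
}

Get-CanaryAccountActivity | Sort-Object Time | Format-Table -AutoSize
```

In practice this query becomes a scheduled task or a SIEM rule rather than something run by hand; the point of the example is that the detection logic is trivial once the account exists, which is why canary accounts cost almost nothing.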

Basic Administrative Account Hygiene

Don’t access the internet with administrative accounts, don’t log into workstations as domain admins, don’t share credentials, etc.

Disable/Reduce Cached Credentials

With very few exceptions, workstations and servers should never be in a situation where the domain is unavailable for authentication services.  Disable credential caching on these devices.  Laptops are an exception, as they leave the environment in most cases.  Reduce the number of cached credentials on your laptops to 1-3.  This can be tested and honed to fit your environment and can be rolled out in phases via GPO and machine groups.
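The setting behind this control is the GPO option "Interactive logon: Number of previous logons to cache (in case domain controller is not available)", which writes the CachedLogonsCount value (a string, default 10) under the Winlogon registry key. As an added example (not from the article), the PowerShell below audits a host against the "0 for desktops and servers, a small number for laptops" target by checking the SMBIOS chassis type, and includes a remediation function for the pilot phase before the value is pushed by GPO. The laptop target of 2 is an assumption chosen from the 1-3 range above.

```powershell
# Added example, not from the article: audit (and optionally set) the cached-logon count.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-IsPortable {
    # SMBIOS chassis types 8/9/10/14 are portable/laptop/notebook/sub-notebook;
    # 30/31/32 are tablet/convertible/detachable.
    $portableTypes = 8, 9, 10, 14, 30, 31, 32
    $chassis = (Get-CimInstance -ClassName Win32_SystemEnclosure).ChassisTypes
    [bool]($chassis | Where-Object { $portableTypes -contains $_ })
}

function Get-CachedLogonsCount {
    $prop = Get-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -ErrorAction SilentlyContinue
    # When the value is absent Windows behaves as if it were 10.
    if ($prop) { [int]$prop.CachedLogonsCount } else { 10 }
}

function Get-CachedLogonAudit {
    param([int]$LaptopMax = 2)   # assumed laptop target, inside the 1-3 range
    $portable = Test-IsPortable
    $current  = Get-CachedLogonsCount
    $target   = if ($portable) { $LaptopMax } else { 0 }
    [pscustomobject]@{
        Host              = $env:COMPUTERNAME
        Portable          = $portable
        CachedLogonsCount = $current
        Target            = $target
        Compliant         = ($current -le $target)
    }
}

function Set-CachedLogonsCount {
    # Pilot-phase remediation; the supported range is 0-50 and the value is REG_SZ.
    param([ValidateRange(0, 50)][int]$Count)
    Set-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -Value ([string]$Count) -Type String
}

Get-CachedLogonAudit | Format-List
```

Run the audit across a pilot machine group first (for example via Invoke-Command) to find the desktops that still cache logons and the laptops that need more than the target, then let the GPO carry the value to the rest of the fleet in the phased rollout described above.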

Password Vaults

While not as complicated as a full-fledged PAM solution, password vaults are an excellent way to ensure that you are using extremely strong and unique passwords. Password sharing or reuse is a bad habit and should be avoided whenever possible.  There are a number of commercial and open-source solutions that can be deployed.

Time Synchronization

Make an effort to go through and ensure everything that can use NTP is using NTP.  This can be an internal or external / internet-based source.  It does not matter, provided it will automatically synchronize.  This greatly increases the fidelity of your logs from a correlation perspective because they will all share an accurate timestamp.  By default, domain-joined machines in an AD environment look to the domain controller with the PDC Emulator FSMO role.  Make sure the domain controller with that role is properly synced as well.  Lightweight Linux servers can be deployed to environments that do not rely on Active Directory for time synchronization services.
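As an added example (not from the article), the PowerShell below checks a domain-joined host against the point made above: it locates the PDC Emulator through .NET (no RSAT needed), measures this host's offset from it with w32tm, and reports the host's configured time source. The 5-second tolerance is an assumption picked for log correlation rather than the 5-minute Kerberos skew limit, and the offset parsing assumes the English w32tm output format with a dot as the decimal separator.

```powershell
# Added example, not from the article: is this host in step with the PDC Emulator?
function Get-PdcEmulator {
    # The DC holding the PDC Emulator role is the domain's default time reference.
    [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
}

function Get-TimeOffsetSeconds {
    param([string]$Peer, [int]$Samples = 3)
    # With /dataonly w32tm prints one "HH:mm:ss, +00.0012345s" line per sample.
    $lines = w32tm /stripchart /computer:$Peer /samples:$Samples /dataonly
    $offsets = foreach ($line in $lines) {
        if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { throw "No offset samples returned from $Peer" }
    ($offsets | Measure-Object -Average).Average
}

function Get-TimeSyncReport {
    param([double]$ToleranceSeconds = 5)   # assumed correlation tolerance
    $pdc    = Get-PdcEmulator
    $offset = Get-TimeOffsetSeconds -Peer $pdc
    [pscustomobject]@{
        Host            = $env:COMPUTERNAME
        TimeSource      = (w32tm /query /source)
        PdcEmulator     = $pdc
        OffsetSeconds   = [math]::Round($offset, 3)
        WithinTolerance = [math]::Abs($offset) -lt $ToleranceSeconds
    }
}

Get-TimeSyncReport | Format-List
```

Run the same report on the PDC Emulator itself: there the interesting field is TimeSource, which should name your sanctioned internal or internet NTP server rather than "Local CMOS Clock", since every other domain member inherits whatever error that one host carries.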

Patch Management

Patch management goes above and beyond basic WSUS capabilities.  Take a look at something that can not only handle Windows patch management but also third-party applications; e.g., Java, Adobe, Firefox, etc.  Companies will commonly focus all their attention on the Windows side of patching and, while important, it does not tell the entire story.  Third-party apps are just as vulnerable, often more so, and are just as likely to lead to a compromised system.

Vulnerability Scanning

If you do not already have a vulnerability scanning solution, find one.  These systems will help drive your patch management process.

Logging

There are multiple philosophies when it comes to logging. 

One side is log everything.  It's easy to default to this and turn on everything everywhere always but the tail that comes with that dragon is log fatigue.  The impact is much higher on immature security teams because it can become an impossible task to prioritize and triage incident response events when you are inundated with logs and alerts.  There have been several notable breaches in the past decade directly stemming from signal being lost in the noise.

The other side of the spectrum is to log only very specific things.  The thought behind this is reduction of the opportunity for log fatigue or over-saturation of information.  While this is maximally efficient, it also comes with the risk of missing important logs if 1) you aren't careful where logging is disabled and/or 2) you aren't experienced enough to properly understand what should or should not be logged.  A security team that takes this approach has to be extremely mature, holding intimate knowledge of the environment, the systems within it, business processes, etc.

Regardless of the philosophy you subscribe to when it comes to logging, it is vitally important that we log our environments.  Prevention is important but, as we all know, things will slip by our controls.  We need to have our barriers up, have the ability to see the events that slip by our preventative measures, and then appropriately respond to them.  It’s awfully hard to detect suspicious traffic if we aren’t recording what’s happening in our environment.

Culture of Security

Honestly, if I had to prioritize any of these controls, this would be the first one I would start with.  One of the most security-effective groups I have ever worked with was wildly successful because of the culture of security they built and fostered.  Security became everyone's responsibility.  Weekly meetings were scheduled and attended by senior engineers, managers, directors, even up to the CIO, with a singular question and goal: "how can we improve security in our organization?"  No one wanted their "CNN moment".  Egos, roles, and responsibilities were left at the door and open conversations were had around what was being done right, what was being done wrong, and what could be done differently or better.

With a room full of computer nerds - people known for their extroverted personalities, right? - it took a few meetings before people came out of their shells but, in short order, the ideas came flying out and from every team represented.  Within a year, the list of improvements made to their environment numbered in the dozens.  In some cases, commercial products were adopted.  The vast majority of improvements, however, were homegrown.  They were new or modified policies, procedures, or configurations.  In some cases, there were new tools built internally by developers or DBAs.

These meetings incited a sense of tribalism within the technology group as a whole.  Everyone shared the desire to protect the environment by working together and sharing the burden together.  That collective approach along with top-down support starting with the C-suite made this endeavor hyper-successful.

The vast majority of the items discussed above cost little beyond your time and effort.  Most of the controls listed above are part of the environments you already own or utilize today. 

If you have any questions about these items, want to discuss further, or would like to know how you could further secure your organization, do not hesitate to reach out to us. 
