Assume Breach

Today’s threat landscape is downright scary. If you really start looking at the numbers and disclosures, it’s like contemplating the existence of earth in the Universe. It truly is a miracle we are here at all. Just look at these numbers from the 2016 Cybersecurity Trend Report (Ponemon Institute for HPE):

  • Average number of days before a breach is detected: 197
  • 66% of respondents indicated phishing and social engineering attacks are the new normal, and the top external threats.
  • 48% of respondents indicated insider threats were the next big problem.
  • On average it took 46 days to resolve and recover from the breach.

I don’t list these out to scare you, it’s just the reality of today. And if you think you’re too small to worry about it, think about these from the 2016 State of SMB Cybersecurity (Ponemon Institute for HPE):

  • 50% of SMBs have been breached in the 12-month period preceding the report
  • Phishing and social engineering are the most prevalent types of attacks
  • 59% of SMBs have no visibility into account security practices and hygiene
  • 65% of SMBs that have password or account policies do not enforce them

Those last two bullets are telling. A lot of folks think they don’t have a problem and don’t need to think about this stuff. Fact is, smaller businesses are more at risk, and a breach has the potential to put you completely out of business, which means no job for the IT admin. Speaking of that – data breaches themselves do tend to be what we classify as an RGE.

RGE = Resume Generating Event.

Yup – you’re in IT, regardless of how overtaxed you are, it’s your job to help educate the business and implement the controls to protect the business. It’s just the way the world is now. To help you with that, keep reading and we have some tips for you.

Here are 6 areas you most likely can improve without too much effort.

First things first, make sure you have the basics down.

Access control is the first stop. Ensure you have not set up your server access or file share permissions with overly generous rights for all users. That makes it easy once a malicious actor has gained access to your system: they can exploit things like guest account access and session stealing to elevate their privileges.
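One way to actually find those overly generous rights is to export the share ACLs and flag the entries that hand write access to everybody. The script below is an added example, not something from the original post or from eGroup. It assumes you already exported the ACLs to a CSV whose columns are modeled on the property names of a Windows FileSystemAccessRule (IdentityReference, FileSystemRights, AccessControlType, IsInherited) plus a Path column; the server name FS01, the CORP domain and the rows themselves are constructed sample data.

```python
import csv
import io

# Principals that mean "more or less everybody" (matched on the part after the backslash)
BROAD_PRINCIPALS = {"everyone", "authenticated users", "users", "domain users"}
# Guest access to a share is worth a finding on its own, whatever the rights
GUEST_PRINCIPALS = {"guest", "guests"}
# FileSystemRights values that let the holder change, delete or re-permission data
WRITE_RIGHTS = {"fullcontrol", "modify", "write", "writedata", "appenddata",
                "changepermissions", "takeownership", "delete"}

# Constructed sample export (server, domain and groups are made up for the example)
SAMPLE_ACL_EXPORT = r"""
Path,IdentityReference,FileSystemRights,AccessControlType,IsInherited
\\FS01\Finance,BUILTIN\Administrators,FullControl,Allow,False
\\FS01\Finance,Everyone,FullControl,Allow,False
\\FS01\Finance,CORP\Finance-Staff,Modify,Allow,False
\\FS01\HR,NT AUTHORITY\Authenticated Users,"Modify, Synchronize",Allow,False
\\FS01\HR,CORP\Guest,"ReadAndExecute, Synchronize",Allow,False
\\FS01\Public,BUILTIN\Users,"ReadAndExecute, Synchronize",Allow,True
\\FS01\Public,Everyone,FullControl,Deny,False
"""


def _account_name(identity: str) -> str:
    """Lower-cased account part of 'DOMAIN\\Name' (or just 'Name')."""
    return identity.rsplit("\\", 1)[-1].strip().lower()


def _rights(field: str) -> set:
    """'Modify, Synchronize' -> {'modify', 'synchronize'}"""
    return {r.strip().lower() for r in field.split(",") if r.strip()}


def audit_acl_export(csv_text: str) -> list:
    """Return one finding per ACE that gives broad groups write access or gives Guest any access."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        if row["AccessControlType"].strip().lower() != "allow":
            continue  # Deny entries cannot widen access, so they are never a finding
        who = _account_name(row["IdentityReference"])
        rights = _rights(row["FileSystemRights"])
        reason = None
        if who in GUEST_PRINCIPALS:
            reason = "guest account granted access"
        elif who in BROAD_PRINCIPALS and rights & WRITE_RIGHTS:
            reason = "broad group holds write-level rights"
        if reason:
            findings.append({
                "path": row["Path"].strip(),
                "identity": row["IdentityReference"].strip(),
                "rights": row["FileSystemRights"].strip(),
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in audit_acl_export(SAMPLE_ACL_EXPORT):
        print(f"{f['path']}: {f['identity']} has {f['rights']} ({f['reason']})")
```

Read-only access for BUILTIN\Users on the Public share is left alone on purpose; the point is write-level rights for everybody, and any rights at all for Guest, which are exactly the footholds the paragraph above warns about. Rerun the audit after every share change, not once a year.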

Next up – your patching. Recent exploits like WannaCry live because systems go unpatched. There is no room today for patching cycles that take weeks, let alone months. Your systems and applications need patches applied in days. If you’re not applying patches in under 10 days, you need to review your lifecycle management and do what it takes to get there.

Backup and recovery needs to be considered for business continuity. If you have a compromised system, cleaning it up is not always the best choice. In some cases, just reverting those changes from a backup will serve you better. However, if the attackers have hold of your backups, you’re screwed. Make sure you secure and test those things regularly.

Despite what you read on the internet, anti-virus is not dead. Yeah, threats will morph and change, but AV keeps all the things we do know about out of your house. How silly would it be to get hit with something that we thought died out 5 years ago? Ensure you are running something. Do remember though that most of those “free” programs are for home use only; they are not licensed for business use. The exception to that is Windows Defender, which Microsoft ships with its latest OSes.

Speaking of OSes: the later versions of Windows come out of the box more secure than earlier efforts. That’s not to say you can’t harden these more, but it is to say DON’T decrease your posture. Don’t turn off UAC or remove admin-level prompts just to make your day-to-day easier. You’ll pay for it if you do.


Interested in security? eGroup is hosting a series of sessions with Microsoft and Zerto on 11/1 in Greenville and 11/2 in Columbia. Zerto and Azure are bedrocks of making your business resilient so you can recover from issues. We are talking about Azure Active Directory (AzureAD) and how that relates to identity and access controls, and we’ll be talking about Citrix and remote access strategies. You can register for the events here:


Roles and Responsibilities

Here I’m not talking about things like role-based access or permissions. I’m talking about your auditing and incident response. If we are going to assume the network is breached, we need a team to address this. You don’t want to guess or fumble around getting people on the phone when you need to move to contain or reverse a threat. Identify who owns what and their responsibilities, and have a roll call sheet.

You also need an action plan. What are the first few things that need to happen when a threat is found? How will you isolate it? How do you determine if you need to clean the threat or just restore? You’ll need a plan for each of your systems. Again – you want this process to be automatic and not have to trial-and-error your way through an event.

Oh – word of caution. If you need to keep evidence for discovery or auditing, make sure you create a backup or clone of the machines.

Principle of Least Privilege

So back to our technical controls. Principle of least privilege is a well-known concept, but often not actually practiced. It is very simple: grant only the access an account needs to do its job. It doesn’t matter if it’s a user, an admin, or a special service account. By limiting what rights and access it has, you limit the damage it can do.

That means yes, if you’re an admin you will have, at minimum, two accounts. Depending on the sensitivity of a system you may have more. Don’t cheat – NO shared accounts. Yeah, it can be a pain, but it’s a lot less pain than spending a weekend cleaning up an enterprise-wide mess, or worse, polishing up your resume.

Single Sign On (SSO)

I’m sure you’ve heard of SSO. It’s usually talked about in the frame of usability. SSO, however, also has a part to play in protecting your environment.

That may sound counterintuitive, but it’s true. When you have multiple systems with different accounts, you are more than likely, at some point, to have accounts linger that should not exist. You are also more apt not to monitor the access of all those applications and servers.

Integrating these accounts through a single identity provider gives you visibility into who is accessing your services, and it also gives you a crucial point of control. Shut off the main switch (the account) and you kill access to the associated services as well.

Be warned however, if you don’t approach your SSO configuration with security in mind, you may create a wider footprint for attack.

Multi-Factor Authentication

Passwords have long been known to be insecure. Users don’t like complicated passwords that they will forget. If it’s long and hard to remember, they will write it down on a Post-it and put it under their keyboard. So, anyone with the right username and password can wreak havoc in your system.

To mitigate this, we use a password plus another piece of information. This is the multi-factor part. There are many different systems out there that will provide this capability for you. The most often used methods are SMS, an authenticator app, or a token.

With SMS, the system sends you a code after you enter your password. You then enter the code you received, and if both the code and password are correct you are in the system.

If you’re using an authenticator app, it uses a rotating code or a direct alert notification. With a rotating code, you enter whichever code is showing in the app at the time of login. With the app alert, you just acknowledge the request. Again, once this is complete and the password is good, you will be allowed access to the system.

The last method most commonly used is a hardware token. RSA is the leader in this space, and the hardware token works like the app with a rotating code. You enter the code that is displayed when you log on, and if the password was good as well, you are granted access to the system.

As you can see, this can be valuable. If your username and password are stolen, the thief also has to have your alternate method before they can use your account.

Dedicated Management Machines

It sounds like a big deal but isn’t.

In places where you must have air-gapped networks, and separation of concerns for highly sensitive or critical information, it makes sense to have controlled dedicated machines that only a few users can get into. You probably are not allowing remote access if you’re going this route, and the systems they control are probably scoped down tight. If that’s you – bravo, I have nothing more to add.

But for most admins out there, they don’t have separate workstations or accounts. If that is you, first go back and separate your accounts (we covered that a few hundred words back).

So, you have your two accounts, privileged and unprivileged; how can you work this management machine thing in? First – you’re going to cheat a bit, and not have a 100% dedicated machine. Instead you will have your single machine, and use a VM. However, that VM is not for privileged work, no sir. Instead that VM is your normal work area, and the machine itself is your management machine.

Why? Well, think about that for a moment. If you run a privileged VM inside an unprivileged machine, what happens when the machine is compromised? That’s right – they own the VM too! So instead you work in the VM, and if that is compromised it’s easy to roll back, and it helps separate your daily work from your privileged machine.

Now a word of caution – if you want this to work, you really should lock down the workstation. Don’t browse sites on it, don’t install tools you don’t need. Keep it minimal, only the tools you use and that’s it.

What are you waiting for?

Your environment will have its own challenges and you may have some unique decision points, but that should not stop you from implementing the above guidance. If you need to prioritize, get the basics; that’s why they are called basics. Don’t skimp on AV, don’t weaken your settings, and update your software. Then move on to the other stuff as you can get it done.

Security is like the time value of money. You invest early and often, and the payback is exponential.



