Tips to Improve your Security Program From a Seasoned CIO
Author: Mike Gentile with Cameron Cosgrove
Many times, at CISOSHARE we present our perspective from the viewpoint of security practitioners who have built hundreds of security programs around the world. While we think that this experience is crucial to effectively build a cyber security program, there are many other viewpoints that are just as important. The most important of these that comes to mind is the knowledge and experience of a veteran CIO.
Recently, I had the opportunity to get exactly that from one of the most seasoned Fortune 500 CIOs I know, Cameron Cosgrove. He has deep expertise in the enterprise computing space, and we have worked on many projects together over the last 2 decades. His blog, DIGITALCTO with Cameron Cosgrove, contains interesting articles.
I asked him one simple question:
What would be the top things you would tell any CIO to build programs around when it comes to cyber security?
What I liked most about his response was that it was short, easy to understand, and to the point. So, for all you CIOs out there looking for some footholds on where to start with cyber security, in Cameron’s words, here are the top areas to focus on that will give you the best return for investment:
1. Back-ups
If all else fails…you can get your data back. Remember the SONY attack? Their back-ups were a significant issue that was not uncovered until recovery efforts were underway. It took them years to rebuild and recover. So, here is the question CIOs need to ask: how do you know the back-ups are in place and will work when you need them?
Perform a one-time audit of all PROD applications, files, directories, and folders to ensure they are actually being backed up. You may be shocked at the number of files never backed up or that fail on a regular basis. Have the team use the audit to get all files in a backup job. You may also find that the backup infrastructure is not sized big enough to handle all of the files—and that will spin off another project to address your backup strategy.
Have the team present a monthly report showing backup failures and completions. The team needs to test the recovery of random files every quarter—and show that on a report that you look at.
Next step after PROD, consider a bi-weekly or weekly backup of key non-prod data such as all development libraries, files, and builds.
Make sure IT Ops has backup files accessible for a quick recovery for urgent business needs; but also make sure system back-ups are stored off-site. I recommend using tools and storage platforms that enable a real-time automated synchronization to an off-site location or cloud service. Finally, consider putting your back-up on a separate network to reduce traffic and impacts to network performance, and to protect backup files/images from being stolen or erased by an intruder. If you are faced with a large price tag for additional backup infrastructure, consider the cost and disruption of recent ransomware exploits or just an issue with equipment failures, flood, etc. If IT has a current, viable back-up—you can get back up and running no matter what happens. This is one of the most basic functions within IT, but often overlooked; because it is assumed it is working.
2. Account Validation
The #1 method bad actors gain a foothold in your network or on a server is to compromise a valid account and then start installing malware. If they can compromise an administrator account, then they can create new accounts including new admin accounts. With access to a network, bad actors can remotely load their exploits at will and then send instructions to activate them at a time of their choosing. By using valid accounts they can work for months with minimal risk of being detected. The #1 way to prevent that is to detect and disable those accounts immediately. Doing this is simple, but takes an effort to establish.
Here is how:
Nightly, create and export a text file from your HR system of all people that should have access such as employees, consultants, contractors, etc. From your network directory (e.g. Active Directory), export all accounts that do have access into a text file. Establish a batch job to compare those two files—looking for differences. There are directory sync products that will do this.
In most cases, you will detect new employees and terminated employees on the list…which is a good thing to know by itself. But if there is an account on your network directory that is not in your HR system—that is a potential bad actor that has gained access and has created their own account. Track these accounts down to determine if they are authorized. When in doubt, suspend those accounts while you investigate.
Typically, organizations that are compromised have learned that these bad accounts went undetected in their system for months and months.
Another daily report to run is to show all new administrative accounts created within the last 24 hours. Have a person review all new accounts created with elevated privileges and double check them for proper authorization; especially domain administrators. Producing and reviewing this report is the most important thing you can do after back-ups.
Lastly, run a monthly report for all accounts with elevated privileges and reconcile it to each person. While this sounds like an extra step, keep in mind, administrative privileges are used to install and run ransomware and kill programs in your environment.
Following these steps will dramatically reduce the #1 way your network can be compromised.
3. Server Patching
Most vulnerabilities sneak in on servers and desktops because they are not running critical security patches. There are many examples of ransomware exploits being successful even when patches to prevent them have been available for months. For the patches to work—they need to be installed; so most shops have a monthly patching program.
Does your shop have a way to check that all (I mean all) servers are included in the program and actually running the critical patches? All it takes is one unpatched server to allow access to your entire network. Run a monthly report on all servers and their patch levels. Applying missing critical patches is an easy fix to plug a big hole.
4. Enterprise class anti-spam filter and block links that don’t have a good reputation.
So many excellent solutions to block spam are already in place. For best results, take it one step further for phishing messages that get through. Block any outbound connection that is not whitelisted or that has no or a bad reputation.
End users clicking on links is a high-percentage method bad actors use to introduce malware into your environment. Shops use end-user security training that instructs people not to click on links that are unknown. Unfortunately, some links are just too tempting—so block the outbound connection. If it blocks a valid business link, a quick call to the service desk can remedy that. It truly is a case of better to be overly cautious than infected.
5. Desktop A/V
Most shops insist every network-attached desktop or laptop is running an up-to-date AV. Does your AV and client support reporting status back to a central console in real time? A console can validate the client machine is up to date and will alert when a virus or attack is occurring—and can automatically disable network access and open a ticket.
A best practice is to block network access if a client machine is not running the AV with a current signature file. Protecting the network from infected or rogue machines by blocking network access outweighs the inconvenience of a single end user.
6. Edge Security
Ensure all entry points into the network infrastructure are secured with firewalls and IPS. There are many good products and strategies for this. Have your team present the current situation and talk about any missing pieces or outdated products. Ask the team what their process is for updating products including firmware. They should be able to produce a list of all installed product versions including firmware as compared to the vendor’s most current. Make sure products run on the most current firmware and there is a process for updating it. Lastly, don’t let products get too far behind on versions. New features and capabilities in current versions are designed to keep up with threats.
7. Event Correlation
Ensure logs of infrastructure (network, server, SAN, etc.) are sent through an event correlation solution. This allows what look like small events to be correlated into an alert because, in actuality, they are a larger event. This can be a cloud-based service or you can develop an in-house capability. If starting from scratch, consider using a trusted vendor or consultant to support you on this. Doing this right has strategic benefits. Doing this wrong means being flooded with meaningless data and not being able to act.
8. 2 Factor Authentication
2 Factor Authentication for remote access to resources that would normally only be accessible if you were at a corporate location. For example, VPN and VDI. Most shops have this. Do you use it for Webmail? I would.
Strongly consider 2-factor authentication for (regular) local machine and network login for end-users that have access to move money such as set-up and execute fund and wire transfers. Or have the fund transfer application require a second authorization—so that a bad actor (internal and external) cannot gain access and transfer funds to themselves; (yes, that happens).
9. Social Engineering
Keep system admins from being a target for social engineering and email phishing attacks. Ask every person in IT with elevated privileges to use generic job descriptions on all their social media accounts, especially LinkedIn, so they do not become targets of social engineering attacks. Because, yes, that happens. For example, instead of titles like Server Administrator, System Administrator, Back-Up Administrator, Systems Engineer – use something non-specific like Office of Technology Associate, Enterprise Services Technician, etc.
10. Be very serious about least privilege.
End-user and service accounts should not be running with administrator privileges. The only accounts with administrator privileges should belong to trained professional system administrators (period). Protect the organization from end users installing (unknowingly) malware on their machine by granting them standard user access.
With Windows 7 and 10, it is very straightforward to remove administrator level from the local user account. For some shops, this may require a desktop OS architect to look at how your applications run on the desktop without running as an administrator.
Service accounts running with administrative rights pose a danger as well. Most shops with a large installed base of homegrown applications use hundreds of service accounts. If your shop does not have a secure practice and naming convention for service account management—pull a team together to address this situation.
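The three account-validation reports described in section 2 (the nightly HR-versus-directory comparison, the daily list of newly created privileged accounts, and the monthly list of all privileged accounts) can be produced by a small batch job. The script below is an added example written for this page; it is not Cameron's or CISOSHARE's code, and the CSV column layout of the two exports, the group names treated as privileged, the `APPROVED_NON_HR` allow-list for known service accounts, and the embedded sample rows are all constructed assumptions.

```python
"""Account validation reports (section 2 of the post). Added example: reconcile a
directory export against an HR export, flag privileged accounts created in the
last 24 hours, and list every privileged account for the monthly reconciliation.
The CSV layouts and sample data below are constructed assumptions."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample of the nightly HR export: everyone who SHOULD have access.
HR_EXPORT = """\
username,status
alice,employee
bob,contractor
carol,employee
erin,employee
"""

# Constructed sample of the directory export (e.g. from Active Directory):
# everyone who DOES have access, with group membership and creation time.
DIRECTORY_EXPORT = """\
username,groups,created
alice,Domain Users,2019-03-04T09:00:00+00:00
bob,Domain Users,2022-07-11T10:30:00+00:00
carol,Domain Users;Domain Admins,2020-01-15T08:00:00+00:00
dave,Domain Users,2023-11-01T12:00:00+00:00
svc-backup,Domain Users;Domain Admins,2024-05-20T02:15:00+00:00
"""

# Assumed: groups whose membership counts as elevated privilege.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
# Assumed: service accounts that legitimately have no HR record. Keep this list
# short and reviewed; it is the one place a rogue account could hide.
APPROVED_NON_HR = {"svc-backup"}


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def load_hr(text):
    """Set of usernames that HR says should exist (case-normalised)."""
    return {row["username"].lower() for row in parse_csv(text)}


def load_directory(text):
    """Map username -> {groups, created} from the directory export."""
    accounts = {}
    for row in parse_csv(text):
        accounts[row["username"].lower()] = {
            "groups": set(filter(None, row["groups"].split(";"))),
            "created": datetime.fromisoformat(row["created"]),
        }
    return accounts


def reconcile(hr_users, directory):
    """Nightly diff. 'not_in_hr' is the list to track down (suspend when in
    doubt); 'not_in_directory' is usually new hires not yet provisioned."""
    dir_users = set(directory)
    return {
        "not_in_hr": sorted(dir_users - hr_users - APPROVED_NON_HR),
        "not_in_directory": sorted(hr_users - dir_users),
    }


def new_privileged_accounts(directory, now, window=timedelta(hours=24)):
    """Daily report: privileged accounts created inside the window. Allow-listed
    service accounts are deliberately NOT excluded here; a newly privileged
    service account still needs a human to confirm authorisation."""
    cutoff = now - window
    return sorted(
        name for name, acct in directory.items()
        if acct["groups"] & PRIVILEGED_GROUPS and acct["created"] >= cutoff
    )


def privileged_accounts(directory):
    """Monthly report: every account with elevated privileges, to be reconciled
    to a named, authorised person."""
    return sorted(name for name, acct in directory.items()
                  if acct["groups"] & PRIVILEGED_GROUPS)


def run_reports(hr_text=HR_EXPORT, dir_text=DIRECTORY_EXPORT, now=None):
    """Produce all three reports. 'now' defaults to a fixed constructed time so the
    sample output is deterministic; a real job would pass datetime.now(timezone.utc)."""
    now = now or datetime(2024, 5, 20, 23, 0, tzinfo=timezone.utc)
    hr_users = load_hr(hr_text)
    directory = load_directory(dir_text)
    return {
        "reconciliation": reconcile(hr_users, directory),
        "new_privileged_24h": new_privileged_accounts(directory, now),
        "all_privileged": privileged_accounts(directory),
    }


if __name__ == "__main__":
    for report, result in run_reports().items():
        print(f"{report}: {result}")
```

On the sample data, `dave` is flagged as an account with no HR record, `erin` shows up as an HR entry with no account yet, and `svc-backup` is allow-listed for the HR comparison but still appears on the 24-hour privileged-account report because it was granted Domain Admins that night. Each run of the job should end with a person reading those three lists, which is the review step the post puts ahead of everything except back-ups.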