7 Simple Ways to Improve your IT Security
Right Now… With No Money!
1: BETTER SPAM PROTECTION (FREE)
Email is still the primary attack vector, where users receive emails with suspicious attachments or links, unknowingly execute these items, and then – *BAM* – a bad day ensues. If you aren’t protecting your email from spam, phishing, and malware, get something now! On the other hand, if you are using something standalone and on-premises, consider a cloud-aware email security solution to build another layer of separation and provide the constant, real-time updating needed to stay ahead.
Phishing emails have become one of the leading ways into an organization. Attackers who gain a foothold through a phishing email routinely go undiscovered for months (industry breach reports have put the median dwell time at over 200 days), and most of those discoveries are made at larger companies with dedicated security teams, so it is even more important for small businesses to reduce this threat as much as possible. No technical control or software replaces good user education, but you can cut the number of forged messages that reach your users, and stop others from forging your domain, by publishing the right DNS records. SMTP has no built-in sender authentication, so three additional controls have been layered on top of it:
- Sender Policy Framework (SPF)
- DomainKeys Identified Mail (DKIM)
- Domain-based Message Authentication, Reporting, and Conformance (DMARC)
All modern mail servers and services can read and act on these records. They are enforced by the recipient: publishing them for your domain protects the people you email (their servers check them), while your own server protects you by checking the records of everyone who writes to you. Each control covers a gap left by the previous one. SPF only says which hosts may use your domain in the envelope sender (MAIL FROM), which the user never sees, and it breaks when mail is forwarded. DKIM adds a signature over the headers and body, so a receiver can verify that the message was not altered and came from a server holding your signing key. DMARC ties both checks to the From: address the user actually sees, tells receivers what to do when neither check aligns (none, quarantine, or reject), and sends you reports on who is sending mail as your domain. Use all three together; with DMARC at p=reject, the people who interact with you can be reasonably confident that mail from your domain is actually from you. In Exchange Online Protection you can also create a mail flow rule that quarantines or rejects messages that claim to be from your domain, arrive from outside the organization, and fail these checks. This removes most of the crude "from the CEO" phishing attempts.
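The following script is an added example, not code from the original post: it pulls a domain's SPF and DMARC records (and, if you know the selector, the DKIM key) and flags the settings that leave the domain easy to spoof. The sample records at the bottom are constructed, not real DNS answers; the record text can be passed in directly so the checks run offline. The Exchange Online Protection rule at the end uses placeholder names (`example.com`, the rule name) and is left commented out because it needs an Exchange Online session.

```powershell
# Added example (not from the original post): audit SPF/DMARC/DKIM for a domain.
# Requires Windows PowerShell 5.1 or later; Resolve-DnsName comes with Windows.
function Test-EmailAuthRecords {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string] $SpfRecord,       # optional record text, e.g. 'v=spf1 include:spf.protection.outlook.com -all'
        [string] $DmarcRecord,     # optional record text, e.g. 'v=DMARC1; p=reject; rua=mailto:dmarc@example.com'
        [string] $DkimSelector     # optional: DKIM can only be checked when you know the selector, e.g. 'selector1'
    )

    # Fetch the first TXT record at $Name matching $Pattern; long records are
    # published as several strings that must be joined first.
    function Get-TxtRecord([string] $Name, [string] $Pattern) {
        try {
            Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
                Where-Object { $_.Strings } |
                ForEach-Object { $_.Strings -join '' } |
                Where-Object { $_ -like $Pattern } |
                Select-Object -First 1
        } catch { $null }
    }

    if (-not $SpfRecord)   { $SpfRecord   = Get-TxtRecord $Domain 'v=spf1*' }
    if (-not $DmarcRecord) { $DmarcRecord = Get-TxtRecord "_dmarc.$Domain" 'v=DMARC1*' }
    $findings = New-Object System.Collections.Generic.List[string]

    # --- SPF: which hosts may put this domain in the envelope sender ---------------
    if (-not $SpfRecord) {
        $findings.Add('SPF: no v=spf1 record, so receivers cannot reject forged envelope senders')
    } else {
        $terms   = $SpfRecord.Trim() -split '\s+'
        $allTerm = @($terms | Where-Object { $_ -match '^[+\-~?]?all$' }) | Select-Object -Last 1
        if (-not $allTerm)                  { $findings.Add('SPF: no terminal "all" mechanism; unlisted senders get a neutral result') }
        elseif ($allTerm -match '^\+?all$') { $findings.Add("SPF: '$allTerm' authorises every host on the internet; use -all") }
        elseif ($allTerm -eq '?all')        { $findings.Add('SPF: "?all" is neutral, which receivers treat much like having no SPF') }
        elseif ($allTerm -eq '~all')        { $findings.Add('SPF: "~all" softfail is acceptable with DMARC; prefer -all once every sender is listed') }
        # RFC 7208 allows at most 10 DNS-querying terms; more yields permerror, i.e. no protection.
        $lookups = @($terms | Where-Object { $_ -match '^[+\-~?]?(include:|a($|[:/])|mx($|[:/])|ptr|exists:|redirect=)' }).Count
        if ($lookups -gt 10) { $findings.Add("SPF: $lookups DNS-querying terms exceed the limit of 10 (permerror)") }
    }

    # --- DMARC: ties SPF/DKIM to the visible From: domain and sets the policy -------
    if (-not $DmarcRecord) {
        $findings.Add("DMARC: no _dmarc.$Domain record, so mail can pass SPF for some other domain and still spoof your From: address")
    } else {
        $tags = @{}
        foreach ($pair in ($DmarcRecord -split ';')) {
            $kv = $pair.Trim() -split '=', 2
            if ($kv.Count -eq 2) { $tags[$kv[0].Trim().ToLower()] = $kv[1].Trim() }
        }
        $policy = if ($tags['p']) { $tags['p'].ToLower() } else { 'none' }
        if ($policy -eq 'none')                                 { $findings.Add('DMARC: p=none only reports; move to p=quarantine, then p=reject') }
        if ($tags['pct'] -and [int]($tags['pct']) -lt 100)      { $findings.Add("DMARC: pct=$($tags['pct']) leaves the rest of the mail unenforced") }
        if (-not $tags['rua'])                                  { $findings.Add('DMARC: no rua= address, so you will never learn who is spoofing you') }
        if ($tags['sp'] -and $tags['sp'].ToLower() -eq 'none')  { $findings.Add('DMARC: sp=none leaves subdomains unprotected') }
    }

    # --- DKIM: needs the selector; an empty p= tag means the key was revoked ---------
    $dkimRecord = $null
    if ($DkimSelector) {
        $dkimRecord = Get-TxtRecord "$DkimSelector._domainkey.$Domain" '*p=*'
        if (-not $dkimRecord)                    { $findings.Add("DKIM: no record at $DkimSelector._domainkey.$Domain") }
        elseif ($dkimRecord -match 'p=\s*(;|$)') { $findings.Add('DKIM: empty p= tag, the key is revoked') }
    }

    [pscustomobject]@{
        Domain   = $Domain
        Spf      = $SpfRecord
        Dmarc    = $DmarcRecord
        Dkim     = $dkimRecord
        Findings = $findings.ToArray()
    }
}

# Constructed sample records (not real DNS data). First a common weak setup...
Test-EmailAuthRecords -Domain 'example.com' `
    -SpfRecord   'v=spf1 include:spf.protection.outlook.com ?all' `
    -DmarcRecord 'v=DMARC1; p=none; pct=50' | Format-List

# ...then the hardened version of the same domain.
Test-EmailAuthRecords -Domain 'example.com' `
    -SpfRecord   'v=spf1 include:spf.protection.outlook.com -all' `
    -DmarcRecord 'v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com' | Format-List

# The Exchange Online Protection rule described above: mail that claims to be from
# your own domain, arrives from outside the tenant and failed authentication is
# quarantined. Needs Connect-ExchangeOnline; uncomment and set your accepted domain.
# New-TransportRule -Name 'Quarantine spoofed internal senders' `
#     -FromScope NotInOrganization -SenderDomainIs 'example.com' `
#     -HeaderMatchesMessageHeader 'Authentication-Results' `
#     -HeaderMatchesPatterns 'compauth=fail', 'dmarc=fail' `
#     -Quarantine $true
```

Run it against your own domain with `Test-EmailAuthRecords -Domain yourdomain.com -DkimSelector selector1` (Microsoft 365 tenants sign with `selector1` and `selector2`). The SPF check deliberately stops at the syntax level: it does not follow `include:` chains, so the lookup count is a lower bound.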
Exchange Online Protection (EOP) and Office Advanced Threat Protection
At eGroup, we’ve assisted hundreds of organizations with upgrading, migrating, and maintaining on-premises Exchange environments and cloud-based Office 365 solutions. Implementing Exchange Online Protection and Office Advanced Threat Protection (now Microsoft Defender for Office 365) can provide you with increased threat management, advanced anti-phishing controls, link (URL) checking, and a detonation chamber (sandbox) that opens attachments before delivery, for both on-premises and cloud deployments. Once you’re ready to move beyond the “free” changes you can implement on your own, we can help you understand how Exchange Online Protection and Office Advanced Threat Protection can be leveraged to protect your organization. Start your free trial of Microsoft Office 365 with us today!
2: CISCO UMBRELLA (PAID/FREE)
Cisco Umbrella and OpenDNS are DNS resolver services that block malware and phishing sites automatically: a lookup for a known-bad domain returns a block page instead of the real address, so the connection never happens. Both are part of Cisco Systems, but each focuses on a different market segment. Cisco Umbrella is aimed at enterprise networks, providing deep control over and insight into DNS-layer filtering and security, while OpenDNS offers free and Prosumer packages aimed at the home/SMB market with similar functions.
The basic OpenDNS service (blocking malware and phishing domains) is free. Paid tiers add content filtering and visibility into traffic patterns, which is still very economical considering the visibility gained.
Both Umbrella and the Prosumer and free versions of OpenDNS let you allow or block individual domains and choose from over 50 content-filtering categories. Umbrella and the Prosumer package also provide a roaming client that is installed on laptops, so the same protection applies when the device is off the corporate or home network.
To quickly test whether your network is protected by Umbrella or OpenDNS, try to visit Internet Bad Guys (internetbadguys.com), a harmless test domain that OpenDNS lists as phishing. If the page loads instead of a block page, your DNS queries are not being filtered, and a ransomware redirect delivered through a malicious DNS answer would get through.
To implement the free version of OpenDNS, point the DNS servers on your devices at OpenDNS’s published resolvers, 208.67.222.222 and 208.67.220.220. This can be done directly on network devices, servers, and clients (mobile devices, laptops, etc.). To simplify this even more, set those two addresses as the DNS servers (option 6) in your DHCP scope so every device picks them up consistently.
Bonus points: configure your perimeter firewall to block outbound DNS to any resolver other than OpenDNS (drop TCP/UDP 53 to destinations other than 208.67.222.222 and 208.67.220.220, and block port 853, which DNS over TLS uses). This prevents malware from ignoring the DHCP-assigned resolver and querying a public or attacker-controlled DNS server directly. Note that DNS over HTTPS travels on port 443 and is not stopped by this rule; disable it in browsers by policy, or block the known DoH resolver addresses, if you want DNS filtering to stay effective.
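As an added example (not part of the original post), here is a check for the steps above on a Windows machine: it compares each interface’s resolvers with the OpenDNS addresses, optionally repoints them, and confirms the filter is active by resolving OpenDNS’s test name through the machine’s own resolvers and through OpenDNS directly. The DHCP scope ID at the end is a placeholder.

```powershell
# Added example (not from the original post). Requires Windows PowerShell 5.1+
# with the DnsClient module (built into Windows 8 / Server 2012 and later);
# -Remediate needs an elevated prompt.
$OpenDnsServers = @('208.67.222.222', '208.67.220.220')   # OpenDNS's published resolvers
$TestDomain     = 'internetbadguys.com'                   # OpenDNS's harmless phishing test name

function Test-OpenDnsProtection {
    [CmdletBinding()]
    param([switch] $Remediate)

    # 1. Per-interface check: any resolver outside the allowed set is a bypass path.
    $nics = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 }
    foreach ($nic in $nics) {
        $unexpected = @($nic.ServerAddresses | Where-Object { $_ -notin $OpenDnsServers })
        $compliant  = ($unexpected.Count -eq 0)
        if (-not $compliant -and $Remediate) {
            Set-DnsClientServerAddress -InterfaceIndex $nic.InterfaceIndex -ServerAddresses $OpenDnsServers
            $compliant = $true
        }
        [pscustomobject]@{
            Check   = 'Interface'
            Subject = $nic.InterfaceAlias
            Detail  = ($nic.ServerAddresses -join ', ')
            Pass    = $compliant
        }
    }

    # 2. Behavioural check: through a filtering resolver the test name must return
    #    the same (block page) answer that OpenDNS gives when asked directly. An
    #    unfiltered resolver returns the real address instead. Flush the cache so
    #    an old answer is not reused.
    Clear-DnsClientCache
    $viaSystem  = @(Resolve-DnsName -Name $TestDomain -Type A -ErrorAction SilentlyContinue |
                    Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress)
    $viaOpenDns = @(Resolve-DnsName -Name $TestDomain -Type A -Server $OpenDnsServers[0] -ErrorAction SilentlyContinue |
                    Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress)
    $filtered = ($viaSystem.Count -gt 0) -and ($viaOpenDns.Count -gt 0) -and
                -not (Compare-Object -ReferenceObject $viaSystem -DifferenceObject $viaOpenDns)
    [pscustomobject]@{
        Check   = 'TestDomain'
        Subject = $TestDomain
        Detail  = "system: $($viaSystem -join ', ') / OpenDNS: $($viaOpenDns -join ', ')"
        Pass    = $filtered
    }
}

# 3. Make it stick for the whole LAN by publishing the resolvers through DHCP
#    (option 6) on a Windows DHCP server; replace the scope ID with your own.
# Set-DhcpServerv4OptionValue -ScopeId 192.168.1.0 -DnsServer $OpenDnsServers

Test-OpenDnsProtection | Format-Table -AutoSize
```

`Test-OpenDnsProtection -Remediate` rewrites non-compliant interfaces. A passing TestDomain row only proves the resolver path filters; it says nothing about an application that brings its own DNS over HTTPS, which is why the egress rule above still matters.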
3: PERIMETER ANTI-MALWARE
Perimeter anti-malware has become a must-have on any internet-facing network device. Protecting the front door from inbound attacks is only half the job; just as important is inspecting outbound traffic, because an infected machine inside the network has to reach back out to its command-and-control server or fetch its payload, and that is where it can be spotted and stopped.
At eGroup, we often position the Cisco Meraki MX appliances with the Advanced Security license for anti-virus, anti-phishing, and IDS functionality using the Cisco Sourcefire engine for our small to medium-sized businesses, or remote offices of larger organizations.
For larger organizations, we position the Cisco ASA with FirePOWER next-generation firewall from Cisco. If you already have Cisco ASA technology, FirePOWER can be added to certain models of ASA – check with our sales engineers for details.
Almost all firewall appliance vendors (enterprise and SMB/home) have added this functionality, either embedded in the appliance or through a third-party integration. Palo Alto Networks and Check Point both provide very strong anti-malware engines for enterprises, and for home users vendors like Ubiquiti have started adding threat management capabilities to their platforms.
You don’t leave your house unlocked and keys in the front door, so why do it with your network?
4: MORE FREQUENT BACKUPS (FREE)
File shares are a frequent target of ransomware attacks, which encrypt their content – locking up valuable documents, spreadsheets, other critical end-user information, and holding it ransom for an exorbitant sum.
More frequent backups and snapshots of critical data sets reduce the pain and time of rolling back after an attack. Increasing the frequency of backups, coupled with snapshots and transaction logging, can greatly help to reduce the damage. Data protection products like Rubrik, Veeam, or Dell Avamar can be configured to perform backups at multiple points throughout the day, and storage-enabled snapshots can reduce data loss to just minutes. And for environments with even more stringent requirements, replication products like Zerto, Azure Site Recovery, and Dell RecoverPoint for Virtual Machines can reduce data loss to just seconds (or less) through the use of transaction journaling that permit rolling back to a specific point in time.
When considering modifications to the backup environment, be aware that backup repositories reachable over SMB (CIFS) or NFS are every bit as vulnerable as the file systems they protect: ransomware running as a user who can write to the share can encrypt the backups too. Replace those targets with repositories that use an immutable file system, that are reached only through the backup product’s own protocol, or both. Copying backups to an “air-gapped” repository that is connected to the network only during backup operations provides an additional measure of security.
For critical workstations with local data storage, look at products like Veeam Endpoint Backup (since renamed Veeam Agent for Microsoft Windows; the free edition is community-supported) or Carbonite Mozy.
Just as important as frequent backups, is the ability to restore quickly. eGroup has seen more than one client suffer from long restoration times (12+ hours) for a full dataset that was only a few hours old. Routine auditing and testing of your restore capabilities is a must to ensure operational readiness.
5: TIGHTEN RBAC PRIVILEGES TO FILE SHARES (FREE)
Ransomware typically encrypts whatever files the compromised user account can write to on a mapped drive, so the blast radius of an infection is the sum of that user’s write permissions. To shrink it, evaluate the minimum write permissions each user needs, create an Active Directory group for that role with exactly those permissions (role-based access control), add the user to the group, and remove any permissions granted directly to the user account. Repeat until no explicit user permissions remain and every permission maps to an AD group. This limits the write access any one account has to the different information silos, and therefore how much a single compromised account can encrypt.
Among other publicly available free tools for assessing permissions, SolarWinds offers the free Permissions Analyzer for Active Directory.
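As an added example (not from the original post), the script below does the first step of that loop for you: it walks a share tree and lists every explicit, non-inherited Allow entry that gives write-class rights to a user account rather than a group. It assumes the RSAT ActiveDirectory module is installed, that you have read access to the ACLs, and that `\\fileserver\Finance` is a placeholder for your own share.

```powershell
# Added example (not from the original post). Windows PowerShell 5.0+ (for
# Get-ChildItem -Depth) and the ActiveDirectory module.
function Find-ExplicitUserWriteAce {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,   # share root, e.g. \\fileserver\Finance or D:\Shares\Finance
        [int] $Depth = 3                         # folder levels below the root to inspect
    )

    # Rights that let ransomware create, overwrite or delete files. The two extra
    # bits are GENERIC_WRITE and GENERIC_ALL, which appear on some inherit-only ACEs.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, Modify, FullControl' -bor 0x40000000 -bor 0x10000000

    # Classify an identity by asking AD once and caching the answer.
    $kindCache = @{}
    function Get-IdentityKind([string] $Identity) {
        if ($kindCache.ContainsKey($Identity)) { return $kindCache[$Identity] }
        $kind = 'other'   # BUILTIN\..., NT AUTHORITY\..., local accounts, unresolvable SIDs
        if ($Identity -match '^(?<dom>[^\\]+)\\(?<sam>[^\\]+)$' -and
            $Matches['dom'] -notin @('BUILTIN', 'NT AUTHORITY', 'NT SERVICE')) {
            $sam = $Matches['sam']
            try {
                $obj = Get-ADObject -Filter { sAMAccountName -eq $sam } -ErrorAction Stop | Select-Object -First 1
                if ($obj) { $kind = $obj.ObjectClass }      # 'user', 'group', 'computer', ...
            } catch { $kind = 'unknown' }
        }
        $kindCache[$Identity] = $kind
        return $kind
    }

    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue)
    foreach ($folder in $folders) {
        $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            # Inherited entries are fixed at the parent; deny entries are not the problem here.
            if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }
            if (([int]($ace.FileSystemRights) -band $writeMask) -eq 0) { continue }
            $identity = $ace.IdentityReference.Value
            if ((Get-IdentityKind $identity) -ne 'user') { continue }
            [pscustomobject]@{
                Path      = $folder.FullName
                Identity  = $identity
                Rights    = $ace.FileSystemRights
                AppliesTo = $ace.InheritanceFlags
            }
        }
    }
}

# Usage: report first, fix afterwards. Once the user is in the right group, remove
# the direct grant with  icacls <path> /remove:g "DOMAIN\user"  or by calling
# $acl.RemoveAccessRule($ace) followed by Set-Acl.
Find-ExplicitUserWriteAce -Path '\\fileserver\Finance' -Depth 2 |
    Sort-Object Path, Identity | Format-Table -AutoSize
```

Entries classified as `unknown` mean the AD lookup failed (module missing or no domain connectivity); treat those as users until proven otherwise. The scan reads ACLs only and changes nothing.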
6: ACTIVE DIRECTORY SOFTWARE RESTRICTION POLICIES (FREE)
If you run a Microsoft Active Directory environment, which 99.9% of our clients do, the built-in Software Restriction Policies (Group Policy, under Computer Configuration > Policies > Windows Settings > Security Settings > Software Restriction Policies) let you limit the locations from which executables are allowed to run. To date, most ransomware has downloaded itself to and attempted to run from the %AppData% directory, because a user can write there without administrator rights. Implementing Software Restriction Policies is strongly recommended for all workstations. It is probably good for servers too, but there is a small chance it will break poorly written applications that run from the user profile, so we make the customer aware of the change and craft exceptions (Unrestricted path rules for the specific application folder) where needed. The policy shown below is a path rule that disallows execution from that directory. Note that Microsoft deprecated Software Restriction Policies in Windows 10 version 1803 in favor of AppLocker and Windows Defender Application Control, so confirm that the Windows versions you run still enforce it and plan to move to AppLocker when you can.
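The script below is an added example, not the policy from the original post’s screenshot: it creates that rule on a single machine by writing the registry keys that the Local Security Policy editor (secpol.msc) writes, which is an assumption about the Safer key layout rather than a documented API, and adds one Unrestricted exception for a placeholder application path (`%AppData%\ExampleVendor\ExampleApp`) that you must replace or remove. In a domain, put the same rules in a GPO instead of running this on each host.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
$SaferRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0x00000     # SAFER_LEVELID_DISALLOWED
$Unrestricted = 0x40000     # SAFER_LEVELID_FULLYTRUSTED (262144)

function Initialize-SaferPolicy {
    # The container plus the editor's defaults: everything runs unless a rule says
    # otherwise (DefaultLevel), rules apply to all users, DLLs are not checked.
    if (-not (Test-Path -LiteralPath $SaferRoot)) { New-Item -Path $SaferRoot -Force | Out-Null }
    $defaults = @{ DefaultLevel = $Unrestricted; TransparentEnabled = 1; PolicyScope = 0; AuthenticodeEnabled = 0 }
    foreach ($name in $defaults.Keys) {
        New-ItemProperty -LiteralPath $SaferRoot -Name $name -PropertyType DWord -Value $defaults[$name] -Force | Out-Null
    }
    # The editor's default "Designated File Types" list; extend it if you need more.
    $types = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP','LNK',
             'MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC'
    New-ItemProperty -LiteralPath $SaferRoot -Name ExecutableTypes -PropertyType MultiString -Value $types -Force | Out-Null
}

function Add-SaferPathRule {
    param(
        [Parameter(Mandatory)] [string] $Path,    # may use %AppData%-style variables; a folder covers its subfolders
        [Parameter(Mandatory)] [int]    $Level,   # $Disallowed or $Unrestricted
        [string] $Description = ''
    )
    # Each rule is its own GUID-named key under CodeIdentifiers\<level>\Paths.
    $key = "$SaferRoot\$Level\Paths\{$([guid]::NewGuid().ToString().ToUpper())}"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -LiteralPath $key -Name ItemData     -PropertyType ExpandString -Value $Path -Force | Out-Null
    New-ItemProperty -LiteralPath $key -Name SaferFlags   -PropertyType DWord        -Value 0 -Force | Out-Null
    New-ItemProperty -LiteralPath $key -Name Description  -PropertyType String       -Value $Description -Force | Out-Null
    New-ItemProperty -LiteralPath $key -Name LastModified -PropertyType QWord        -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Force | Out-Null
    $key
}

Initialize-SaferPolicy
Add-SaferPathRule -Path '%AppData%' -Level $Disallowed `
    -Description 'No execution from the roaming profile (ransomware drop location)'
# The most specific matching path rule wins, so an Unrestricted rule below the
# blocked tree is how you craft an exception for one legitimate application.
Add-SaferPathRule -Path '%AppData%\ExampleVendor\ExampleApp' -Level $Unrestricted `
    -Description 'Placeholder exception: per-user application that must keep working'

# Review what is now in place. Then log a test user off and on, copy any .exe into
# %AppData% and run it: it must refuse to start, and the Application event log
# records the block under source SoftwareRestrictionPolicies (event ID 866 for a path rule).
foreach ($level in $Disallowed, $Unrestricted) {
    Get-ChildItem -LiteralPath "$SaferRoot\$level\Paths" -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -LiteralPath $_.PSPath | Select-Object @{n='Level';e={$level}}, ItemData, Description }
}
```

Remove a rule by deleting its GUID key; remove the whole policy by deleting the `CodeIdentifiers` key. Before rolling this out, run the review loop on a pilot group and collect the 866 events for a week so the exceptions you add are the ones real users actually need.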
7: MAKE INFORMATION SECURITY EVERYONE’S RESPONSIBILITY (FREE)
Engage and educate your entire family, team, staff, company, and tribe on the perils of clicking on untrusted bits of information. Create a culture of “if it doesn’t look legit, it probably isn’t” and that it’s always safest to get a second opinion from the IT team – or a locally accessible knowledgeable user.
Where possible, company or IT leadership should routinely train new and established employees alike on the organization’s security policies and procedures and provide periodic updates on emerging threats and countermeasures. eGroup is always happy to assist with crafting or refining security policies and facilitating organizational awareness.
To encourage constant vigilance, consider employing a tool like KnowBe4 to regularly test users’ ability to detect and properly respond to phishing emails. There’s no better preparation than practice.
We’re always here to assist new and existing clients with ensuring they have the knowledge, expertise, and street smarts to run a risk-reduced security environment! Contact us today.