Oren Elimelech, CISO and VP Privacy at Atera, spoke to us this week about being better prepared for security incidents, especially the rise in ransomware attacks that can leave a business disrupted for days or even weeks at a time. If you missed the live event, you can watch it here – or catch up on the highlights below.
Is your business ready for a disaster?
There was a 150% rise in ransomware attacks in 2021, and around 65% of these attacks used the RaaS model – Ransomware as a Service. RaaS kits are bought and sold on the internet, sometimes for as little as the price of a single cup of coffee. The average time that a business is down due to ransomware is 11 days, a huge hit to business continuity and profit. Behind the scenes, attackers regularly lie dormant in their victims’ infrastructure for as long as 200 days after getting in, having leveraged the common ports that we all use every day to infiltrate the environment, from SSH and HTTPS to RDP and MySQL.
Oren walked us through CISA’s (Cybersecurity and Infrastructure Security Agency) Shields Up, which gives the cybersecurity community special measures and guidance for staying safe. Key takeaways included:
- Adopt a heightened security posture: No matter the business size, this will help you reduce the likelihood of a cyber intrusion. Know what you have under your own roof, and make sure you can recognize known vulnerabilities by using the CSV file found here. Downloading this file tells you exactly which vulnerabilities attackers are known to be exploiting, so you can take steps to shore up those gaps first.
- Make sure you have an incident response plan: What would you do if there was a breach or an attack? A document that you can follow step by step and provide to your end-users is really important, so that the plan doesn’t live only inside one technician’s or stakeholder’s head. Test your incident response plan often with drills and simulations, to make sure everyone is on the same page. Strike a balance between the business goals (getting back to normal ASAP) and the technical objectives (investigating further to make sure you find the root cause).
- Test your backups: If you don’t test your backups, then you don’t know how resilient your environment really is. Does your backup contain all the data? Have you verified that it is coherent? This is an important regular step for keeping yourself safe. Controls can fail, so you need to add manual checks and balances.
- Ensure corporate leadership: Not all organizations have a CISO, but make sure you have a stakeholder who is responsible for cybersecurity, one who understands the security and the business impact of a breach. Lower the reporting threshold so that everyone knows who to reach out to and report to, and work with legal counsel to make sure your plan is ready for relevant regulatory mandates.
MSPs have a critical role in ensuring customers have a strong security posture
As an MSP or IT professional, you have a unique role in ensuring that the environments you manage are safe. One way to do this is to apply least privilege. This means that users only have access to what they need, and no further. For example, provide access to specific data only to the technicians who need that access in their line of work. If they only need read access, don’t give them write access. Regularly validate that they are actually using this access, at least every 90 days but perhaps more often depending on your business needs, and remove access that is no longer needed.
When it comes to credentials, make sure to use unique and strong passwords; opt for case-sensitive passwords made up of letters, numbers, and symbols. As well as this, all technicians need to be using MFA, or it’s easy to lose control. For privileged admin access, the security needs to be even tighter. Create a dedicated account for each administrator, and make sure that admins use unique privileged credentials for their admin tasks, separate from the normal account they use for everyday access, email, or browsing. That privileged domain account should be used only for the specific admin tasks that need to be carried out, and only to connect to domain controllers. It should never be used when connecting to workstations or endpoints.
This brings us to password management systems, safes, or vaults. These require users to “check out” a password before using it, and can rotate passwords on your behalf. They are a great tool, and well worth investing in or utilizing in your environment. An added benefit? When you use a key safe or a password vault you get an automatic audit trail that records every time a login is attempted or successfully completed.
Another very good precaution is to use PAW, which stands for Privileged Access Workstations. These don’t have access to the web or email, and so are a great jump box to administer critical systems, such as managing the firewall, handling remote access, and dealing with authentication servers, domain controllers, and more.
One critical failure point is Active Directory. Oren recommended PingCastle as a great solution for securing this part of the business. It can be downloaded for free, and it will provide a detailed report on trust between domains and what can be done to shore up this essential pivot point.
Network segmentation is an important strategy: when areas are segmented, the risk of hackers making it inside is lower, and the threat actors who do get in have to do far more work to penetrate further or move laterally. Oren highly recommends you follow Microsoft’s Enterprise Access Model strategy and Rapid Modernization Plan. You can learn more about these using the guide attached to the end of this article.
Segmentation is also about users, and it’s important to minimize the number of user accounts in Domain Administrator groups and to look at any nested groups inside the DA group, too. Take a hard look at service accounts, as these can give attackers high-privilege access on your network and often have interactive logon enabled, which you can disable once you know about it. Create a specific username and password for each application, at least 24 characters in length, and make sure to change it at least once a year. Another argument for using a password vault – this kind of solution can handle that rotation automatically.
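The two review routines described above (validating that technicians still use the access they hold at least every 90 days, and checking service accounts for interactive logon, 24-character passwords and yearly rotation) lend themselves to a simple script. The following is an added example written for this recap, not code from Atera or the speaker; the record layout (user, resource, permission, last_used, and the service-account fields) and the sample data are constructed for the example and would need to be mapped to whatever your directory or PAM tool actually exports.

```python
"""Periodic access and service-account review helper (added example, not Atera's code).

Applies two checks from the recap to constructed sample records:
  * access grants never used, or not used in the last 90 days, are flagged for removal;
  * service accounts are checked for interactive logon, password length below 24
    characters, and passwords older than one year.
Field names are assumptions for this example; adapt them to your own exports.
"""
from datetime import date, timedelta

REVIEW_DATE = date(2022, 4, 1)           # constructed "today" so the output is deterministic
STALE_AFTER = timedelta(days=90)         # access unused for 90 days gets reviewed
MAX_PASSWORD_AGE = timedelta(days=365)   # service-account passwords rotate at least yearly
MIN_SERVICE_PASSWORD_LEN = 24

# Constructed sample data; not taken from any real environment.
ACCESS_GRANTS = [
    {"user": "tech.alice", "resource": "fileshare-finance", "permission": "read", "last_used": date(2022, 3, 28)},
    {"user": "tech.bob", "resource": "fileshare-finance", "permission": "write", "last_used": date(2021, 11, 2)},
    {"user": "tech.carol", "resource": "fw-admin", "permission": "admin", "last_used": None},
]

SERVICE_ACCOUNTS = [
    {"name": "svc-backup", "interactive_logon": False, "password_length": 32, "password_set": date(2021, 9, 1)},
    {"name": "svc-legacyapp", "interactive_logon": True, "password_length": 12, "password_set": date(2020, 1, 15)},
]


def stale_grants(grants, today=REVIEW_DATE, stale_after=STALE_AFTER):
    """Return grants that were never used, or not used since today - stale_after."""
    cutoff = today - stale_after
    return [g for g in grants if g["last_used"] is None or g["last_used"] < cutoff]


def service_account_findings(accounts, today=REVIEW_DATE):
    """Return {account_name: [finding, ...]} for accounts that break the service-account rules."""
    findings = {}
    for acct in accounts:
        issues = []
        if acct["interactive_logon"]:
            issues.append("interactive logon enabled; deny it")
        if acct["password_length"] < MIN_SERVICE_PASSWORD_LEN:
            issues.append(f"password shorter than {MIN_SERVICE_PASSWORD_LEN} characters")
        if today - acct["password_set"] > MAX_PASSWORD_AGE:
            issues.append("password older than one year; rotate it")
        if issues:
            findings[acct["name"]] = issues
    return findings


if __name__ == "__main__":
    for g in stale_grants(ACCESS_GRANTS):
        print(f"REVIEW: {g['user']} has {g['permission']} on {g['resource']} (last used {g['last_used']})")
    for name, issues in service_account_findings(SERVICE_ACCOUNTS).items():
        print(f"{name}: " + "; ".join(issues))
```

With the sample data, the read-only grant exercised last week passes, the unused write grant and the never-used admin grant are listed for review, and only the legacy application account is reported, with all three findings. Feeding the script a real export means the review becomes a scheduled task rather than a manual hunt through group memberships.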
13 Practical Recommendations for Cloud Security
There’s a lot to think about, but here are 13 quick steps you can take to get started in heightening your security posture.
- Implement conditional access policies: These should use a zero-trust mindset and be based on your actual organizational needs.
- Establish a baseline for normal network activity: If you don’t understand your normal traffic, how can you differentiate when something is going wrong?
- Routinely review logs: This should be for Active Directory sign-ins and also unified audit logs, both of which could show anomalous activity.
- Implement and enforce MFA: Ensure you have multi-factor authentication for all users, with no exceptions. Atera works with Auth0, making this simple.
- Create alerts for new rules: User created rules for email forwarding can be a sign of a business email compromise or another attack. Set up relevant alerts.
- Put a mitigation plan in place: Understand when, how and why passwords should be reset or session tokens revoked, for example.
- Mobile device management: Before allowing employees to use personal devices for work, have an MDM solution in place.
- Add local DNS filtering or full URL filtering and proxy: Ensure traffic is validated and filtered for suspicious or malicious domains.
- Log user access: Make sure this integrates or forwards logs to a SIEM, allowing you to go back and investigate if something goes wrong.
- Block open Remote Desktop Protocol ports: All cloud instances that have a public IP might have open RDP ports. This should be behind a firewall, and only accessed via VPN.
- Focus on education: Awareness and training are an important part of prevention. With information on upcoming risks and vulnerabilities, employees can become your first line of defense.
- Establish blame-free reporting: Make sure users can come forward if they have made a mistake, or when they suspect a cyberattack.
- Implement built-in tools: From URL filtering to spam prevention and malware detection, an all-in-one solution makes it simpler to stay secure.
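Two of the items above go together: routinely reviewing the unified audit log, and alerting on user-created email forwarding rules as a sign of business email compromise. The script below is an added example for this recap, not Atera’s or the speaker’s code. It scans audit records for inbox-rule changes that forward or redirect mail and grades them by whether the destination is outside the organization. The records are constructed and only loosely modelled on Microsoft 365 unified audit log entries (Operation, UserId, Parameters); the internal domain list and the exact field names are assumptions, so check them against your own log schema before reusing this.

```python
"""Alert on mailbox rules that forward or redirect mail (added example, not Atera's code).

Exchange logs inbox-rule changes under the cmdlet names New-InboxRule and Set-InboxRule,
so those are the operations we key on. Everything else here (record shape, sample data,
the internal domain) is constructed for the example.
"""
import json

INTERNAL_DOMAINS = {"example.com"}      # assumption: the organization's own mail domains
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Inbox-rule parameters that send a copy of, or redirect, incoming mail elsewhere.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

# Constructed sample audit records, one JSON document per line.
SAMPLE_LOG = """\
{"CreationTime":"2022-03-30T08:12:01","Operation":"New-InboxRule","UserId":"alice@example.com","Parameters":[{"Name":"Name","Value":"Sort invoices"},{"Name":"MoveToFolder","Value":"Invoices"}]}
{"CreationTime":"2022-03-30T09:44:17","Operation":"New-InboxRule","UserId":"bob@example.com","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"collector@attacker.invalid"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2022-03-30T10:02:55","Operation":"Set-InboxRule","UserId":"carol@example.com","Parameters":[{"Name":"RedirectTo","Value":"carol.archive@example.com"}]}
{"CreationTime":"2022-03-30T10:30:00","Operation":"UserLoggedIn","UserId":"dave@example.com","Parameters":[]}
"""


def _domain(address):
    """Return the lower-cased domain part of an SMTP address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def forwarding_alerts(log_text, internal_domains=INTERNAL_DOMAINS):
    """Return one alert dict per rule-change record that forwards or redirects mail.

    A rule pointing at any address outside internal_domains is 'high'. A rule that only
    forwards within the organization is 'low' but still reported, because the recommendation
    is to alert on every user-created forwarding rule, not only external ones.
    """
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if record.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
        targets = [params[k] for k in FORWARDING_PARAMS if k in params]
        if not targets:
            continue                      # rule only moves or tags mail; nothing to alert on
        external = [t for t in targets if _domain(t) not in internal_domains]
        alerts.append({
            "time": record["CreationTime"],
            "user": record["UserId"],
            "operation": record["Operation"],
            "targets": targets,
            "deletes_original": params.get("DeleteMessage") == "True",
            "severity": "high" if external else "low",
        })
    return alerts


if __name__ == "__main__":
    for a in forwarding_alerts(SAMPLE_LOG):
        note = " (original deleted)" if a["deletes_original"] else ""
        print(f"[{a['severity'].upper()}] {a['time']} {a['user']} {a['operation']} -> {', '.join(a['targets'])}{note}")
```

On the sample log the invoice-sorting rule and the plain sign-in produce nothing, the rule that forwards to an outside address and deletes the original is reported as high, and the internal redirect is reported as low. The combination of a forward to an external domain with DeleteMessage set is the pattern the list above warns about, since it hides the diverted mail from the mailbox owner; routing these alerts into the SIEM mentioned in the same list is what turns a log review into something you can act on the same day.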
Coming up: our next cybersecurity session will cover what to do in case of a breach. Don’t miss it!