It’s mid-2022, and it’s the perfect time to review your network’s plans, goals, and risks, especially given the changing threat landscape. Ransomware, for example, has become more of a target for humans. Ransomware operators are now looking for additional methods and payloads and uses of ransomware. Ransomware entry points range from email targeting and phishing scams and unpatched vulnerabilities to more targeted attacks.
With that in mind, here are ten tasks you should do for your mid-year security review:
1. Review third-party credentials and access policies
Attackers will scan for Remote Desktop Protocol (RDP) access and use brute-force attacks such as credential stuffing. They know that people tend to reuse credentials that attackers get from stolen databases to try to gain access to your network.
I seek to better handle credentials or other access approvals for external consultants because I am most concerned about their security processes and procedures. When dealing with outside consultants, include in your contract the security safeguards you want them to use. Whether it’s including them in your multi-factor authentication (MFA) plan or at a minimum opening access rules and firewalls to restrict access to specific networks, you should have a processes that you include in your service agreements and contracts. how consultants handle access and login information. User credentials are never transferred from the company to the consultant in a way that would unnecessarily expose them. Storage of these credentials should be done in a manner consistent with the recruiting company’s policies and procedures. Review and evaluate these processes accordingly.
2. Review security scan results
Review the results of scheduled scans and ensure that they are performed on assets that actually expose the company’s external risks. I recently had a company perform external scans of resources on my network. When I reviewed the results of the automated scans, I realized that they had scanned a bunch of computers that didn’t reflect the outer edge of my network. The report, while interesting, is not a true assessment of the external risk to my network. So, when hiring any external pen testing or scanning company, make sure that the assessment and delivery they provide you reflect the real advantage of your network. Automated scans are worthless if they don’t provide you with useful information.
3. Consider cloud rights and resources
If you’re moving computing assets to the cloud, don’t just set up a mirror of what you have on-premises. Review how resources are set up, what permissions are set up, and who gets permission to what content. Then, go back to your on-premises deployment and consider what security fundamentals or NIST principles might provide more rigidity to your intranet.
4. Implement Attack Surface Reduction Rules
If you haven’t implemented attack surface reduction rules for your workstations and servers to help block suspicious activity, make this your goal in the second half of 2022. You may need to must test and see the impact, but start with this first set of rules and enable as many as you can:
- Block all Office applications from creating subprocesses.
- Block executable content from web email and email clients.
- Block executables from running unless they meet the criteria for popularity, age, or trusted list.
- Block execution of potentially obfuscated scripts.
- Block JavaScript or VBScript from launching downloaded executables.
- Block Office applications from creating executable content.
- Block Office apps from injecting code into other processes.
- Block Office communication applications from creating subprocesses.
- Block untrusted and unsigned processes from running from USB.
- Intercept persistence through WMI (Persistence) event registration.
- Blocks credential theft from the Windows local security authority subsystem (lsass.exe) (Privilege Report).
- Block process creations originate from PSExec and WMI (Side Movement) commands.
5. Review network security settings and policies
Review how your revolution is set up. For a long time, we have set up networks with more limited permissions and even to the point of disabling the firewall inside the network. Review how you set up your workstation and move to where your workstation firewall is set to specific protocols.
Review password security and policies, and consider adding Azure AD Identity Protection to your existing Active Directory to better identify weak passwords in your network. Make sure you look at the options for MFA with Windows Hello or other third-party MFA solutions.
6. Reviewing Workstation Deployment Processes
Review your workstation installation and deployment process and make sure that you are not using the same local admin password when deploying the workstation. Review your options for managing local admin password solutions that randomize and encrypt local admin passwords.
7. Review backup policies
Review the process you use to back up and protect your important files. Review backup procedures for multiple backups, two backups on different storage types, and at least one offsite backup, and consider using OneDrive cloud storage for additional backups. additional to protect your files.
8. Use email filtering
Use email filtering and scanning to ensure that your email is reviewed before it reaches your workstation. Links contained in emails must be scanned on click and must be removed from your inbox if they are later found to be malicious.
9. Review the patching policy
As you work on the patch, review what problems you’ve had in the past in your network. If your high-end devices don’t have issues with patching, you may want to streamline and update update times for competing devices faster than those with update issues. Review the side effects you’ve experienced and what mitigations you need to take to recover from any. Review if there are alternative software or other alternatives that can be implemented to minimize the side effects of patching.
10. Consider anti-ransomware and endpoint protection solutions
Make sure your endpoint detection and antivirus solution can identify typical symptoms of a ransomware attack. From situations where file backups are suddenly deleted, to Cobalt Strike activity in your network or other suspicious activity, your solutions will alert you when attackers are starting to set entries in place for ransomware.
Copyright © 2022 IDG Communications, Inc.
