Many cyber insurance policies, and frankly contracts in general, require “reasonable security controls”. You have probably asked yourself what that actually means. In many cases it is possible to implement reasonable security controls without spending a great deal of money, simply by exercising due diligence. Here is a rough idea of the key things to include:
Perform a hardware and software inventory – Remember, you can’t protect what you don’t know about. Make sure you know every device on your network, the software running on it, and what each machine is listening for, and keep that list current.
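As an added example (not from the original article), the script below collects the basics of such an inventory from a single Windows machine and writes them to CSV files, so the output from many machines can be gathered and compared. It reads installed software from the registry rather than Win32_Product, which is slow and can trigger MSI repairs. It assumes Windows PowerShell 5.1 or later and an administrative session; the output folder is an assumption.

```powershell
# Added example: hardware, software, patch and listening-port inventory of
# the local Windows machine. Run as an administrator so the registry and
# CIM queries return complete data. The output folder below is an assumption.

$OutDir = Join-Path $env:TEMP ("inventory-" + $env:COMPUTERNAME)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# --- Hardware: what the machine is, and identifiers to match it to other records ---
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$bios = Get-CimInstance -ClassName Win32_BIOS
$os   = Get-CimInstance -ClassName Win32_OperatingSystem
$hardware = [pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    Manufacturer = $cs.Manufacturer
    Model        = $cs.Model
    SerialNumber = $bios.SerialNumber
    OS           = $os.Caption
    OSVersion    = $os.Version
    LastBoot     = $os.LastBootUpTime
    # MAC of every connected adapter, so the device can be matched to switch or DHCP logs
    MACs         = (Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object MacAddress) -join ';'
}
$hardware | Export-Csv -Path (Join-Path $OutDir 'hardware.csv') -NoTypeInformation

# --- Software: installed programs from the registry (64-bit and 32-bit views).
# Faster and safer than Win32_Product, which triggers MSI self-repair on every query.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$software = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object DisplayName -Unique
$software | Export-Csv -Path (Join-Path $OutDir 'software.csv') -NoTypeInformation

# --- Patches: which updates are present, so a machine that stopped patching stands out ---
Get-HotFix | Select-Object HotFixID, Description, InstalledOn |
    Sort-Object InstalledOn -Descending |
    Export-Csv -Path (Join-Path $OutDir 'hotfixes.csv') -NoTypeInformation

# --- Listening services: the "ports and protocols" side of the inventory ---
Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort,
        @{Name = 'Process'; Expression = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName }} |
    Sort-Object LocalPort -Unique |
    Export-Csv -Path (Join-Path $OutDir 'listening-ports.csv') -NoTypeInformation

Write-Host "Inventory written to $OutDir ($($software.Count) installed programs)"
```

Run it from a management tool or scheduled task on every machine and diff the CSVs over time: a new listening port or an unknown program appearing between two runs is exactly the kind of change an inventory is meant to surface.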
Routine and consistent patching – Routine patching does more than close security holes; it also fixes the bugs that cause crashes and outages. Effectively, patching makes your equipment both more secure and more reliable.
Disabling dangerous services, ports, and protocols – On any Windows server, it is critical to disable, or very tightly restrict, the following services and ports, above all where they are reachable from the Internet or other untrusted networks:
- Remote Desktop Protocol (RDP, port 3389)
- Telnet (port 23)
- SSH (port 22)
- SMB (port 445)
- SQL Server (port 1433)
It may well be necessary to keep some of these in place (RDP for administration or SMB for file sharing, for example). If so, take extra precautions: allow them only from specific management addresses, never from the whole Internet, limit login attempts with account lockout, and log every connection. Where authentication is exposed, require MFA or, at minimum, a long passphrase of 25 or more characters.
Current Software – It may seem simple, but one of the best ways to protect your systems is to run current software. Turning on automatic updates is highly recommended on systems that allow it. Many third-party applications support automatic updates, and these are among the most frequently attacked, including through zero-day vulnerabilities. Examples include:
- Microsoft Updates – if you do not distribute updates through your IT department
- Browsers – Google Chrome, Microsoft Edge, Mozilla Firefox
- Adobe Acrobat – Reader or the full version
Cloud Best Practices – If you are running in the cloud (Amazon, Azure or Google Cloud), follow the provider’s own baseline guidelines. At a minimum include the following:
- MFA for every administrator account
- Grant access per role, with each role limited to what that job needs (no shared administrator accounts)
- Implement a Web Application Firewall, at minimum with geo-blocking of countries you do not do business in
Endpoint Configuration – On every endpoint, it is critical to implement the following:
- Windows Firewall
- BitLocker
- Limit Admin Rights
- Enforce a minimum 10-character password using all four character classes (upper case, lower case, numbers and symbols). A good password is easiest to remember when it is built from a phrase or pattern. To check whether a password has already appeared in a breach, visit https://haveibeenpwned.com/Passwords, which maintains a list of over 600 million breached passwords; its API lets you check a password without sending it, by submitting only the first five characters of the password’s SHA-1 hash.
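As an added example (not from the original article), the script below checks the four endpoint items above on the local machine and reports each as PASS or FAIL, and then checks a candidate password against Pwned Passwords using the k-anonymity range query, so the password itself never leaves the machine. It assumes Windows 10 / Server 2016 or later with the BitLocker and LocalAccounts modules, an administrative session, and that only the built-in Administrator and the Domain Admins group should hold local admin rights (adjust that allow-list to your environment).

```powershell
# Added example: endpoint baseline check plus a Pwned Passwords lookup.
# Assumes Windows 10 / Server 2016+ and an administrative session.

function Test-EndpointBaseline {
    $results = New-Object System.Collections.Generic.List[object]
    $add = { param($Name, $Pass, $Detail)
        $results.Add([pscustomobject]@{
            Check = $Name; Result = $(if ($Pass) { 'PASS' } else { 'FAIL' }); Detail = $Detail }) }

    # Windows Firewall: every profile on, and inbound blocked unless a rule allows it.
    foreach ($p in Get-NetFirewallProfile) {
        & $add "Firewall profile $($p.Name)" (($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -ne 'Allow')) `
            "Enabled=$($p.Enabled) Inbound=$($p.DefaultInboundAction)"
    }

    # BitLocker: the OS volume is encrypted and protection is actually switched on.
    try {
        $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        & $add 'BitLocker on system drive' ($bl.ProtectionStatus -eq 'On') "Status=$($bl.ProtectionStatus) Method=$($bl.EncryptionMethod)"
    } catch {
        & $add 'BitLocker on system drive' $false "BitLocker unavailable: $($_.Exception.Message)"
    }

    # Limit admin rights: anyone in local Administrators outside this allow-list is reported.
    $allowedAdmins = @('Administrator', 'Domain Admins')   # assumption: adjust to your environment
    $extra = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { ($_.Name -split '\\')[-1] -notin $allowedAdmins }
    & $add 'Local administrators limited' ($extra.Count -eq 0) (($extra.Name) -join ', ')

    # Password policy: minimum length 10. (Complexity itself is set through Group Policy.)
    $minLen = (net accounts | Select-String 'Minimum password length').ToString() -replace '\D', ''
    & $add 'Minimum password length >= 10' ([int]$minLen -ge 10) "Configured=$minLen"

    return $results
}

function Test-PwnedPassword {
    # k-anonymity range query: only the first 5 hex characters of the SHA-1 are
    # sent; the API returns every known suffix for that prefix and the match is
    # made locally. Returns how many times the password was seen (0 = not found).
    param([Parameter(Mandatory)][securestring]$Password)
    $plain  = [System.Net.NetworkCredential]::new('', $Password).Password
    $sha1   = [System.Security.Cryptography.SHA1]::Create()
    $hash   = [BitConverter]::ToString($sha1.ComputeHash([Text.Encoding]::UTF8.GetBytes($plain))) -replace '-', ''
    $prefix = $hash.Substring(0, 5)
    $suffix = $hash.Substring(5)
    # Add-Padding asks the API to pad the response so its size does not leak which prefix was queried.
    $body = Invoke-RestMethod -Uri "https://api.pwnedpasswords.com/range/$prefix" -Headers @{ 'Add-Padding' = 'true' }
    foreach ($line in ($body -split "`r?`n")) {
        $hashSuffix, $count = $line -split ':'
        if ($hashSuffix -eq $suffix) { return [int]$count }
    }
    return 0
}

Test-EndpointBaseline | Format-Table -AutoSize
$seen = Test-PwnedPassword -Password (Read-Host 'Password to check' -AsSecureString)
if ($seen -gt 0) { "Seen $seen times in breaches - do not use it" } else { 'Not found in Pwned Passwords' }
```

A password that passes the length and complexity rules but shows up in the breach list is still a weak password: attackers try those lists first, so treat a non-zero count as a FAIL like any other line in the table.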
Network / Firewall Hygiene – On any firewall, implement the following:
- Remove, or tightly restrict (allow only from specific source addresses and limit connection attempts), the common services, ports and protocols described above (ports 22, 23, 445, 1433 and 3389)
- If available, implement geo-blocking for countries you don’t do business in.
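The port guidance in the two lists above, for Windows servers and for the firewall, comes down to the same allow-list: default to blocking inbound, permit the few services you really need only from a management network, and audit for rules that quietly expose a risky port to everyone. As an added example (not from the original article), the script below does this with the Windows Firewall on a server; the same logic applies to a perimeter firewall. The management subnet 10.0.10.0/24, the rule prefix and the choice of RDP and SMB as the services still required are assumptions; run it as an administrator.

```powershell
# Added example: restrict the listed ports with the Windows Firewall.
# Subnet, rule prefix and the "still needed" services are assumptions.

$ManagementSubnet = '10.0.10.0/24'
$RulePrefix       = 'Baseline port policy'
$riskyPorts = @{ 22 = 'SSH'; 23 = 'Telnet'; 445 = 'SMB'; 1433 = 'SQL Server'; 3389 = 'RDP' }
$stillNeeded = @(3389, 445)   # assumption: RDP for administration, SMB for file shares

# 1. Every profile on, inbound blocked unless a rule explicitly allows it.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# 2. Windows ships allow rules for these services that accept connections from
#    anywhere. Disable those groups so only the scoped rules below apply.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue

# 3. Remove earlier copies of our rules so the script can be re-run safely.
Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# 4. Allow each needed port from the management subnet only. Everything else
#    in $riskyPorts has no allow rule at all and is covered by the default Block.
foreach ($port in $stillNeeded) {
    New-NetFirewallRule -DisplayName "$RulePrefix: allow $($riskyPorts[$port]) ($port) from management" `
        -Direction Inbound -Protocol TCP -LocalPort $port `
        -RemoteAddress $ManagementSubnet -Action Allow -Profile Domain, Private | Out-Null
}

# 5. Audit: report every enabled inbound Allow rule that exposes one of the
#    risky ports to any remote address, so a stray "allow from anywhere" stands out.
$exposed = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    $portFilter = $rule | Get-NetFirewallPortFilter
    $addrFilter = $rule | Get-NetFirewallAddressFilter
    $hits = @($portFilter.LocalPort) | Where-Object { $_ -in $riskyPorts.Keys }
    if ($hits -and ($addrFilter.RemoteAddress -eq 'Any')) {
        [pscustomobject]@{ Rule = $rule.DisplayName; Ports = ($hits -join ','); Profile = $rule.Profile }
    }
}
if ($exposed) { "Rules exposing risky ports to any address:"; $exposed | Format-Table -AutoSize }
else          { "No enabled rule exposes ports $($riskyPorts.Keys -join ', ') to any address." }
```

Note the order of the steps: Windows Firewall gives explicit Block rules priority over Allow rules, so the way to restrict a service to one subnet is a default-deny policy plus a scoped Allow, not a Block-from-anywhere rule next to the Allow.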
Multi-factor Authentication – MFA, commonly referred to as two-factor authentication, means combining something you know (a username and password) with something you have (a phone receiving an SMS code, or better, an authenticator app or hardware token, since SMS codes can be intercepted through SIM swapping). What MFA protects against is compromised credentials. If you give up your credentials, an attacker has the same access you do: they can read and send your email or log in to public-facing sites as you. Credentials are usually stolen through phishing emails or links that redirect to a page that looks identical to a popular login page such as Microsoft Outlook. Many scams, such as fraudulent invoices, start this way.
- Free tools in this space include Google Authenticator and Microsoft Authenticator
- Paid tools include Duo, Okta and RSA
In general, use MFA wherever you can. It is critical for email and VPN access. Without MFA on email and VPN, any successful phishing attempt turns into working credentials for your critical assets.
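As an added example (not from the original article), the script below works through the arithmetic an authenticator app such as Google or Microsoft Authenticator performs (TOTP, RFC 6238). It shows why the “something you have” factor holds up against phishing: the one-time code is derived from a secret shared only between the phone and the server, plus the current 30-second window, so a stolen password on its own is not enough, and a captured code expires within a minute. The Base32 secret below is the RFC 6238 test key, not a real one; the function names are this example’s own.

```powershell
# Added example: TOTP as computed by an authenticator app (RFC 6238 / RFC 4226).
# The secret is the RFC 6238 test vector, not a real shared secret.

function ConvertFrom-Base32 {
    # Authenticator secrets are shared as Base32 (RFC 4648); decode to raw bytes.
    param([string]$Base32)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $bits = -join ($Base32.ToUpper().TrimEnd('=').ToCharArray() | ForEach-Object {
        [Convert]::ToString($alphabet.IndexOf($_), 2).PadLeft(5, '0') })
    $bytes = for ($i = 0; $i + 8 -le $bits.Length; $i += 8) {
        [Convert]::ToByte($bits.Substring($i, 8), 2) }
    return [byte[]]$bytes
}

function Get-Totp {
    param(
        [string]$Base32Secret,
        [long]$UnixTime = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds(),
        [int]$Step = 30,
        [int]$Digits = 6
    )
    # Counter = whole time steps since the Unix epoch, encoded as 8 big-endian bytes.
    $counter = [long][math]::Floor($UnixTime / $Step)
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }

    # HMAC-SHA1 over the counter, keyed with the shared secret.
    $key  = [byte[]](ConvertFrom-Base32 $Base32Secret)
    $hmac = New-Object System.Security.Cryptography.HMACSHA1 -ArgumentList (,$key)
    $hash = $hmac.ComputeHash($msg)

    # Dynamic truncation (RFC 4226): 4 bytes starting at the offset given by the
    # low nibble of the last byte, top bit cleared, reduced to the wanted digits.
    $offset = $hash[$hash.Length - 1] -band 0x0F
    $binary = (($hash[$offset] -band 0x7F) -shl 24) -bor
              ($hash[$offset + 1] -shl 16) -bor
              ($hash[$offset + 2] -shl 8) -bor
              $hash[$offset + 3]
    $code = $binary % [int][math]::Pow(10, $Digits)
    return $code.ToString().PadLeft($Digits, '0')
}

function Test-TotpCode {
    # Server side: accept the current window and the neighbouring ones to allow for clock drift.
    param([string]$Base32Secret, [string]$Code, [int]$Drift = 1)
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    foreach ($w in (-$Drift)..$Drift) {
        if ((Get-Totp -Base32Secret $Base32Secret -UnixTime ($now + 30 * $w)) -eq $Code) { return $true }
    }
    return $false
}

# RFC 6238 test vector: the ASCII secret "12345678901234567890" (Base32 below)
# at Unix time 59 yields 94287082; the 6-digit code is therefore 287082.
$testSecret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'
"Code at t=59 : $(Get-Totp -Base32Secret $testSecret -UnixTime 59)   (expected 287082)"
"Current code : $(Get-Totp -Base32Secret $testSecret)"
"Verifies now : $(Test-TotpCode -Base32Secret $testSecret -Code (Get-Totp -Base32Secret $testSecret))"
```

Two practical consequences follow from the code: the server and the phone must keep reasonably accurate clocks (hence the drift window), and the Base32 secret is the whole of the second factor, so it must be handled like a password when it is enrolled and stored.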
Endpoint Detection & Response – EDR tools are more powerful than standalone anti-virus because they watch what processes do rather than only matching file signatures, and in many cases they are a necessary defense against ransomware. Tools in this space are numerous; some of the key ones include Cybereason, Carbon Black, CrowdStrike and SentinelOne. In some cases these tools also provide insight into your inventory that other tools won’t.
Network Segmentation – This is just what it sounds like, and it is difficult to do, particularly for companies that are large and have been around for several years. Quite simply, network segmentation separates systems from one another onto different network segments, with a firewall or access control list between them, to prevent what is known as lateral movement: an attacker who has compromised one machine moving on to the next.
Security Awareness Training – A complete list of free or low-cost security awareness training and/or videos can be found at: