IT managers are builders. And that’s great, when they have the resources to buy the components they need and the staff to operate them. But threat actors’ capabilities and tactics are advancing all the time, and the rise of long-cycle attacks that leverage “living off the land” tactics means that attackers can penetrate deeper into systems before exposing themselves to the detection mechanisms IT managers have painstakingly built.
Before you spend any more money tacking on to your existing security stack — or outsourcing management of it to an MSSP — I have four simple, inexpensive suggestions to fortify your systems just by properly configuring your existing technology and fully using the tools that come with your operating system.
Note: I am not saying that these included tools are as good as purpose-built or premium solutions. Adding premium options will improve your coverage, full stop. Nor am I saying that standing these up in a ‘one-and-done’ fashion will yield the preventative effect you are hoping for. These tactics must together become a cohesive strategy to configure for security. Whether you take it on internally, or ask for help from a partner, it’s not a tick-the-boxes list - this is the starting place for “configuring and architecting for security, first.”
So, that being (not) said - I am saying that there are ways to improve your security, without “buying a bunch of stuff”. It’s not just about what you have, it’s about how you have configured it - how have you architected for security? And, ultimately, that the whole is more than the sum of its parts. You will reduce risk more in taking these steps together, as part of the broader security focus I mentioned… So let’s get to the steps!
Introduce a Software Restriction Policy (SRP)
I’ve blogged about the reasons you need an SRP before. One such reason is that Windows is the operating system used by roughly 80 percent of all desktop computers worldwide, so SRP is a very accessible option. Use it to limit which scripts, applications, and other technologies are authorized to run on the OS. It can be applied to all your endpoints, or only to specific ones. Most malware depends on running executables or scripts; by locking down your endpoints with SRP you can remove the opportunities for an attacker to use them.
There are compliance benefits to using SRP as well; the experts behind the CMMC expect you to do this. Application allow listing (enabled through SRP) also shapes your users’ security culture and awareness, since it lets them enforce your standards. Barring environment-specific issues preventing you from doing so, utilizing SRP should be a priority for your Windows administrator; it is an economical way to defend against a wide assortment of malicious techniques.
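As an added example (not code from the original post), here is how a default-deny SRP with path-based allow rules can be applied and audited on a single machine from PowerShell, writing the same registry values that the Local Security Policy snap-in writes under the Safer\CodeIdentifiers key. The level constants and value names are the documented SRP ones; the rule descriptions and the extra disallow rules for user-writable folders under the Windows directory are my own choices. For a fleet, the same settings belong in a Group Policy Object rather than in local registry edits.

```powershell
# Added example: apply and audit a default-deny Software Restriction Policy on
# the local machine. Run in an elevated PowerShell session. Users must log off
# and back on (or reboot) before the new policy takes effect for their processes.

$Base         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # SAFER_LEVELID_DISALLOWED
$Unrestricted = 0x40000  # SAFER_LEVELID_FULLYTRUSTED

function Set-SrpDefaultDeny {
    # Default rule: anything not matched by an Unrestricted rule is blocked.
    New-Item -Path $Base -Force | Out-Null
    Set-ItemProperty -Path $Base -Name DefaultLevel -Value $Disallowed -Type DWord
    # 1 = enforce for executables and scripts; 2 = also check DLLs. Start at 1
    # and raise it once the allow list is stable, because 2 costs performance.
    Set-ItemProperty -Path $Base -Name TransparentEnabled -Value 1 -Type DWord
    # 0 = apply to all users, including local administrators.
    Set-ItemProperty -Path $Base -Name PolicyScope -Value 0 -Type DWord
    # File types SRP treats as executable (the stock list plus common script types).
    $types = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA',
             'INF','INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD',
             'PIF','REG','SCR','SHS','URL','VB','WSC','PS1','JS','JSE','VBS','VBE'
    Set-ItemProperty -Path $Base -Name ExecutableTypes -Value $types -Type MultiString
}

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$Level = $Unrestricted,
        [string]$Description = ''
    )
    # Each path rule lives under <level>\Paths\{guid}; ItemData holds the path and
    # may reference registry values with the %HKEY_...\ValueName% syntax.
    $guid    = [guid]::NewGuid().ToString('B')
    $ruleKey = Join-Path $Base ("{0}\Paths\{1}" -f $Level, $guid)
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name ItemData    -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name SaferFlags  -Value 0            -Type DWord
    Set-ItemProperty -Path $ruleKey -Name Description -Value $Description -Type String
}

function Get-SrpStatus {
    # Reports the default level and every path rule so the policy can be reviewed.
    if (-not (Test-Path $Base)) { return [pscustomobject]@{ Configured = $false } }
    $props = Get-ItemProperty -Path $Base
    $rules = foreach ($lvl in @($Disallowed, $Unrestricted)) {
        $paths = Join-Path $Base "$lvl\Paths"
        if (Test-Path $paths) {
            Get-ChildItem -Path $paths | ForEach-Object {
                [pscustomobject]@{
                    Level = if ($lvl -eq $Disallowed) { 'Disallowed' } else { 'Unrestricted' }
                    Path  = (Get-ItemProperty -Path $_.PSPath).ItemData
                }
            }
        }
    }
    [pscustomobject]@{
        Configured  = $true
        DefaultDeny = ($props.DefaultLevel -eq $Disallowed)
        ChecksDlls  = ($props.TransparentEnabled -eq 2)
        AdminsExempt = ($props.PolicyScope -eq 1)
        Rules       = $rules
    }
}

# Usage: default-deny, allow the OS and installed programs, then re-block the
# user-writable folders under the Windows directory that the first rule would
# otherwise allow.
Set-SrpDefaultDeny
Add-SrpPathRule -Path '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%' -Description 'Windows directory'
Add-SrpPathRule -Path '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%' -Description 'Program Files'
Add-SrpPathRule -Path '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%' -Description 'Program Files (x86)'
Add-SrpPathRule -Path '%SystemRoot%\Temp'  -Level $Disallowed -Description 'Writable by users'
Add-SrpPathRule -Path '%SystemRoot%\Tasks' -Level $Disallowed -Description 'Writable by users'
Get-SrpStatus | Format-List
```

Deploy in audit mode first: leave DefaultLevel at Unrestricted for a pilot group and watch Event ID 865/866 (SRP block events) in the Application log to see what would have been blocked, then flip to Disallowed once the allow rules cover your line-of-business software.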
Host Firewall Policy
Virtually any operating system you manage, be it Windows, Mac, or Linux, will have an inherent firewall capability. This is one of the more powerful defenses available on workstations and servers, and also one of the more overlooked, as people frequently find it a nuisance and turn it off. It’s often worth the inconvenience, however, as attackers depend on this capability being disabled or defeated to gain remote control of a system. Don’t allow inbound connections to any application you don’t need, and severely restrict which applications are allowed to connect out. Controlling your own network right at the host level will dramatically improve your security posture — for free.
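As an added example (not the post’s own code), the following PowerShell applies that host-level posture on Windows with the built-in NetSecurity cmdlets: all profiles on, unsolicited inbound blocked, outbound blocked by default with logging, and a short list of explicit outbound allowances. The domain controller addresses, the allowed browser path, and the log location are assumed placeholders to replace for your environment; the cmdlet names and parameters are the stock ones on Windows 8 / Server 2012 and later.

```powershell
# Added example: host firewall baseline plus an exposure report.
# Run elevated, and pilot it: default-deny outbound breaks everything you have
# not explicitly allowed, which is the point, but it is also how you find gaps.

function Set-HostFirewallBaseline {
    param(
        # Assumed values; replace with your own.
        [string[]]$DomainControllers      = @('10.0.0.10', '10.0.0.11'),
        [string[]]$AllowedOutboundPrograms = @('C:\Program Files\Mozilla Firefox\firefox.exe'),
        [string]  $LogPath                = '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'
    )
    # Turn every profile on, block inbound and outbound by default, and log drops
    # so that the inevitable "my app stopped working" has an answer in the log.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block `
        -LogBlocked True -LogFileName $LogPath -LogMaxSizeKilobytes 32767

    # Plumbing the host cannot function without. 'DNS' and 'DHCP' are keywords
    # the firewall resolves to the adapter's configured servers.
    New-NetFirewallRule -Group 'Baseline' -DisplayName 'Baseline: DHCP client' `
        -Direction Outbound -Action Allow -Protocol UDP -LocalPort 68 -RemotePort 67 | Out-Null
    New-NetFirewallRule -Group 'Baseline' -DisplayName 'Baseline: DNS (UDP)' `
        -Direction Outbound -Action Allow -Protocol UDP -RemotePort 53 -RemoteAddress DNS | Out-Null
    New-NetFirewallRule -Group 'Baseline' -DisplayName 'Baseline: DNS (TCP)' `
        -Direction Outbound -Action Allow -Protocol TCP -RemotePort 53 -RemoteAddress DNS | Out-Null

    # Domain membership (Kerberos, LDAP, SMB to SYSVOL, RPC): scoped to the DC
    # addresses only, and only on the Domain profile.
    New-NetFirewallRule -Group 'Baseline' -DisplayName 'Baseline: Domain controllers' `
        -Direction Outbound -Action Allow -Profile Domain -RemoteAddress $DomainControllers | Out-Null

    # Windows Update runs inside svchost.exe; allow it by service rather than by
    # opening svchost.exe (and therefore dozens of services) to the Internet.
    New-NetFirewallRule -Group 'Baseline' -DisplayName 'Baseline: Windows Update' `
        -Direction Outbound -Action Allow -Protocol TCP -RemotePort 80,443 `
        -Program '%SystemRoot%\System32\svchost.exe' -Service wuauserv | Out-Null

    # Per-program outbound allowances: the browser, not "everything on 443".
    foreach ($exe in $AllowedOutboundPrograms) {
        New-NetFirewallRule -Group 'Baseline' -DisplayName "Baseline: $(Split-Path $exe -Leaf)" `
            -Direction Outbound -Action Allow -Protocol TCP -RemotePort 80,443 -Program $exe | Out-Null
    }
}

function Get-HostFirewallExposure {
    # Every enabled inbound Allow rule, joined to its port and program filters,
    # i.e. what this host actually accepts from the network right now.
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Profile   = $_.Profile
            Protocol  = $port.Protocol
            LocalPort = $port.LocalPort
            Program   = $app.Program
        }
    }
}

# Usage: apply the baseline, then review what is still open inbound.
Set-HostFirewallBaseline
Get-HostFirewallExposure | Sort-Object Profile, LocalPort | Format-Table -AutoSize
```

The exposure report is the part worth running on every host even before the baseline: most machines carry years of inbound Allow rules added by installers, and each of those is a service an attacker can reach from a neighbouring host.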
Restricted Groups Policy
There exists a widespread misbelief, especially in the Windows community, that a domain administrator should be responsible for controlling every machine on the domain. In truth, the domain administrator account was never intended to hold such wide-ranging privileges, and when networks are put together this way an attacker only needs to steal one set of credentials to gain the keys to everything else.
An attacker needs to control multiple machines to do damage at a wide scale — and they’re only able to control multiple machines if the accounts they’re using are allowed to control them. To put it bluntly, having one account control your entire enterprise is a very high-risk move, and almost certainly unnecessary. Instead, enact a restricted groups policy that ensures no single account has access to multiple systems, and limits which accounts can access each system.
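As an added example (not from the original post), this PowerShell does the two things a Restricted Groups policy is built to do, but on demand: it inventories the local Administrators group across a set of machines and flags any single account that is an admin on more than one of them, and it resets a machine’s Administrators membership to exactly a given list, which is what the GPO’s “Members of this group” setting enforces. It assumes PowerShell Remoting is enabled and that the caller can read and change local group membership on the targets; the computer names and the CONTOSO principals are placeholders.

```powershell
# Added example: find and remove shared local-admin accounts.
# Requires PowerShell Remoting and the LocalAccounts module (Windows 10 / Server 2016+).

function Get-SharedLocalAdmins {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        # Principals you expect everywhere (a tier-0 group, for instance). They are
        # excluded from the report instead of flagged on every host.
        [string[]]$Expected = @('CONTOSO\Domain Admins')
    )
    # Invoke-Command stamps each returned object with PSComputerName, which is
    # what lets the membership rows be grouped per account across hosts.
    $members = Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' |
            Select-Object Name, ObjectClass, PrincipalSource
    }
    # The built-in local Administrator is named PC01\Administrator, PC02\Administrator,
    # and so on, so it never groups across machines; only domain accounts can.
    $members |
        Where-Object { $Expected -notcontains $_.Name } |
        Group-Object -Property Name |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Account  = $_.Name
                Type     = ($_.Group | Select-Object -First 1).ObjectClass
                Count    = $_.Count
                Machines = ($_.Group.PSComputerName | Sort-Object -Unique) -join ', '
            }
        } | Sort-Object Count -Descending
}

function Set-LocalAdministrators {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        # The complete desired membership; everything else is removed.
        [Parameter(Mandatory)][string[]]$Desired
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList (,$Desired) -ScriptBlock {
        param([string[]]$Desired)
        $current = (Get-LocalGroupMember -Group 'Administrators').Name
        foreach ($m in $current) {
            # The built-in Administrator cannot be removed from its own group, so skip it.
            if ($Desired -notcontains $m -and $m -notlike '*\Administrator') {
                Remove-LocalGroupMember -Group 'Administrators' -Member $m
            }
        }
        foreach ($d in $Desired) {
            if ($current -notcontains $d) {
                Add-LocalGroupMember -Group 'Administrators' -Member $d
            }
        }
        (Get-LocalGroupMember -Group 'Administrators').Name
    }
}

# Usage: report first, then enforce one machine at a time with its own admin group.
$fleet = 'PC01', 'PC02', 'FS01'              # constructed placeholder names
Get-SharedLocalAdmins -ComputerName $fleet | Format-Table -AutoSize
Set-LocalAdministrators -ComputerName 'FS01' -Desired @('CONTOSO\FS01-Admins')
```

The report is the finding the post describes: an account that is a local admin on ten workstations is ten machines an attacker controls after stealing one credential. The enforcement function mirrors the GPO behaviour of overwriting membership rather than merging it, so an account that was quietly added by an installer or a help-desk ticket is removed on the next run.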
Leverage the Antivirus capabilities of your endpoint OS
Make sure the free tools that come with your OS are turned on (if you don’t have a purpose-built solution that will conflict with them). Windows comes with Microsoft Defender, and Macs come with Gatekeeper. They might not be enough to stop cutting-edge ransomware, but they’re certainly better than running nothing at all (and while that is not the bar to aim for, you would be surprised how many SMBs run no AV at all). Again, this is just an initial step - you get what you pay for. Don’t take my word for it - PCMag recently reviewed and tested other free anti-virus tools, and cautions that “the best paid anti-virus software does offer more and better protection,” and that people looking to protect their business “should probably consider upgrading.”
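“Turned on” is a state that drifts, so here is an added example (not the post’s own code) that checks a Windows host for the usual “Defender is installed but not actually protecting anything” findings using the built-in Defender cmdlets, and fixes the ones that are settable from PowerShell. The cmdlet and property names are the stock ones from the Defender module; the three-day signature-age threshold is my own choice.

```powershell
# Added example: Defender posture check and repair. Run elevated.
# If a third-party AV is registered with Windows Security Center, Defender goes
# passive by design; the Mode field reports that, and the repairs do not apply.

function Test-DefenderPosture {
    param([int]$MaxSignatureAgeDays = 3)
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $findings = [System.Collections.Generic.List[string]]::new()

    if (-not $status.AMServiceEnabled)          { $findings.Add('Defender service not running') }
    if (-not $status.AntivirusEnabled)          { $findings.Add('Antivirus engine disabled') }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection off') }
    if (-not $status.BehaviorMonitorEnabled)    { $findings.Add('Behavior monitoring off') }
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings.Add("Signatures are $($status.AntivirusSignatureAge) days old")
    }
    if (-not $status.IsTamperProtected) {
        # Tamper protection is set from the Windows Security app or Intune, not Set-MpPreference.
        $findings.Add('Tamper protection off (prevents malware from switching Defender off)')
    }
    if ($pref.PUAProtection -ne 1) { $findings.Add('Potentially unwanted application blocking off') }
    if ($pref.MAPSReporting -eq 0) { $findings.Add('Cloud-delivered protection off') }
    if ($pref.ExclusionPath) {
        # Exclusions are the classic way Defender ends up "on" but blind to a folder.
        $findings.Add("Path exclusions present: $($pref.ExclusionPath -join '; ')")
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Mode     = if ($status.AMRunningMode) { $status.AMRunningMode } else { 'Unknown' }
        Healthy  = ($findings.Count -eq 0)
        Findings = $findings
    }
}

function Repair-DefenderPosture {
    # Re-enable the settable protections and refresh signatures. Exclusions are
    # deliberately left alone: review them by hand rather than deleting blindly.
    Set-MpPreference -DisableRealtimeMonitoring $false `
                     -DisableBehaviorMonitoring $false `
                     -DisableIOAVProtection $false `
                     -PUAProtection Enabled `
                     -MAPSReporting Advanced `
                     -SubmitSamplesConsent SendSafeSamples
    Update-MpSignature
    Test-DefenderPosture
}

# Usage
$posture = Test-DefenderPosture
$posture | Format-List
if (-not $posture.Healthy) { Repair-DefenderPosture | Format-List }
```

The same check is worth running on a schedule across the fleet, because the findings it reports (real-time protection off, stale signatures, broad exclusions) are precisely the conditions a long-cycle attacker is counting on. On a Mac the equivalent quick check for Gatekeeper is `spctl --status`, which prints whether assessments are enabled.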
While taking these steps won’t make your network invincible, utilizing all four could force long-cycle attackers to spend more time and cycles reconnoitering what accounts, scripts, and protocols are allowed on each system in order to coordinate an enterprise-wide assault. With so many hoops to jump through, a would-be hacker may just move on to an easier target.
Remember, these steps are meant to serve as a starting point. They are meant to get IT Managers and Administrators to consider at each stage “how am I configuring for security?” They are meant to allow IT VPs and directors to propose “how to use what they have” in situations where resources are limited.
With these four tactics implemented, your next challenge becomes validating their efficacy, and testing whether and when they fall down. I contributed to a white paper recently that discusses exactly that: “Testing and Validating the Maturity of Security Programs”. I even offer specific ways to see whether these steps are having the desired effect without engaging a consultant for a penetration test, so check it out for a deeper dive.