CYBERSECURITY RISK LOWERING CHECKLIST

The risks from cybersecurity attacks, whether external or internal, continue to grow. Leaders must make thoughtful and informed decisions about the level of risk they are willing to accept on behalf of the organization. This risk decision cannot be outsourced to IT staff; it must be made by the executive-level leaders responsible for organizational policies and controls.

This document lists relatively simple tactics for lowering cybersecurity risk. It is meant as a checklist leaders can use to make sure they are proactively involved in deciding how much cybersecurity risk they are taking. We've included multiple tiers of tactics and given general indications of the associated cost. Not all of these items will apply to your organization; the aim is a well-rounded set of tactics. Go through the list and find the ones your organization is not currently performing, then use it to facilitate a conversation with your technologists and vendors about options. (Marked items denote services provided by TriCorps Cybersecurity.)

Effort / Cost: LOW EFFORT + COST

Employee Training
Education around the types of common cyberattacks as well as protection tactics. Most organizations need a blend of periodic instructor-led sessions and e-learning modules for new team members who have not yet had the instructor-led training.

Employee Testing
Following training, the scenarios covered are acted out (e.g., social engineering attempts, emails with suspicious links, storage devices dropped around your building) to confirm that employees are actually following the protection advice.

Password Policy
Enforce a password policy setting requirements for the length and types of characters used as well as how often passwords must be changed. Note that current guidance (NIST SP 800-63B) favors long passwords screened against lists of known-breached passwords, plus multi-factor authentication, over mandatory composition rules and periodic rotation, since forced rotation tends to produce predictable variations of the same password.
Policies & Procedures
Enforce a screen lock policy detailing the situations in which the screen must lock and requiring a password to unlock it.

Technology
Antivirus/antimalware scanning at network ingress/egress points and on hosts. (Low to moderate cost.)

Technology
Implement content filtering for outbound web traffic using firewalls, web proxies/caches, or dedicated servers/applications that track and log web usage and alert you when people visit unauthorized sites or download unauthorized content. (Low to moderate cost.)

Technology
Enforce host-based firewalls on internal systems.

Physical Security
Physical access strengthening (e.g., locking server room doors, cameras, enforcing access controls at the front door and in other parts of the office). (Low to moderate cost.)
Tighter Security Policies / Governance Plans
(We can assist you with creating or strengthening your governance policies and procedures if needed.)
- Set access requirements for third-party vendors or contractors who need access to your network or data.
- Log activity across your network and data sources so that suspicious activity can be flagged and forensics performed after a breach.
- Enforce version and patching requirements on all software to avoid unnecessary vulnerabilities and benefit from the latest protections.
- Standardize access requirements and identify sources of harmful activity by monitoring the devices that access your network.

Policies & Procedures
Develop and continually improve infection and incident response plans. In the case of a major breach it is best practice to have a third party do the forensics to understand what led to the incident. (We can help you create an incident response plan and can do the post-breach forensics if needed.)

Technology
Restrict email attachment types known to spread malware by configuring your email server to block them, and keep all of its security updates current. Filter on content as well as file name; a renamed executable or a macro-enabled document passes a filter that only checks extensions.

Technology
Email security gateway to protect corporate users from spam and malware. (Low to moderate cost.)

Monitoring
Third-party scan for vulnerabilities on publicly exposed systems. Whether as a one-time service or continuous monitoring, have a third party check all of your public-facing ports to determine whether any are open unnecessarily or at risk due to known vulnerabilities. (Low to moderate cost.)
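As an added example (not part of the TriCorps checklist and not any mail gateway's code), the check below shows why an attachment filter should look at content as well as file names: it blocks by extension, including double extensions such as invoice.pdf.exe, then by the leading bytes that identify executables, then by opening Office/ZIP containers and looking for the vbaProject.bin member that holds macros or for blocked executables nested inside. The extension and signature lists, the Verdict type, and the sample attachments are all constructed for illustration.

```python
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass

# Extensions historically used to deliver malware by email. Checked against every
# dotted suffix of the name, so "invoice.pdf.exe" and "report.exe.pdf" are both caught.
BLOCKED_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "ps1", "msi", "jar", "lnk", "cpl", "reg", "iso",
}

# Leading bytes that identify executable content regardless of the file name.
MAGIC_SIGNATURES = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
}

ZIP_MAGIC = b"PK\x03\x04"
# Office Open XML documents (.docx/.docm/.xlsm ...) are ZIP containers; this member holds VBA macros.
MACRO_MEMBER = "vbaproject.bin"


@dataclass
class Verdict:
    allowed: bool
    reason: str


def _extensions(filename: str) -> list[str]:
    """All dotted suffixes of the base name, lower-cased ("a.pdf.exe" -> ["pdf", "exe"])."""
    base = filename.lower().replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    return parts[1:] if len(parts) > 1 else []


def _zip_members(data: bytes) -> list[str]:
    """Member names of an in-memory ZIP, or [] if the bytes are not a valid archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [name.lower() for name in zf.namelist()]
    except zipfile.BadZipFile:
        return []


def inspect_attachment(filename: str, data: bytes) -> Verdict:
    """Decide whether an attachment may be delivered, checking name first, then content."""
    for ext in _extensions(filename):
        if ext in BLOCKED_EXTENSIONS:
            return Verdict(False, f"blocked extension .{ext} in name")
    for magic, kind in MAGIC_SIGNATURES.items():
        if data.startswith(magic):
            return Verdict(False, f"content is a {kind} despite its name")
    if data.startswith(ZIP_MAGIC):
        for member in _zip_members(data):
            if member.endswith(MACRO_MEMBER):
                return Verdict(False, "Office document contains VBA macros")
            if any(member.endswith("." + ext) for ext in BLOCKED_EXTENSIONS):
                return Verdict(False, f"archive contains blocked member {member}")
    return Verdict(True, "ok")


def build_zip(members: dict[str, bytes]) -> bytes:
    """Build a small ZIP in memory; used here only to construct sample attachments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples, not real mail.
    samples = {
        "invoice.pdf.exe": b"%PDF-1.4 ...",
        "photo.jpg": b"MZ\x90\x00" + b"\x00" * 60,
        "quarterly.docm": build_zip({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"\x00"}),
        "quarterly.docx": build_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w/>"}),
        "notes.txt": b"see you at 3pm",
    }
    for name, content in samples.items():
        v = inspect_attachment(name, content)
        print(f"{name:16} {'ALLOW' if v.allowed else 'BLOCK'}  {v.reason}")
```

Two limits worth knowing when applying this on a real gateway: member names of a password-protected ZIP are still visible, but the contents are not, so unscannable archives should be treated as blocked rather than allowed; and nested archives would need the ZIP check applied recursively.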
End of Life Procedures
Ensure all drives are properly disposed of or wiped when decommissioned or after failure (servers, workstations, and copiers/printers with internal storage).

Connection Permissions
Only permit encrypted connections (e.g., SSH or HTTPS, not Telnet or plain HTTP) for device management.

Removing Default Credentials
Ensure default credentials are changed on all hardware and software added to your environment. Many products ship with a known default username and password, and until those are changed they are an access point for anyone outside your organization.

Vendor Login Protections
Have a policy for changing login credentials on all network hardware and software whenever an IT employee or contractor who has worked with those systems leaves your organization.

Effort / Cost: MODERATE EFFORT + COST

Internal Cybersecurity Audits / Assessments
Performed by third-party security firms. A thorough hands-on review and report on aspects of your environment such as access controls, malware defenses, physical security, wireless and mobile, change management, patch/update management, remote access, and backups and disaster recovery.

External Cybersecurity Audits / Assessments
Performed by third-party security firms. Consists of penetration testing, firewall and security device operation and configuration review, system change management appraisal, public-facing access evaluation, and more. The most common, penetration testing, is an examination of your network perimeter that looks for weaknesses an attacker could exploit to gain access to internal systems and data.
Cybersecurity Insurance
Obtain first-party and third-party liability insurance for cybersecurity risk and ensure the policies cover your needs. (TriCorps Cybersecurity can review your policy and offer advice if you need help with this.)

Network configuration strengthening for wired and wireless connections
- Utilize application-aware firewalls to protect publicly exposed systems.
- Place publicly exposed systems on the firewall's DMZ interface as much as possible, and restrict or prevent connections initiated from DMZ hosts to internal hosts. (Low to moderate cost.)
- Use WPA2 Enterprise (802.1X) for Wi-Fi where possible, or WPA2 Personal otherwise (WPA3 where devices support it); if a pre-shared key is used, do not share it, and only permit IT staff to configure devices. Create separate wireless networks for corporate and personal devices; access from corporate wireless devices to the internal network may be filtered, and access from personal devices to the internal network should be filtered. (Low to moderate cost.)

Consistent system updating and patching
As updates and patches are released for the hardware and software you own, apply them quickly to close the vulnerabilities they are designed to eliminate. (Low cost.)

Backups
Ensure regular system and data backups are available, both on-site (system images) and off-site (critical data), and ensure an adequate retention policy. Keep at least one copy offline or otherwise unreachable with production credentials, so that ransomware cannot encrypt the backups along with the data.

Drills
Run practice drills to test your incident response plans. (We can help you develop your incident response plans if you are starting from zero.) (Low to moderate cost.)
Access Controls
Test, set proper access restrictions, change default credentials, and make sure all updates/patches are current on all systems before they are deployed, especially those that will be reachable from the Internet. (Low cost.)

Configuring Auditing
Configure domain, file server, and SQL database auditing so that the company knows what changes were made, when, and by whom.

Encryption
Implement full-disk encryption on laptops so data stays protected if they are lost or stolen. (Low to moderate cost.)

Device Governance
Implement BYOD and mobile security so that company information can be wiped if a device is compromised or stolen. (Low to moderate cost.)

Ransomware Prevention
Implement policy to prevent ransomware/cryptolockers from launching (e.g., application whitelisting and blocking execution from user-writable locations such as temp and download folders). (Low cost.)

Device Updates
Ensure firewall and critical network device firmware are updated regularly. (Low cost.)

Network Access
Ensure unused network jacks are, at a minimum, administratively disabled on the switch, especially in conference rooms and other places that receive visitors; if Network Access Control (NAC) is used to control access, this becomes a significant rather than moderate effort. (Low to high cost.)

Firewall Configuration
Regularly review firewall configuration and ensure every access control list entry is documented (purpose, owner, and an expiry date for temporary rules). Look for rules that are overly broad, undocumented, or never matched because an earlier rule already covers them. (Low cost.)

Egress Filtering
Implement egress filtering by configuring your firewall to control traffic leaving your network: permit only the destinations, ports, and protocols your business needs and deny everything else by default. (Low cost.)
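Part of the firewall review described above can be automated. The following is an added example, not code from the checklist or from any firewall vendor: it models an ordered, first-match rule base as a list of Rule records (a constructed format, not any product's syntax) and flags undocumented rules, permit any/any/any rules, internal-to-anywhere permits that defeat egress filtering, and rules shadowed by an earlier, broader rule. The sample rule base and the 10.0.0.0/8 internal range are made up.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str   # "permit" or "deny"
    proto: str    # "tcp", "udp" or "any"
    src: str      # IPv4 CIDR or "any"
    dst: str      # IPv4 CIDR or "any"
    dport: str    # destination port as a string, or "any"
    comment: str = ""


def _net(cidr: str) -> ipaddress.IPv4Network:
    """Treat 'any' as the whole IPv4 space so it can be compared like a prefix."""
    return ipaddress.ip_network("0.0.0.0/0" if cidr == ANY else cidr, strict=False)


def _covers(outer: str, inner: str) -> bool:
    return _net(outer).supernet_of(_net(inner))


def _field_covers(outer: str, inner: str) -> bool:
    return outer == ANY or outer == inner


def review_rules(rules: list[Rule], internal_nets: list[str]) -> list[tuple[int, str]]:
    """Return (rule_id, finding) pairs for an ordered, first-match rule base."""
    internal = [ipaddress.ip_network(n) for n in internal_nets]
    findings: list[tuple[int, str]] = []
    for i, rule in enumerate(rules):
        if not rule.comment.strip():
            findings.append((rule.rule_id, "undocumented"))
        if rule.action == "permit":
            if rule.src == ANY and rule.dst == ANY and rule.dport == ANY:
                findings.append((rule.rule_id, "permit any-any-any"))
            elif (rule.dst == ANY and rule.dport == ANY
                  and any(n.supernet_of(_net(rule.src)) for n in internal)):
                # Internal hosts may reach anything on any port: there is no egress filtering.
                findings.append((rule.rule_id, "unrestricted egress"))
        # A rule can never match if an earlier rule already matches everything it would.
        for earlier in rules[:i]:
            if (_covers(earlier.src, rule.src) and _covers(earlier.dst, rule.dst)
                    and _field_covers(earlier.proto, rule.proto)
                    and _field_covers(earlier.dport, rule.dport)):
                findings.append((rule.rule_id, f"shadowed by rule {earlier.rule_id}"))
                break
    return findings


# Constructed sample rule base (first match wins), not a real configuration.
SAMPLE_RULES = [
    Rule(1, "permit", "tcp", "10.0.0.0/8", ANY, "443", "HTTPS out for users"),
    Rule(2, "permit", "tcp", "10.0.0.0/8", ANY, "80", "HTTP out for users"),
    Rule(3, "permit", ANY, "10.0.0.0/8", ANY, ANY),
    Rule(4, "permit", "tcp", "10.1.2.0/24", ANY, "443", "branch office web"),
    Rule(5, "deny", ANY, ANY, ANY, ANY, "default deny"),
    Rule(6, "permit", ANY, ANY, ANY, ANY, "temporary vendor access"),
]

if __name__ == "__main__":
    for rule_id, finding in review_rules(SAMPLE_RULES, ["10.0.0.0/8"]):
        print(f"rule {rule_id}: {finding}")
```

Rule 3 is the classic egress hole: it is undocumented and lets every internal host reach any address on any port, which also makes the two web rules above it pointless. Rule 6 is both fully permissive and unreachable behind the default deny, which usually means someone added it in a hurry and it will be "fixed" by moving it up. The shadow check is deliberately conservative: it only reports exact-port or any-port coverage, so port ranges and object groups in a real configuration would need to be expanded first.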
Disabling Unnecessary Services
Ensure unneeded services on network devices and servers are disabled. These are often programs bundled with your hardware or software that run at startup and listen on ports that are open by default. Disabling them reduces your attack surface. (Low cost.)

OS Malware Protection
Reinstall operating systems from known-good media upon receipt from the vendor; factory default installations have been known to include unwanted or malicious software. (Low cost.)

Limiting Internet-Facing Systems
Expose as few systems as possible to the Internet, restrict access by source IP where possible, and require a VPN for remote access where possible. (Low to moderate cost.)

Renaming the Default Domain Admin Account
Rename the built-in domain Administrator account, then create a decoy account named "Administrator" with no permissions and disable it; alert on any logon attempt against the decoy. Note that renaming is an obscurity measure only: the built-in account keeps its well-known relative identifier (RID 500) and can still be located by enumerating SIDs, so also restrict where it can log on and monitor its use. (Low cost.)

Secure Network Management
Properly secure network management protocols (e.g., only permit the management server to reach hosts via SNMP, and prefer SNMPv3 with authentication and encryption over community-string versions). (Low to moderate cost.)
Effort / Cost: SIGNIFICANT EFFORT + COST

Security/Threat Leadership
Assign a person to oversee security/threat information and take action as needed. This person should lead efforts to track and rank risks as well as execute plans when necessary.

Disaster Recovery
Disaster recovery planning and twice-yearly testing to make sure you are prepared for potential disasters and know exactly how long it will take to get operations back online after an outage. Testing ensures everyone knows their roles and backup responsibilities in any scenario. The most critical element is an absolutely dependable backup scheme in case data is corrupted by a cyberattack and must be restored from backup. (Moderate to high cost.)

Out-Of-Band Device Management
Configure out-of-band (OOB) management for network devices so they remain manageable when the production network is down or compromised. (Low to moderate cost.)

Intrusion Detection and Prevention
Implement network- and host-based Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) solutions. An IDS is a visibility tool that monitors traffic at many points in your network and alerts you to suspicious access. An IPS is an inline control, similar to a firewall, that blocks traffic according to rules set by the administrator. (Moderate cost.)
Security Information and Event Management
A Security Information and Event Management (SIEM) solution aggregates, correlates, and prioritizes security events in real time from firewalls, network devices, server and endpoint logs, NetFlow, SNMP traps, and IDS/IPS alerts so that attacks can be detected. (Moderate to high cost.)

Network Access Control
Implement Network Access Control (NAC) to enforce policies, including pre-admission endpoint security checks and post-admission controls, that govern how nodes are secured as they first join the network as well as where users and devices can go on the network and what they can do.

File Integrity Monitoring
Implement File Integrity Monitoring (FIM) and application whitelisting to ensure that changes to critical system and application files match known-good actions or content and were made by approved users.

Sandboxing
Implement malware sandboxing (a.k.a. detonation platforms) to analyze the behavior of suspicious code by executing it in an isolated, contained environment.

Data-Driven Threat Analysis
To become more effective at detecting breaches, companies need to bring together larger and more disparate internal datasets, comb through that data for known and unknown patterns, build correlations using more advanced techniques, and provide guidance on the anomalies and potential threats discovered. Companies need to incorporate big-data analysis for persistent threat detection.
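The correlation a SIEM performs can be illustrated with a single detection. This added example (not from the checklist or any SIEM product) runs a sliding-window rule over OpenSSH authentication lines in syslog format: five or more failed passwords from one source within 60 seconds raise a brute-force alert, and a successful login from that same source while failures are still in the window raises the alert that actually matters. The log lines are constructed, the thresholds are assumptions, and syslog timestamps are assumed to fall within one calendar year since they carry none.

```python
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime

# Matches OpenSSH password-auth outcomes in syslog format. Other sshd messages are ignored.
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_auth_line(line: str) -> dict | None:
    m = AUTH_RE.match(line)
    if not m:
        return None
    return {
        # Syslog has no year; strptime defaults to 1900, which is fine for differences in seconds.
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
        "result": m["result"],
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_brute_force(lines, threshold: int = 5, window_seconds: int = 60,
                       success_after: int = 3) -> list[tuple[str, str, str]]:
    """Correlate auth events per source IP over a sliding window.

    Returns (ip, alert_type, detail) tuples:
      brute_force            -> `threshold` or more failures within the window (once per source)
      success_after_failures -> a login accepted while `success_after` or more failures are in the window
    """
    recent_failures: dict[str, deque] = defaultdict(deque)
    already_flagged: set[str] = set()
    alerts: list[tuple[str, str, str]] = []
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None:
            continue
        q = recent_failures[ev["ip"]]
        # Drop failures that have fallen out of the window.
        while q and (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if ev["result"] == "Failed":
            q.append((ev["ts"], ev["user"]))
            if len(q) >= threshold and ev["ip"] not in already_flagged:
                already_flagged.add(ev["ip"])
                users = ", ".join(sorted({u for _, u in q}))
                alerts.append((ev["ip"], "brute_force",
                               f"{len(q)} failures in {window_seconds}s against {users}"))
        elif len(q) >= success_after:
            # A success right after a burst of failures is the event worth waking someone for.
            alerts.append((ev["ip"], "success_after_failures",
                           f"accepted login for {ev['user']} after {len(q)} recent failures"))
    return alerts


# Constructed sample log, not captured from a real host. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
Jan 12 03:14:07 gw01 sshd[4021]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 12 03:14:11 gw01 sshd[4023]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jan 12 03:14:15 gw01 sshd[4025]: Failed password for invalid user oracle from 203.0.113.5 port 51238 ssh2
Jan 12 03:14:20 gw01 sshd[4027]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Jan 12 03:14:24 gw01 sshd[4029]: Failed password for invalid user admin from 203.0.113.5 port 51242 ssh2
Jan 12 03:14:30 gw01 sshd[4031]: Failed password for bob from 203.0.113.5 port 51244 ssh2
Jan 12 03:14:41 gw01 sshd[4031]: Connection closed by 203.0.113.5 port 51244 [preauth]
Jan 12 03:14:52 gw01 sshd[4033]: Accepted password for bob from 203.0.113.5 port 51246 ssh2
Jan 12 03:15:00 gw01 sshd[4035]: Failed password for alice from 198.51.100.22 port 60012 ssh2
Jan 12 03:16:00 gw01 sshd[4037]: Accepted password for alice from 198.51.100.22 port 60014 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, kind, detail in detect_brute_force(SAMPLE_LOG):
        print(f"{kind:24} {ip:15} {detail}")
```

The single failed-then-successful login from 198.51.100.22 is a user mistyping a password and produces nothing, which is the point of the window and the success_after floor: a SIEM rule that fires on every failure is ignored within a week. In production the same logic runs across every host's logs at once, which is what catches a slow attacker rotating through one attempt per server.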
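As an added example of the file integrity monitoring described above (not the checklist's own code and not any FIM product), the script below builds a SHA-256 baseline of every file under a directory, rescans, and reports added, removed, and modified paths. demo() constructs a small temporary tree, tampers with it the way an intruder establishing persistence might, and returns the resulting report; the paths and contents are made up.

```python
from __future__ import annotations

import hashlib
import json
import os
import tempfile


def sha256_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Hash file contents in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root: str) -> dict[str, str]:
    """Map every regular file under root (path relative to root) to its SHA-256."""
    baseline: dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # the link target is hashed at its own path
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare_baselines(trusted: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between the stored baseline and a fresh scan."""
    return {
        "added": sorted(set(current) - set(trusted)),
        "removed": sorted(set(trusted) - set(current)),
        "modified": sorted(p for p in set(trusted) & set(current) if trusted[p] != current[p]),
    }


def _write(root: str, rel: str, text: str) -> None:
    """Create a file (and its parent directories) inside the constructed sample tree."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small tree, tamper with it, report the diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/hosts", "127.0.0.1 localhost\n")
        _write(root, "usr/local/bin/backup.sh", "#!/bin/sh\ntar czf /srv/backup.tgz /srv/data\n")
        _write(root, "etc/sudoers.d/ops", "ops ALL=(ALL) /usr/bin/systemctl\n")
        trusted = build_baseline(root)
        # Simulated intruder activity: add a line to a root-run script, drop a cron job,
        # and remove a sudoers rule.
        _write(root, "usr/local/bin/backup.sh",
               "#!/bin/sh\n/tmp/.x &\ntar czf /srv/backup.tgz /srv/data\n")
        _write(root, "etc/cron.d/persist", "* * * * * root /tmp/.x\n")
        os.remove(os.path.join(root, "etc", "sudoers.d", "ops"))
        return compare_baselines(trusted, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The value of FIM comes from where the baseline lives: keep it on a separate, read-only location (or sign it), because an attacker with root on the host can otherwise rewrite the hashes along with the files. Hashing contents rather than trusting size and modification time matters for the same reason, since both are trivially reset.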
WHAT NOW?

If you find that this checklist calls for levels of effort you need assistance with, contact info@tricorpscyber.com. We would be happy to help you prioritize next steps and move toward improved cyber health.