This was spurred by my “Back to Basics – why can’t we get this shit right?!” talk that I gave at CrikeyCon 2021. To help people fix these things, I have put together a checklist of basic security items that we should all be doing in order to further secure our environments! (Thanks for the idea Charlie!)
This is an incredibly quick and dirty list, created literally the night before I gave the talk, and it will be evolving over time to be more extensive and include more information.
Feel free to print out and check off the items you’ve done…and wave it in front of your management and techs for some ammunition to get things fixed!
Identify
Identify all of your infrastructure - systems, operating systems, patch levels, appliances, applications
Remove single points of failure - both people and technical
Assign and document responsibility and risk
Look for efficiencies - uplift systems, innovate your thinking
Plan for the worst - focus on the "when" not "if"
Improve your documentation - ensure all processes and procedures are documented
Educate your users - ensure they understand the WHY as much as the HOW
Protect
Improve security of older systems - don't just focus on newer, shinier systems
Eat your own dogfood - if you're asking your users to do it, you should be doing it
Password management and hygiene - ensure we're not using default passwords, insecure passwords or reusing passwords
Shared credentials - store securely (password managers) & manage your shared credentials securely
Service accounts - assign specific rights, do not assign Tier 0 level permissions
Least privilege - as an admin, have more than 1 account. Minimum of 2 (standard/admin) but can be up to 4 or 5, depending on
Utilise RBAC - assign rights using RBAC, ensuring that users are given the rights and permissions appropriate to their role
Enable MFA - enable MFA and risk-based conditional access for all accounts
Rank doesn't equal access - management shouldn't necessarily be given higher level privileges if they're not technical
Remove any/any rules - software firewalls should be enabled and, while any/any can be used for testing, it needs to be removed prior to production
AV/Anti-malware - ensure it's installed on all machines: end users, servers, personal etc.
Encryption - if you can turn it on, turn it on!
Application whitelisting - look for the applications that are highly used and lock down to these. Start with servers before moving to end-user devices.
Patching & Updating - ensure you're patching and updating all of your systems, appliances and software
Physical security - lockdown and secure your physical infrastructure
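As an added example (not part of the original checklist or talk), the "remove any/any rules" item can be turned into an automated check. The script below audits an iptables-save style dump for ACCEPT rules that carry no source, destination, port, interface or connection-state restriction, and for INPUT/FORWARD chains whose default policy is ACCEPT. The sample dump is constructed for the example; the rule syntax assumed is plain iptables-save output.

```python
"""Audit an iptables-save dump for any/any ACCEPT rules (added example)."""
from __future__ import annotations

import shlex
from dataclasses import dataclass

# Source/destination values that do not restrict anything.
UNRESTRICTED = {None, "0.0.0.0/0", "::/0", "anywhere"}


@dataclass
class Finding:
    line_no: int
    rule: str
    reason: str


def _opt(tokens: list[str], *flags: str) -> str | None:
    """Return the value following the first of *flags* found in tokens, else None."""
    for i, tok in enumerate(tokens):
        if tok in flags and i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def audit_iptables(dump: str) -> list[Finding]:
    """Flag default-ACCEPT policies and ACCEPT rules with no restricting match."""
    findings: list[Finding] = []
    for n, raw in enumerate(dump.splitlines(), 1):
        line = raw.strip()
        if line.startswith(":"):  # chain policy line, e.g. ":INPUT DROP [0:0]"
            chain, policy = line.split()[:2]
            chain = chain[1:]
            if chain in ("INPUT", "FORWARD") and policy == "ACCEPT":
                findings.append(Finding(n, line, f"default policy of {chain} is ACCEPT"))
            continue
        if not line.startswith(("-A", "-I")):
            continue
        tokens = shlex.split(line)
        if _opt(tokens, "-j", "--jump") != "ACCEPT":
            continue
        src = _opt(tokens, "-s", "--source")
        dst = _opt(tokens, "-d", "--destination")
        port = _opt(tokens, "--dport", "--sport", "--dports", "--sports")
        iface = _opt(tokens, "-i", "--in-interface", "-o", "--out-interface")
        state = _opt(tokens, "--state", "--ctstate")
        if (src in UNRESTRICTED and dst in UNRESTRICTED
                and port is None and iface is None and state is None):
            findings.append(Finding(n, line, "ACCEPT with no source, destination, port, interface or state restriction"))
    return findings


# Constructed sample dump: lines 3, 9 and 10 should be flagged.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -j ACCEPT
-A FORWARD -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for f in audit_iptables(SAMPLE_DUMP):
        print(f"line {f.line_no}: {f.reason}\n    {f.rule}")
```

Run it against `iptables-save` output before a system goes to production; anything it reports is either a leftover test rule or needs a documented justification. The loopback and ESTABLISHED,RELATED rules in the sample are deliberately not flagged, since those are the usual legitimate "accept everything" cases.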
Detect
Logging - make sure all of your logs (security, system, application) are being centrally stored and are being correlated by a SIEM
Watch the watchers - ensure all of your security systems are also being monitored
Tune your systems - spend time tuning your alert systems so that you're seeing more signal and less noise
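To show what "correlated by a SIEM" and "more signal, less noise" look like in practice, here is an added example (my own, not from the original post) of a small correlation rule run over constructed sshd log lines from three hosts. It alerts only when one source address accumulates a threshold of failed logins across at least two hosts inside a time window; the threshold, window and host count are the tuning knobs. With the knobs set to fire on everything, an admin mistyping their password twice produces an alert; with sensible settings only the spray across hosts does. The log format and host names are assumed for the example.

```python
"""Correlate failed SSH logins across hosts with tunable thresholds (added example)."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed format: "<ISO timestamp> <host> sshd[<pid>]: Failed password for [invalid user] <user> from <ip> port <n> ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample: one source spraying three hosts, one admin fat-fingering twice.
SAMPLE_LOGS = """\
2021-03-01T06:00:00 web01 sshd[1001]: Failed password for root from 203.0.113.7 port 40001 ssh2
2021-03-01T09:00:01 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 40100 ssh2
2021-03-01T09:00:20 web02 sshd[2201]: Failed password for root from 203.0.113.7 port 40101 ssh2
2021-03-01T09:00:45 db01 sshd[3201]: Failed password for invalid user admin from 203.0.113.7 port 40102 ssh2
2021-03-01T09:01:10 web01 sshd[1202]: Failed password for root from 203.0.113.7 port 40103 ssh2
2021-03-01T09:01:30 web02 sshd[2202]: Failed password for root from 203.0.113.7 port 40104 ssh2
2021-03-01T09:02:00 db01 sshd[3202]: Failed password for root from 203.0.113.7 port 40105 ssh2
2021-03-01T09:05:00 web01 sshd[1203]: Failed password for alice from 198.51.100.5 port 50000 ssh2
2021-03-01T09:05:07 web01 sshd[1204]: Failed password for alice from 198.51.100.5 port 50001 ssh2
2021-03-01T09:05:15 web01 sshd[1205]: Accepted publickey for alice from 198.51.100.5 port 50002 ssh2
"""


def parse_failures(text: str) -> list[tuple[datetime, str, str, str]]:
    """Extract (timestamp, host, user, source ip) from each failed-login line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["host"], m["user"], m["src"]))
    return events


def correlate(events, threshold: int = 5, window: timedelta = timedelta(minutes=5),
              min_hosts: int = 2) -> list[dict]:
    """One alert per source ip whose failures reach `threshold` across `min_hosts` hosts within `window`."""
    by_src: dict[str, list] = defaultdict(list)
    for ts, host, user, src in events:
        by_src[src].append((ts, host, user))
    alerts = []
    for src, evs in by_src.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):
            # Slide the window start forward until the span fits inside `window`.
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            span = evs[lo:hi + 1]
            hosts = {h for _, h, _ in span}
            if len(span) >= threshold and len(hosts) >= min_hosts:
                alerts.append({
                    "src": src,
                    "count": len(span),
                    "hosts": sorted(hosts),
                    "users": sorted({u for _, _, u in span}),
                    "first": span[0][0].isoformat(),
                    "last": span[-1][0].isoformat(),
                })
                break  # fire once per source at the first crossing, not on every later event
    return alerts


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOGS)
    print("untuned:", len(correlate(evs, threshold=1, min_hosts=1)), "alerts")
    for a in correlate(evs):
        print("tuned:", a)
```

The 06:00 failure from the same source is outside the five-minute window and is correctly ignored; this is the sort of thing a SIEM can only see once logs from all hosts land in one place with consistent timestamps.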
Respond & Recover
Create a culture where it's okay to mess up - making a mistake is not a bad thing, remove the blame game
Normalise asking for help - make sure people feel able and empowered to ask for help
Backup all of your data - ensure all of your data is being backed up and that those backups are tested
Disaster Recovery and Business Continuity Planning - ensure you have a plan, any plan!
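"Backups are tested" is the part of the backup item most often skipped. As an added example (not from the original post), the script below does the minimal honest test: it records a SHA-256 manifest of the source data at backup time, restores the archive into a clean directory, and compares the restored files against that manifest, reporting anything missing, corrupt or unexpected. The sample files and the tar.gz format are assumptions for the example; the same manifest-compare approach works for whatever backup tool you actually use.

```python
"""Back up, restore and verify a directory tree against a hash manifest (added example)."""
from __future__ import annotations

import hashlib
import tarfile
import tempfile
from pathlib import Path


def manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def create_backup(src: Path, archive: Path) -> dict[str, str]:
    """Write src into a tar.gz and return the manifest taken at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            tar.add(p, arcname=str(p.relative_to(src)), recursive=False)
    return manifest(src)


def compare_manifests(expected: dict[str, str], got: dict[str, str]) -> list[str]:
    """List every discrepancy between the backup-time manifest and a restore."""
    problems = [f"missing: {rel}" for rel in expected if rel not in got]
    problems += [f"corrupt: {rel}" for rel, d in expected.items() if rel in got and got[rel] != d]
    problems += [f"unexpected: {rel}" for rel in got if rel not in expected]
    return sorted(problems)


def restore_and_verify(archive: Path, expected: dict[str, str], restore_dir: Path) -> list[str]:
    """Restore the archive into restore_dir and return discrepancies (empty list = good backup)."""
    # Use the safe extraction filter where the running Python provides it.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(restore_dir, **extract_opts)
    return compare_manifests(expected, manifest(restore_dir))


def run_demo() -> tuple[list[str], list[str]]:
    """Constructed data: a clean restore, then a deliberately tampered one."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src = base / "data"
        (src / "sub").mkdir(parents=True)
        (src / "config.yml").write_text("listen: 443\n")
        (src / "sub" / "users.csv").write_text("alice,ops\nbob,dev\n")

        archive = base / "backup.tgz"
        expected = create_backup(src, archive)

        restore = base / "restore"
        restore.mkdir()
        clean_result = restore_and_verify(archive, expected, restore)

        # Simulate a bad restore (bit rot, wrong tape, partial write) and re-check.
        (restore / "config.yml").write_text("listen: 80\n")
        tampered_result = compare_manifests(expected, manifest(restore))
        return clean_result, tampered_result


if __name__ == "__main__":
    clean, tampered = run_demo()
    print("clean restore problems:", clean)
    print("tampered restore problems:", tampered)
```

Schedule something like this against a real backup on a regular basis and keep the manifests with the backups; a backup you have never restored is a hope, not a plan.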