This was spurred by my “Back to Basics – why can’t we get this shit right?!” talk that I gave at CrikeyCon 2021 – in order to assist people fixing these things, I have put together a checklist of basic security items that we should be doing in order to further secure our environments! (Thanks for the idea Charlie!)
This is an incredibly quick and dirty list, created literally the night before I gave the talk, and it will be evolving over time to be more extensive and include more information.
Feel free to print out and check off the items you’ve done…and wave it in front of your management and techs for some ammunition to get things fixed!
- Identify all of your infrastructure - systems, operating systems, patch levels, appliances, applications
- Remove single points of failure - both people and technical
- Assign and document responsibility and risk
- Look for efficiencies - uplift systems, innovate your thinking
- Plan for the worst - focus on the "when" not "if"
- Improve your documentation - ensure all processes and procedures are documented
- Educate your users - ensure they understand the WHY as much as the HOW

Protect
- Improve security of older systems - don't just focus on newer, shinier systems
- Eat your own dogfood - if you're asking your users to do it, you should be doing it
- Password management and hygiene - ensure we're not using default passwords, insecure passwords or reusing passwords
- Shared credentials - store securely (password managers) & manage your shared credentials securely
- Service accounts - assign specific rights, do not assign Tier 0 level permissions
- Least privilege - as an admin, have more than 1 account. Minimum of 2 (standard/admin) but can be up to 4 or 5, depending on
- Utilise RBAC - assign rights using RBAC, ensure that users are given the rights and permissions they need equivalent to their role
- Enable MFA - enable MFA and risk-based conditional access for all accounts
- Rank doesn't equal access - management shouldn't necessarily be given higher level privileges if they're not technical
- Remove any/any rules - software firewalls should be enabled and, while any/any can be used for testing, it needs to be removed prior to production
- AV/Anti-malware - ensure it's installed on all machines: end users, servers, personal etc.
- Encryption - if you can turn it on, turn it on!
- Application whitelisting - look for the applications that are highly used and lock down to these. Start with servers before moving to end-user devices.
- Patching & Updating - ensure you're patching and updating all of your systems, appliances and software
- Physical security - lock down and secure your physical infrastructure

Detect
- Logging - make sure all of your logs (security, system, application) are being centrally stored and are being correlated by a SIEM
- Watch the watchers - ensure all of your security systems are also being monitored
- Tune your systems - spend time tuning your alert systems so that you're seeing more signal and less noise

Respond & Recover
- Create a culture that it's okay to mess up - making a mistake is not a bad thing, remove the blame game
- Normalise asking for help - allow people to ask for help and feel empowered to ask for help
- Backup all of your data - ensure all of your data is being backed up and that those backups are tested
- Disaster Recovery and Business Continuity Planning - ensure you have a plan, any plan!
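One concrete way to act on the "Watch the watchers" and "Logging" items above is to check that every security system you expect to feed the SIEM is actually still sending events. The script below is an added example written for this checklist, not part of the original post; the event lines, source names (fw-edge-01, dc-01, av-console, edr-server) and the 30-minute threshold are constructed for illustration.

```python
"""Flag expected log sources that have gone quiet in a central log store."""
from datetime import datetime, timedelta

# Constructed sample of SIEM-style events: "<ISO timestamp> <source> <message>".
SAMPLE_EVENTS = """\
2021-02-27T09:00:00 fw-edge-01 deny tcp 10.1.1.5 -> 203.0.113.9:445
2021-02-27T09:05:00 dc-01 4624 logon success user=alice
2021-02-27T09:06:00 fw-edge-01 allow tcp 10.1.1.7 -> 192.0.2.10:443
2021-02-27T09:40:00 dc-01 4625 logon failure user=bob
2021-02-27T08:10:00 av-console heartbeat ok
"""

# Sources that must be monitored ("watch the watchers"): the security tooling
# itself, not just the systems it protects. Hypothetical names for this example.
EXPECTED_SOURCES = {"fw-edge-01", "dc-01", "av-console", "edr-server"}


def last_seen(events: str) -> dict[str, datetime]:
    """Return the most recent timestamp per source from the raw event text."""
    seen: dict[str, datetime] = {}
    for line in events.splitlines():
        if not line.strip():
            continue
        ts_text, source, _ = line.split(maxsplit=2)
        ts = datetime.fromisoformat(ts_text)
        if source not in seen or ts > seen[source]:
            seen[source] = ts
    return seen


def silent_sources(events: str, expected: set[str], now: datetime,
                   max_gap: timedelta) -> dict[str, str]:
    """Map each expected source silent for longer than max_gap to a reason.
    A source with no events at all is the worst case and is reported too."""
    seen = last_seen(events)
    silent: dict[str, str] = {}
    for source in sorted(expected):
        if source not in seen:
            silent[source] = "never seen"
        elif now - seen[source] > max_gap:
            silent[source] = f"last event {seen[source].isoformat()}"
    return silent


def audit_sample() -> dict[str, str]:
    """Run the check over the constructed sample with a fixed reference time."""
    ref = datetime.fromisoformat("2021-02-27T10:00:00")
    return silent_sources(SAMPLE_EVENTS, EXPECTED_SOURCES, ref, timedelta(minutes=30))


if __name__ == "__main__":
    for src, why in audit_sample().items():
        print(f"ALERT: {src} silent ({why})")
```

In a real deployment the reference time is the current time and the events come from the SIEM itself; the point is that a source that stops reporting should raise an alert rather than simply disappearing from the dashboards.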