Paul Watters, Ionize
Abbas Kudrati, Microsoft
Cyber security is often portrayed as something only large, deep-pocketed organisations can afford to do well.
Why?
Because modern cyber mythology would have you believe that you need to buy an awful lot of expensive software and services to “beat the bad guys”. However, with the huge investment made by the major IT infrastructure & cloud vendors, there’s an awful lot of great security tools that you’re probably already paying for, that you and your teams can leverage, if only you knew how to switch them on.
As security practitioners and evangelists, nothing makes us sadder (and sometimes angrier) than to see organisations’ defences being exploited through what is often a preventable attack. The purpose of this post is to help dispel some of the myths that lead to overblown cyber security plans, which as a result, are often never funded, and therefore never actioned. We then provide a list of relatively simple, inexpensive actions every business can take to tighten up their defences, and make themselves a less attractive target to opportunistic cyber criminals.
First up, let’s address the elephant in the room – the vendors who would have you believe that the socket to your network port is more dangerous to your business than a natural disaster, pitching a single product or approach that claims to be the “only way to truly secure your business against cyber attack.” The resulting technology cost to the business is often higher than that of the tools you use to generate actual business value, such as CRM and ERP software. Protecting the “crown jewels” shouldn’t cost more than the jewels themselves.
That is not to say that cyber attacks are something we should tolerate – quite the opposite. Responding to (and recovering from) a cyber incident can be extremely expensive. One of the authors worked on a methodology that estimated the tangible cost of a data breach (using a well-known Australian example) was in the order of $1.941m. This is why preventing, defending and detecting early are so important. When a detected event becomes an incident, costs begin to escalate rapidly, as more staff and tools are required for incident response, recovery and remediation.
High costs should not be a barrier to engaging with cyber security, and taking the responsibility to develop a cyber security plan, with clear executive visibility and responsibility ultimately accepted (and owned) by the board. The flip side is that many companies buy a single product or service offering and hope that it will work some dark magic to prevent all cyber attacks – this is really wishful thinking, as if you have something valuable to protect, you can be sure that someone else (at some point) will try to take it away.
Fortunately, there are many things which are free, or low cost, which can significantly reduce the cost of a cyber security program. In fact, some of them can be done even before an organization begins the journey of a cyber program. The examples we review in this blog are relatively straightforward, and may represent the beginning of your cyber journey. They also represent some examples from across the spectrum of cyber products and services, where we would typically recommend control implementation once a risk framework has been established.
There’s no doubt that for high value targets that getting a helping hand from a dedicated cyber security vendors can make a huge difference, but for the rest of us, what can be done?
Our free recommendations can be split into four categories; Prevent, Analyse, Formalise, & Educate. Let’s take a look at each, starting with Prevent.
Prevent (or at least slow them down)
Whilst nothing can be done to completely prevent a cyber breach, you can certainly make it as inconvenient as possible, knowing that most cyber criminals are businesses and like most business, they tend to avoid high-cost/low-return investments of their time and if you’ve made yourself just that little bit harder than average, chances are they’ll move on to a softer target. The great news is there’s a lot we can all do to make us a tougher target.
Windows Virus & Threat Protection
Included with Windows is everything you need to protect against most malware variants. You can undertake a “Quick Scan”, configure any “Allowed threats”, and enable real-time and cloud-delivered protection. You can also configure Controlled folder access to protect files, folders and memory from ransomware, and enable data recovery in the case of a ransomware attack. This is considered “Cyber 101” stuff, but amazingly, many (most?) endpoints remain unprotected.
Locked Screens and Secure Sign-on
Having a locked screen prevents unwanted physical access or modification while you are away from your desk. Windows allows you to use a range of unobtrusive measures like your face, a PIN, fingerprint, security key or password – or a combination of two of these. Combine with two-factor authentication for maximum impact.
Windows Firewall
You can setup Windows for “least privilege” access to the network by blocking all applications and services by default, and only enabling those which are absolutely necessary. This also protects you from new vulnerabilities which may arise in a network service that you may not even use.
App & Browser Control
You can enable reputation-based browser protection to make sure that you are better protected from malicious applications and websites. Windows also makes it harder for malicious software to access data in predictable places by implementing Address Space Layout Randomization (ASLR); this can be configured across the whole system, or on a per-application basis.
Secure Boot
Secure Boot makes sure that your system is not vulnerable to rootkits, spyware and other malware that tries to load malicious changes to the operating system. Alongside Core isolation features, such as requiring memory integrity checks, you can be more assured that Windows is operating the way it’s meant to.
Bitlocker
Bitlocker encrypts the hard drive of your laptop or desktop. This is a key control to prevent disclosure of confidential data if your system is lost or stolen. Be sure to backup your recovery key!
Analyse
Most consultants would suggest you start with an analysis before taking any action, but the steps we outlined above are so universally beneficial we’d argue that you should start with action before going into analysis. If you’ve skipped that bit, go and implement them now and then come back to the rest of this post later!
The purpose of this analysis is to help guide & prioritise longer term actions in context with your business priorities and circumstances.
The ACSC has a great tool for businesses known as the Cyber Security Assessment Tool (https://www.cyber.gov.au/acsc/small-and-medium-businesses/cyber-security-assessment-tool). This tool allows you to measure your cyber maturity by identifying strengths and weaknesses of your current cyber security posture, and suggestions for improvements.
For a low-cost commercial assessment, try the 100 Point Cyber Check (https://www.100pointcybercheck.com/), which provides an assessment of your current cyber posture across technical controls (networks and systems), operational controls, and legal and regulatory controls.
A range of financial institutions in Australia are required to comply with Prudential Standard CPS234 Information Security. Ionize provides a checklist for institutions to follow to ensure compliance with CPS234, covering board responsibilities, information security program requirements, required controls and the notifiable incident scheme.
Formalise
Once we’ve got a sense of your strengths and weaknesses, we’re ready to formalize company policy – the challenge with company policy is that it often winds up on a shelf somewhere, never to be read or actioned by anyone other than the author! Thankfully, there are some great tools you can leverage to both leverage the prior policy of organisations just like yours and then implement automated compliance monitoring.
Most organisations will need to develop a formal cyber security program, aligned to one or more internationally-recognised or nationally-mandated standards. These include NIST , CIS Critical Security Controls, and the ASD Essential Eight.
Microsoft Compliance Manager provides templates for 689 different standards and frameworks, which can be integrated with Microsoft 365 SaaS products to provide real-time compliance data. From a practical point of view, self-assessing using one or more frameworks can be critical if a regulator launches an investigation. For example, in Australia, eligible organisations must comply with the Privacy Act 1988 by taking “reasonable steps” – demonstrating what is reasonable will most likely require alignment of control sets to an international standard. More than 10 of these templates are free (eg, GDPR, ISO 27001, NIST etc) with additional templates such as Australia’s IRAP and ASD being premium (paid). Microsoft 365 Defender also have a cross-domain security suite, that integrates detection and response, with incident management, threat analytics and related activities, all within a single dashboard.
Educate
Ironically, the weakest link in any cyber security program is not the technology but the people. You can get everyting else above right, but if our staff are handing out their passwords or opening phishing emails, we’ve wasted our time. This is why awareness and education are so critical to s successful program. Again, this doesn’t need to be an expensive exercise.
NIST maintains a list of free or low-cost cyber security training modules. This includes content from a wide range of vendors and providers, such as short cyber awareness courses, CISO workshops, cyber fundamentals and free exercises. A standout program is Genius Armoury , which provides free basic cyber security training using universal basic instruction to introduce careers in cyber to a broader range of people. Finally, learn.microsoft.com has heaps of free training, including role based training and certificate based learning, plus explore the Microsoft Security Technical Content Library for all your skilling and readiness needs.
Conclusion
What became evident in producing this post is that the real cost of cyber isn’t always the technology, it’s getting good advice. Good cyber security shouldn’t be the domain of the few. We hope with this article we’ve been able to demonstrate not only that it can be cost effective, but that there are many simple things that each of us can do TODAY to make our businesses and our loved ones a tougher target for the bad guys.
Additional Resources
Microsoft Defender for Endpoint Ninja Training
Microsoft Defender for Identity Ninja Training
Microsoft Defender for IoT Ninja Training
Microsoft Defender for Cloud Ninja Training
Microsoft Defender for Office 365 Ninja Training
Microsoft Defender for Cloud Apps Ninja Training
Microsoft Sentinel Ninja Training
Microsoft 365 Defender Ninja Training
Becoming an Microsoft Sentinel Notebooks Ninja!
Microsoft 365 Advanced eDiscovery NINJA
https://lnkd.in/d5UGHZwx Azure Network Security Ninja Training https://lnkd.in/d-rkktJs