Knowing how to approach cyber security presents many challenges for small and medium-sized enterprises (SMEs). A few choose to outsource to managed service providers for peace of mind, while others take a DIY approach.
If you’re choosing to tackle cyber security yourself, there are a few crucial areas that need careful consideration. This checklist has been designed specifically for SMEs, but outlines important first steps for any business that takes its IT security seriously. Let’s get started!
1. Identify your assets
Start with identifying what you are trying to protect. This can include but is not limited to:
- External assets
- Internal assets
- Confidential and/or business critical data
It is crucial that your business maintains an up-to-date asset register. This will not only help you save money by reusing decommissioned assets, but will also ensure that nothing is left attached to the network that doesn't need to be. Dormant devices often go unpatched and become vulnerable, making them low-hanging fruit for attackers and malware.
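A register is only useful if you compare it against what is actually on the wire. The script below is an added example (not code from the original post): it reads a small asset register and the neighbour table of a Linux host (`ip neigh show`), then lists devices that are on the network but not registered, registered-as-decommissioned devices that are still answering, and active assets that were not seen. The CSV columns, the sample register and the neighbour-table lines are all constructed for illustration.

```python
"""Reconcile an asset register against devices actually seen on the network.

Added example, not from the original post. Assumes a CSV register with the
columns hostname,mac,owner,status and the output of `ip neigh show` on Linux.
The sample register and neighbour table below are constructed.
"""
import csv
import io
import re

# Constructed sample asset register (in practice, read this from your own file).
REGISTER_CSV = """hostname,mac,owner,status
fileserver01,00:11:22:33:44:01,IT,active
hr-laptop-03,00:11:22:33:44:02,HR,active
old-printer,00:11:22:33:44:03,Facilities,decommissioned
ceo-laptop,00:11:22:33:44:04,Board,active
"""

# Constructed sample of `ip neigh show` output from a host on the office LAN.
IP_NEIGH_OUTPUT = """192.168.1.10 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.23 dev eth0 lladdr 00:11:22:33:44:03 STALE
192.168.1.77 dev eth0 lladdr aa:bb:cc:dd:ee:ff REACHABLE
192.168.1.90 dev eth0  FAILED
"""

# <ip> dev <iface> lladdr <mac> ...; entries without a link-layer address are skipped.
NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+([0-9a-f:]{17})", re.IGNORECASE)


def load_register(csv_text):
    """Return {mac: row} keyed on the lower-cased MAC address."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["mac"].lower(): row for row in reader}


def parse_neighbours(output):
    """Return {mac: ip} for neighbour entries that carry a link-layer address."""
    seen = {}
    for line in output.splitlines():
        m = NEIGH_RE.match(line)
        if m:
            seen[m.group(2).lower()] = m.group(1)
    return seen


def reconcile(register, seen):
    """Classify devices into the three findings an asset owner needs to chase."""
    unknown = []                # on the wire but not in the register
    decommissioned_online = []  # register says retired, but still answering
    not_seen = []               # registered as active but silent (possibly dormant)
    for mac, ip in seen.items():
        row = register.get(mac)
        if row is None:
            unknown.append((mac, ip))
        elif row["status"] != "active":
            decommissioned_online.append((row["hostname"], mac, ip))
    for mac, row in register.items():
        if row["status"] == "active" and mac not in seen:
            not_seen.append((row["hostname"], mac))
    return {"unknown": unknown,
            "decommissioned_online": decommissioned_online,
            "not_seen": not_seen}


if __name__ == "__main__":
    findings = reconcile(load_register(REGISTER_CSV), parse_neighbours(IP_NEIGH_OUTPUT))
    for category, items in findings.items():
        print(category)
        for item in items:
            print("   ", *item)
```

A neighbour table only contains hosts that have talked recently, so "not seen" is a prompt to check, not proof that a device is gone; run the comparison from each VLAN over a working week, or feed in DHCP lease data as well, before deciding something is dormant.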
2. Asset interaction workshop
Identify and establish which assets are linked together and how they interact. Ask questions specific to your business such as:
- Where can I access each file share from?
- Can I access any corporate networks from the guest wifi?
- What are my most important assets and who can access them from where?
- If an attacker compromises a member of HR’s account, what can they access?
- What level of administrative privilege do staff have on website accounts?
It is incredibly common for businesses to think they have certain access controls in place when in reality there is a misconfiguration or an overlapping firewall rule. Make sure you manually test the answer to every one of the questions above; assuming everything is in order can prove to be a costly mistake. Test from the network in question: join the guest WiFi and try to open a file share, attempt to reach an internal server on the port its service actually uses, and log in as a standard user to see what they can read. A successful ping only shows that a host answers ICMP; it tells you nothing about whether the service on it is reachable or blocked, so exercise the real interaction rather than relying on ping alone.
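One way to turn the answers to those questions into a repeatable check is to write down each access path as an expectation and probe it from the relevant vantage point. The script below is an added example, not code from the original post: each entry says that, from the machine running it, a TCP port on a host should or should not be reachable, and the verdict flags the two failure modes separately (EXPOSED when something you believed blocked is open, BROKEN when a needed path is blocked). The hosts, ports and expectation list are constructed; the stand-alone demo uses a throwaway listener on localhost so it runs offline.

```python
"""Verify that access paths match the access controls you believe are in place.

Added example, not part of the original post. Each expectation says: from the
machine running this script, TCP `port` on `host` should (True) or should not
(False) be reachable. Run it from each vantage point you care about (guest
WiFi, office LAN, VPN). Hosts, ports and expectations below are constructed.
"""
import socket
import threading


def tcp_reachable(host, port, timeout=2.0):
    """True if a full TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(expectations, probe=tcp_reachable):
    """Compare each (label, host, port, expected) against a live probe.

    Verdicts: OK (matches expectation), EXPOSED (reachable but should be
    blocked), BROKEN (blocked but should be reachable).
    """
    results = []
    for label, host, port, expected in expectations:
        observed = probe(host, port)
        if observed == expected:
            verdict = "OK"
        elif observed:
            verdict = "EXPOSED"
        else:
            verdict = "BROKEN"
        results.append({"label": label, "host": host, "port": port,
                        "expected": expected, "observed": observed,
                        "verdict": verdict})
    return results


def mismatches(results):
    """Only the findings that need a human to look at them."""
    return [r for r in results if r["verdict"] != "OK"]


def _accept_loop(srv):
    # Accept and immediately close connections so the probe sees an open port.
    while True:
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            return


def demo():
    """Stand-alone run against a throwaway local listener and a closed port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    threading.Thread(target=_accept_loop, args=(srv,), daemon=True).start()
    open_port = srv.getsockname()[1]
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]  # released below, so connecting should fail
    tmp.close()

    # Constructed expectations; the second and fourth deliberately mismatch.
    expectations = [
        ("file share reachable from office LAN", "127.0.0.1", open_port, True),
        ("file share must NOT be reachable from guest WiFi", "127.0.0.1", open_port, False),
        ("RDP blocked from guest WiFi", "127.0.0.1", closed_port, False),
        ("printer reachable from office LAN", "127.0.0.1", closed_port, True),
    ]
    results = audit(expectations)
    srv.close()
    for r in results:
        print(f"{r['verdict']:8} {r['label']} ({r['host']}:{r['port']})")
    return results


if __name__ == "__main__":
    demo()
```

Keep one expectation file per vantage point and re-run it after every firewall or VLAN change; a BROKEN result found the same day is a quick fix, while an EXPOSED one found by an attacker is not. The `probe` argument exists so the verdict logic can be exercised with a stub, which is also how the test below drives it without touching the network.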
3. Identify the risks using DREAD
Now that you have an overview of asset interaction, assess the risks using DREAD. This risk assessment model was published by Microsoft and is applicable for every business from corner shop to multi-national bank.
- Damage – how bad would an attack be?
- Reproducibility – how easy is it to reproduce the attack?
- Exploitability – how much work is it to launch the attack?
- Affected users – how many people will be impacted?
- Discoverability – how easy is it for an attacker to discover the weakness?
Use this model in conjunction with a few attack scenarios such as:
- An employee being phished. Try it for each classification of staff member, such as:
  - Human Resources
  - IT team member
  - Board member or top-tier/upper management
  - General staff
- An infected device joining each network
- Business critical assets being compromised or taken offline, for example:
  - Domain controllers
- A disgruntled employee deleting or destroying assets
The higher the potential damage, the higher the priority for protecting those assets. Be as critical as possible when scoring each scenario with DREAD. Always identify the worst case and work out how to avoid it, or how to recover from it if it happens.
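The exercise above is easier to keep honest if the scores are written down and ranked rather than argued in a meeting. The block below is an added example, not from the original post: it scores each factor from 1 to 10 (10 being worst), averages the five into a single risk figure, which is a common DREAD convention, rejects out-of-range scores, and ranks the scenarios from the list above. The scenario scores and the High/Medium/Low thresholds are constructed illustrations, not recommendations; the point is that the ranking falls out of the scores rather than the loudest voice.

```python
"""Score and rank attack scenarios with DREAD.

Added example, not part of the original post. Each factor is scored 1-10
(10 = worst) and a scenario's risk is the average of the five factors. The
scenarios, their scores and the priority thresholds are constructed.
"""
from dataclasses import dataclass

FACTORS = ("damage", "reproducibility", "exploitability",
           "affected_users", "discoverability")


@dataclass(frozen=True)
class Scenario:
    name: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def score(self):
        """Average of the five factors; refuses scores outside 1-10."""
        values = [getattr(self, f) for f in FACTORS]
        bad = [v for v in values if not 1 <= v <= 10]
        if bad:
            raise ValueError(f"{self.name}: DREAD factors must be 1-10, got {bad}")
        return round(sum(values) / len(values), 2)


def priority(score):
    """Bucket an averaged score. Thresholds are a convention; tune to your risk appetite."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def rank(scenarios):
    """Highest risk first; ties broken by damage, since that is what you cannot undo."""
    ordered = sorted(scenarios, key=lambda s: (s.score(), s.damage), reverse=True)
    return [(s.name, s.score(), priority(s.score())) for s in ordered]


# Constructed scores for the scenarios listed in the text.
SCENARIOS = [
    Scenario("Phishing: IT team member", 10, 9, 8, 10, 9),
    Scenario("Phishing: HR", 8, 9, 8, 6, 9),
    Scenario("Phishing: general staff", 6, 9, 8, 7, 9),
    Scenario("Phishing: board member", 9, 7, 6, 5, 7),
    Scenario("Infected laptop joins guest WiFi", 4, 8, 7, 3, 8),
    Scenario("Domain controller taken offline", 10, 3, 4, 10, 5),
    Scenario("Disgruntled employee deletes file shares", 9, 6, 5, 8, 4),
]

if __name__ == "__main__":
    for name, score, level in rank(SCENARIOS):
        print(f"{score:4.1f}  {level:6}  {name}")
```

Note what the constructed scores bring out: a phished IT administrator outranks a domain controller outage even though the damage is equal, because the phish is cheap to reproduce and easy for an attacker to discover. Revisit the scores after each control you add; a phishing scenario should drop once least privilege from the next section is in place.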
4. Restrict access to a need-to-use basis
Access restrictions are key to preventing lateral movement by attackers and malware within your network. They also stop potential insider threats from snooping around areas of the network they have no reason to access. Now that you've performed the exercise above, consider each access path and determine whether the business process actually needs it to exist. If not, lock it down. Make sure you get permission first, otherwise you might ruin someone's working day!
For websites, minimise the use of administrative accounts for everyday activities such as content posting and analytics reviews. If a least-privileged website account is compromised through phishing or any other credential-harvesting attack, the impact will be much smaller and recovery quicker, and less embarrassing, minimising the risk to your reputation.
5. Draft or review your Bring Your Own Device (BYOD) policy
This is a big area of concern that is often overlooked, especially by SMEs. Do you allow staff to connect their phones and home devices to the corporate WiFi? If you do, you are carrying a large and unnecessary risk that should be addressed. Think about the impact of a staff member connecting their laptop to your network while it is infected with a worm such as WannaCry (hopefully you have patched by now).
Restricting wireless access is a great starting point. Aim to have as many devices as possible connected via ethernet. This will not only improve network performance, but will also reduce your exposure to wireless attack vectors.
Disable any floor ports that are not in use; an unused live port is a common entry point we look for during on-site penetration tests. For corporate WiFi, record the MAC address of each of your assets and use your wireless router's MAC filtering feature to reject unknown devices. This way, even if staff have the wireless password, the router will refuse their personal devices. Bear in mind that MAC filtering is a speed bump rather than a barrier: MAC addresses are transmitted in the clear and can be changed in software, so a determined attacker can copy the address of a permitted device. Treat it as a way to stop casual policy violations, and move to per-user authentication (WPA2-Enterprise with 802.1X) once you are able to manage it.
On the subject of wireless passwords: do not make them freely available. Once the wireless password has been entered on a company machine, a standard Active Directory user should not have the administrative privileges needed to retrieve it. This minimises the risk of employees leaving it around the office on sticky notes, or being socially engineered into handing it out.
6. Encourage a positive culture of security in the workplace
Security is often seen as a blocker by most employees and developers: a never-ending roll of red tape. The security community itself is largely at fault, as a lot of security professionals turn their noses up at the "lowly user" and assume they would click on every free holiday to Mauritius offered to them. This is a stereotype that needs to change.
Involve users in security processes and explain why certain things need to be restricted. Empower staff with the right training and stress that there are no stupid questions, no suspicious email not worth reporting and no strange computer behaviour worth ignoring. Practical examples often return the greatest results, so demonstrate a live hack if you have the tools available, or show a few short videos. Seeing how attacks work dramatically improves staff's ability to recognise them.
If you've followed all the steps above and still have questions about cyber security, our team would be happy to offer advice.