All organisations are at risk of cyber-attacks, no matter their size. Recent attacks have shown that while technology helps form a protective barrier for organisations, the need for a jointly accountable and layered approach to cybersecurity – incorporating technology, policies and procedures, and employee training and awareness – has never been more crucial. 

With that in mind, our cyber team have pulled together an expanded advisory list for our customers to consider. These items represent Datacom’s view of "priority for action" activity, based on what we are observing as the attack vectors in the most recent ransomware attacks.

Priority of action

Technical actions to consider

Establish Multi Factor Authentication (MFA)

Establish MFA on the user community, internally on your network and all other endpoints; this includes all standard, privileged and service accounts in your environment and connectivity to supply chain partners and support vendors.

On-prem Exchange Server

 If you are on an on-premise Exchange Server infrastructure:

  • Immediately review your patching levels – including all optional patches. The recommended mandatory patches are not enough to protect against the latest round of vulnerabilities. Co-existence environments with Exchange 2010 (for “legacy reasons”) remain vulnerable to authenticated user attacks, and environments with advanced load balancers also remain vulnerable unless specific protections are deployed on those load balancers.
  • Isolate the Exchange environment from the internet if / where at all possible – if you don’t need to be connected to the internet – don’t.  Essentially, activate a technical strike squad to remove servers from firewall NAT rules and encourage the prohibition of all outbound access from this generation of servers.
  • Migrate with speed to an alternate cloud-based mail platform. End-of-life or unsupported versions of Exchange should be decommissioned immediately.  Exchange 2010 provides a high level of privilege to Active Directory due to Windows 2000/2003 compatibility requirements.

Review backup policy and practice against best practice

  • Retention of all important data, including domain and AD configurations, system states, as well as operational and customer data.
  • Immutability of backups.
  • Are backups sufficiently isolated on the network or air-gapped?
  • Review best practices for data rehydration due to a cyber event, specifically application priority and backup policy alignment.
  • Use AI / ML on backups to see what configuration changes are occurring on the fly.
  • Consider if backups are ‘on network’ – move them off network and check that the access policy is appropriate and least-permissions based.

Ingress and egress review

Review all ingress and egress points on your network, cloud (public and private) and SaaS / PaaS.

  • Correct security configuration has been applied.
  • Infrastructure permissibility/user and system permissions are appropriate.

  • Scope – defunct domains, domain rationalisation (number of).

  • The number of domain admins and permission types – shut down permissiveness for convenience.

  • Service type and service owners for all ingress and egress.

  • Pay particular attention to lesser or unmanaged environments like staging and development.

  • Understand and secure where those environments may access the corporate network through service or user accounts – particularly privileged accounts.

  • Logging – review all logging and ensure traffic and assets are captured for analytics.

Review credential security

Enterprise password vault – mandate and audit compliance against strong password policy.

  • Consider forced password rotation on infrastructure/system on a much more regular basis than traditionally done – application and service impacts will need to be balanced against increased levels of security.
  • Ensure no credentials/keys/secrets are hard-coded into applications and systems.
  • Map service accounts to applications and make these transparent in the CMDB, along with service account and application owner clarity.
  • Consider the use of PAM/PIM systems and move towards “Just in Time” privilege (e.g. AzureAD, Thycotic, Centrify etc.)

Review encryption

At rest and in transit – a must for all systems – no exceptions. Manage the private keys securely.

Review identity and monitoring - AD controls

  • Review and implement best practices, including domain functional levels, legacy accounts and hardening.   

  • Review complexity and simplify.

  • Review Domain admin numbers and reduce / appropriate roles (permissiveness for convenience).

  • Strong audit and backup of system state.

  • Ensure logging is being sent to an identity-aware logging solution (to detect lateral and suspicious use).

  • Ensure time of day logging – why is an admin logging in at 3am?

  • Consider the use of Identity Agents (Defender for Identity, Crowdstrike) that hook into threat feeds and prevent the reuse of breached passwords and reuse of passwords on known poor lists.
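
The time-of-day check above ("why is an admin logging in at 3am?") can be expressed as a simple detection rule. The following is an added example, not part of the original advisory or any Datacom tooling; the log format, account names, UTC+12 site offset and 07:00-19:00 Monday-to-Friday business hours are all assumptions made for illustration.

```python
from datetime import datetime, time, timedelta, timezone

# Assumptions for this example (not from the advisory): privileged account
# names, a fixed UTC+12 site offset, and 07:00-19:00 Mon-Fri business hours.
PRIVILEGED = {"adm-jsmith", "svc-backup", "da-ops"}
SITE_TZ = timezone(timedelta(hours=12))
WORK_START, WORK_END = time(7, 0), time(19, 0)

# Constructed sample logon records: "timestamp|account|source host|result"
SAMPLE_LOG = """\
2021-06-14T21:05:11+00:00|adm-jsmith|WS-0142|success
2021-06-14T15:02:47+00:00|adm-jsmith|WS-0142|success
2021-06-14T22:30:00+00:00|jbloggs|WS-0077|success
2021-06-15T15:04:09+00:00|da-ops|UNKNOWN-HOST|failure
2021-06-19T01:15:30+00:00|svc-backup|BKP-01|success
not a log line
"""

def parse(line):
    """Return (local_dt, account, host, result), or None for unusable lines."""
    parts = line.strip().split("|")
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    if ts.tzinfo is None:
        return None  # a timestamp without an offset cannot be placed in site time
    return ts.astimezone(SITE_TZ), parts[1].lower(), parts[2], parts[3]

def off_hours_privileged(log_text):
    """List privileged logon events outside business hours or on weekends."""
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec[1] not in PRIVILEGED:
            continue
        local, account, host, result = rec
        weekend = local.weekday() >= 5          # Saturday=5, Sunday=6
        in_hours = WORK_START <= local.time() < WORK_END
        if weekend or not in_hours:
            stamp = local.isoformat(timespec="minutes")
            findings.append((stamp, account, host, result))
    return findings
```

Failed attempts are reported alongside successful ones, since an off-hours failure against a privileged account is as worth triaging as a success.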

Dark Web monitoring

Ensure you are enrolled in a Dark Web monitoring service for credential leakage. Pay particular attention to execs and administrative folks in your organisation.

Metrology

Review what is being logged and the retention policies as well as the ability to make changes to those logs.  

  • SoC / SIEM is mandatory for all systems that involve identity management and customer data. Minimum 90 days.

  • Make sure you have an adequate long tail of data for forensics – 90 days may not be long enough – longer is better and advised; threat actors persist in organisations for this reason. This will need to be balanced with the cost of retention.

  • Have metrology on identity – Azure, Okta, Crowdstrike etc – see point above.

Review supply chain - 3rd party supply chain vulnerabilities

  • Significant attack surface and vector – understand what in their technology means you are potentially vulnerable.

  • Audit with precision and consequence.

Application PII hashing

What are your hashing and token controls here?  Should you be hashing/obfuscating data at the record level?  Development environments should be especially included in these reviews.
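
As an added illustration of record-level hashing (not part of the original advisory), the sketch below replaces PII fields with keyed HMAC-SHA256 tokens, for example when production records are copied into development. It also shows why an unkeyed hash is a weak control: a guessable value such as an email address can be matched by hashing candidate values. The field names, sample values and key are constructed assumptions.

```python
import hashlib
import hmac

# Assumptions for this example: field names, sample values and the key are
# constructed; a real key belongs in a vault or KMS, never beside the data.
PII_FIELDS = ("email", "phone")
TOKEN_KEY = b"constructed-demo-key-not-for-production"

def normalise(value):
    """Canonical form so the same person always maps to the same token."""
    return value.strip().lower()

def plain_hash(value):
    """Unkeyed SHA-256: deterministic, so guessable values can be matched."""
    return hashlib.sha256(normalise(value).encode()).hexdigest()

def keyed_token(value, key=TOKEN_KEY):
    """HMAC-SHA256 token: stable for joins, not guessable without the key."""
    return hmac.new(key, normalise(value).encode(), hashlib.sha256).hexdigest()

def pseudonymise(record, key=TOKEN_KEY):
    """Copy a record, replacing only the PII fields with keyed tokens."""
    return {k: keyed_token(v, key) if k in PII_FIELDS else v
            for k, v in record.items()}

def reidentify(digest, candidates, hasher):
    """Review check: can a list of likely values be matched to a digest?"""
    for guess in candidates:
        if hmac.compare_digest(hasher(guess), digest):
            return guess
    return None

# Constructed sample record and candidate list for the review check.
RECORD = {"id": 17, "email": "Pat@Example.org", "phone": "+64 21 555 0100",
          "plan": "gold"}
LIKELY_EMAILS = ["sam@example.org", "pat@example.org", "kim@example.org"]
```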

Legacy technology

Migrate off all unsupported hardware, operating systems and databases now – don’t wait.  Most of these technologies have known unpatched exploits available to threat actors:

  • Servers

  • Endpoints

  • Database 

  • Middleware 

Data access and classification

 Review both policy and practice for data storage and classification standards.

  • Review data access and implement least privilege access.
  • Logging and alerting aligned to data classification.

Organisational actions

Contemporary policy review

Don’t delay and do it as soon as you can. If your IS / ITSM policies are two years or older – they are probably not comprehensive in today’s malware landscape.

Cybersecurity specific gap analysis

Conduct an audit of how your organisation’s existing cybersecurity posture stacks up against local standards / legislation and privacy requirements. Not only will it identify what you are doing right, but more importantly, it will also tell you where improvements need to be made to ensure you are keeping up with current legislation, best practices and latest technologies, and that you are not leaving your organisation open to attack.

People

People are simultaneously an organisation's strongest and weakest link and where the greatest opportunity to improve will likely lie.

Consider:

  • Comprehensive and frequent user education targeting cybersecurity awareness – including phishing simulation, password management practice and a general understanding of digital citizenry accountabilities both at home and in the workplace.
  • Auditing of user behaviour – practice against the policy. 
  • Use Dark Web Monitoring services to identify who in your organisation is most vulnerable and have plans in place to remediate compromised accounts regularly.

Practice versus policy

Audit it meaningfully – having the policy is one thing – do your people practice that policy? Think about having a published and understood minimum operating security standard. Test your business controls against the minimum standard regularly.

Security incident management

Does the organisation have a fit-for-purpose incident management construct that has both the capability and capacity to manage the dynamic and urgent nature of a security event – even small events are consuming? If not, do your partners have one?

BCP / Security runbooks

Does the organisation have a runbook for security incidents, including the approach to data capture and incident timeline catalogue? The time of an incident is definitely not the time to formulate your response to the emerging crisis.