Establish MFA on the user community, internally on your network and all other endpoints; this includes all standard, privileged and service accounts in your environment and connectivity to supply chain partners and support vendors.
If you are on an on-premises Exchange Server infrastructure:
Review all ingress and egress points on your network, cloud (public and private) and SaaS / PaaS.
Check that infrastructure permissions, and user and system permissions, are appropriate.
Scope – identify defunct domains and rationalise the number of domains.
Review the number of domain admins and the permission types granted – shut down permissions that exist only for convenience.
Identify the service type and service owner for every ingress and egress point.
Pay particular attention to lesser or unmanaged environments like staging and development.
Understand and secure where those environments may access the corporate network through service or user accounts – particularly privileged accounts.
Logging – review all logging and ensure traffic and assets are captured for analytics.
Enterprise password vault – mandate and audit compliance against strong password policy.
Encryption at rest and in transit – a must for all systems, no exceptions. Manage the private keys securely.
Review and implement best practices, including domain functional levels, legacy accounts and hardening.
Review complexity and simplify.
Review the number of domain admins and reduce it to appropriate roles (remove permissions granted for convenience).
Maintain strong auditing and backups of system state.
Ensure logging is being sent to an identity-aware logging solution (to detect lateral and suspicious use).
Ensure time-of-day logging – why is an admin logging in at 3am?
Consider the use of identity agents (Defender for Identity, CrowdStrike) that hook into threat feeds and prevent the reuse of breached passwords and of passwords on known weak-password lists.
Ensure you are enrolled in a Dark Web monitoring service for credential leakage. Pay particular attention to execs and administrative folks in your organisation.
Review what is being logged and the retention policies as well as the ability to make changes to those logs.
Make sure you retain an adequate long tail of data for forensics – 90 days may not be long enough; longer is better and is advised, because threat actors persist in organisations for extended periods. This will need to be balanced against the cost of retention.
Have telemetry on identity – Azure, Okta, CrowdStrike etc – see the point above.
Partners and vendors are a significant attack surface and vector – understand what in their technology means you are potentially vulnerable.
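The time-of-day and identity-logging points above, as an added example that is not part of the original checklist: a small Python check over constructed logon records that flags privileged logons outside expected hours, judged in the admin's local time zone rather than in UTC, so that "3am" means 3am for the person, not for the log server. The CSV layout, account names, maintenance window and time zones are assumptions for this example.

```python
from datetime import datetime, time, timedelta, timezone, tzinfo

# Constructed sample logon events (hypothetical CSV layout, not a vendor schema):
# UTC timestamp, account, source host, outcome. 2024-03-10 is a Sunday.
SAMPLE_LOG = """\
2024-03-11T08:15:02Z,alice.admin,WS-0412,success
2024-03-11T02:58:41Z,bob.admin,VPN-GW01,success
2024-03-11T13:02:10Z,carol,WS-0199,success
2024-03-11T03:10:33Z,svc-backup,BK-01,success
2024-03-10T22:45:00Z,alice.admin,WS-0412,failure
"""

# Assumed privileged accounts; in practice derive this from AD group membership.
PRIVILEGED = {"alice.admin", "bob.admin", "svc-backup"}
# Assumed approved maintenance window for a service account (local time, any day).
SERVICE_WINDOWS = {"svc-backup": (time(1, 0), time(5, 0))}
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # local working hours, Mon-Fri
UTC = timezone.utc
# Fixed offset for the example; use zoneinfo for a DST-aware production check.
SYDNEY = timezone(timedelta(hours=11), "AEDT")


def parse_event(line: str):
    ts, account, host, outcome = line.strip().split(",")
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))  # aware UTC datetime
    return when, account, host, outcome


def out_of_hours_admin_logons(log_text: str, local_tz: tzinfo) -> list[dict]:
    """Privileged logons outside expected hours, judged in local_tz."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, account, host, outcome = parse_event(line)
        if account not in PRIVILEGED:
            continue
        local = when.astimezone(local_tz)
        start, end = SERVICE_WINDOWS.get(account, BUSINESS_HOURS)
        in_window = start <= local.time() < end
        # Service accounts may run inside their window on any day; humans only Mon-Fri.
        expected = in_window if account in SERVICE_WINDOWS else in_window and local.weekday() < 5
        if not expected:
            alerts.append({"account": account, "host": host, "outcome": outcome,
                           "local_time": local.isoformat()})
    return alerts


if __name__ == "__main__":
    for tz in (UTC, SYDNEY):  # same events, different verdicts depending on the admin's locale
        print(tz.tzname(None), out_of_hours_admin_logons(SAMPLE_LOG, tz))
```

Note that the same five events produce two different alert sets: judged in UTC the 02:58 VPN logon looks suspicious, while judged in Sydney time it is mid-afternoon and the 08:15 UTC logon is the one that falls after hours.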
What are your hashing and token controls here? Should you be hashing/obfuscating data at the record level? Development environments should be especially included in these reviews.
Migrate off all unsupported hardware, operating systems and databases now – don’t wait. Most of these technologies have known, unpatched vulnerabilities with exploits available to threat actors:
Servers
Endpoints
Database
Middleware
Review both policy and practice for data storage and classification standards.
Don’t delay – do it as soon as you can. If your IS / ITSM policies are two years old or older, they are probably not comprehensive in today’s malware landscape.
Conduct an audit of how your organisation’s existing cybersecurity posture stacks up against local standards, legislation and privacy requirements. Not only will it identify what you are doing right, but more importantly it will also tell you where improvements need to be made to ensure you are keeping up with current legislation, best practices and the latest technologies, and that you are not leaving your organisation open to attack.
People are simultaneously an organisation's strongest and weakest link and where the greatest opportunity to improve will likely lie.
Consider:
Audit it meaningfully – having the policy is one thing – do your people practice that policy? Think about having a published and understood minimum operating security standard. Test your business controls against the minimum standard regularly.
Does the organisation have a fit-for-purpose incident management construct with both the capability and the capacity to manage the dynamic and urgent nature of a security event? Even small events consume significant effort. If not, do your partners have one?