Bob and I have now spent multiple years discussing the same thing: how to improve your district's security footprint. For most of that time many of you ignored our warnings as too hard, too expensive, or "on my list". But when a member of the family dies, everything becomes very real, and suddenly what was impossible becomes absolutely necessary.
The major breaches of districts in our region have been that canary in the coal mine for everyone else.
I am very proud of many of you. Suddenly reports that were never really read are scrutinized and I get questions: "Why does this backup fail every night?" Or, "Please add these people or this report." Or, "What does this report show me?" Servers and workstations are being examined for what is really on them and I get the question, "What is this software and why is it here on my server?" I get questions like, "Can we do this with 'less' rights?" Or, "Is there a way to do this safer?" It has suddenly become very real and very scary.
Keep those questions coming.
We have talked about advanced tools and services that can substantially reduce your attack surfaces. You should implement them.
However, some of you say you still cannot quickly find the money, or get full buy-in to do what we all know is really necessary. We can help you with some of that.
Hoping you won't have something bad happen is not a security strategy. In this day and age, it is probably a resume-generating event.
Also, I am hearing discussions about cyber security insurance companies critically looking at, "Did you do your due diligence on your end in properly securing the district from an attack?" That sounds a lot like the dreaded "reasonable and customary" that is always used to underpay on your medical claims. That is disturbing.
Here is what you can do TODAY:
- Are you sure that ALL your traditional antivirus is installed EVERYWHERE? You should have better, but it is what you have to work with now. I cannot tell you the number of servers that have absolutely no antivirus and how many workstations have broken antivirus that just sits broken. In this day and age that is just asking to die.
- Do you have all your antivirus on a central console so you actually see what is going on? Does someone look at it? Does it alert you?
- Do you know your definitions are downloading?
- Do you run scheduled scans?
Remember that Trickbot tends to sit around for a long time before it brings in its friends and kills you. Even reactive antivirus will eventually see these types of bad things, and a scheduled scan will minimize the likelihood that they go completely undetected, unless the malware gets a strong enough foothold that it can alter your antivirus.
- Do you have ALL Windows firewalls enabled on ALL servers and ALL workstations? If not, do this TODAY. I see this all the time. Generally, despite all the concern about the impact on the network, ABSOLUTELY NOTHING BAD HAPPENS TO ANYONE. Realistically you'll probably have zero to two people complain and need a custom firewall rule that will take you minutes to implement. Don't let fear of a trivial tweak keep you from aggressively implementing this. DEAD is a whole lot worse.
- Do your users have local administrator rights everywhere? I still see this in a lot of places. Turn this off TODAY. This is another thing that generally does absolutely nothing bad to anyone. And even if you have two people who complain, would you rather spend time finessing badly written software on two machines or be DEAD on ALL of your machines? It isn't a hard choice.
- Kill VNC
- Kill RDP
- Implement Microsoft's FREE Local Administrator Password Service (LAPS)
- Are you doing your Windows patching INCLUDING ALL your servers? Surprisingly, that is a no for many on the servers because they are a pain to patch.
- Are you patching third party apps? That is mostly a no.
- Have you implemented password protected screen savers?
- Do you have UAC turned on?
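A read-only audit of the checklist above on a single Windows host, added here as an example and not part of the original post. It assumes Microsoft Defender is the antivirus (a third-party product needs its own console check), that the legacy LAPS client lives at its default install path, and that any service mentioning "vnc" is a VNC server; run it elevated in PowerShell 5.1 or later, and it changes nothing.

```powershell
# Read-only audit of the "do this TODAY" items on one Windows host.
# Each finding is an object with Item, Status (OK/FAIL/CHECK) and Detail.
function Test-TodayChecklist {
    $f = New-Object System.Collections.Generic.List[object]
    $add = { param($i, $s, $d) $f.Add([pscustomobject]@{Item=$i; Status=$s; Detail=$d}) }

    # 1. Antivirus running and definitions current (Defender assumed here).
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $avOk = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled
        & $add 'Antivirus running' ($(if ($avOk) {'OK'} else {'FAIL'})) "RealTime=$($mp.RealTimeProtectionEnabled)"
        & $add 'Definitions current' ($(if ($mp.AntivirusSignatureAge -le 2) {'OK'} else {'FAIL'})) "Signature age $($mp.AntivirusSignatureAge) days"
    } catch { & $add 'Antivirus running' 'FAIL' 'Defender status unavailable; verify your AV console' }

    # 2. Windows Firewall enabled for every profile (Domain, Private, Public).
    $off = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | Select-Object -ExpandProperty Name
    & $add 'Firewall all profiles' ($(if ($off) {'FAIL'} else {'OK'})) "Disabled: $($off -join ', ')"

    # 3. Local Administrators: anything beyond built-in Administrator and Domain Admins needs a reason.
    $admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    $extra = $admins | Where-Object { $_ -notmatch 'Domain Admins$|\\Administrator$' }
    & $add 'Extra local admins' ($(if ($extra) {'CHECK'} else {'OK'})) ($extra -join ', ')

    # 4. RDP: fDenyTSConnections = 1 means Remote Desktop is off.
    $rdp = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections
    & $add 'RDP disabled' ($(if ($rdp -eq 1) {'OK'} else {'FAIL'})) "fDenyTSConnections=$rdp"

    # 5. VNC: any service whose name or binary path mentions vnc (heuristic, assumption).
    $vnc = Get-CimInstance Win32_Service | Where-Object { $_.Name -match 'vnc' -or $_.PathName -match 'vnc' }
    & $add 'VNC removed' ($(if ($vnc) {'FAIL'} else {'OK'})) (($vnc.Name) -join ', ')

    # 6. UAC: EnableLUA = 1.
    $lua = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').EnableLUA
    & $add 'UAC on' ($(if ($lua -eq 1) {'OK'} else {'FAIL'})) "EnableLUA=$lua"

    # 7. Password-protected screen saver for the current user (ScreenSaverIsSecure = 1).
    $ss = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
    $ssOk = ($ss.ScreenSaveActive -eq '1') -and ($ss.ScreenSaverIsSecure -eq '1')
    & $add 'Locking screen saver' ($(if ($ssOk) {'OK'} else {'FAIL'})) "Active=$($ss.ScreenSaveActive) Secure=$($ss.ScreenSaverIsSecure) Timeout=$($ss.ScreenSaveTimeOut)s"

    # 8. Legacy LAPS client present (default install path; assumption). Newer builds ship Windows LAPS built in.
    $laps = Test-Path "$env:ProgramFiles\LAPS\CSE\AdmPwd.dll"
    & $add 'LAPS client installed' ($(if ($laps) {'OK'} else {'CHECK'})) 'Legacy LAPS CSE check only'

    return $f
}

Test-TodayChecklist | Format-Table -AutoSize
```

Patching of Windows and third-party apps is not covered here because it depends on your patch tool's own reporting.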
I have much more, but all of this dramatically reduces your attack surface starting TODAY and doesn't require large expenditures of cash.
The key design principle is DENY the footprint and if it gets past that, know it is here and DENY lateral movement. You cannot kill what you cannot see.
When you don't know what to do, look at your tool set and ask, "What do I already have that, if fully implemented, improves my present visibility and reduces my present attack surface?"
I have mentioned a few times to people that I have been watching a lot of breach postmortems analyzed by ex-NSA guys among others. There are some common themes:
- Every attack used a long-known exploit for which a well-defined, stable patch existed, rather than a "day zero" attack.
- The bad guys were in the network for a long time and no one saw them.
- People were really lazy about all the basics I laid out above.
- The fact that they had an administrator level ID and had easy lateral movement shredded the site.
- Since they now have many actual recorded screen sessions of hacking attempts at various companies, they are seeing that sometimes the dumbest things, like a password-protected screen saver, leaving UAC on, turning on LAPS, and turning off RDP, make your site look too much like work for target-of-opportunity attackers, so they literally disconnect and look for a simpler site to hack.
- The average time to die is three minutes, down from four minutes.
- You need to expect a protection system to fail. Everything can be defeated. You need to have multiple layers of defenses - each looking at your network from different perspectives so that at least one protection layer stops, denies, kills, or alerts us to what is going on with enough time to save the network.
There is much more on the free list than space and time allow me to do now.
Do this while you are planning how to do all those other things. My list is the foundation regardless of what your more advanced next steps are.
We are happy to help you quickly implement all of this. We are happy to help plan and implement what you should be doing on top of this list.
Give us a call and let's talk about what your next steps are.
Have a wonderful Thanksgiving break!