The PacketWatch Dozen: 12 P's for Cyber Resilience

This week, Simon Taylor, Executive Vice President of PacketWatch, goes over the 'PacketWatch Dozen,' 12 "Ps" for cybersecurity resilience.

See how many of our "Ps" match your current security strategy:

1. Passwords

As of 2022, it's estimated that 24 billion usernames and passwords are available in cybercriminal marketplaces, like the dark web, according to research by Digital Shadows. Strong password management is critical.

• Use complex passwords, unique for each credential
• Change them often
• Don't store passwords in browsers; it may seem like a convenience, but it's also an opportunity for hackers who can steal them!

Password managers are an excellent solution.

2. Prerequisite

It should be a prerequisite to enable and use Multifactor Authentication (MFA) to access any service exposed to the Internet, such as email systems, remote access facilities, file storage, file transfer services, SaaS services, and bank accounts.

• Authentication apps are preferred over SMS codes.
• Multi-factor authentication should be enforced, not just enabled, for everyone.

Microsoft stated that there was only an 11 percent MFA adoption rate among its enterprise cloud users, according to a 2021 Systems Engineering article.

3. Patching

Most hackers use known, existing vulnerabilities for which patches already exist. Approximately 80 percent of the attacks observed throughout 2020 utilized vulnerabilities reported and registered in 2017 and earlier, according to a Checkpoint report.

Don’t leave yourself unnecessarily exposed.

• Have a defined weekly schedule for patching your servers and at least quarterly for other infrastructure.
• Schedule daily workstation patch checks and try to avoid user opt-outs where possible. No one should be considered a special case.
• Implement critical security patches immediately for Internet-facing infrastructure.

4. Protection

You can’t prevent every attack, but you can give yourself a fighting chance with some core security tools.

• Endpoint Protection: A high-quality endpoint detection and response (EDR) tool is critical. Invest and deploy it everywhere you can. (You’ll be glad you did!)

• Email Protection: Email is still the number one attack vector for hackers – implement SPF, DKIM, and DMARC and employ a decent email security/spam filter product or service.

• Web Traffic Protection: The web can be a dangerous place. Protect yourself with a DNS filtering service and consider using a Web Application Firewall (WAF).

5. People

‘Happy-go-clicky’ folks are always the weakest link in the chain.

Conduct regular security training that simulates real-world phishing and social engineering techniques, and don’t limit this to email-only.

PacketWatch has found rewarding good performers rather than punishing failures creates better incentives and outcomes.

Also, don’t give everyone admin privileges. Restrict admin capabilities to only those that absolutely need it for their jobs. Even then, make separate and specific accounts, not ‘daily drivers.’

6. Penetration Testing

Address vulnerabilities you have, hopefully, before hackers can exploit them.

• Conduct external vulnerability scans at least twice a year and internal scans once per quarter.
• Risk weight the results and execute a remediation plan.

Invest in custom Web-application penetration testing if your business relies on a Web-facing application or service. You will want to find weaknesses before malicious actors do.

7. Portfolio

You can’t secure what you don’t know about.

Create and maintain an inventory of all your hardware and software assets and understand how each fit into your business operations.

In the days of increasing privacy regulation, extend that to include an inventory of your data as well. You will want to take account of what it is, where it is, and what regulatory requirements may apply to it.

Asset discovery and management tools are available, but even a spreadsheet is better than nothing.

8. Perimeter

Even in the world of hybrid working, cloud computing, and SaaS services, most companies still have a network perimeter.

Protect this critical entry point to your network by:

• Implement a high-quality firewall and configure it to block any protocols that are not strictly necessary for your business operations.

• Implement geo-filtering where possible and only permit traffic with countries necessary for your business. Block any traffic to/from countries on the OFAC sanctions list.

• Create a demilitarized zone (DMZ) and place any external-facing services within it, with tightly restricted connections into the internal network.

9. Protocols

Don’t restrict protocols just at your perimeter firewall.

• Remove any unnecessary, vulnerable, and insecure protocols from within your network. Almost no one needs certain address resolution protocols like:
  • Link-Local Multicast Name Resolution (LLMNR)
  • Multicast DNS (mDNS)
  • Simple Service Discovery Protocol (SSDP)
• Avoid clear-text protocols that can expose user credentials and sensitive data, such as:
  • File Transfer Protocol (FTP)
  • Simple Mail Transfer Protocol (SMTP)
  • Simple Network Management Protocol (SNMP)
• Ensure that you are not allowing legacy Transport Layer Security (TLS) and Server Message Block (SMB) protocols, which are vulnerable to snooping and abuse.
  • Remember WannaCry? Look it up.

10. Proven

Data backups are critical to protect against attacks like ransomware or destructive malware.

Backups are important for disaster recovery and business continuity (BCDR), but only if they are tested and shown to be reliable when you need them.

We recommend performing file restore testing on at least a monthly basis to assure yourself that your backups are valid.

Following the “3-2-1” model is also best practice:

• 3 copies of data (original and two copies)
• 2 different types of media
• 1 copy offsite and “immutable” (cannot be directly accessed or altered by an attacker)

No one wants to fund criminals (and increasingly risk sanctions) by having to pay a ransom to try to get your data back.

11. Preserve

Log files and other event data for conducting proactive threat hunting and retrospective forensic analysis.

It's great if you have a Security Information and Event Management (SIEM) tool, but there are other less expensive ways to aggregate and retain logs. It is most critical to have the logs for when you need them. You will also need to take note of any industry regulations or legal requirements that necessitate retaining them for set periods of time.

Ensure you have maximum visibility across your entire operations, including server, endpoint, network, infrastructure, and cloud services.

PacketWatch advocates for having full network packet capture capabilities within your network. Having PCAPs allows you to ‘go back in time’ and replay network traffic when you need to perform investigations.

Remember, not all infrastructure can support tools like EDR, such as the Internet of Things (IoT), Industrial Control Systems (ICS), and Supervisory Control and Data Acquisition (SCADA) systems.

However, everything must talk on the network.

12. Plan

Don’t wait for an incident to suddenly try to work out what you’re going to do.

Have an incident response plan ready and written, clearly stating what needs to be done, and who needs to do what.

Of course, a plan is no good if you don’t practice it. Conduct regular incident response tabletop or simulation exercises to create ‘muscle memory’ so everyone knows what’s expected of them in a time of crisis.

Also, don’t put yourself under the stress of having to find an incident response partner at 5 p.m. on a Friday. Prepare yourself with an IR Retainer with a trusted provider so you know you’ll get priority service.

Conclusion

As much as PacketWatch excels at incident response, we would rather not have to meet our clients under such traumatic circumstances. By following the 'PacketWatch Dozen,' we are confident you’ll sleep a lot easier, and we can look forward to meeting you calmly and pleasantly without "that" phone call!