ICT department: How to get a company into the newspaper?
Are your marketing colleagues wondering how to get your business onto the front pages of the newspapers for sure? We have a guaranteed tip for how the ICT department can help: get infected with ransomware and don't try to keep it a secret.
Ransomware. A reliable way to the front page.
You would probably have to turn off the televisions, the radios and the Internet to miss what has happened in several Czech companies and institutions in recent months. After a ransomware attack, organizations returned from the digital age almost to prehistory. In our country this is a relatively new phenomenon; abroad it is a journalist's daily bread.
The publicity, although negative, was unprecedented. Try paying for your logo on air, on the front page of the printed newspapers and in every industry publication; it will not be cheap. In such a case, not only crisis communication begins, but also ICT crisis management.
Investigating such an incident usually turns up a colleague called "Someone". A colleague who works part-time in almost every other company. Because this colleague:
Someone did not believe.
Someone did not want to.
Someone did not update.
Someone did not respond.
Someone did not set it up correctly.
Someone bought and forgot.
Someone considered Password1 as a password.
Someone did not follow the procedure, the regulation, the standard.
Someone considered the stamp from the auditor to be sufficient.
Someone considered security to be working, out of ignorance.
Once the incident that half the republic has heard about has taken place, all you have to do is pronounce the obligatory sentences: you have a quality team of leading ICT specialists, you are working in coordination with the security forces, and until the incident and the investigation are closed you cannot comment on it.
In the background, you hope the incident simmers down. You quietly wait for the final bill for the lost profit, unless you are a state institution. And you prepare a press release on how the heroic performance of that team of leading experts overcame the whole evil world outside. Ideally in the form of a talk at a respectable conference.
While your marketing colleagues smile at the rising graph of searches for the word ransomware combined with the company name, you can only hope that the same colleague "Someone" mentioned above will suddenly do his job properly. Or at least better than last time.
And this colleague is also the reason for this article. To find a more capable Someone, maybe a female colleague, to take his place. Because she will explain to you that it can happen to you too!
Data. Identity. Device. Application. Data.
So, if you don't want to take advantage of this "cheap" marketing, let us introduce ten basic points to focus on. Points concerning the fundamental pillars of ICT security. Security that does not hinder the users. Of course, this is not a dogma. But it is a reasonable start.
Point one: Bulletproof backup
Proper backup is a must, because we have to work with the idea that even the best security can be overcome by someone. It is only a matter of time, money, and the attacker's knowledge versus the defender's. Or of the simple probability that a failure will occur. A failure of a person, or of the machine itself.
However, backup alone will not help. It is only a reaction to an incident. And it is a reaction that usually leads to recovery to the state before the incident. Probably to the point where the same incident can occur again.
At the same time, it is not the solution to the media crisis, because a backup is already expected. You are expected to tell the media what percentage of the environment, systems and data has already been restored.
Whether you have set up your backup strategy correctly and well only becomes clear when you need to carry out a recovery. So please do not think about backup in terms of how many copies of the data you have and where you store them, but in terms of how you can do the recovery. Of a file. Of a system. Or of the whole environment on a green field.
Tip: OneDrive for Business can recover data up to 30 days back. You can save documents there, and also the desktop of a computer running Windows 10. Together with Windows Defender, it can prevent data from being encrypted by an unknown application. Azure Backup or Azure Site Recovery then allow you to recover the data of the remaining servers or to run the entire production in the cloud in the event of a failure or incident in the local environment.
Point two: Regular updates.
We would not know about most incidents if all the applications and systems in the environment were properly updated, because the incidents simply would not happen. Most untargeted threats exploit vulnerabilities that are fixed in newer versions. And not versions released yesterday, but versions released even a few years ago.
Systems in the environment that are beyond the manufacturer's support, do not receive security updates and are connected to the Internet: that is the holy grail for an attacker.
Today it is no longer just operating systems, but office applications, internet browsers, special file readers, web and content management systems that can run code on servers and have access to a customer database. It is also network devices and the firmware of the smart boxes of the Internet of Things.
And yes, even Windows 10 needs to be kept up to date, as new versions are released up to twice a year. Set up regular cycles to check and update these systems in your environment. Test new versions.
Tip: With Microsoft Endpoint Manager, you can manage not only the distribution of updates to your client and server operating systems. Use Microsoft Defender Advanced Threat Protection to monitor vulnerabilities in the environment, as well as configuration errors and deficiencies.
Point three: Quality password.
Passwords are often the only thing that protects your systems and data from an attacker. And hopefully these passwords are of high quality: long enough, complex and, above all, unique. Passwords that users do not also use in e-shops and private e-mail. That they do not write on yellow sticky notes under the monitor or in a passwords.txt file on the desktop.
Do you force users to change their password every 30 days, or never? The correct value probably lies somewhere between. Do you teach users to use passwords correctly and monitor their misuse? And can you even tell apart a regular user and an attacker entering the same password? Maybe based on the location of the login or the device?
Do users have to remember a password for each system? Each with a different requirement for change and complexity? Perhaps it would be easier to use single sign-on (SSO) and protect the main entrance to the company rather than ten systems separately.
Tip: Azure AD Premium can not only enforce a password that doesn't contain selected keywords, but also alert you to non-standard user account activity, such as impossible travel in time and space. Microsoft Cloud App Security identifies non-standard activities within the services, such as unusual file downloads.
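To show what "impossible travel" means in practice, here is an added example (not code from the original article or from any Microsoft product) that runs the check over constructed sign-in records: consecutive logins of the same user are compared, and a pair whose implied speed exceeds an assumed airliner-speed threshold means the same password was used from two places one person could not both have been at. The user names, timestamps, coordinates and the 1000 km/h threshold are all assumptions made for the illustration.

```python
import math
from datetime import datetime, timezone

# Constructed sign-in records (illustrative, not real log data):
# (user, UTC timestamp, city, latitude, longitude).
SIGNINS = [
    ("jana", "2020-03-02T08:05:00Z", "Prague", 50.0755, 14.4378),
    ("jana", "2020-03-02T09:40:00Z", "Brno", 49.1951, 16.6068),
    ("jana", "2020-03-02T10:10:00Z", "Singapore", 1.3521, 103.8198),
    ("petr", "2020-03-02T07:00:00Z", "Prague", 50.0755, 14.4378),
    ("petr", "2020-03-03T07:30:00Z", "Prague", 50.0755, 14.4378),
]

# Assumed threshold: faster than an airliner means one person cannot have
# made both sign-ins, so the credential is being used from two places.
MAX_SPEED_KMH = 1000.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def impossible_travel(signins, max_speed_kmh=MAX_SPEED_KMH):
    """Return one alert per consecutive sign-in pair whose implied speed is impossible."""
    alerts = []
    last = {}  # user -> most recent sign-in seen so far
    for user, ts, city, lat, lon in sorted(signins, key=lambda r: (r[0], r[1])):
        if user in last:
            pts, pcity, plat, plon = last[user]
            hours = (parse_ts(ts) - parse_ts(pts)).total_seconds() / 3600.0
            dist = haversine_km(plat, plon, lat, lon)
            # Same second from a different place is still impossible; same place is fine.
            speed = dist / hours if hours > 0 else (math.inf if dist > 0 else 0.0)
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from": pcity, "to": city,
                               "km": round(dist), "hours": round(hours, 2),
                               "kmh": round(speed)})
        last[user] = (ts, city, lat, lon)
    return alerts
```

Running `impossible_travel(SIGNINS)` flags only jana's Brno to Singapore pair; the Prague to Brno leg at roughly 116 km/h and petr's day-apart logins from the same city pass.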
Point four: Another factor.
Winning on the third point is difficult. That is why this point follows: verifying the user's identity at login by another factor (MFA). For example, by entering a numeric code from an application or SMS, confirming a notification on a mobile device, or using biometrics on the end device.
However, this factor must not bother the user too much. Otherwise, he will start looking for other applications that confirm it instead of him. Ideally, the other factor could be, for example, ownership of a business device or access from an internal IP address range.
And finally, it will also help you identify the accounts whose insanely complex password, containing lowercase and uppercase letters, numbers, special characters, unicorn blood, the national anthem and the company name with the year of joining, changed every 30 days, has leaked.
Tip: Azure AD Premium allows you to deploy a second factor that is secure for the company and user-friendly in form. Windows Hello for Business can securely authenticate users without entering passwords, using biometrics or a combination of other factors, such as the location of the computer on the network.
Point five: Uncompromising encryption.
Technology disappears. From users' pockets. It gets left behind in a taxi or on public transport. And the finders do not always return it, and sometimes they also look at its content. It is only good if they do not find the entire archive of the customer database there.
It is not only a whole laptop, a mobile phone or an improperly stored USB drive on a keychain that counts as technology. It can also be a server located on the company's premises, accessible every evening not only to the cleaning crew.
So far, you have secured your data at rest. What remains is its transfer. Web applications running without a secure HTTPS connection, unsecured databases, unauthorized data-sharing applications, e-mails traveling over the Internet without proper protection.
Tip: BitLocker, integrated in Windows 10, can protect fixed and removable media in case of loss or theft of the device. Microsoft Information Protection encrypts and protects the documents themselves, regardless of their location. It also enforces protection against copying the content. Microsoft Cloud App Security prevents sensitive data from being uploaded or shared outside of approved repositories.
Point six: Practice makes perfect.
Train. Your users, management and ICT administrators. Teach them to know the common attack methods, fake e-mails, malicious behavior. How to recognize them in practice and how to deal with them. Create a culture where users are not ashamed to report suspicious e-mails, websites, or behavior of their system.
Company management must lead by example. Take a policy requiring a PIN on mobile phones: the director is among the first to consider it a matter of course and does not ask for an exception. He realizes that computers are not just a better typewriter, but that a large part of the business depends on them, and therefore he is ready for justified budget requests.
Computer colleagues then realize that computers are meant to help the company achieve its goals. They are not the center of the universe and must think about how to make work easier for the users. Requests for new applications are not thrown out; instead, more secure and affordable alternatives are sought. They work with the users. Not against them.
And above all, they know their systems well. They can spot non-standard behavior in them, and they don't have all those beautiful toys just for decoration.
Tip: Attack Simulator can distribute targeted internal phishing to users, letting you easily evaluate users' caution and refer them to internal training, such as one stored in SharePoint Online or in an interactive Power Apps application. MyApps gives users easy access to all of the company's applications. Microsoft Teams integrates other applications that users often miss.
Point seven: Networks.
Building a high wall between the outside world and the internal environment, in the form of a firewall, is definitely not harmful. But it is necessary to inspect not only access from the outside in, but also from the inside out. And ideally within the castle. A good question to think about, however, is whether the king, the queen and the treasure are sitting inside the castle or have just left for their hunting lodge.
And if a robber gets inside, he will hit the inner moats. Network segmentation, 802.1X or a simple VLAN, which prevents infection from spreading easily among unsecured stations. Stations that may not use a firewall internally because it was so laborious to set up.
As well as separating the wireless network for visitors from the internal network, the printer network and the server infrastructure. Give them the necessary access to the Internet without having to inspect the traffic. But allow remote work using a VPN connection. Possibly secure publishing of applications, again only for corporate computers and identities protected by MFA, not for everyone on the Internet.
Tip: Windows Defender Advanced Threat Protection can automatically isolate a computer from the network in case of malicious behavior. It also offers analysis of network connections outside the network perimeter. The user does not even notice that Always On VPN on Windows 10 is dialed automatically when the computer starts.
Point eight: Devices, not just computers.
Computers are no longer the huge boxes that take up half the warehouse. They fit in your pockets. They run somewhere in the clouds. In cafes and not in the office. And not all of them run the same operating system. Not all of them see the domain controller from which they would download their domain policies.
Secure configuration is required on all of these endpoints. Run antivirus, or at least restrict which applications may access company data. Block macros downloaded from the Internet, but allow those for your accounting system. Why should any macro run a PowerShell script on a workstation? Doesn't that sound suspicious in itself?
Believe that Exchange policies work for non-mail applications as well. Or use mobile device management (MDM) and possibly mobile application management (MAM) instead. To prevent malicious applications from sending mail to colleagues or stealing your company directory. So that e-mail attachments first pass a virus scan based not only on static analysis, but also on a test of their behavior.
Tip: Microsoft Intune can deploy applications and policies on Apple, Android and of course Windows platforms. Not only in a restrictive mode, but also in an audit mode. It can check their compliance status and, in the event of a problem or risk on the device, refuse access to company systems. Office 365 Advanced Threat Protection can block dangerous attachments based on their actual behavior in a virtual system. Windows Defender Attack Surface Reduction blocks malicious application activity at the Windows 10 level.
Point nine: Sensible with permissions.
Not everyone needs to be an administrator of the domain or cloud environment right away. Not all applications need local administrator permissions. Divide and rule. We know, living with it is better and easier. But it opens the great gate to attackers.
On the other hand, dozens of special accounts for every purpose, system and application lead to the exact opposite: you have no real control over any of the accounts. Monitor the use of privileged accounts. The adding and removing of permissions. Separate the technicians who have access credentials to local computers. Maybe to your own as well. Use unique accounts and passwords for individual purposes as well as for scheduled tasks, and have accounts available for emergency purposes.
Tip: Azure AD Premium offers dynamic permission management, where administrators gain privileged access only for the required period.
Point ten: Monitoring in order to react.
Arranging central collection of logs is a necessary condition for finding out how a possible intrusion occurred, what the attackers could reach and which systems, and by which method they gained access. But it tends to come last, or, unfortunately for some, first. Which leads to a solution that produces white noise. Noise that does not stop. And so the defenders unnecessarily lose their vigilance.
Tip: Azure Sentinel allows free correlation of logs from Office 365. But you can also connect all your other systems to it and analyze the activities of systems, users and devices in one place, together with tracking the audit trail. Microsoft Threat Intelligence collects all the signals and offers a single console for investigation.
Get started today. Not tomorrow.
Whether you are doing it well may not be proven right away. Ideally, it will never be proven. But it is better to be prepared. And think about whether you have any major gaps in the ten points above. If so, it's time to start working on them.
Aim further, towards the Zero Trust concept. We can only wish that your company appears on the front pages on better and different occasions.