Everywhere you look, people are hawking security products. The struggle for many organizations is first knowing what will work best for their environment, and then what fits the budget. Throwing a lot of money and products at the problem should help, but most places lack the financial means and, beyond that, the expertise to implement it. This is particularly evident with security issues that have not bitten them yet. Once a compromise actually happens, their perspective and priorities will likely shift. But some protections can be put in place ahead of time without bankrupting the firm by purchasing every product on the market.
Let’s start off with some basic items that are “free-ish” (you typically still need a machine to run them on, and there is a cost in your time to maintain them or perform the action).
- Local Administrator Password Solution (LAPS) is a solution we mentioned a while back that helps ensure that your local administrator password is complex, periodically updated, and unique to prevent lateral movement inside an organization.
- Windows Updates – Are you properly maintaining all the systems in your environment? Microsoft has a steady monthly cadence of releasing updates that address security issues they’ve fixed. The problem is that we’ve seen organizations update their systems maybe once a year, sometimes less frequently than that. If you have too much on your plate and can’t make time for routine maintenance, we do offer managed solutions to reduce your time and effort while keeping your systems current.
- Firewall Updates – You should be performing updates to your firewall periodically and should have access to those updates with an active support contract with the vendor. Similar to the Microsoft Windows Updates, firewall updates frequently address security flaws that they’ve resolved. But if you’re not updating your firewall regularly or applying critical updates that fix a flaw that is applicable to your environment, you’re providing one more potential gateway into your network. Of course, we do have a managed solution offering to help reduce the chore for you and provide some additional benefits.
- Authentication – Your policy for passwords is something you can easily control. Some are now suggesting we should get away from passwords, or from changing passwords until necessary. Personally, I don’t agree with that. I see that periodic password changes help increase the likelihood that the password is unique for an environment. One standard I maintain is to never use the same password for my work as for my personal applications (i.e., Gmail, Comcast, Facebook, Amazon, etc.). When a 3rd party site is compromised, and people are using common passwords between sites, the trending strategy doesn’t help safeguard against that. But if you were regularly changing your password, your password most likely is different than the website that was compromised.
- Basic Multi-Factor Authentication (MFA) can be used with Office 365 if you own that. It may not be a perfect fit for your environment, but it can be a good starting point for people.
All of the above are solutions that most organizations own already or are “free”. If you really want to start stepping up your game, that’s when pieces such as Azure AD P1 or better, can start coming into the conversation for on-premises and cloud solutions.
- Authentication (Advanced) – Take the password complexity challenge. P@ssw0rd1 could pass the complexity rules of an environment. However, if you own the Azure AD P1 license, you can take advantage of Azure AD Password Protection and verify that a new password is not on the known compromised list, or on a custom list of easy-to-guess words you build that is relevant to your environment (company name, local sports teams, product names, and so on).
- Alerting/Response – Rather than buying just the Azure AD P1 license, we often advise (and sell) the larger EM+S E3 (Enterprise Mobility + Security E3) bundle. That license also provides Advanced Threat Analytics, which can help find suspicious activity inside your domain. The sooner you detect an issue, the less time an attacker has to take advantage of your network.
- Conditional Access – That same EM+S E3 license (or Azure AD P1) would give you conditional access, where you could look at ensuring certain accounts can only be used at certain locations, helping reduce the attack surface of your environment.
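To make the Authentication (Advanced) item concrete, here is an added illustration (not code from this post or from Microsoft) of how a banned-password check of the kind Azure AD Password Protection performs rejects P@ssw0rd1. It follows Microsoft's documented evaluation steps, namely normalization, banned-term matching and a five-point minimum score, but deliberately omits the edit-distance-one fuzzy matching and the user/tenant-name checks the real service also applies; the global and custom banned lists are constructed samples.

```python
# Simplified model of Azure AD Password Protection's password evaluation
# (added illustration based on Microsoft's documented rules, not the service's code).
MIN_POINTS = 5  # Microsoft documents a minimum score of five points

# Normalization: lowercase, then undo the common leetspeak substitutions.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})

# Constructed samples: a few entries standing in for the global banned list,
# plus a custom list of terms relevant to a hypothetical environment.
GLOBAL_BANNED = {"password", "contoso", "blank", "welcome", "qwerty"}
CUSTOM_BANNED = {"examplecorp", "summer", "boston"}
ALL_BANNED = GLOBAL_BANNED | CUSTOM_BANNED


def normalize(password: str) -> str:
    """Lowercase the password and reverse common character substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def score(password: str, banned=ALL_BANNED) -> int:
    """One point per banned term found (longest match first at each position),
    one point per remaining character that is not part of a banned term."""
    norm = normalize(password)
    words = sorted(banned, key=len, reverse=True)
    points, i = 0, 0
    while i < len(norm):
        hit = next((w for w in words if norm.startswith(w, i)), None)
        points += 1                      # a banned term and a loose char both score 1
        i += len(hit) if hit else 1      # but the banned term consumes all its chars
    return points


def is_acceptable(password: str, banned=ALL_BANNED) -> bool:
    """A password is accepted only when its score reaches the minimum."""
    return score(password, banned) >= MIN_POINTS


if __name__ == "__main__":
    for pw in ("P@ssw0rd1", "C0ntos0Blank12", "ContoS0Bl@nkf9!", "Ex@mpleC0rp!"):
        verdict = "accepted" if is_acceptable(pw) else "rejected"
        print(f"{pw:18} -> {score(pw)} points, {verdict}")
```

P@ssw0rd1 normalizes to "passwordl" and scores only two points (the banned term plus one leftover character), so it is rejected even though it satisfies a typical complexity rule.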
Those additional licenses provide many more capabilities; I only mentioned a very small subset.
So, take advantage of what is free or what you already own to increase your security posture. Reduce your attack surface. Make it harder for “them” to get in. And when you’re ready to add the next layer, consider some of the bundles out there that include a lot of capabilities you can implement right away and more that you can roll out over time.
If you need help implementing any of these solutions, or need us to take some of the routine tasks off your plate, email firstname.lastname@example.org. We are happy to help.