It’s called essentials it’s not called advanced!
Have you ever wondered what the absolute minimum you should do is to protect against cyber criminals? I’ll be honest I haven’t, that minimalistic approach to be seems kind of risky… BUT the world is not me and if you want to achive greatness you need a good foundation! So the essentials are good to know.
The following standards must be adhered to when operating a production PC device within the environment:
- Up to date antimalware must be installed and enabled
- Real time scanning must be enabled
- At least a weekly full scan must be performed
- Applications must be licensed
- Applications must be authorised
- Smart Screen must be enabled in EDGE or if using an alternative browser other controls must be in place e.g., google safe browsing
- Full disk encryption must be leveraged for OS disks
- Sensitive data should be encrypted at rest and in transit
- Removable Media should be managed
- Use encryption for sensitive data, you might consider using bit locker to go or simply archive based encryption (e.g., encrypted zip files)
- Unique usernames and passwords must be utilised
- General purpose computing accounts with administrator rights should not be used to browse the internet.
- A dual account model might help you manage this.
- Ensure host-based firewalls are blocking inbound connections except where there is a documented business case
- This makes lateral movement very difficult so check if you have SMB/RPC/WMI or RDP enabled, you might want to consider using a reverse connection based remote management and monitoring solution.
- Ensure patches are set to deploy automatically (Ensure critical patches are deployed within 14 days of release. I tend to configure laptops for weekly patching and desktops for daily patching but the more often the better from my point of view)
- Ensure mobile devices are up to date
- Ensure mobile devices are not rooted
- Ensure only authorised applications are installed
Now you might be thinking even though I’ve said this is the essentials you are still thinking, “Dan this list is tiny! Where’s the other controls?”. Well, you are right. This list is nowhere near as long as a comprehensive endpoint security list is when you want to assure you are in a good place. What I’m doing here is mapping the real essential basic controls (currently in line with Cyber Essentials) so that people have an idea of the bare minimum.
Layers
We need to think about other areas:
- Physical and Environmental Security
- Personel Security
- Supply Chain Security
- Hardware Security
- OS Security
- Data Security
- Applicaiton Security
- Monitoring
- Network Security
- Identity and Access Management
- Legal and Regulatory Compliance
Boy the list is long! as you can see in this post we are only scratching the surface.
Getting Blue Team 1337
I wrote an endpoint assessment standard a few years ago, it’s over 70 questions and covers a whole range of controls and good practises. Here we need to consider way more details technically but also in terms of process and integration. You are going to want to know you can respond when something bad does occur! You’ll want to expand on antivirus with Endpoint Detection and Response etc.
On Solid Foundations
Well, the idea here was to give people a view on not just the essential but what relatively advanced looks like. More on that in the future! For now here’s the basics, trust me some orgs will struggle to even get these in place.
If you want to look into a bit more detail at modern Windows Endpoint security there’s a post here which starts to go into a range of areas and features: