Endpoint Hardening

Cybernews is full of statistics telling you how bad cyberattacks can be. You constantly read about how this major company lost billions or millions. But how is that reflected in small businesses without big cybersecurity budgets? You’re barely scraping a profit, so how can you afford to mitigate these risks?

Let’s start with putting in some context.

While writing the thesis for my Master’s degree, I reviewed over 4,500 articles about cybersecurity stretching over the past 10 years, including survey data from multiple publicly available sources covering more than 60,000 respondents.

My research showed that articles on the websites of companies that sell cybersecurity products tend to “cherry-pick” statistics from data that supports the need for their product. Articles on news sites, meanwhile, often misread biased data or rely on unreliable sources.

A good example of this is an article on the Harvard Business Review site, which states: “The latest IBM Data Breach Report revealed that an alarming 83% of organizations experienced more than one data breach during 2022”.

It’s not that the data is incorrect; it’s that the source is biased. The IBM Cost of a Data Breach Report includes ONLY data from businesses that were impacted by data breaches (Figure 1). And while I cannot find the 83% referred to by HBR within this report, the only conclusion that you could draw from it is that 83% of businesses that have ALREADY suffered a data breach suffered further incidents, which is not what HBR implies.

Figure 1 – IBM Cost of a Data Breach Report 2023 Executive summary

So, how can you sort the wheat from the chaff? Well, for a start, you need to look at reliable sources, which I will discuss below. Allocating a budget for cybersecurity is a challenge at the best of times, but if you are misallocating your budget, you’re unlikely to get the best return on your security investment. Knowledge is key.

Below is information drawn from my Master’s thesis. I intended it to show the relative impact of various processes associated with implementing Zero Trust; however, the data applies to all cybersecurity implementations. The table represents 62,296 data points in total. The “Non-Compliance” column gives the percentage of companies surveyed that had not completed the process, and the “Breach” column gives the percentage of breaches that mentioned this as part of the root cause (undiscovered assets, overprivileged accounts, unmanaged risks, threats that hadn’t been addressed).

Process                Non-Compliance   Breach   Relative Risk (Breach/Compliance)
Devices Discovery      86%              73%      0.85
Application Discovery  53%              50%      0.94
Shadow IT Discovery    36%              41%      1.14
Service Discovery      80%              75%      0.94
Data Discovery         52%              76%      1.46
Least Privilege        61%              67%      1.1
Risk assessment        20%              92%      4.6
Threat Modelling       64%              60%      0.94
Average/Total          57%              67%

Table 1 – Cyber Discovery Processes vs Breach Incidence

The point of this is to show that, on average, two thirds of organisations have at some point suffered a breach, and that 57% of organisations are, on average, failing to undertake basic processes that would help mitigate these breaches. By far the most effective way to mitigate the risk of a breach is to undertake risk assessments and have a risk management program in place.

So, let’s look at how we can address this:

Find reliable and actionable information

First, whether you work in IT or have oversight of IT within your organisation, you need reliable information. News outlets tend to have knee-jerk reactions: they need clicks, so they make drama. There are, however, some fairly sober and reliable sources. I’ve curated a number of RSS feeds from sources I trust; you can find them here.

In addition, statistical information can be a convincing way to elicit budgets.

I’ve already mentioned the IBM Cost of a Data Breach Report which you can use to help justify the amount you spend on cybersecurity.
The Ponemon Institute has released reports associated with cybersecurity (although these seem to have stopped in 2022).

SANS Institute regularly releases Cybersecurity white papers.

And Verizon releases its Data Breach Investigations Report on an annual basis (among other reports).

There are, of course, many other sources of information:

For Managed Security Providers:

MSPsRUs (On Discord)

CyberDrain (On Discord)

MSPGeek

For IT Admins:

WinAdmins (On Discord)

sysengineer (On Discord)

For Cybersecurity:

BSides

Defcon Groups

Formalise Endpoint Hardening

Now that we’ve established some reliable sources, it’s time to move on to the actual hardening of endpoints. To do this, you need a process that you can reliably follow over and over again. Policies and processes are collectively known as governance, and having a clear, written set of governance policies and processes to follow reduces the likelihood of missing critical steps.

Your process should reflect the following:

  1. Identify the risk – As Table 1 shows, undertaking a risk assessment has 3x more impact on your security posture than the other processes. If you don’t understand your risks, your remedial efforts are likely to be costly and misplaced. I strongly recommend adopting a risk management framework such as the one described by NIST (NIST RMF, SP800-30, SP800-37, SP800-39).
  2. Read through the configurations below and develop the endpoint configuration that remediates or mitigates the risks that you have assessed.
  3. Test those configurations to verify that the issue has been mitigated and that the endpoint can still be used. Remember, the point of security is to mitigate risks while allowing the business to continue.
  4. Deploy the mitigations. Do this in phases to ensure that any unforeseen impacts are managed, and ensure that you have a backout plan if these unforeseen impacts make it impossible to continue normal business operations.
  5. Document the changes and report any exceptions along with remedial plans where needed.

Configuration Checklist

Mitigate the Vulnerable Legacies

As Windows has evolved over the years, it has maintained backwards compatibility with several protocols and services that underpinned and supported core services. Unfortunately, with the passage of time, they’re creaking at the seams and suffering from vulnerabilities.

Server Message Block v1

  • Background/resource: Stop using SMB1
  • Special note: SMB1 is being removed from Windows 11, and that includes the binaries needed to use and install it.

Powershell 2.0

  • Background/resource: Windows PowerShell 2.0 SimplyCyber

TLS 1.0/1.1 and SSL (all versions)

LanMan (LM) and NTLMv1

Digest Authentication

Patching
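As an added illustration (not code from the original post), here is a read-only PowerShell audit that reports whether each legacy item in this list is already mitigated on the local machine. It assumes an elevated Windows PowerShell 5.1 session on Windows 10/11 or Server 2016+, the standard Schannel and LSA registry locations, and that “Digest Authentication” refers to the WDigest provider on the endpoint.

```powershell
# Added example (not the post's own code): read-only audit of the legacy items above.
# Assumes an elevated Windows PowerShell 5.1 session on Windows 10/11 or Server 2016+.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is missing instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}
function Test-Smb1Disabled {
    -not (Get-SmbServerConfiguration).EnableSMB1Protocol
}
function Test-PowerShell2Removed {
    # Optional-feature name on Windows 10/11 (servers expose it as the PowerShell-V2 feature).
    $f = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
    ($null -eq $f) -or ($f.State -ne 'Enabled')
}
function Test-LegacyTlsDisabled {
    # Schannel treats a protocol as off when <Protocol>\Server\Enabled is 0. A missing value
    # means "OS default", which this check conservatively reports as not mitigated.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    $states = foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
        (Get-RegValue "$base\$p\Server" 'Enabled') -eq 0
    }
    $states -notcontains $false
}
function Test-LmNtlmV1Refused {
    # LmCompatibilityLevel 5: send NTLMv2 only, and refuse LM and NTLMv1 as a server.
    (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel') -eq 5
}
function Test-WDigestDisabled {
    # UseLogonCredential 0 stops WDigest keeping plaintext credentials in LSASS memory.
    # An absent value is the default since Windows 8.1/Server 2012 R2, which is also 0.
    $v = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
    ($null -eq $v) -or ($v -eq 0)
}
function Get-DaysSinceLastPatch {
    # Age of the newest installed hotfix, as a rough patching-cadence indicator.
    $latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { $null }
}
[pscustomobject]@{
    'SMB1 disabled'            = Test-Smb1Disabled
    'PowerShell 2.0 removed'   = Test-PowerShell2Removed
    'SSL/TLS 1.0-1.1 disabled' = Test-LegacyTlsDisabled
    'LM/NTLMv1 refused'        = Test-LmNtlmV1Refused
    'WDigest disabled'         = Test-WDigestDisabled
    'Days since last patch'    = Get-DaysSinceLastPatch
} | Format-List
```

A result of False on any line is a candidate for step 2 of the process above; the script changes nothing, so it can also serve as the verification in step 3 after the fix is deployed.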

OS Hardening

At the core of modern security efforts is first improving the security posture of the operating system and its configuration. Strengthening the build at this layer allows the rest of your efforts to sit on a solid, modern foundation.

ASR/Anti-Exploit rules

Restrict lateral movement tools and techniques (attack surface reduction, ASR)

Native features

Reputation-based Protection

  • SmartScreen for Microsoft Edge
  • Potentially unwanted app blocking
  • SmartScreen for Microsoft Store Apps

Secure Boot

Logging

Remove unneeded apps and features
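To show what “checking” these OS-hardening items looks like in practice, the following added PowerShell script (not from the original post) reports the state of three lateral-movement-related ASR rules, Secure Boot, reputation-based protection and a logging baseline. It assumes Microsoft Defender Antivirus is the active AV, an elevated session, and the Edge and PowerShell policy registry paths named in the comments; the ASR GUIDs are Microsoft’s published rule identifiers and should be verified against the current reference list.

```powershell
# Added example (not the post's own code): state of the OS-hardening items above.
# Assumes Microsoft Defender Antivirus is the active AV and the session is elevated.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}
# ASR rule GUIDs as published by Microsoft; verify against the current reference list.
$AsrRulesOfInterest = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations from PsExec and WMI'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block Office apps from creating child processes'
}
function Get-AsrRuleReport {
    # Actions: 0 Off, 1 Block, 2 Audit, 6 Warn. A rule not configured at all is Off.
    $pref = Get-MpPreference
    $ids = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $configured = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) { $configured[$ids[$i].ToLower()] = [int]$actions[$i] }
    foreach ($id in $AsrRulesOfInterest.Keys) {
        $action = if ($configured.ContainsKey($id)) { $configured[$id] } else { 0 }
        [pscustomobject]@{ Rule = $AsrRulesOfInterest[$id]; Action = $action; Blocking = ($action -eq 1) }
    }
}
function Test-SecureBootOn {
    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as not enabled.
    try { Confirm-SecureBootUEFI } catch { $false }
}
function Test-ReputationProtection {
    # PUAProtection 1 = block; Edge policy SmartScreenEnabled 1 = SmartScreen on and enforced.
    $pua  = (Get-MpPreference).PUAProtection -eq 1
    $edge = (Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' 'SmartScreenEnabled') -eq 1
    [pscustomobject]@{ PUABlocking = $pua; EdgeSmartScreenEnforced = $edge }
}
function Test-LoggingBaseline {
    # Script block logging on, and a Security log sized so it does not roll over within hours.
    $sbl = (Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1
    $sec = Get-WinEvent -ListLog Security
    [pscustomobject]@{ ScriptBlockLogging = $sbl; SecurityLogSizeMB = [int]($sec.MaximumSizeInBytes / 1MB) }
}
Get-AsrRuleReport | Format-Table -AutoSize
Test-SecureBootOn
Test-ReputationProtection
Test-LoggingBaseline
```

Rules reported with Action 2 (Audit) are a useful intermediate during the phased rollout in step 4, because the Defender event log then shows what would have been blocked before you switch them to Block.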

Network hardening

Now that you’ve strengthened the local operating system, turn towards the wider network, and the services exposed amongst the interconnected world. This ranges from configuring the local network to reducing the acceptable inbound traffic allowed.

Disable or harden RDP

Disable DNS multicast

Disable NetBIOS

Disable Smart Multi-Homed Name Resolution

Configure the firewall
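The following added PowerShell script (not from the original post) checks the network items above in read-only fashion. It assumes an elevated session on Windows 10/11 or Server 2016+, that “DNS multicast” means LLMNR and mDNS, that “Smart Name Resolution” is the Smart Multi-Homed Name Resolution policy, and the policy and service registry paths named in the comments.

```powershell
# Added example (not the post's own code): read-only check of the network items above.
# Assumes the standard policy registry paths on Windows 10/11 or Server 2016+, run elevated.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}
function Test-RdpHardened {
    # Mitigated when RDP is off, or on but requiring Network Level Authentication.
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $off = (Get-RegValue $ts 'fDenyTSConnections') -eq 1
    $nla = (Get-RegValue "$ts\WinStations\RDP-Tcp" 'UserAuthentication') -eq 1
    $off -or $nla
}
function Test-MulticastNameResolutionOff {
    # Policy EnableMulticast 0 turns off LLMNR; Dnscache EnableMDNS 0 turns off mDNS.
    $dnsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $llmnrOff = (Get-RegValue $dnsPolicy 'EnableMulticast') -eq 0
    $mdnsOff  = (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters' 'EnableMDNS') -eq 0
    [pscustomobject]@{ LLMNRDisabled = $llmnrOff; mDNSDisabled = $mdnsOff }
}
function Test-NetBiosDisabled {
    # TcpipNetbiosOptions: 0 = from DHCP, 1 = enabled, 2 = disabled. Every IP-enabled adapter must be 2.
    $cfgs = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    @($cfgs | Where-Object { $_.TcpipNetbiosOptions -ne 2 }).Count -eq 0
}
function Test-SmartNameResolutionOff {
    # DisableSmartNameResolution 1 = policy "Turn off smart multi-homed name resolution" is enabled.
    (Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'DisableSmartNameResolution') -eq 1
}
function Test-FirewallDefaultDeny {
    # All three profiles must be on with inbound default Block; report any that are not.
    $bad = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block' })
    [pscustomobject]@{ Compliant = ($bad.Count -eq 0); NonCompliantProfiles = ($bad.Name -join ', ') }
}
[pscustomobject]@{
    'RDP off or NLA required'    = Test-RdpHardened
    'NetBIOS over TCP/IP off'    = Test-NetBiosDisabled
    'Smart name resolution off'  = Test-SmartNameResolutionOff
} | Format-List
Test-MulticastNameResolutionOff
Test-FirewallDefaultDeny
```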

Account Protections

Restricting the attack surface available with local accounts, services, and the credential store frustrates attackers, and prevents the quick and easy elevation of privileges. This could alert you to an attack, increase the time needed to bypass the mitigations, or even prevent an attack from succeeding.

Remove local admin rights

Harden local administrator accounts

Limit logon rights for accounts

Utilize the Protected Users group (Active Directory joined devices)

Credential Guard
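As an added example (not from the original post), this PowerShell script gathers the evidence for the five account items above: who holds local admin, whether the built-in Administrator is disabled or renamed, which “deny logon” rights are assigned, whether the current user is in Protected Users, and whether Credential Guard is running. It assumes an elevated session on Windows 10/11, that secedit is available, and that the Protected Users check is run on a domain-joined device.

```powershell
# Added example (not the post's own code): read-only checks for the account items above.
# Assumes an elevated session on Windows 10/11; the Protected Users check only means
# something on a domain-joined device.
function Get-LocalAdminMembers {
    # Resolve by well-known SID so the check survives a renamed Administrators group.
    Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object Name, ObjectClass, PrincipalSource
}
function Test-BuiltinAdminHardened {
    # RID 500 is the built-in Administrator; mitigated when disabled and/or renamed.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    [pscustomobject]@{ Disabled = (-not $admin.Enabled); Renamed = ($admin.Name -ne 'Administrator') }
}
function Get-LogonRightDenials {
    # Export the local security policy and pull the "deny" user rights, which are the
    # levers for limiting network, RDP, batch and service logons to accounts that need them.
    $tmp = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $tmp /quiet | Out-Null
    $rights = 'SeDenyNetworkLogonRight','SeDenyRemoteInteractiveLogonRight','SeDenyBatchLogonRight','SeDenyServiceLogonRight'
    $lines = Get-Content $tmp
    Remove-Item $tmp -ErrorAction SilentlyContinue
    foreach ($r in $rights) {
        $line = $lines | Where-Object { $_ -like "$r*" }
        $sids = if ($line) { ($line -split '=', 2)[1].Trim() } else { '' }
        [pscustomobject]@{ Right = $r; AssignedTo = $sids; Configured = ($sids -ne '') }
    }
}
function Test-CurrentUserInProtectedUsers {
    # The Protected Users group has RID 525 in every domain.
    $groups = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups
    @($groups | Where-Object { $_.Value -like 'S-1-5-21-*-525' }).Count -gt 0
}
function Test-CredentialGuardRunning {
    # SecurityServicesRunning contains 1 when Credential Guard is active.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    @($dg.SecurityServicesRunning) -contains 1
}
Get-LocalAdminMembers | Format-Table -AutoSize
Test-BuiltinAdminHardened
Get-LogonRightDenials | Format-Table -AutoSize
Test-CurrentUserInProtectedUsers
Test-CredentialGuardRunning
```

The AssignedTo column holds SIDs as exported by secedit (for example a leading asterisk before each SID), so compare it against the SIDs of the groups you intend to restrict rather than against display names.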

Application Hardening

Attackers often attempt to exploit some of the most common tools and settings organizations rely on. These elements are widely distributed and installed on endpoints. Without further configuration they can lead to easy attacks of opportunity.

Office Suite

Adobe Reader

Make it a process

  • Pick an application
  • Evaluate its needs and risks
  • Work with key contacts to ensure a good balance between risk, and usability
  • Research hardening techniques for that specific program
  • Mitigate the risk and exposure with more comprehensive configurations

Browser Hardening

Web browsers tend to be one of the more overlooked elements in the stack. Yet, their configuration sets the scene for one of the most used programs installed on computers today. Locking down and enforcing a few basic security features can help secure this critical entry point.

SmartScreen Phishing Filter and Advanced Protection

Dedicated sandboxing of processes

Additional Resources

Universal Resources

Australia

Canada

UK

USA