Cyber news is full of statistics telling you how bad cyberattacks can be. You constantly read about how some major company lost millions or billions. But how does that translate to small businesses without big cybersecurity budgets? You’re barely scraping a profit, so how can you afford to mitigate these risks?
Let’s start by putting this in some context.
While writing the thesis for my Master’s degree, I reviewed over 4,500 articles about cybersecurity stretching over the past 10 years, including survey data from multiple publicly available sources covering more than 60,000 respondents.
My research showed that articles which appear on the websites of companies that sell cybersecurity products tend to “cherry-pick” their statistics from data that supports the need for their product. Other articles that appear on news sites misunderstand biased data, or rely on unreliable sources.
A good example of this is this article found on the Harvard Business Review. The article states “The latest IBM Data Breach Report revealed that an alarming 83% of organizations experienced more than one data breach during 2022”.
It’s not that the data is incorrect, it’s that the source is biased. That is, the IBM Cost of a Data Breach Report includes ONLY data from businesses that were impacted by data breaches (Figure 1). And while I cannot find the 83% referred to by HBR within this report, the only conclusion that you could draw from this report is that 83% of businesses that have ALREADY suffered a data breach suffered further incidents, which is not what is implied by HBR.
Figure 1 – IBM Cost of a Data Breach Report 2023 Executive summary
So, how can you sort the wheat from the chaff? Well, for a start, you need to look at reliable sources, which I will discuss below. Allocating a budget for cybersecurity is a challenge at the best of times, but if you are misallocating your budget, you’re unlikely to get the best return on your security investment. Knowledge is key.
Below is information drawn from my Master’s thesis. I intended to show the relative impact of the various processes associated with implementing Zero Trust; however, the data applies to all cybersecurity implementations. The table represents 62,296 data points in total. The “Non-Compliance” column is the percentage of companies surveyed that had not completed the process, and the “Breach” column is the percentage of breaches that cited the absence of that process as part of the root cause (undiscovered assets, over-privileged accounts, unmanaged risks, threats that hadn’t been addressed). The “Relative Risk” column is Breach divided by Non-Compliance.
| Process | Non-Compliance | Breach | Relative Risk (Breach / Non-Compliance) |
|---|---|---|---|
| Devices Discovery | 86% | 73% | 0.85 |
| Application Discovery | 53% | 50% | 0.94 |
| Shadow IT Discovery | 36% | 41% | 1.14 |
| Service Discovery | 80% | 75% | 0.94 |
| Data Discovery | 52% | 76% | 1.46 |
| Least Privilege | 61% | 67% | 1.10 |
| Risk assessment | 20% | 92% | 4.60 |
| Threat Modelling | 64% | 60% | 0.94 |
| Average/Total | 57% | 67% | |
Table 1 – Cyber Discovery Processes vs Breach Incidence
The point of this table is that, on average, two thirds of organisations have suffered a breach at some point, and that 57% of organisations are, on average, failing to undertake basic processes that would help mitigate one. Risk assessment stands out: it has the lowest non-compliance (20%), yet unmanaged risk appears in 92% of breaches, a relative risk of 4.6, roughly three times that of the next highest process. By far the most effective way to mitigate the risk of a breach is to undertake risk assessments and have a risk management programme in place.
So, let’s look at how we can address this:
Find reliable and actionable information
First, whether you work in IT or you have oversight of IT within your organisation, you need to find reliable information. News outlets tend to react to events quickly, and because they need clicks, they dramatise. However, there are some fairly sober and reliable sources. I’ve curated a number of RSS feeds from sources I trust; you can find them here.
In addition, statistical information can be a convincing way to elicit budgets.
I’ve already mentioned the IBM Cost of a Data Breach Report which you can use to help justify the amount you spend on cybersecurity.
The Ponemon Institute has released reports associated with cybersecurity (Although these seem to have stopped in 2022)
SANS Institute regularly releases Cybersecurity white papers.
And Verizon releases their Data Breach Investigations Reports on an annual basis (among other reports)
There are, of course, many other sources of information:
For Managed Security Providers:
MSPsRUs (On Discord)
CyberDrain (On Discord)
For IT Admins
WinAdmins (On Discord)
sysengineer (On Discord)
For Cybersecurity
Formalise Endpoint Hardening
Now that we’ve established some reliable sources, it’s time to move on to the actual hardening of endpoints. To do this, you need a process that you can reliably follow over and over again. Written policies and processes are your governance, and by having a clear set of them to follow, the likelihood of missing critical steps is reduced.
Your process should reflect the following:
- Identify the risk – As Table 1 shows, undertaking a risk assessment has roughly three times the impact on your security posture of any other process listed. If you don’t understand your risks, then your remedial efforts are likely to be costly and misplaced. I strongly recommend adopting a Risk Management framework such as the one described by NIST (NIST RMF, SP 800-30, SP 800-37, SP 800-39).
- Read through the configurations below and develop the endpoint configuration that remediates or mitigates the risks that you have assessed.
- Test those configurations to verify that the issue has been mitigated and that the endpoint can still be used. Remember, the point of security is to mitigate risks while allowing the business to continue.
- Deploy the mitigations. Do this in phases to ensure that any unforeseen impacts are managed, and ensure that you have a backout plan if these unforeseen impacts make it impossible to continue normal business operations.
- Document the changes and report any exceptions along with remedial plans where needed.
Configuration Checklist
Mitigate the Vulnerable Legacies
As Windows has evolved over the years, it has maintained backwards compatibility with several protocols and services that underpinned and supported core services. Unfortunately, with the passage of time, they’re creaking at the seams and suffering from vulnerabilities.
Server Message Block v1
- Background/resource: Stop using SMB1
- Special note: SMB1 is being removed from Windows 11, and that includes the binaries needed to use and install it.
Powershell 2.0
- Background/resource: Windows PowerShell 2.0 SimplyCyber
TLS 1.0/1.1, and SSL (All versions)
- Background/resource: Solving the TLS 1.0 Problem
LanMan (LM) and NTLMv1
- Background/resource: The LanMan auth level must be NTLMv2 only, and to refuse LM and NTLM
Digest Authentication
- Background/resource: WDigest Authentication must be disabled
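The five legacy items above can be audited and remediated from one script. The following is an added example, not code from the original article: it reports the current state of each setting on a Windows 10/11 client and only changes anything when run with -Remediate. Registry paths and values are Microsoft’s documented ones; the reporting layout and the decision to treat an absent key as non-compliant are this example’s choices. Pilot it on a test group first, exactly as the process above says.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): audit/remediate SMB1, PowerShell 2.0,
# SSL/TLS 1.0/1.1, LM/NTLMv1 and WDigest on a Windows 10/11 client.
# Run without -Remediate first; only the report is produced.
param([switch]$Remediate)

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Item, $Current, $Expected) {
    $findings.Add([pscustomobject]@{
        Item = $Item; Current = $Current; Expected = $Expected
        Compliant = ($Current -eq $Expected)
    })
}

# 1. SMB1. Client builds expose it as an optional feature; on Server use
#    Remove-WindowsFeature FS-SMB1 instead of Disable-WindowsOptionalFeature.
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
Add-Finding 'SMB1 server protocol enabled' $smb1 $false
if ($Remediate -and $smb1) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null
}

# 2. Windows PowerShell 2.0 engine: a downgrade target with no script block logging or AMSI.
$ps2 = Get-WindowsOptionalFeature -Online -FeatureName 'MicrosoftWindowsPowerShellV2Root'
Add-Finding 'PowerShell 2.0 engine' $ps2.State.ToString() 'Disabled'
if ($Remediate -and $ps2.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName 'MicrosoftWindowsPowerShellV2Root' -NoRestart | Out-Null
}

# 3. SSL 2.0/3.0 and TLS 1.0/1.1 in SCHANNEL, client and server side.
#    An absent key means "OS default", which older builds still resolve to "allowed",
#    so this example treats absence as non-compliant and writes an explicit 0.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $schannel "$proto\$side"
        $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
        Add-Finding "$proto $side disabled" ($enabled -eq 0) $true
        if ($Remediate -and $enabled -ne 0) {
            New-Item -Path $key -Force | Out-Null
            Set-ItemProperty -Path $key -Name Enabled -Value 0 -Type DWord
            Set-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -Type DWord
        }
    }
}

# 4. LM/NTLMv1: LmCompatibilityLevel 5 = send NTLMv2 response only, refuse LM and NTLM.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lmLevel = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
Add-Finding 'LmCompatibilityLevel' $lmLevel 5
if ($Remediate -and $lmLevel -ne 5) {
    Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
}

# 5. WDigest: UseLogonCredential 0 stops LSASS keeping a plaintext copy of the password.
$wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$useLogon = (Get-ItemProperty -Path $wdigest -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
Add-Finding 'WDigest UseLogonCredential' $useLogon 0
if ($Remediate -and $useLogon -ne 0) {
    Set-ItemProperty -Path $wdigest -Name UseLogonCredential -Value 0 -Type DWord
}

$findings | Format-Table -AutoSize
```

The SCHANNEL and LSA changes need a reboot to take effect, and disabling TLS 1.0/1.1 will break any internal application or printer that still negotiates them, which is exactly why the audit run goes first: the report tells you what will change before anything does.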
Patching
- Background: Vulnerability management
- Resource: Cloud-based Patch Management
OS Hardening
At the core of modern security efforts is first improving the security posture of the operating system and its configuration. Strengthening the build at this layer allows the rest of your efforts to sit on a solid and modern foundation.
ASR/Anti Exploit rules
- Bitdefender resource: Configuration (bitdefender.com)
- Microsoft resource: Understand and use attack surface reduction (ASR)
Restrict lateral movement tools and techniques
- Resource: Preventing Lateral Movement GOV.UK
- Resource: Configuration (bitdefender.com)
- Resource: Restricting SMB-based lateral movement in a Windows environment | by Palan
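The ASR rules and the lateral-movement restrictions above overlap: the LSASS, PsExec/WMI and WMI-persistence rules are Defender’s built-in answer to the most common lateral-movement tooling. The script below is an added example, not code from the original article or from Microsoft. The rule GUIDs are Microsoft’s published identifiers; which rules to pick, and the audit-then-enforce flow, are this example’s assumptions. It follows the “test, then deploy in phases” process described earlier: rules start in audit mode, you review the audit events for a week, then re-run with -Mode Enabled.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): roll out Defender ASR rules in audit mode,
# review what they would have blocked, then enforce. Rule selection is an assumption.
param(
    [ValidateSet('AuditMode', 'Enabled')][string]$Mode = 'AuditMode',
    [int]$ReviewDays = 7
)

# GUID -> rule name, from Microsoft's ASR rule reference.
$rules = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations from PsExec and WMI'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Block Office applications from injecting code into other processes'
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Block Win32 API calls from Office macros'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript/VBScript from launching downloaded executable content'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'Block Adobe Reader from creating child processes'
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
}

# Add-MpPreference appends to rules already configured (e.g. by Intune or GPO);
# Set-MpPreference would replace the whole list, which is rarely what you want.
foreach ($id in $rules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
}

# What is configured now. Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$pref = Get-MpPreference
if ($pref.AttackSurfaceReductionRules_Ids) {
    0..($pref.AttackSurfaceReductionRules_Ids.Count - 1) | ForEach-Object {
        $id = $pref.AttackSurfaceReductionRules_Ids[$_]
        [pscustomobject]@{
            Rule   = if ($rules[$id]) { $rules[$id] } else { '(configured elsewhere)' }
            Id     = $id
            Action = $pref.AttackSurfaceReductionRules_Actions[$_]
        }
    } | Format-Table -AutoSize
}

# Review before enforcing. Event 1122 = rule would have blocked (audit), 1121 = blocked.
# A line-of-business app showing up here needs an exclusion or that one rule left in
# audit mode, not a blanket disable of ASR.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-$ReviewDays)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Mode'; e = { if ($_.Id -eq 1121) { 'Blocked' } else { 'Audited' } } },
        Message |
    Sort-Object TimeCreated -Descending | Select-Object -First 25 | Format-List
```

Run it once with the default -Mode AuditMode, let the fleet work for the review period, then run it again with -Mode Enabled. Keeping the review in the same script means the person switching to enforce is looking at the evidence for that decision at the moment they make it.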
Native features
Reputation-based Protection
- SmartScreen for Microsoft Edge
- Potentially unwanted app blocking
- SmartScreen for Microsoft Store Apps
Secure Boot
- Resource: Secure boot | Microsoft Docs
Logging
Remove unneeded apps and features
- Resource/background: Remove unused and unnecessary software (johnopdenakker.com)
Network hardening
Now that you’ve strengthened the local operating system, turn towards the wider network and the services exposed to the interconnected world. This ranges from configuring the local network to reducing the inbound traffic you accept.
Disable or harden RDP
- Resource: HOWTO: Harden Remote Desktop connections to Domain Controllers – The things that are better left unspoken (dirteam.com)
- Resource: Methods to Enable and Disable Remote Desktop Locally | Interface Technical Training
Disable multicast name resolution (LLMNR and mDNS)
Disable NetBios
- Resource: Disable NetBIOS in Windows networks – 4sysops
Disable Smart Multi-Homed Name Resolution (SMHNR)
- Resource: Preventing Windows 10 SMHNR DNS Leakage | SANS Institute
- Resource: Turn off smart multi-homed name resolution (admx.help)
Configure the firewall
- Resource (Video): Demystifying the Windows Firewall – Learn how to irritate attackers
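The network items above all come down to a handful of registry policies plus the Windows Firewall. The script below is an added example, not code from the original article or from any of the linked resources. The management subnet 10.0.10.0/24 is an assumption; replace it with your jump-host range, or pass -DisableRdpEntirely if the device never needs RDP. The registry locations are the ones the linked admx.help and 4sysops resources document.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): LLMNR/mDNS, NetBIOS, SMHNR, RDP and
# firewall hardening for a Windows 10/11 endpoint. $RdpAllowedFrom is an assumed subnet.
param(
    [string]$RdpAllowedFrom = '10.0.10.0/24',   # assumed admin jump subnet
    [switch]$DisableRdpEntirely
)

function Set-PolicyValue([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

$dnsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

# 1. Multicast name resolution. LLMNR is what Responder-style poisoning abuses;
#    EnableMDNS under Dnscache covers mDNS on recent Windows 10/11 builds.
Set-PolicyValue $dnsPolicy 'EnableMulticast' 0
Set-PolicyValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters' 'EnableMDNS' 0

# 2. NetBIOS over TCP/IP on every current adapter (NetbiosOptions 2 = disable).
#    Adapters added later inherit the DHCP/default value unless set by policy.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
    ForEach-Object { Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord }

# 3. Smart multi-homed name resolution: stop parallel DNS queries going out of every adapter.
Set-PolicyValue $dnsPolicy 'DisableSmartNameResolution' 1

# 4. RDP: off entirely, or NLA required and the inbound rules limited to one subnet.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ($DisableRdpEntirely) {
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1 -Type DWord
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
} else {
    Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1 -Type DWord
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $RdpAllowedFrom -Profile Domain, Private
}

# 5. Firewall on for every profile, default-deny inbound, dropped packets logged for the SOC.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Verification: anything still listening on a non-loopback address is your remaining
# inbound surface; each line should map to a firewall rule you can justify.
Get-NetTCPConnection -State Listen | Where-Object LocalAddress -NotIn '127.0.0.1', '::1' |
    Select-Object LocalAddress, LocalPort, OwningProcess | Sort-Object LocalPort
```

A reboot (or at least a DNS client restart) is needed for the name-resolution changes. The listening-port list at the end is the check worth keeping: run it before and after, and the difference is what you actually removed from the attack surface.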
Account Protections
Restricting the attack surface available with local accounts, services, and the credential store frustrates attackers, and prevents the quick and easy elevation of privileges. This could alert you to an attack, increase the time needed to bypass the mitigations, or even prevent an attack from succeeding.
Remove local admin rights
- Resource: Least Privilege | CISA
Harden local administrator accounts
Limit logon rights for accounts
Utilize the protected users group (Active Directory joined devices)
Credential Guard
- Resource: Protect derived domain credentials with Windows Defender Credential Guard (Windows) – Windows security | Microsoft Docs
- Resource: Manage Windows Defender Credential Guard (Windows) – Windows security | Microsoft Docs
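The account protections above are the ones an attacker with a foothold runs into first, so they are worth enforcing with a repeatable script rather than by hand. The following is an added example, not code from the original article or from Microsoft’s Credential Guard documentation. The approved-admin list ('CORP\Domain Admins', 'CORP\Workstation Admins') is a placeholder, the logon-right deny targets local administrator accounts (S-1-5-114), and the Credential Guard values are Microsoft’s documented registry equivalents of the Group Policy setting. Protected Users is a domain-side change (add the admin accounts to that group in AD) and is not set on the endpoint.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): local admin clean-up, built-in Administrator
# disable, deny network/RDP logon for local admin accounts, and Credential Guard.
param(
    [string[]]$ApprovedAdmins = @('CORP\Domain Admins', 'CORP\Workstation Admins'),  # placeholder allow-list
    [switch]$Remediate
)

# 1. Local admin rights: everyone in Administrators who is not on the allow-list.
#    The built-in RID-500 account is handled in step 2, not removed from the group.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-*-500' }
$members = Get-LocalGroupMember -Group 'Administrators'   # can throw on orphaned SIDs; clean those first
$unexpected = @($members | Where-Object {
    $_.Name -notin $ApprovedAdmins -and $_.Name -ne "$env:COMPUTERNAME\$($builtin.Name)"
})
foreach ($m in $unexpected) {
    Write-Warning "Unexpected local admin: $($m.Name) ($($m.ObjectClass))"
    if ($Remediate) { Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name }
}

# 2. Built-in Administrator: disabled. If it must stay usable, LAPS should own its password.
if ($Remediate -and $builtin.Enabled) { Disable-LocalUser -Name $builtin.Name }

# 3. Logon rights: deny network and RDP logon to local administrator accounts (S-1-5-114),
#    so a stolen local admin hash cannot be replayed against other machines. Use S-1-5-113
#    (all local accounts) if no local account ever needs network logon. secedit is the
#    supported way to set user rights on a single machine outside Group Policy.
$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-114
SeDenyRemoteInteractiveLogonRight = *S-1-5-114
'@
if ($Remediate) {
    $cfg = Join-Path $env:TEMP 'deny-local-admin-logon.inf'
    $db  = Join-Path $env:TEMP 'deny-local-admin-logon.sdb'
    Set-Content -Path $cfg -Value $inf -Encoding Unicode
    secedit.exe /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
    Remove-Item $cfg, $db -ErrorAction SilentlyContinue
}

# 4. Credential Guard. Needs UEFI + Secure Boot + virtualisation; check before enabling.
$secureBoot = try { Confirm-SecureBootUEFI } catch { $false }   # throws on legacy BIOS
$dg  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($Remediate -and $secureBoot) {
    if (-not (Test-Path $dg)) { New-Item -Path $dg -Force | Out-Null }
    Set-ItemProperty -Path $dg -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    Set-ItemProperty -Path $dg -Name RequirePlatformSecurityFeatures -Value 1 -Type DWord  # 1 = Secure Boot
    Set-ItemProperty -Path $lsa -Name LsaCfgFlags -Value 1 -Type DWord                     # 1 = on, with UEFI lock
}

# Verification (after reboot): 1 in SecurityServicesRunning means Credential Guard is live.
$status = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
[pscustomobject]@{
    SecureBoot                = $secureBoot
    CredentialGuardConfigured = ($status.SecurityServicesConfigured -contains 1)
    CredentialGuardRunning    = ($status.SecurityServicesRunning -contains 1)
    UnexpectedAdmins          = $unexpected.Count
}
```

Two cautions from the remediation itself: the logon-right deny will also stop a LAPS-managed local admin being used over the network, so decide which SID you deny with that in mind, and LsaCfgFlags 1 sets the UEFI lock, which means Credential Guard cannot later be turned off remotely without clearing the EFI variable at the console. Use 2 instead if you need to keep that option.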
Application Hardening
Attackers often attempt to exploit some of the most common tools and settings organizations rely on. These elements are widely distributed and installed on endpoints. Without further configuration they can lead to easy attacks of opportunity.
Office Suite
- Resource: Hardening Microsoft 365, Office 2021, Office 2019 and Office 2016 | gov.au
- Resource: How to secure Microsoft Office Desktop Deployments – A Technical Guide. – @Precursec (precursorsecurity.com)
Adobe Reader
- Resource: Hardening Adobe Reader – Security Musings
Make it a process
- Pick an application
- Evaluate its needs and risks
- Work with key contacts to ensure a good balance between risk, and usability
- Research hardening techniques for that specific program
- Mitigate the risk and exposure with more comprehensive configurations
Browser Hardening
Web browsers tend to be one of the more overlooked elements in the stack. Yet, their configuration sets the scene for one of the most used programs installed on computers today. Locking down and enforcing a few basic security features can help secure this critical entry point.
Smartscreen Phishing Filter and Advanced Protection
- Chrome: Use Safe Browsing in Chrome
- Edge: Configure Microsoft Defender SmartScreen to block potentially unwanted apps (admx.help)
- Firefox: safebrowsing.phishing.enabled (admx.help)
Dedicated Sandboxing of processes
- Most browsers now isolate the processes that render web content. Microsoft Defender Application Guard goes further, running a hardware-isolated (Hyper-V) browser session for untrusted sites, and its extension brings that to other browsers.
- Edge: Microsoft Edge and Microsoft Defender Application Guard | Microsoft Docs
- Other browsers: Microsoft Defender Application Guard Extension – Windows security
Control installed extensions
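The SmartScreen/Safe Browsing settings and extension control above are machine-level policies, so they belong in a script or GPO rather than in each user’s settings page. The following is an added example, not code from the original article: it writes the Edge and Chrome policies to HKLM. The policy names are the ones both browsers document; the extension ID 'abcdefghijklmnopabcdefghijklmnop' is a placeholder for your approved IDs. Firefox reads policies.json (or HKLM\SOFTWARE\Policies\Mozilla\Firefox) with a different schema and is not covered here.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): machine-level Edge and Chrome policy for
# SmartScreen / Safe Browsing and extension allow-listing. The extension ID is a placeholder.
param(
    [string[]]$ApprovedExtensions = @('abcdefghijklmnopabcdefghijklmnop')  # placeholder IDs
)

function Set-Policy([string]$Path, [string]$Name, $Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $type = if ($Value -is [string]) { 'String' } else { 'DWord' }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $type
}

$edge   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$chrome = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

# Edge: SmartScreen for sites and downloads, PUA blocking, and no "continue anyway" for users.
Set-Policy $edge 'SmartScreenEnabled' 1
Set-Policy $edge 'SmartScreenPuaEnabled' 1
Set-Policy $edge 'PreventSmartScreenPromptOverride' 1
Set-Policy $edge 'PreventSmartScreenPromptOverrideForFiles' 1

# Chrome: Safe Browsing at "enhanced" (2). 1 = standard, 0 = off.
Set-Policy $chrome 'SafeBrowsingProtectionLevel' 2

# Extensions, same policy names in both browsers: block everything ('*'), then allow by ID.
# Entries are numbered REG_SZ values under the policy key.
foreach ($root in $edge, $chrome) {
    Set-Policy "$root\ExtensionInstallBlocklist" '1' '*'
    $i = 1
    foreach ($id in $ApprovedExtensions) {
        Set-Policy "$root\ExtensionInstallAllowlist" "$i" $id
        $i++
    }
}

# Read back what was written. The authoritative view is edge://policy and chrome://policy
# in the browser after a restart, which also flags any policy name the build does not know.
Get-ItemProperty -Path $edge, $chrome |
    Select-Object PSChildName, SmartScreenEnabled, SmartScreenPuaEnabled, SafeBrowsingProtectionLevel
```

Blocking '*' and then allow-listing is the only combination that actually controls extensions; an allow-list on its own does nothing, and a blocklist of known-bad IDs is always behind. Users who already have an unapproved extension installed will see it disabled at the next browser start, so announce the change before deploying it.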
Additional Resources
Universal Resources
- SecCon-Framework: Windows security configuration framework
- CISA Insights: Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses
- CIS Critical Security Controls
- GitHub: Defences Against Cobalt Strike
- Embracing the Zero Trust Security model
- 10 Immutable Laws of Security Administration
- Endpoint Security – The Essentials – PwnDefend
- Removing Application UAC Requirements with Shims
- CVE Trends: Crowdsourced CVE intel
- Proactive Preparation and Hardening to Protect Against Destructive Attacks
- For [Blue|Purple] Teams in Cyber Defence