Barely a day goes by without reading about a new breach, organisations both large and small are under constant thread from cyber criminals and most organisations are either living in ignorant bliss or are one mistake away from being pwn3d. To this end I wanted to publish a list of activities that small businesses can conduct on a regular basis to help improve their security posture. The focus here is on organisations that operate an active directory domain environment but some of the areas can apply to many systems/architectures.
Regular Security Maintenance
The following is a list of activities I’d recommend that are routinely conducted:
- Review backup configurations and ensure your crown jewels are protected
- Port scan backup systems to ensure attack surface is minimal
- Ensure backups are not on domain joined systems
- Restoration Testing
- Test restoration of item level and system level objects
- Password Audits
- Conducting an active directory domain password audit isn’t that hard and you can knock out some of the low hanging fruit with a low spec rig.
- Don’t forget those line of business systems as well
- Security Log Review
- Hopefully you’ve got a central logging service but even if you don’t some PowerShell foo and you can check logs
- Account Review
- Validate accounts are still required, disable accounts that are not in use
- Change the TGT Service Account Password (twice)
- In active directory this service account needs its password changing every 90 days (twice) so make sure you have done that
- Check the status of your devices and deploy updates
- It’s easy for some devices to slip through the net! Keeping an eye on this is a great idea
- Conduct regular vulnerability scans
- Keep an eye on your network and device posture by conducting regular vulnerability scans and make sure you have a process for knocking those high/critical vulnerabilities out of the box
- Check AV Coverage
- Make sure your AV solutions are up to date and deployment coverage is complete
- Least priviledge access
- I’ve added this in because I don’t know how but I forgot it… please please stop running everything with administrator rights. deploy a tiered account model (I have three accounts in a typical environment, domain/system/server admin, desktop admin and normal account). So the ops task here is to review priviledges on a regualr basis! Access rights creep is a thing, keep an eye out for it!
Security is a daily activity, not yearly
There’s loads more activity that goes into securely operating an environment however that’s a list of some relatively simple activities that organisations often do not conduct. Whether you in house these, outsource them or use a hybrid its key to ensure you have continual security operations activities conducted. A pentest of your website once a year is not a good idea as being your only security assurance activity, regular checks and validation are the way to improving security posture and helping reduce the likelihood and impact of cyber incidents.