It’s called essentials it’s not called advanced!

Have you ever wondered what the absolute minimum you should do is to protect against cyber criminals? I’ll be honest I haven’t, that minimalistic approach to be seems kind of risky… BUT the world is not me and if you want to achive greatness you need a good foundation! So the essentials are good to know.

The following standards must be adhered to when operating a production PC device within the environment:

Up to date antimalware must be installed and enabled
Real time scanning must be enabled
At least a weekly full scan must be performed
Applications must be licensed
Applications must be authorised
Smart Screen must be enabled in EDGE or if using an alternative browser other controls must be in place e.g., google safe browsing
Full disk encryption must be leveraged for OS disks
Sensitive data should be encrypted at rest and in transit
Removable Media should be managed
- Use encryption for sensitive data, you might consider using bit locker to go or simply archive based encryption (e.g., encrypted zip files)
Unique usernames and passwords must be utilised
General purpose computing accounts with administrator rights should not be used to browse the internet.
- A dual account model might help you manage this.
Ensure host-based firewalls are blocking inbound connections except where there is a documented business case
- This makes lateral movement very difficult so check if you have SMB/RPC/WMI or RDP enabled, you might want to consider using a reverse connection based remote management and monitoring solution.
Ensure patches are set to deploy automatically (Ensure critical patches are deployed within 14 days of release. I tend to configure laptops for weekly patching and desktops for daily patching but the more often the better from my point of view)
Ensure mobile devices are up to date
Ensure mobile devices are not rooted
Ensure only authorised applications are installed

Now you might be thinking even though I’ve said this is the essentials you are still thinking, “Dan this list is tiny! Where’s the other controls?”. Well, you are right. This list is nowhere near as long as a comprehensive endpoint security list is when you want to assure you are in a good place. What I’m doing here is mapping the real essential basic controls (currently in line with Cyber Essentials) so that people have an idea of the bare minimum.

Layers

We need to think about other areas:

Physical and Environmental Security
Personel Security
Supply Chain Security
Hardware Security
OS Security
Data Security
Applicaiton Security
Monitoring
Network Security
Identity and Access Management
Legal and Regulatory Compliance

Boy the list is long! as you can see in this post we are only scratching the surface.

Getting Blue Team 1337

I wrote an endpoint assessment standard a few years ago, it’s over 70 questions and covers a whole range of controls and good practises. Here we need to consider way more details technically but also in terms of process and integration. You are going to want to know you can respond when something bad does occur! You’ll want to expand on antivirus with Endpoint Detection and Response etc.

On Solid Foundations

Well, the idea here was to give people a view on not just the essential but what relatively advanced looks like. More on that in the future! For now here’s the basics, trust me some orgs will struggle to even get these in place.

If you want to look into a bit more detail at modern Windows Endpoint security there’s a post here which starts to go into a range of areas and features: