You have probably read in the news that the last major cybersecurity incident for organization X or product Y was related to basic cyber hygiene practices, not any sort of zero-day vulnerability. Despite the recent focus on these types of vulnerabilities, many cyber incidents are still caused by unpatched known vulnerabilities, misconfigured systems, and bad practices.
Implementing “core” cybersecurity practices such as multi-factor authentication (MFA), access controls, automatic patching and configuration, and active cyber defense is crucial to minimize vulnerabilities, protect against threats, prevent incidents, and maintain overall cybersecurity posture. The following four core areas are the most critical to effectively defending environments:
1. Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA)
Passwords are no longer enough. It’s important that ALL users move away from password-only authentication, combined with appropriate role-based access control. There should be at least two methods of authentication on an application or device, drawn from different categories: something you have (like a hard/soft token or identification device), something you know (a password or hash), and something you are (a biometric identifier, such as a fingerprint).
Having just a “token,” for example, does not satisfy that requirement. The industry is moving toward passwordless authentication. This is why multi-factor authentication and encryption are tracked as part of Federal Information Security Modernization Act (FISMA) reporting. A system is not MFA-enabled unless all applications included within the system’s boundary have been MFA-enabled. So, agencies should:
- Ensure 2FA/MFA is applied up and down the technology stack (system, application, data).
- Move to passwordless, derived credential, and/or phishing resistant MFA.
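The factor-category rule above (two factors, but not two of the same kind) is easy to get wrong in code. The following is an added example, not code from the article: a login policy check that requires every presented factor to verify and the verified factors to span at least two of the have/know/are categories. The account store, salt, TOTP secret and the fingerprint stand-in are constructed placeholders; the TOTP routine follows RFC 6238.

```python
"""Added example (not from the article): a login check that only succeeds when
factors from at least two distinct categories (have / know / are) verify.
The account store, salt, TOTP secret and the fingerprint stub are constructed."""
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional, Tuple

# Factor categories named in the article: have / know / are
FACTOR_CATEGORY = {
    "password": "know",
    "totp": "have",          # authenticator app or hardware token
    "fingerprint": "are",
}


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is an illustrative value
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def totp(secret: bytes, timestamp: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme common authenticator apps use."""
    counter = int(timestamp // step)
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# Constructed sample account (placeholders, not real credentials)
SALT = b"constructed-salt"
ACCOUNT = {
    "pw_hash": hash_password("correct horse battery staple", SALT),
    "totp_secret": b"constructed-totp-secret",
}


def verify_factor(name: str, value: str, now: float) -> bool:
    """Verify one presented factor against the constructed account."""
    if name == "password":
        return hmac.compare_digest(hash_password(value, SALT), ACCOUNT["pw_hash"])
    if name == "totp":
        # accept the current and the previous 30 s step to tolerate clock drift
        return any(hmac.compare_digest(totp(ACCOUNT["totp_secret"], now - drift), value)
                   for drift in (0, 30))
    if name == "fingerprint":
        # stand-in for a biometric matcher; compares a constructed template id
        return hmac.compare_digest(value, "constructed-template-match")
    return False


def verify_login(presented: Dict[str, str], now: Optional[float] = None) -> Tuple[bool, str]:
    """presented maps factor name -> presented value. Every presented factor
    must verify, and the verified factors must span at least two categories;
    two factors of the same category (two 'have' tokens) do not count as MFA."""
    now = time.time() if now is None else now
    categories = set()
    for name, value in presented.items():
        if name not in FACTOR_CATEGORY:
            return False, f"unknown factor: {name}"
        if not verify_factor(name, value, now):
            return False, f"factor failed: {name}"
        categories.add(FACTOR_CATEGORY[name])
    if len(categories) < 2:
        return False, f"only {len(categories)} factor category verified"
    return True, "MFA satisfied: " + ", ".join(sorted(categories))
```

The category set, not the count of presented credentials, is what decides the outcome: a correct password plus a correct TOTP code passes, while a correct TOTP code alone is rejected as a single category even though the code itself verified.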
2. Vulnerability and Patch Management
Vulnerability tracking is key. With the advent of new threats and readily available AI capabilities, adversaries are able to exploit vulnerabilities at an unprecedented pace. It’s more important than ever to ensure vulnerabilities are continuously being scanned and remediations are automated. Automated patch management is critical for network devices, systems, and applications. Balancing stability with an up-to-date security posture is an essential measure of whether organizations are taking vulnerability management seriously. Against this backdrop, agencies would be well advised to:
- Use tools such as AWS Systems Manager to automate patching.
- Implement automated vulnerability scanning with tools such as Tenable or Amazon Inspector to ensure comprehensive visibility across containers, Lambda functions, and the CI/CD pipeline.
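Continuous scanning only pays off when findings are turned into a remediation queue with deadlines. The following is an added example, not the article's own code: it triages a constructed scanner export against a per-severity patch SLA and orders overdue items so known-exploited, high-severity findings come first. The finding schema, the SLA days and the sample data are assumptions, and the CVE identifiers are placeholders, not real ones.

```python
"""Added example (not from the article): rank scanner findings against a patch
SLA so overdue, exploitable, high-severity items are remediated first. The
finding schema, the SLA days and the sample export are constructed; the CVE
ids are placeholders, not real identifiers."""
from datetime import date
from typing import Dict, List

SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}  # assumed policy
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample export in the shape a scanner might emit
FINDINGS: List[Dict] = [
    {"asset": "web-01", "cve": "CVE-XXXX-0001", "severity": "critical",
     "first_seen": "2024-05-01", "exploit_known": True},
    {"asset": "web-01", "cve": "CVE-XXXX-0002", "severity": "low",
     "first_seen": "2024-01-10", "exploit_known": False},
    {"asset": "db-02", "cve": "CVE-XXXX-0003", "severity": "high",
     "first_seen": "2024-05-20", "exploit_known": False},
    {"asset": "lambda-report", "cve": "CVE-XXXX-0004", "severity": "medium",
     "first_seen": "2024-02-01", "exploit_known": True},
]


def days_open(finding: Dict, today: date) -> int:
    """Days since the scanner first reported this finding."""
    return (today - date.fromisoformat(finding["first_seen"])).days


def is_overdue(finding: Dict, today: date) -> bool:
    """A finding is overdue once it has been open longer than its severity's SLA."""
    return days_open(finding, today) > SLA_DAYS[finding["severity"]]


def triage(findings: List[Dict], today: date) -> List[Dict]:
    """Return overdue findings, most urgent first: known-exploited before not,
    then by severity, then by how far past the SLA they are."""
    overdue = []
    for f in findings:
        if is_overdue(f, today):
            item = dict(f)
            item["days_past_sla"] = days_open(f, today) - SLA_DAYS[f["severity"]]
            overdue.append(item)
    overdue.sort(key=lambda f: (not f["exploit_known"],
                                SEVERITY_RANK[f["severity"]],
                                -f["days_past_sla"]))
    return overdue


def assets_out_of_sla(findings: List[Dict], today: date) -> Dict[str, int]:
    """Count overdue findings per asset, the list a patch job should act on."""
    counts: Dict[str, int] = {}
    for f in triage(findings, today):
        counts[f["asset"]] = counts.get(f["asset"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(FINDINGS, date(2024, 6, 1)):
        print(f["asset"], f["cve"], f["severity"], f"{f['days_past_sla']} days past SLA")
```

Run against the constructed export as of 2024-06-01, the critical finding on web-01 and the medium finding on the Lambda function are the only two past their SLA; the low finding has been open far longer in absolute terms but is still inside its window, which is the point of measuring against a per-severity deadline rather than raw age.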
3. Attack Surface Reduction / Misconfiguration
Establishing the right technical controls is key, and those controls should be baselined to industry best practices. Know what devices, networks and environments you have, where they are, and how they are hardened and configured. The smaller the attack surface, the less adversaries can target and exploit. Cloud service providers are making it easy to enforce cyber-hardened technical policies and controls and to understand the risks of cloud environments. Agencies should:
- Use tools such as AWS Security Hub to baseline against Center for Internet Security (CIS) controls and cloud security best practices.
- Ensure secure builds from the start and embrace secure by design principles.
- Use external attack surface management to understand your perimeter and, importantly, an adversary’s view of your system.
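Baselining against CIS-style controls comes down to machine-checkable rules over configuration. The following is an added example, not the article's or any vendor's code: a checker for two common security-group findings (an administrative port, or all traffic, reachable from the whole internet) applied to a constructed weak group and its hardened counterpart. The rule schema, group names and CIDRs are assumptions made for the example.

```python
"""Added example (not from the article): check security-group ingress rules
against a small CIS-style baseline (no administrative ports and no all-traffic
rules open to the whole internet) and show a weak group beside its hardened
form. Rule schema, group names and CIDRs are constructed."""
import ipaddress
from typing import Dict, List

ADMIN_PORTS = {22, 3389}  # SSH, RDP


def open_to_world(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. a /0 prefix in either address family."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_covers_port(rule: Dict, port: int) -> bool:
    """Protocol '-1' means all traffic; otherwise check the port range."""
    return rule["protocol"] == "-1" or rule["from_port"] <= port <= rule["to_port"]


def evaluate(group: Dict) -> List[str]:
    """Return one finding string per ingress rule that violates the baseline."""
    findings = []
    for rule in group["ingress"]:
        if not open_to_world(rule["cidr"]):
            continue
        if rule["protocol"] == "-1":
            findings.append(f"{group['name']}: all traffic allowed from {rule['cidr']}")
            continue
        for port in sorted(ADMIN_PORTS):
            if rule_covers_port(rule, port):
                findings.append(f"{group['name']}: admin port {port} open to {rule['cidr']}")
    return findings


# Constructed weak group: SSH and an IPv6 all-traffic rule open to the world
WEAK_SG = {"name": "web-sg-weak", "ingress": [
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"protocol": "-1", "from_port": 0, "to_port": 65535, "cidr": "::/0"},
]}

# Hardened form: SSH only from a constructed bastion subnet, HTTPS stays public
HARDENED_SG = {"name": "web-sg-hardened", "ingress": [
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "10.20.0.0/24"},
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
]}


if __name__ == "__main__":
    for group in (WEAK_SG, HARDENED_SG):
        print(group["name"], evaluate(group) or ["no findings"])
```

The public HTTPS rule is left alone in both groups because it is the service the group exists to expose; the baseline targets exposure that is almost never intended, which is what makes it safe to run automatically across an account.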
4. Active Defensive Cyber Operations
You can’t defend what you don’t know you have. Many incidents are caused by cybersecurity monitoring gaps. Ensure that automation is an integral and active component of your cybersecurity tool deployment. Having visibility into all ingress and egress points is critical. It’s important to:
- Use tools such as CrowdStrike Falcon XDR to ensure that you have endpoint protection for all your assets. Ensure auto deployment of agents on instances when deployed.
- Use visibility and analytic tools such as Splunk to centralize all security telemetry.
- Ensure that your applications have cyber defense monitoring. This is your last line of defense against unpatched vulnerabilities. Ensure web application firewalls (WAFs) and/or next-generation firewalls (NGFWs) are inline and are actively defending against common attacks.
- Limit access and permit by exception.
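Monitoring gaps are found by reconciling inventories, not by waiting for an incident. The following is an added example, not the article's code: it compares a constructed asset inventory against the hosts checking in to the endpoint agent and the hosts shipping logs to the SIEM, and reports both assets with missing coverage and telemetry sources that are not in the inventory at all. All three inventories and the instance identifiers are constructed placeholders.

```python
"""Added example (not from the article): reconcile an asset inventory against
the hosts reporting to the endpoint agent and the SIEM, so monitoring gaps are
listed instead of discovered during an incident. All inventories are
constructed; instance ids are placeholders."""
from typing import Dict, List, Set

ASSETS: Dict[str, str] = {  # constructed cloud inventory: instance id -> hostname
    "i-0000constructed01": "web-01",
    "i-0000constructed02": "web-02",
    "i-0000constructed03": "db-02",
    "i-0000constructed04": "bastion-01",
}
EDR_HOSTS: Set[str] = {"web-01", "db-02"}                       # agents checking in
SIEM_SOURCES: Set[str] = {"web-01", "web-02", "db-02", "shadow-01"}  # hosts shipping logs


def coverage_gaps(assets: Dict[str, str], edr: Set[str], siem: Set[str]) -> Dict[str, List[str]]:
    """Map each inventoried host to the telemetry feeds it is missing from."""
    gaps: Dict[str, List[str]] = {}
    for host in assets.values():
        missing = [feed for feed, covered in (("edr", edr), ("siem", siem))
                   if host not in covered]
        if missing:
            gaps[host] = missing
    return gaps


def unknown_reporters(assets: Dict[str, str], edr: Set[str], siem: Set[str]) -> Set[str]:
    """Hosts sending telemetry that the inventory does not know about: the
    'you can't defend what you don't know you have' problem in reverse."""
    return (edr | siem) - set(assets.values())


def coverage_ratio(assets: Dict[str, str], edr: Set[str], siem: Set[str]) -> float:
    """Fraction of inventoried hosts present in every feed."""
    if not assets:
        return 1.0
    fully = sum(1 for host in assets.values() if host in edr and host in siem)
    return fully / len(assets)


if __name__ == "__main__":
    for host, missing in coverage_gaps(ASSETS, EDR_HOSTS, SIEM_SOURCES).items():
        print(f"{host}: missing {', '.join(missing)}")
    print("unknown reporters:", unknown_reporters(ASSETS, EDR_HOSTS, SIEM_SOURCES))
    print(f"full coverage: {coverage_ratio(ASSETS, EDR_HOSTS, SIEM_SOURCES):.0%}")
```

On the constructed data the bastion host has neither an agent nor a log feed, which is exactly the kind of ingress point the article says must be visible, and shadow-01 is logging to the SIEM without appearing in the inventory, so the asset list itself is incomplete.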