6 Things IT Admins Should Validate Right Now

To CyFlare Partners & Clients

We know that our partners and clients depend on CyFlare for cyber security services. Due to the pandemic, and the havoc that is being experienced across the world, we wanted to offer up some preventive measures as a follow-up to ensure security compliance.

As IT organizations change controls to enable business resumption for remote workers, alter operations, and adjust Identity & Access Management, human error creeps in: misconfigurations, uncontrolled actions and the like. IT groups are being tasked with getting employees and other remote services set up and running on new configurations.

Below are some “use cases” identified to raise your awareness of potential exposures created by emergency actions and reactions during this time. Please validate and address these areas to reduce potential exposures:

  1. Lock Down RDP – Triple check the access control lists responsible for limiting which machines accept RDP connections from the public internet. This is one of the most common but critical mistakes a security team can make. If you must expose a machine, be sure your whitelists are very explicit. We also have simple-to-deploy solutions that remove any requirement for public exposure of RDP.
  2. Scrutinize VPN – Setting up VPN tunnels that grant access to the entire network means trusting everything and everyone. Be sure your VPN ACLs are heavily scrutinized and limit VPN users to just the specific resources they need. Bad actors are extensively targeting VPNs for obvious reasons.
  3. Scrutinize Firewall ACLs – Misconfigured firewalls may expose specific groups, users or machines to the Internet. This allows scanning, brute forcing, exploit delivery and additional reconnaissance that must be avoided.
  4. Identify & Monitor Un-Managed Devices – Un-managed devices allowed to access corporate resources create irregular and dangerous situations. Allowing un-managed machines or devices unrestricted access to corporate networks and resources opens up countless possible catastrophic scenarios. Constant monitoring and paranoia are required: anomalous internal and external traffic must be investigated immediately, particularly if it comes from an un-managed machine.
  5. User Behavior Analysis – User behavior and login activity monitoring is now more complicated to interpret due to the remote workforce. Keenly check for any UBA-related detections such as login location anomalies, application usage anomalies, payload anomalies, login time anomalies, etc. Machine learning is now essential to capture these changing behaviors. Static analysis will not be effective.
  6. Force Endpoint Protection on All Devices – Un-managed devices without a proper Endpoint Protection solution may also produce malicious downloads, miscellaneous alarms and anomalous processes that in turn cause data leakage, loss of confidential information, harvesting, etc. Such activity remains visible on the network because the sensor captures the traffic, which may trigger alarms.
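Use cases 1 through 3 above all come down to reviewing rule sets for overly broad "allow" entries. The following is an added example (not CyFlare's tooling or any firewall vendor's API) of a small audit script that walks a constructed rule set and flags two things: a remote-administration port reachable from a source prefix so wide it is effectively the whole internet, and a VPN rule that lets every VPN user reach every destination on every port. RDP is the port the advisory names; SSH and VNC are added as the obvious generalization. The `Rule` structure, the `zone` labels and the `/8` cut-off for what counts as an explicit whitelist are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Remote-administration ports that must never be reachable from arbitrary
# public addresses.  RDP (3389) is the one the advisory calls out; SSH and
# VNC are included as the obvious generalization.
ADMIN_PORTS = {3389: "RDP", 22: "SSH", 5900: "VNC"}

# A source prefix this short (or shorter) is "the internet", not a whitelist:
# a /8 alone is 16 million addresses.  Assumed threshold for this example.
MAX_WHITELIST_PREFIX = 8


@dataclass
class Rule:
    name: str
    zone: str            # "wan" (internet-facing) or "vpn" (assumed labels)
    action: str          # "allow" or "deny"
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    port: Optional[int]  # None means every port


def is_broad_source(cidr: str) -> bool:
    """True when the source covers effectively the whole internet."""
    if cidr.lower() == "any":
        return True
    return ipaddress.ip_network(cidr, strict=False).prefixlen <= MAX_WHITELIST_PREFIX


def audit_rules(rules: List[Rule]) -> List[str]:
    """Return one finding per allow-rule that violates use cases 1-3."""
    findings = []
    for r in rules:
        if r.action.lower() != "allow":
            continue
        # Use cases 1 and 3: an admin port open to the public internet.
        if r.zone == "wan" and r.port in ADMIN_PORTS and is_broad_source(r.src):
            findings.append(
                f"{r.name}: {ADMIN_PORTS[r.port]} (tcp/{r.port}) reachable from {r.src}"
            )
        # Use case 2: a VPN rule that trusts every user to reach everything.
        if r.zone == "vpn" and r.dst.lower() == "any" and r.port is None:
            findings.append(
                f"{r.name}: VPN users granted unrestricted access to all destinations"
            )
    return findings


# Constructed rule set for the example; not taken from any real firewall.
SAMPLE_RULES = [
    Rule("rdp-jump-host", "wan", "allow", "203.0.113.0/24", "10.0.0.5/32", 3389),  # explicit whitelist: OK
    Rule("emergency-rdp", "wan", "allow", "0.0.0.0/0", "10.0.0.7/32", 3389),      # use case 1 violation
    Rule("vpn-full-access", "vpn", "allow", "10.8.0.0/24", "any", None),           # use case 2 violation
    Rule("vpn-erp-only", "vpn", "allow", "10.8.0.0/24", "10.0.1.20/32", 443),      # least privilege: OK
    Rule("default-deny", "wan", "deny", "any", "any", None),                        # ignored: not an allow
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding)
```

Run against the constructed rules it reports `emergency-rdp` and `vpn-full-access` and stays silent on the two rules that name a specific source and destination. To use it for real, replace `SAMPLE_RULES` with rules exported from your own firewall or VPN concentrator and tune `MAX_WHITELIST_PREFIX` to what "explicit" means in your environment.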

All of these increase attack potential and can lead to account takeovers, privilege escalation due to accessibility / usability, suspicious IOCs and many other scenarios that may not have been thought through.

At CyFlare, our Analysts are aware that clients are making various changes to their environments and want to ensure your IT organizations review all changes to avoid incidents. We look at the areas outlined above as part of the initial steps of our triage process in incident response.

Thank you for being CyFlare clients and entrusting us with your cyber network threats and security needs. These are challenging times, but I want you to know that we stand ready to help however we can. We understand the critical role we play in the cyber security of our partners’ and clients’ infrastructure and we are continually humbled by the trust you place in us. Together, we will get through this.

Please subscribe, if you have not already, to the CyFlare Trust page to receive continued updates and instant notification should there be any disruption to service or related communications.


Maneesh Thammishetti
Platform Architect
CyFlare, LLC ( www.CyFlare.com )

Straight Talk On Mid-Pandemic Cyber Security

Introduction

I have been thinking for a couple of weeks now about what I wanted to share, how it should be shared, etc. I am glad I thought instead of writing and sharing in haste.

As it relates to enabling knowledge workers to remain productive and secure while remote, it should have been a non-event.

What I’ve seen is propaganda from vendors, and reaction and regression from clients. None of it was necessary. That said, we do have many clients who have done a world-class job preparing and reacting. They knew enough to look for help ahead of time, and that says a lot!

Clients have repeatedly asked me what this means for CyFlare and how it will affect service. Even when the questions came to us early and a few details were still to be laid down internally, the answer was quite simple, because the answer is the same for us as it would be without the pandemic.

We have policy, controls, monitoring and an incident response plan in place 365 days a year, not just for a pandemic. Writing a couple of internal / external communication emails and deploying updated hardware to staff is really the net impact for us, at least.

The Point

In the cyber security context, today’s “remote workforce” problem is not due to the pandemic; it is due to an organization’s collective failure to do the right things one day at a time over the last few years.

How do projects get years behind? One day at a time is the answer. To follow that up, there is a Polish saying: “Sleep faster, we need the pillows”. Therefore, one cannot expect to rush what should have been years of planning and doing into a couple of days of scrambled activity.

Transitional Starter Kit

There is no silver bullet, but here are things that just have to be done. It does not have to be hard or expensive either. For the resources responsible for IT and / or Security, here is some straight talk guidance:

People and Process Items

All organizations have varying levels of maturity, compliance drivers, associated risks, personality, culture, etc. The reality is that whether you have done, will do or will not do the items in the list below will certainly vary. That said, they simply all need to be done.

  1. Determine and prioritize your organization’s goals and fears
    1. Identify what your organization is trying to do, why and when
    2. Take inventory of what your organization fears as it relates to security, compromise, loss of data, systems etc…
  2. Communicate and educate leadership
  3. Ask leadership for decisions
  4. Create / Update Info Security Policy and basic related procedures
  5. Get informed about departments, roles, systems and needs
    1. Helps identify least privilege strategy
    2. Helps prioritize access and deployment

Security Control Related Items

  1. Protect your accounts!
    1. Enable MFA, like seriously, enable MFA
    2. Monitor every system you care about for authentication & action activity
    3. Know your accounts
      1. Who does what, when, from where, to what, etc.
      2. You need to know your baseline / normal, otherwise you won’t know the anomalous
  2. Deploy Full Web Proxy – Cloud Based
    1. Every connection to / from the internet must be fully inspected
    2. Every machine, protected from anywhere, same policies, everything logged
  3. Deploy Advanced Endpoint & EDR
    1. Last line of defense – make it a great one
    2. Control USB & Bluetooth, enable firewall, etc.
    3. Ensure you have visibility into everything on the endpoint
  4. Kill your end-user VPN. There is a better way
    1. Connect your people with apps intelligently and far more securely
  5. Know your vulnerabilities
    1. Scan your systems, get them patched / updated
    2. This is inexpensive and easy to do
    3. Start with public-facing apps, machines, etc.
  6. Monitor everything you decided you cared about (or feared)
    1. Get in the knowing business, collect knowledge
    2. Determine metrics
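Item 1.3 above ("know your baseline / normal, otherwise you won't know the anomalous") and use case 5 in the advisory (login location and login time anomalies) describe the same detection idea. The following is an added example, not CyFlare's UBA engine or any product's logic, that builds a per-account baseline from a constructed set of authentication events and then flags logins from a country the account has never used or at an hour outside its usual window, plus accounts that have no baseline at all. The log format (ISO timestamp, user, country, result), the sample users and the one-hour slack around the observed window are all assumptions made for this example; a real deployment would feed it your identity provider's sign-in logs and a longer baseline period.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterator, List, Set, Tuple

# Constructed sample authentication events (timestamp,user,country,result);
# not real data from any client.  The first block establishes each account's
# "normal"; the second is the remote-work period checked against it.
BASELINE_LOGS = """\
2020-03-02T08:55:00,alice,US,success
2020-03-02T09:10:00,bob,US,success
2020-03-03T09:02:00,alice,US,success
2020-03-03T17:40:00,bob,US,success
2020-03-04T08:47:00,alice,US,success
2020-03-04T10:15:00,bob,CA,success
2020-03-04T10:16:00,bob,CA,failure
"""

REMOTE_LOGS = """\
2020-03-23T09:05:00,alice,US,success
2020-03-23T03:12:00,alice,RO,success
2020-03-23T11:30:00,bob,CA,success
2020-03-23T23:45:00,bob,US,success
2020-03-23T12:00:00,carol,US,success
"""

Event = Tuple[datetime, str, str, str]
Finding = Tuple[str, str, str]  # (user, timestamp, reason)


def parse_events(text: str) -> Iterator[Event]:
    """Parse the assumed CSV-style log format into typed events."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, result = line.split(",")
        yield datetime.fromisoformat(ts), user, country, result


class Baseline:
    """Per-account set of countries and hours seen in successful logins."""

    def __init__(self) -> None:
        self.countries: Dict[str, Set[str]] = defaultdict(set)
        self.hours: Dict[str, Set[int]] = defaultdict(set)


def build_baseline(text: str) -> Baseline:
    base = Baseline()
    for ts, user, country, result in parse_events(text):
        if result != "success":          # failures do not define "normal"
            continue
        base.countries[user].add(country)
        base.hours[user].add(ts.hour)
    return base


def detect_anomalies(text: str, base: Baseline, hour_slack: int = 1) -> List[Finding]:
    """Flag successful logins that fall outside the account's baseline."""
    findings: List[Finding] = []
    for ts, user, country, result in parse_events(text):
        if result != "success":
            continue
        stamp = ts.isoformat()
        if user not in base.hours:
            # An account that never appeared in the baseline is itself worth a look.
            findings.append((user, stamp, "no baseline for this account"))
            continue
        if country not in base.countries[user]:
            findings.append((user, stamp, f"login from unseen country {country}"))
        lo = min(base.hours[user]) - hour_slack
        hi = max(base.hours[user]) + hour_slack
        if not lo <= ts.hour <= hi:
            findings.append(
                (user, stamp, f"login at hour {ts.hour:02d} outside usual {lo:02d}-{hi:02d}")
            )
    return findings


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOGS)
    for user, stamp, reason in detect_anomalies(REMOTE_LOGS, baseline):
        print(f"{stamp} {user}: {reason}")
```

On the constructed data this reports alice's 03:12 login from RO twice (new country and unusual hour), bob's 23:45 login, and carol, who has no baseline. The point of the example is the order of operations the list insists on: collect the baseline first, then compare; without the first step every remote-work login looks either fine or suspicious depending on the analyst's mood.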

Continuous Improvement

Take your knowledge and metrics and apply them back through the mentioned steps.

Current events are forcing a scramble to do what should have been done all along. A proactive cyber security program and vigilant execution of it are not optional. Several well-known frameworks exist that lay out layers of detailed directives addressing many other processes, activities and controls that can take you further.

Cyber Security Community Support Program

In response to the global pandemic and massive movement to a remote workforce, CyFlare is offering consulting and solutions to Rochester area organizations who are looking for guidance on how to securely enable their remote workforce.

We are committed to supporting the greater Rochester area and doing our part while we all work through these new circumstances. We will prioritize essential services such as municipal, education, healthcare etc… and reserve the right to refuse assistance to protect the service delivery of our current clients and honor commitments made.

Given the nature of our business we work exclusively and extensively with our technology partners.

We recommend organizations reach out to any of these partners in the area to get us engaged:

You may also reach us directly at 877.729.3527 or via live chat on our website.

The details of the offering are as follows:

  • Free deployment and usage of our SentinelOne Complete advanced endpoint protection for 60 days, up to 25 endpoints per organization. 24×7 monitoring & incident response are not included
  • Free Security Posture Assessment and guidance
  • Free AlienVault deployment audit for those clients who have AlienVault and want to make sure they have complete visibility
  • Free Darkweb scan against your organization’s email domain
  • Free usage of the Breach Detection System for 60 days
    • Choose one cloud integration to enable account-takeover-related monitoring (Office 365, GSuite, AWS or OKTA)
    • Windows agent deployment to domain controllers
    • Setup and knowledge transfer is included
    • 24×7 Monitoring & Incident Response not included
  • Free CyFlare Remote Access for 60 days – Get rid of your VPN and provide ultra-secure access to your internal applications for up to 10 users
    • Does not include optional appliance for easy setup and deployment
    • Includes initial setup and knowledge transfer
    • Protects your users from key-logging, screen-scraping, clipboard tampering and soon, session recording (movie replay)

We look forward to supporting the community that has supported us.