How effective have you been in helping your clients to harden their IT environments to protect them from cyberattack – particularly SMB clients who are an increasing cyber target, but lack sophisticated security defences?
‘Harden and protect’ is a message that is gaining a lot of traction among MSPs. But what does hardening systems actually mean? How can you be sure you are doing it right? And what are the most effective areas to focus on for some early results?
The simplest explanation of hardening I have seen describes the process as trying to make a system ‘bulletproof’. As a goal, that works for me.
We need to harden systems to reduce the risk of cyber criminals getting into your IT environment – and your clients’ IT environments. That means eliminating vulnerabilities all too often found in operating systems, servers, networks and applications – because it is these vulnerabilities that are being exploited by cyber criminals looking for a technology backdoor into your or your clients’ IT ecosystems.
Attackers, who may be located anywhere in the world, are constantly scanning the network and cloud doors and windows of small companies, waiting for new and possibly unprotected systems to be attached to the network.
They are particularly interested in devices which plug in and out of the network – laptops or bring-your-own-devices (BYOD) which might be out of sync with security updates or could already be compromised.
“The number one cause of every US data breach going back seven years has been unauthorized assets such as personal laptops joining private company networks”
They also take advantage of any delay in protecting new hardware. A box may be installed on your network in the evening but not configured and patched with the appropriate security updates until the following day – by which time it may be too late.
Hardening is all about reducing the ‘attack surface’ of any IT environment. The attack surface is the sum of all the different points (attack vectors) where a hacker is able to enter. These points need to be prevented or plugged and the IT ecosystem made as close to bulletproof as is realistically possible.
Systems hardening is about reducing security risk: managing your IT assets properly, controlling the business environment, having sound access controls and following best practices. It is about going about this in a methodical, auditable way and being guided by a recognised framework and set of standards. It’s not a ‘one-time only’ exercise; it’s about putting hardening at the heart of your security defences on an ongoing basis – particularly as it is also required to comply with regulatory and industry requirements such as PCI DSS and HIPAA.
Fortunately there are frameworks and controls to guide you through the hardening process.
The CIS Top 20 Critical Security Controls and NIST Cybersecurity Framework
In 2017, the United States Government was so concerned by the spiralling number of cyberattacks that it spent $2bn developing the NIST cybersecurity framework, a collection of standards, guidelines and best practices to manage cybersecurity-related risk. The framework is based around five pillars: Identify, Protect, Detect, Respond and Recover.
The Center for Internet Security (CIS) in the United States regularly publishes a list of Critical Security Controls (CSC), a prioritized set of actions designed to protect organisations and data from known cyberattack vectors.
NIST uses the CIS controls to underpin many of their recommended best practices.
The NIST framework and the CIS controls are fundamental to the security services we deliver to our MSP partners.
When you sign up with inSOC, we harden your clients’ IT environments to the CIS Top 20 controls. This is a vital element in protecting them against known cyber threats. A full listing of the CIS 20 critical controls is available here, but I am picking out here eight controls that can make a real difference to you. We have seen these lower the most noise and fix common insecure MSP misconfigurations that allow MSPs’ clients to get breached or ransomed.
CIS Critical Control 4: Controlled use of administrative privileges
The misuse of administrative privileges is a primary method for attackers to spread inside a target enterprise.
- 4.9 Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account
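As an added illustration of sub-control 4.9 (not code from inSOC or CIS), the script below parses constructed sshd-style log lines, keeps only failed logins against a defined set of administrative accounts, and aggregates them into alerts per host, account and source address. The account names, hostnames and addresses are constructed sample values; the pattern would be adapted to whatever log source the SIEM ingests.

```python
import re
from collections import Counter

# Constructed sample log lines in sshd/syslog style; not taken from any real system.
SAMPLE_LOG = """\
Mar 12 08:01:11 fs01 sshd[2210]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 12 08:01:14 fs01 sshd[2210]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 12 08:02:03 fs01 sshd[2231]: Accepted password for jsmith from 192.0.2.15 port 50210 ssh2
Mar 12 08:03:40 fs01 sshd[2244]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar 12 08:04:05 fs01 sshd[2250]: Failed password for jsmith from 192.0.2.15 port 50211 ssh2
Mar 12 08:05:19 fs01 sshd[2262]: Failed password for backupadmin from 198.51.100.9 port 40100 ssh2
"""

# Accounts that carry administrative privilege (assumed list for this example).
ADMIN_ACCOUNTS = {"root", "admin", "backupadmin"}

# Matches sshd failure lines; "invalid user" is optional because sshd adds it
# when the account does not exist locally (e.g. a guessed "admin" account).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def failed_admin_logins(log_text, admin_accounts=ADMIN_ACCOUNTS):
    """Return one event dict per failed login against an administrative account."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m and m.group("user") in admin_accounts:
            events.append({k: m.group(k) for k in ("ts", "host", "user", "src")})
    return events

def alerts(events, threshold=1):
    """Aggregate events per (host, user, src). threshold=1 alerts on every
    failure, which is what 4.9 asks for; raise it only for noisy sources."""
    counts = Counter((e["host"], e["user"], e["src"]) for e in events)
    return sorted((h, u, s, n) for (h, u, s), n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for host, user, src, n in alerts(failed_admin_logins(SAMPLE_LOG)):
        print(f"ALERT {host}: {n} failed login(s) to admin account '{user}' from {src}")
```

The non-admin failure for jsmith is deliberately kept out of the alert list so that the rule reports only what the control asks for.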
CIS Critical Control 6: Maintenance, monitoring and analysis of audit logs
Deficiencies in security logging and analysis allow attackers to hide their location, malicious software and activities on victim machines. Collect, manage, and analyse audit logs of events that could help detect, understand, or recover from an attack.
- 6.8 On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.
CIS Critical Control 9: Limitation and control of network ports, protocols and services
Attackers search for remotely accessible network services that are vulnerable to exploitation. Common examples include poorly configured web servers, mail servers, file and print services.
- 9.2 Ensure that only network ports, protocols, and services with validated business needs are listening and running on each system.
- 9.3 Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.
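Sub-controls 9.2 and 9.3 together amount to keeping a baseline of ports with a validated business need and comparing each scheduled scan against it. The added example below (not inSOC's or CIS's code) parses a constructed sample in Nmap's grepable (`-oG`) output format and reports any open port that is not on the baseline; the hosts, addresses and baseline are constructed for the example.

```python
import re

# Constructed sample in nmap "grepable" (-oG) format; not output from a real scan.
SAMPLE_SCAN = """\
# Nmap scan (constructed sample)
Host: 192.0.2.10 (fs01.example.internal)\tPorts: 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)
Host: 192.0.2.20 (web01.example.internal)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)
Host: 192.0.2.30 (printer.example.internal)\tPorts: 9100/open/tcp//jetdirect///\tIgnored State: closed (999)
"""

# Baseline of (protocol, port) pairs with a validated business need per host (9.2).
# Assumed values for this example; in practice this comes from the asset inventory.
AUTHORIZED = {
    "192.0.2.10": {("tcp", 22), ("tcp", 445)},
    "192.0.2.20": {("tcp", 80), ("tcp", 443)},
    "192.0.2.30": {("tcp", 9100)},
}

HOST_RE = re.compile(r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)\tPorts: (?P<ports>[^\t]+)")
# Each port entry reads port/state/protocol/owner/service/rpc/version/
PORT_RE = re.compile(r"(?P<port>\d+)/(?P<state>\w+)/(?P<proto>\w+)/")

def parse_open_ports(scan_text):
    """Return {ip: {(proto, port), ...}} for ports reported as open."""
    observed = {}
    for line in scan_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comments and hosts with no Ports field are skipped
        ports = {
            (p.group("proto"), int(p.group("port")))
            for p in PORT_RE.finditer(m.group("ports"))
            if p.group("state") == "open"
        }
        observed[m.group("ip")] = ports
    return observed

def unauthorized_ports(observed, authorized=AUTHORIZED):
    """Map each host to the sorted list of open ports absent from its baseline.
    A host missing from the baseline has no validated ports, so all count."""
    findings = {}
    for ip, ports in observed.items():
        extra = ports - authorized.get(ip, set())
        if extra:
            findings[ip] = sorted(extra)
    return findings

if __name__ == "__main__":
    for ip, extra in unauthorized_ports(parse_open_ports(SAMPLE_SCAN)).items():
        print(f"ALERT {ip}: unauthorized open ports {extra}")
```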
CIS Critical Control 12: Boundary defence
Threats such as organized crime groups and nation-states use configuration and architectural weaknesses found on perimeter systems, network devices, and Internet-accessing client machines to gain initial access into an organisation.
- 12.2 Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.
- 12.3 Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization’s network boundaries.
- 12.4 Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization’s network boundaries.
- 12.6 Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization’s network boundaries.
Looking for a silver bullet?
Your aim may be to make your clients’ IT environments bulletproof – but to turn the analogy on its head, sadly there is no silver bullet to achieve this; no one solution to guarantee total protection against cyberattack.
But there is help at hand
Partner with inSOC and we will help you to harden your clients’ IT environments to the CIS Top 20 critical controls as part of the first 30 days onboarding process.
This is a key element of ONE STOP SOC, our pre-configured, AI-driven detection platform, powered by Starlight from Stellar Cyber with vulnerability scanning from Rapid7. It’s quick to onboard, easy to deploy and profitable to resell to your clients.