Salus - Seven steps to better Cyber Security

Considerable guidance is available for organisations across the industry from various resources; however, much of it can be perceived as either overly prescriptive or very explicit. Our seven simple steps guide is our effort to provide free-flowing information without lengthy control statements and compliance documentation. We know cyber security is much more complex once you scratch the surface. It is not a case of simply following guidance, and your problems will be resolved. However, attackers often move onto easier targets when faced with well-secured organisations. While numerous expensive silver bullet solutions are available, the efficacy of these offerings is being questioned by the national technical authority and other parts of the UK Government. Salus advocates for a practical approach and believes in doing the basics well, precisely what our seven-step guide is designed to help you achieve.

1. Governance – strategy first

We see a lot of investment going into cyber security around the world in various industry verticals and within government organisations. Unfortunately, a lot of this investment is implemented without an underlying plan or strategy to ‘string it all together’; and subsequently the investments are often not entirely effective in achieving the thing it was supposed to. We recognise it is easy for us, a company specialising in penetration testing and offensive cyber operations, to find cyber investment as ineffective (it’s in our interest some could argue), but this blog post is designed to offer guidance and assistance on improving without significant capital expenditure. The Cambridge Dictionary refers to governance as 'the way that organisations or countries are managed at the highest level, and the systems for doing this'. Unfortunately, there are countless examples of organisations deploying cyber security in discrete projects or procuring 'silver bullet solutions' without sufficient governance or effective strategies to hold it all together. The NCSC has a great starting piece found here. Good cyber governance should be appetising to all leaders and organisations as it helps to incorporate cyber into the broader organisation strategy. You’ve probably heard the Chinese proverb, “A journey of a thousand miles begins with a single step”, but without adequate governance and strategy, how do you know in which direction to step?

Identify stakeholders

Make sure they’re the correct stakeholders. These could be IT, legal, risk, finance, security, but each will have requirements and inputs that need capturing.
You will need their support and buy-in to ensure the strategy’s effectiveness.
Ensure key stakeholders (senior leadership et al) are kept regularly informed of progress.

Write a cyber strategy

Align to your organisational strategy, if you don’t have one, align to the UK cyber security strategy or the MOD strategy.
Doesn’t need to be war and peace, can be a paragraph or two (and you can always revisit and refine as you evolve).
Think ‘desired posture’, and then move onto setting objectives.

Make your objectives reasonable

Identify short-term objectives and how they feed into long term strategy. Make them S.M.A.R.T. Don’t set out to achieve a zero-trust capability in 3 months if you have an environment with no controls or assurance (unless you’re going to just go entirely greenfield and invest heavily).
Identify outcome requirements, their measurability, and the timelines.

Underpin with organisational principles

If you’re unsure of where to look, look at your mission or vision statement and your core values, you’ll find some.
If you don’t have these, speak with the stakeholders, and create them collaboratively.

Map to laws, regulations, and policies

Keep a register of applicable legislation, for example The Data Protection Act.

Align to a framework (NCSC CAF, NIST)

Frameworks provide structure to your security controls.
Find a framework which suits your organisation and conduct a gap analysis to see what your position is (we can send you a template if you’d like, just reach out).

Record decisions and outcomes, keep track

Keep a change and improvement log to capture any decisions you have made.
Record minutes of key meetings so any actions required are not forgotten.

Establish cyber security roles and responsibilities

Understand who has ownership of what process via a RACI.
Map your structure with an organisation chart.

Identify outcomes and measurability

What are the outcomes you are hoping to achieve, maybe a higher Microsoft secure score, some kind of certification, etc?
Identify how performance will be measured, recorded and results discussed (S.M.A.R.T. again – we’re fans of S.M.A.R.T., if you hadn’t realised).

Hold people accountable

Provide training to people who make mistakes.
Encourage admitting mistakes, no “days since last accident” counters.

Conduct risk assessments

Understand what risks your organisation currently faces.
Create a prioritised risk register to understand what your highest risks are.

Is this an everyone problem akin to health and safety?

Who has access to sensitive information?
How should I direct my efforts to prepare those people?

2. Know your assets

You need to know what you have to defend, but just knowing what you have isn’t enough; you need to know as much about it as possible; this will make defending it much easier. Once full knowledge on your assets is gained, you can begin to design your security to defend these assets appropriately. Your IT Team will be essential during this stage – support them however you can.

Know what you have

Create an asset register (we think Snipe-IT and Netbox are great for this, and they are free!)
Your asset register needs to be all encompassing: hardware, software, operating systems.
Record the version number of each asset.
Record what make, model, and OS each device is

Know who “owns” it

Record who is using the asset.
Record who is responsible for the asset.

Know where it is

Record where the asset is hosted.
Record where the device is meant to be (e.g., a central office or if it can be taken home).

Know its purpose

What does the asset do?
What is the asset needed for?
What can it communicate with?

Know what data is stored, processed, or forwarded

How sensitive is the data held on the asset?
Where can data traverse to and from on this asset?

Know when it goes end of life

Record end of life at this stage – you’ll thank yourself later.

Shadow IT

Audit and understand shadow IT within your organisation and apply policies to control dataflows and access (and ideally segregate it).

3. Patch and update

We know that this step is overly simplistic in its presentation, and that modern organisations have complex interconnected environments with multiple applications and endpoints. In keeping with the core theme of doing the basics well, if operating systems and applications are kept up to date, it makes attackers lives so much more difficult to achieve their objectives.

Patch applications

Applications frequently have bespoke patching methods compared to Operating Systems, and therefore should be accounted for separately.

Patch operating systems

Automating and deploying operating system patches is a well understood problem, with multiple solutions for all use cases. If you’re struggling with doing this effectively, please reach out to us.

Patch equipment

Devices like printers, UPS, switches/routers, VoIP phones & phone systems, and out of band management (iLO/iDRAC) can often be forgotten but can carry vulnerabilities like anything else (management devices should also be on a separate network entirely but that’s for another post!).
This may sound far-fetched, but we’ve compromised entire organisations because a network printer was left unpatched.

Patch mobile devices

Mobile devices, due to their requirement for ease of use, make this easy to implement but can be challenging to keep track of.

Patch Anti-Virus

Ensure your Anti-Virus definitions and applications are up to date to ensure they’re in their most effective state and compliant with good practice.

Check the patches have applied (trust but verify)

Centralised vulnerability management systems, asset management systems, and other methods can ensure this is completed (a lot of automated systems fail without alerting you).
Continue to verify that automatic update processes are working, and patches are being applied.
Associate patch management results with asset logs to cross-reference and ensure everything is being patched.

Implement continual vulnerability management to make this easier

Low-cost vulnerability management is available and can be implemented without significant capital investment (some are free).

Leverage automatic updates to increase efficiency and assurance

Enable automatic updates for systems that support it to ensure the latest patches are always applied without impacting time investment.
Ensure Antivirus/antimalware systems update automatically at least once per day.

Plan ahead

Identity products and systems that are reaching EOL (this should be performed through step 2).
Plan to migrate, isolate, or decommission software and systems before they reach end of life.

4. Segregate your legacy assets

We recognise that it is not always feasible to update and upgrade everything on your estates; however, it's essential to bear in mind that vulnerabilities found in unsupported products will remain unpatched and will be exploitable by relatively low skilled attackers.

Reduce the likelihood of compromise by preventing obsolete assets from accessing untrusted content

Block legacy assets from accessing the internet. If they need specific internet configurations, apply fine grained controls to only allow explicit named hosts/URLs and block everything else.

Reduce the impact of compromise by preventing access to sensitive data or services from legacy assets

Log and monitor access, restrict to only those that need it.
Remove internet access from the legacy devices and legacy networks.
Segregate access from legacy systems to the rest of your network.
When creating separate network segments, ensure you deploy appropriate security tooling and firewalls to explicitly allow only specified trusted devices to communicate and reject everything else (an example could be if Bob and Alice need to communicate with a legacy application on an unsupported system, only their user devices should be able to access it, and everything else should be rejected).
Ensure security features are used where possible such as antivirus, EDR, or exploit mitigation technologies.

Document use cases of legacy systems

Have business justification of why the legacy system is required.
Complete regular reviews of justification and seek to decommission the system when no longer required.

Don’t enable new features or grant additional users access to legacy systems

Instead, encourage standing-up new solutions and seek to migrate away An example could be old building management systems with legacy applications; don’t add new buildings to old systems. Consider new systems for both, or a new system for new buildings and migrate old buildings to the new system in the future.

5. Secure your accounts, data & people

Whilst this step may seem like a lot of work to some, and you may have reservations about how much you can realistically achieve - a lot of this can be done via policy, education, and training with some robust technical controls to ensure policy adherence. An additional bonus is that a lot of this work (such as MFA, separating accounts, and assessing least privilege) can be done without cost.

Multi-factor authentication (no exceptions other than break glass)

If credentials are stolen, this ensures that attackers can’t get into your system.
Leverage phishing resistant MFA such as Security Keys.
Avoid phishable MFA such as SMS and Email (e.g. SIM swap attacks).
Push for passwordless (we can help you with this).

Restrict administrative privileges

Make sure that administrators can only conduct the activities they need to for their role.

Reduce number of administrative users

Limit the number of administrators to those who need elevated privileges.

Separate administrative and day-to-day accounts

Ensure that administrative accounts are only used for administrative duties.
Regular work should be conducted on standard accounts.
Nobody needs to be performing administrative functions all the time.
There should be a conscious choice from the user to enable their administrative rights.

Remove administrative account email and internet/external connectivity

Email and web are still a very common attack vector – remove the risk by disabling administrative accounts from accessing the internet or having email.

Disable Microsoft Office macros on all internet-accessible users

Confirm that users cannot install malicious macros onto your system.

Harden and encrypt email communication

Email hardening:
- Setup SPF, DMARC, DKIM, and MTA-STS.
- Enable security features for incoming mail (AV scanning, link protection, impersonation protection).
- Enable mailbox auditing if available.
- If you need any help with this, get in touch.

Protect your data

Enable full disk encryption (e.g. BitLocker) to protect against theft and unauthorised access.
Ensure that your storage solutions, whether cloud or physical, encrypt data at rest and in transit.
Limit USB/Removable storage to required users by issuing and only allowing corporate hardware encrypted drives recorded in your asset register.
Implement DLP to control who can read your data and prevent access even when it's been accidentally shared.
Set data retention periods in line with your legal, regulatory, and DPA requirements.

Least privilege model – less is more

Make sure that users can only access information they need to for their role. For example, a sales team member should not be able to access HR files.
Confirm that elevated privileges are restricted to only users that require it for their role.

Perform suitable cyber training and awareness

Undertake regular security training covering a range of subjects such as social engineering, GDPR, phishing, and staying safe online.

Logging

Setup extended log retention to ensure that logs are available long after an incident you may not be aware of. Log everything you need to make security decisions based on real data.

Vendor and Supply Chain Access

Limit vendor access by enabling controls like ‘Customer Lockbox’.
Secure your vendor and supply chain access, hold them accountable to meet yours or your customers/regulators cyber security standards.
Understand the cyber risk your supply chain and suppliers/contractors present to you – ensure you set a minimum standard that they need to demonstrate (Cyber Essentials Plus, ISO 27001, SOC 2, etc.)
Identify who is in your supply chain and what process they are responsible for.
Have assurance that your suppliers follow good security practices.

6. Deploy defence in depth approach

Investing in a single element of cyber security will always leave gaps. Defence in-depth approaches are tried, tested, robust, and comprehensive - but they require much thought, planning, expertise, and time investment. Notice we mention time as the investment as a lot of the defence in depth tools, techniques, and processes can be implemented with no capital investment required – especially with the abundance of open-source security applications in use throughout the world.

Disable technologies not required

Conduct a regular review of applications, functionality, and assets and remove and disable things which are no longer required or not in use.

Look to implement secure by design principles

Ensure that security is considered early on in your development processes.
Leverage free advice from the NCSC.

Align security settings to good practices

Microsoft release guidance on how to harden their operating systems and applications.
CIS and DISA release compliance standards for hardening assets.
NCSC has guidance on securing assets.
All of these can be used to set your requirements for security based on widely used good practices.

Deploy security tools where appropriate (anti-virus is an absolute minimum)

Research what tools would be the best for business. If you are unsure, reach out.
Prevent unsanctioned system changes and apps with controls such as AppLocker or software restriction policies.
Ensure security features are all enabled within existing tools (for example, turning on all important Microsoft Defender features).

Push for continual assurance

Ensure that assurance activities are reviewed at a regular interval.

Use a SIEM

Whilst this may be overkill for some organisations, the benefit they bring cannot be underestimated.
There are completely open-source options available, we’re big fans of Wazuh.

Trust, but verify

Leverage external, independent validation of security posture and processes thorough assurance activities such as penetration testing, exercising, GAP analysis, audits.
These activities help keep things honest and are useful to prove to external bodies that your strategy, plans, controls, and processes are effective.

Re-validate steps taken (to ensure they still work and are relevant)

Make use of lessons learned.
Perform things such as an OODA Loop - Observe, Orient, Decide and Act - a four-step approach to decision-making that focuses on filtering available information, putting it in context and quickly making the most appropriate decision, while also understanding that changes can be made as more data becomes available.

7. Have a plan B

Implementing all these steps does not mean you won't suffer a cyber incident. As part of modern robust strategies, you should have the ability to recover in the event of a cyber incident. If this ever happens, ensure you have a plan B and prove it is effective, efficient, and suitable for your organisation before you need it.

Make sure you have administrative break glass accounts

Setup at least two (2) break glass accounts that are exempt from all organisational controls to ensure access in an emergency (e.g. exempt from conditional access).
Ensure alerting is setup for when they are used.
Annually test that the credentials are valid and then rotate them.
Keep these passwords physically separate from everything (think piece of paper in a safe).
Implement physical security to prevent unauthorised access to credentials.

Ensure you have a disaster recovery plan – then test it

What are your worst-case scenarios and how would you overcome them. For example, flood, fire, internet outage, and power cuts.
Consider your data (backups), systems (DR migrate to other DC), hardware/appliances (is alternative equipment available if a site goes offline), and staff (can they work from home or another office).

Create an incident response plan – then test it

Detail what steps you will take in event of an incident.
- Initial Reporting
- Escalation Paths
- Methods of communication: both internal and to the appropriate authorities
- Responsibilities for investigation
- Evidence collection

Properly segregated backups – tested and proven

Have a backup schedule that fits your business.
Ensure you have a regular schedule for testing backups.
Physical security for backups; do not lose data through them.

Exercise your controls and processes with someone outside your organisation

Practice enacting your incident response and disaster recovery plans, find out what works for your organisation.
This might sound like an unusual step, but they will 100% think of things you haven't – the lack of organisational bias will be extremely valuable (think NCSC exercising).

Continually improve and implement lessons learned

Conduct root cause analysis on any incidents.
Have a continuous improvement process which uses incidents to drive changes.

Gather and centralise your logs – without these it is difficult to respond

What logs are available?
Are these in a useful format?
Can they be easily analysed, and key details picked out?
Can you identify critical actions from the logs?
Are you only capturing what you need? (costs can mount up quickly if you are capturing everything)

Seven steps to better Cyber Security