10 Essential Cyber Security Controls for Increased Resilience (and Better Cyber Insurance Coverage)
While threat actors continue to vary their attack methods, these 10 essential cyber security controls can significantly improve your security posture, making it harder for cyber criminals to compromise your network and increasing your opportunities for cyber insurance coverage. Key takeaways for each control are presented here, validated by our seasoned cyber security experts based on frontline expertise and a thorough review of the expanded questionnaires now requested by most cyber insurance carriers.
For more details, including hands-on support, get in touch with a Kroll expert today.
Multifactor Authentication (MFA)
- Passwords alone don’t offer sufficient protection, and with increasing rates of credential compromise attacks, it’s imperative to require additional forms of authentication, ideally via an app.
- All users, including senior executives and admins, must adhere to MFA procedures. Creating exceptions to MFA introduces openings for attackers.
- MFA should be enabled for every system account with special focus on systems that contain sensitive data such as financial, HR, and other statutory or regulatory protected data.
- Audit your implementation. Criminals develop workarounds, such as abusing legacy authentication protocols, which are frequently not covered by MFA protections.
Virtual Private Network (VPN)
- VPNs have recently become a much larger target for bad actors whose intrusion vector of choice is a potentially vulnerable or exploitable perimeter. It’s important to maintain vulnerability scanning technologies as well as a blend of reactive and proactive patch management.
- Antivirus solutions cannot detect an adversary who connects to the VPN with stolen admin credentials and is granted heightened privileges, operating as a normal user would. Consider frequent reviews of VPN logs for suspicious activity.
- All users should log into the VPN with minimum access privileges. Admins can escalate privileges once authenticated. Service accounts should not be allowed to authenticate and connect through VPN.
Remote Desktop Protocol (RDP)
- The category of “remote desktop” software solutions has grown tremendously due to the pandemic. Such solutions allow full control of a remote computer, including local network access and storage.
- Such extensive access presents a goldmine for attackers, and it’s crucial to keep remote desktop solutions inaccessible via the internet. Instead, make them accessible only via VPN or implement a virtual desktop solution, such as Citrix or VMware.
- RDP should not be openly accessible from the internet without 2FA or MFA protections.
- As with many remote access solutions, vulnerabilities in RDP are constantly uncovered, so a robust patch management program is essential.
Endpoint Detection and Response (EDR)
- EDR typically relies on a lightweight agent deployed on endpoints such as laptops, servers and workstations, giving systemwide visibility for spotting suspicious behavior.
- Unlike antivirus, which relies on signature-based detections to spot malware, EDR is tuned to look for suspicious behaviors like network scanning or lateral network movement.
- EDR agents should be deployed as widely as possible in the environment; attackers may enter the network through unmonitored systems.
- Until they are adequately fine-tuned, EDR systems may generate a high volume of alerts. An experienced team needs to monitor and validate alerts that could indicate a real incident.
Incident Response Planning
- Your incident response plan should always be readily available and must not become inaccessible during an incident.
- Make sure all the key stakeholders - departments, teams and people - are identified in the IR plan. Who should be contacted first? Where does PR fit in? Who is the contact from each team involved? What’s HR’s role?
- Test the IR plan regularly and update as needed. If there are role or personnel changes, make sure the plan is updated with new contacts.
- Time matters in an incident response so make sure law firms, forensic firms, etc. are approved ahead of time.
Infrastructure and Segmentation
- Having a layered approach to security is key. Threat actors know about critical vulnerabilities and exploits often weeks before they are known to the public.
- Antivirus isn’t enough anymore. A managed detection and response (MDR) platform is needed to catch threats such as polymorphic code, abuse of legitimate tools and credentials, and “zero-day” attacks.
- Patch management for your perimeter devices is critical. Patch management for your third-party contracts is no less critical.
- Have separate and distinct IT and cybersecurity roles. IT keeps things running and cannot also keep up with the ever-changing threat landscape.
- Attackers take advantage of poor recovery capabilities to further their extortion efforts. Assess and test recovery capabilities at least yearly.
- Offline backups are critical to recover from ransomware attacks.
- Multiple backups are key for dealing with data corruption, data loss and malicious events.
- Review data on all devices to determine what needs to be backed up, how often, and the best medium.
- Make sure backups are tested and all procedures documented. Restoring data is only half the equation. Knowing what to restore, when to bring it online and how to engage the business is a challenge most companies learn during a crisis.
- Overly permissive access rights can open an organization to both internal and external compromises. The more access granted, the more leverage a possible attacker has when compromising an employee’s credentials.
- “Least Privilege” is crucial. Users should only be granted access to information relevant to their job, and only for the duration required.
- Coordinate with IT, Infosec and HR. Quickly remove access permissions for departed users, and adjust permissions when employees who transfer roles no longer need them.
- Managing access rights for IT administrators can be challenging, but it is achievable with privileged-access management solutions, network segmentation, password management and limiting the number of users with admin-level access.
Security Culture Training
- Culture is key – employees need to feel they can raise concerns and report suspicious issues.
- Companies should have mandatory annual cyber security training for all staff and test awareness of identifying and reporting suspicious activity, email, and behaviors.
- Training employees includes knowing when to retain and delete data. What data is your company required to retain? For how long? Create and follow a data retention policy to limit your company’s exposure.
- Give employees the right tools and training to be able to recognize external email, phishing email and report suspicious emails directly to the information security team.
- Train employees to understand how to identify and report phishing emails.
- Pursue a multi-layered defense, including filtering controls on inbound and outbound messages with attachment sandboxing and URL rewriting.
- Visual cues such as tagging the subject line of external communications can be helpful.
- Cloud-based email solutions can enable organizations to easily and cost-effectively implement core security controls such as MFA, and reduce the chances of an attacker gaining access to internal private networks through compromised on-premises servers.
- Adoption of Bring Your Own Device (BYOD) requires additional written policies and technical controls to manage associated risks when company data is accessed from external devices.
Strengthen your Security
These 10 essential controls, validated by our seasoned cyber experts, can greatly improve your security posture and resilience against a cyber attack when fully implemented. Kroll is here to assist in every step of the journey toward cyber resilience. To reinforce your essential controls, consider a robust managed detection and response solution such as Kroll Responder, which can deliver extensive visibility and immediate response in the event of a compromise. Talk to a Kroll expert today via our 24x7 cyber incident hotlines or our contact page.