Each year the security summary reports published by vendors reach the same conclusion: from year to year, security breaches are becoming more sophisticated and multifaceted. The challenge is also there for the companies that must maintain and keep up to date a cyber security defense strategy.
Unfortunately, during the hundreds of security audits we have performed, we have noticed that organizations keep committing the same mistakes. Sometimes they relate to the architecture and design, where the mistake we consider is a missing solution; in most cases, though, they are solutions that lacked good practices during implementation or that suffer a time effect: the longer they are used, the more misconfigured they get.
The lesson from these breaches suggests that all organizations need to look at their policies, procedures and infrastructure with an eye on adopting the most rigorous and modern approaches to cyber security. Since the objective of a security assessment is to identify security risk exposure and provide mitigation strategies that reduce risk to critical business processes and provide secure connectivity for IT operations, we would like to present you with a comprehensive technical list of areas that should be well thought through in organizations and implemented step by step in order to prevent the common and uncommon threats. If you wonder why we did not mention, for example, Pass-the-Hash prevention, it is because code execution prevention stands a bit higher in the attack prevention hierarchy, and these 14 steps present the complete solution, preventing pretty much all the interesting examples of attacks.
Our list refers to what is missing and needed in most of the enterprises we have delivered security penetration tests and audits for.
1 Offline access protection on workstations, laptops and servers where necessary (BitLocker etc.).
2 Implementation of process execution prevention (AppLocker, BeyondTrust, Avecto, Viewfinity etc.).
3 Log centralization and log reviews: searching for anomalies and for certain log error codes. Performing regular audits of the code running on the servers (Sysmon, Splunk etc.).
4 Maintenance: backup implementation and regular updating (vendor-specific solutions, WSUS, etc.).
5 Review of the settings of services running on servers and workstations (examples: services using accounts that are not built in or that are too privileged, reviewing service file locations, changing permissions where necessary with the Security Descriptor Definition Language, changing accounts to gMSAs where possible, limiting the number of services running on the servers (SCW and manual activities)).
7 Reviewing the configuration of the client-side firewall and allowing only the programs that need to communicate through the network. Currently, in most companies, all outgoing traffic from workstations is allowed.
8 Management of the local administrator password (Local Administrator Password Management etc.).
9 Identity management (example: smart card logon) and centralization, password management (Public Key Infrastructure, Microsoft Identity Manager etc.). In approx. of the companies there is a PKI implemented, but almost everywhere it is not done according to best practices (to be sincere, we have never seen it done well) and not in alignment with the business needs. Almost every company we have cooperated with expressed the need to use certificates somewhere, and technically it was a reasonable need.
10 Implementation of a Security Awareness Program among employees and technical training for administrators.
14 Periodic configuration reviews and penetration tests (internal and external) performed by the internal team and a 3rd-party company.
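For point 5 of the list, the following PowerShell audit is an added example (not from the original document) that flags services running under accounts that are neither built-in nor gMSAs, and service binaries or their folders whose ACLs grant write access to low-privileged principals. It assumes it runs locally on the reviewed host with rights to read the service binaries' ACLs; the account lists and the write-rights mask are the author's assumptions, not a vendor standard.

```powershell
# Added audit example for point 5 - not part of the original document.
# Built-in service accounts: anything else is a candidate for a gMSA review.
$builtIn = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
# Principals that should never be able to modify a service binary or its folder (assumption).
$lowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions, Delete'

function Get-ServiceBinaryPath([string]$pathName) {
    # PathName may be quoted or unquoted and may carry arguments; extract the executable.
    if ($pathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($pathName -match '^(\S+\.exe)') { return $Matches[1] }
    return $pathName
}

function Test-LowPrivWrite([string]$path) {
    # True when any Allow ACE grants a write-class right to one of the low-privileged principals.
    try { $acl = Get-Acl -LiteralPath $path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

$findings = foreach ($svc in Get-CimInstance Win32_Service) {
    $account = [string]$svc.StartName
    $exe = Get-ServiceBinaryPath $svc.PathName
    $exists = Test-Path -LiteralPath $exe
    $exeWritable = $exists -and (Test-LowPrivWrite $exe)
    $dirWritable = $exists -and (Test-LowPrivWrite (Split-Path -Parent $exe))
    # Virtual accounts (NT SERVICE\*) are treated like built-ins; gMSA names end with '$'.
    $customAccount = $account -and ($builtIn -notcontains $account) -and ($account -notlike 'NT SERVICE\*')
    $isGmsa = $customAccount -and $account.EndsWith('$')
    if ($customAccount -or $exeWritable -or $dirWritable) {
        [pscustomobject]@{
            Service     = $svc.Name
            Account     = $account
            NeedsGmsa   = $customAccount -and -not $isGmsa
            ExeWritable = $exeWritable
            DirWritable = $dirWritable
            Binary      = $exe
        }
    }
}
$findings | Sort-Object NeedsGmsa, ExeWritable -Descending | Format-Table -AutoSize
```

Services reported with NeedsGmsa are the ones to move to a gMSA where the product supports it; ExeWritable or DirWritable entries need their ACLs corrected (for example with SDDL via Set-Acl) before anything else.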
One can imagine that these 14 points may look overwhelming, but do not worry.
Focus on one point, do it well, then prioritize and plan the rest. The list above presents
the most important areas to verify and implement in the typical enterprise.
GOOD LUCK!