You’ve no doubt experienced at least a small amount of cybercrime in your place of business, whether it was something minute like a clicked pop-up that led to a virus on a single desktop or something more devastating like ransomware that took ownership of files and caused a financial burden on your company. These events continue to drive businesses of all sizes to harden everything from the gateway to the application server and down to the desktops of our end users. In light of these attacks, companies are desperately seeking out information security talent. Even the government is listening to our pleas for help in combating cyber criminals. We all know it’s best to mitigate threats rather than procrastinate and put out fires. And this is where security hardening comes into play.
What are your options?
In 1998, the Department of Defense (DoD) put the Defense Information Systems Agency (DISA) in charge of creating standards for protecting DoD information technology. DISA develops Security Requirements Guides (SRGs) and Security Technical Implementation Guides (STIGs) that the DoD’s IT force uses to aid them in hardening their systems. For the longest time, DISA required a CAC login to access the STIGs but recently announced moving their tools to the new DoD Cyber Exchange website. You are still required to have a DoD-issued CAC, so if you’re not government you won’t be able to view them. However, Cyber Trackr allows you to view the DISA and NIST guides without the need for any special tool.
The guides tell you exactly what to check (on over 350 different types of systems) for vulnerabilities and (almost) exactly how to fix them.
In addition to DISA’s resources, Congress put into effect the NIST Small Business Cyber Security Act, which states that “NIST must disseminate, and publish on its website, standard and method resources that small business may use voluntarily to help identify, assess, manage, and reduce their cybersecurity risks.” NIST put together the Small and Medium Business Resources page on their Cybersecurity Framework site as well as the Small Business Cybersecurity Corner. Both are chock full of tools, training and guidance. Over the last year I’ve seen a rash of articles mentioning the rise of businesses adopting the NIST Framework.
On top of these two government resources, there are many other sources of information such as the ICC Cyber Security Guide for Business, CISA’s Resources page, and Sage Data Security’s guidance on Managing Cybersecurity with Third-party vendors. And if you don’t see your product on the DISA and NIST resources, don’t hesitate to just Google it. Chances are the manufacturer has guidance for you as well. For instance, I searched for “VMware cybersecurity guide” and landed on the VMware Security Hardening Guides.
What effect will this have on my business?
Applying hardening settings is not for the faint of heart. Protocols and services that are necessary for the applications and devices that help your business run smoothly can “break” when the settings are applied. For instance, older encryption protocols are vulnerable to attack, so implementing TLS 1.1 or 1.2 is suggested. Enforcing TLS 1.1 or 1.2 on a SharePoint server can block communications between the SharePoint server and the SQL server, the mail server, the client OS, the browser, and any other supporting servers or third-party applications that are accessed via SharePoint. Many admins get frustrated when this happens and give up, leaving their network vulnerable. However, if planning is put in place before executing the change, the setting applied should have little to no effect on performance or availability. In the SharePoint example, one would reference Enable TLS 1.1 and TLS 1.2 Support in SharePoint Server 2016. Be aware that you may even find some of your applications can’t support the newer protocols, such as Microsoft SQL Server 2008 (not R2), so you’ll be forced to upgrade before you can even apply the setting. If your app doesn’t support it, you should look into upgrading anyway, because it’s likely an end-of-life product.
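A concrete way to do that planning, as an added example that is not from the original article or from Microsoft’s SharePoint guidance: the PowerShell below reads (but does not change) the standard Windows Schannel protocol keys and the .NET strong-crypto keys that the SharePoint TLS article has you set, then attempts a handshake restricted to TLS 1.2 against each HTTPS dependency you list, so you can see which peers would fail before you enforce the setting. The hostnames are placeholders; the registry paths and the SslStream call are standard Windows/.NET APIs.

```powershell
# Added example, not code from the original article. Read-only audit of the
# Schannel TLS state on a Windows host plus a TLS 1.2-only handshake test,
# intended to run BEFORE TLS 1.2 is enforced on a SharePoint server.

$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    # One row per protocol and role. A missing key means Windows uses its
    # built-in default for that OS version, which is worth knowing before a change.
    foreach ($p in $protocols) {
        foreach ($role in 'Client', 'Server') {
            $key = Join-Path $base "$p\$role"
            $enabled = $null; $disabledByDefault = $null
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                $enabled = $props.Enabled
                $disabledByDefault = $props.DisabledByDefault
            }
            [pscustomobject]@{
                Protocol          = $p
                Role              = $role
                KeyPresent        = (Test-Path $key)
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
            }
        }
    }
}

function Get-DotNetStrongCryptoState {
    # .NET applications such as SharePoint only prefer TLS 1.2 once
    # SchUseStrongCrypto / SystemDefaultTlsVersions are set for 64- and 32-bit.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key                      = $key
            SchUseStrongCrypto       = $props.SchUseStrongCrypto
            SystemDefaultTlsVersions = $props.SystemDefaultTlsVersions
        }
    }
}

function Test-Tls12Handshake {
    param([string]$TargetHost, [int]$Port = 443)
    # Connects over TCP and attempts a handshake limited to TLS 1.2. A failure
    # here is exactly what "breaks" after enforcement, so fix that peer first.
    # A certificate-trust error is a separate finding from a protocol mismatch;
    # the Error column shows which one you hit.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($TargetHost, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($TargetHost, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        [pscustomobject]@{ Host = $TargetHost; Port = $Port; Tls12Ok = $true
                           Negotiated = $ssl.SslProtocol; Error = $null }
    } catch {
        [pscustomobject]@{ Host = $TargetHost; Port = $Port; Tls12Ok = $false
                           Negotiated = $null; Error = $_.Exception.Message }
    } finally {
        $client.Close()
    }
}

Get-SchannelProtocolState   | Format-Table -AutoSize
Get-DotNetStrongCryptoState | Format-Table -AutoSize

# Placeholder HTTPS dependencies (replace with your own). SQL Server (TDS) and
# SMTP (STARTTLS) negotiate TLS inside their own protocols, so for those hosts
# run the Schannel audit above on the server itself instead of this handshake.
'sharepoint.example.internal', 'intranet-app.example.internal' |
    ForEach-Object { Test-Tls12Handshake -TargetHost $_ } | Format-Table -AutoSize
```

Run it on the SharePoint server and again on each supporting server, keep the output as the “before” record for your change ticket, and only then apply the registry changes from the Microsoft article. Re-running the same script afterwards gives you the “after” record and a quick check that every dependency still negotiates.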
In addition to the effect that the hardening settings will have, your company may also need to dedicate additional resources such as: new employees or contracted help, newer versions of application or hardware that support the settings you plan to apply, and lots of time. Time to research, time to test, time to apply (and test again), time to monitor, time to document and then time to research new vulnerabilities on a regular basis. It sounds daunting but you just need to eat the cake one bite at a time, and you’ll end up with a nice clean plate that will help you sleep at night knowing that your data is protected from attack. Identify your risks, determine if cyber insurance is necessary, gather resources for hardening your devices and apps, and then take the time to test all aspects of your network with each change that you implement. Don’t be afraid to yell Uncle and hire help if you need it!