It’s common to hear people say something along the lines of there’s no such thing as a 100% secure environment, that may well be true but it doesn’t mean we shouldn’t try to build environments that are as secure as reasonably possible. The problem is that there are so many areas of security to focus on and generally too few hours in the week and too few ££s in the budget to cover everything we’d like to.

This is especially true for SMEs who often have smaller teams and limited budgets, trying to do ‘less with more’ is an uphill struggle for a lot of businesses. Getting the basics right can help organisations of any size ensure that the fundamentals are in order, so where should we start?

Understand Your Assets

Understanding what assets are present within the environment is imperative, it’s very difficult to securely manage devices if nobody knows that they exist.

As a general rule, most organisations have a reasonable understanding of which laptops are provisioned as well as commonly used servers but niche devices are often forgotten about and over time can be left in a state that leaves the entire organisation at risk.

Understand Your Software

The same logic applies for software, patching has been a major problem for organisations for decades, the issue has been well addressed by Microsoft’s WSUS as well as various 3rd party patch management products however there are often still significant gaps in many patch policies in many organisations.

In practice most businesses are able to ensure that the operating systems of most devices are updated most of the time. Common software used throughout the organisation is also usually kept in good order, where things typically fall down is with niche systems and software used by specific teams.

One of the key benefits of Penetration Testing is assurance, providing an organisation with a list of vulnerabilities and misconfigurations can be extremely useful but even a report with a relatively low number of results can provide assurance that the team have things under control.

Regular penetration testing can help organisations to understand if assets and software are not being managed correctly and may constitute a threat to the organisation.

Train Users

One of the most common causes of compromise is Social Engineering(1); ensuring that users are aware of common attack techniques like phishing and having a good understanding of what a complex, targeted phishing attack can look like can help provide a secure ‘first line of defence’. One of the most difficult aspects of user training is that it is often seen as a burden, educational videos are another thing to fit into someone’s (already busy) day. Selectively training users who are more likely to be specifically targeted in spear phishing or Whaling type attacks such as directors or gate keepers can bolster the defences of the entire organisation.

Social Engineering doesn’t stop at phishing however, physical security is an important aspect of cyber defence. In the past, many organisations have dismissed physical security but these attitudes seem to be slowly changing(2).

VIP Cyber Security training of users likely to be targeted by social engineering campaigns can be a great option for helping to increase the security of the entire organisation.

Engage With Senior Management

When discussing cyber security services with customers one of the most difficult barriers to overcome is simply the internal battle within an organisation to take security seriously.

In some cases senior management still see cyber security as a ‘nice to have’ rather than a necessity of doing business in the modern world.

It can be difficult to show a clear ROI for cyber security services in general and Penetration Testing in particular however the importance cannot be understated. A US study showed that approximately 60 percent of small firms go out of business within six months of a data breach(3).

Regular penetration testing can often open up additional business opportunities, it is a common requirement for compliance and even as part of a supplier due diligence processes.

1 - https://www.verizon.com/business/en-gb/resources/reports/dbir/2022/summary-of-findings/

2 - https://www.helpnetsecurity.com/2021/07/16/physical-threats-increase/

3 - https://www.sec.gov/news/statement/cybersecurity-challenges-small-midsize-businesses

You may have seen the recent news about a man losing an entire city’s personal data including tax and banking information after a night out, presumably the data loss did not help his headache once he realised what had happened.

Vice:

https://www.vice.com/en/article/wxn88x/japanese-man-lost-usb-drive-entire-city

BBC:

https://www.bbc.co.uk/news/world-asia-61921222

This is far from a unique incident though, Freedom of Information (FOI) requests are often made to UK Government bodies with telling results, devices go missing all the time.

National Archives:

https://www.nationalarchives.gov.uk/about/freedom-of-information/information-requests/lost-and-stolen-devices/

National Archives: https://webarchive.nationalarchives.gov.uk/ukgwa/20200914010503/https:/www.nationalarchives.gov.uk/about/freedom-of-information/information-requests/number-of-lost-laptops-mobile-phones-and-tablets/

If devices are being regularly lost and stolen from public sector entities, it is almost certain that the same is happening across the private sector. This is a major concern for several reasons, many organisations do not have a robust data loss prevention strategy meaning that a lost laptop or USB stick could lead to a significant data loss and even fines and reputational damage.

Clearly this is a problem that affects almost any organisation, thankfully there are a number of steps that can be taken to assist in securing devices and data to help ensure that, if physical devices get lost or stolen the data contained therein is kept safe and away from prying eyes.

Disallow USB Storage Devices

An important aspect of limiting risk is simply to remove features that are not necessary for the business, especially if they could pose a risk of data theft.

Removing support for USB storage devices is a simple and effective way to significantly lower the risk of data being lost or stolen.

The increased adoption of cloud-based file sharing also helps to ensure that removable media is less necessary than it was a few years ago meaning the impact to most businesses of removing access to USB sticks would be minimal.

There is an added bonus to preventing the use of USB storage too, ‘USB Drop Attacks’ are an effective social engineering technique whereby an attacker adds a malicious payload to USB sticks and drops them around the target organisation’s location in order to hopefully coerce a legitimate user to plug the device in (perhaps by adding a label like “Salary Info 2022”).

Preventing users from using USB storage devices neatly side-steps this risk (on corporate devices at least) since any malicious USB stick cannot be used.

USB Storage Encryption

Assuming it’s not possible to completely eradicate the use of removable USB storage in your organisation, at the very least it is imperative to ensure that any corporate data is encrypted using a strong encryption algorithm and, just as importantly, a strong password (read more about creating strong passwords here).

Microsoft’s Bitlocker provides an easy and effective way of encrypting removable USB media as well as FDE (Full Disk Encryption) on laptops.

One thing to note is that it will take a while for the disk to encrypt, do not remove the device during the process or any data risks being lost permanently; it is generally considered to be a good idea to back-up any data prior to implementing the encryption anyway.

Laptop Full Disk Encryption

Using FDE on all corporate devices is a must, again Bitlocker can be used for this in the same way as above or from Group Policy in a corporate environment.

The relevant GPO configuration can be found here:

Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.

Ensuring that all corporate devices are using strong encryption with good credentials could prevent sensitive data from ending up in the wrong hands if a corporate device were to go missing.

Device Hardening

As we have already discussed, ensuring that data is encrypted is absolutely essential but what if a device is powered on and decrypted when it goes missing?

In a situation like this the security of the operating system and the user’s credentials are the last line of defence.

By default, operating systems are rarely configured in their most secure state in order to allow for legacy integrations and to help keep the user experience as smooth as possible; ensuring that all corporate devices are hardened against attack helps to make sure that data is kept secure.

Backups

In addition to the threat of sensitive data being leaked there is an additional problem of simply losing access to any data stored on a lost/stolen device.

Ensuring that regular back-ups are taken or switching to a cloud-based working environment can help to ensure that, even if a device gets lost or stolen, access to any valuable data held on the device is not lost and the business can continue to operate as normal.

User Education

This is likely the most obvious but also often the most overlooked aspect of all, ensuring that staff take good care of corporate devices is key. Human factors play a major role in the vast majority of cyber security compromises and breaches. Providing training to staff members to help ensure that they understand the risks of taking corporate devices or data into a public setting can help to ensure that corporate data is kept safe.

How can we help?

A stolen laptop assessment or laptop build review can help organisations build a better understanding of the risks that may be present within their current environment.