Friday, January 24, 2020

2020 - the year of "Anti-Ransomware" - Power House Fix #8



Anti-RANSOMWARE powerhouse "New Year's Tasks". 

Number Eight:  Implement Constrained Language Mode + Device Guard User Mode Code Integrity [UMCI] in your PowerShell tool belt.

Now that you have standardized on PowerShell 5.1 or higher, you can integrate it with Device Guard. PowerShell can and should be configured to detect the presence of a system-wide UMCI policy and enforce UMCI application policies.

Make sure to add your Code Signing Authority to your UMCI policy store so that authorized and approved PowerShell scripts can run as designed.
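A pre-rollout check for the two points above, as an added example (not the blog author's code): it reports the language mode of the current session and flags every script that is unsigned or not signed by your approved signer. `$ScriptRoot` and `$TrustedThumbprint` are assumptions to replace with your own values, and matching on a single certificate thumbprint is a simplification of how a UMCI policy expresses signer trust.

```powershell
# Added example. Both parameters are placeholders, not values from the post.
param(
    [string]$ScriptRoot        = 'C:\Scripts',
    [string]$TrustedThumbprint = '<THUMBPRINT-OF-YOUR-CODE-SIGNING-CERT>'
)

# 1. Which language mode is this session really in?
#    FullLanguage on a host that is supposed to be under UMCI means the
#    policy is not being enforced for PowerShell on this machine.
$mode = $ExecutionContext.SessionState.LanguageMode
Write-Output "Session language mode: $mode"

# 2. Inventory every script and module file and classify its signature.
$report = Get-ChildItem -Path $ScriptRoot -Recurse -File -Include *.ps1, *.psm1, *.psd1 |
    ForEach-Object {
        $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
        $thumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }

        $verdict = if ($sig.Status -ne 'Valid') {
            'FIX: unsigned, tampered, or untrusted signature'
        } elseif ($thumb -ne $TrustedThumbprint) {
            'REVIEW: validly signed, but not by the approved signer'
        } else {
            'OK'
        }

        [pscustomobject]@{
            Path    = $_.FullName
            Status  = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer  = $thumb
            Verdict = $verdict
        }
    }

# 3. Show only what needs attention before the policy goes into enforcement.
$report | Where-Object Verdict -ne 'OK' | Sort-Object Verdict, Path | Format-Table -AutoSize
Write-Output ("{0} of {1} files need attention" -f @($report | Where-Object Verdict -ne 'OK').Count, @($report).Count)
```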

These three tools are things you own now; we're just suggesting a new recipe.  Try something new, shake things up!

No solution is 110% foolproof, and this one certainly isn't; however, it is a powerful, easy-to-maintain capability that will take a large, statistically significant chunk of risk out of your risk register.

Tips on running PowerShell in Constrained Language Mode

Tips on code signing for PowerShell

Copyright © 2020 by "the Secret CISO"

All Rights Reserved.

 

Tuesday, January 21, 2020

2020 - the year of "Anti-Ransomware" - Power House Fix #7



Anti-RANSOMWARE powerhouse "New Year's Tasks". 

Number Seven:  Implement Microsoft's "Local Administrator Password Solution", or "LAPS".

What if you could take the local admin account on all of your Windows Operating System endpoints out of the risk equation?

Sound too good to be true? It's within your reach.

LAPS, introduced in May of 2015, is part of your Windows ecosystem now. Deploy it and reduce your attack surface in a truly meaningful way.

What's not to like?  It's free...it's trouble free...it's easy to use...it's free.

Start a pilot program, reap the benefits and sleep on the weekends!

Implement LAPS like a BOSS!


 

Friday, January 17, 2020

2020 - the year of "Anti-Ransomware" - Power House Fix #6



Anti-RANSOMWARE powerhouse "New Year's Tasks". 

Number Six:  Implement, N O W, both an enterprise password manager for human and non-human USERIDs, plus Multi-Factor Authentication (if you are an O-365 "basic" subscriber, you own MFA now).

Start with a limited-rate deployment plan for high-risk groups of users and expand that successful deployment.

These facts are not in dispute - if your business is making money, someone wants to steal it. 

Think your business isn't on someone's radar?  Just ask the folks at Dunkin' Donuts how that "wishful thinking" strategy worked out for them.

Dunkin' Donuts Debacle


 

Thursday, January 16, 2020

2020 - the year of "Anti-Ransomware" - Power House Fix #5



Anti-RANSOMWARE powerhouse "New Year's Tasks". 

Number Five:  Implement the "Privileged Access Workstation [PAW]" methodology in your enterprise.  Stop creating a superhighway from your insecure workstation images [zones of low trust] to your Business Critical Software Applications [zones of high trust].

Start the New Year with a massive risk reduction by implementing a PAW pilot program.
 

A standardized PAW virtual machine image, and technical controls that ONLY allow access to Zones of High Trust from an authorized PAW VM image, minimize the possibility of inadvertent compromise.

For a real good time, mandate multi-factor authentication for logon to the PAW image.

You already own VMware, the PAW image methodologies are free, and if you have a basic Office 365 subscription, Multi-Factor Authentication is free...what's not to like?

Great hands-on guidance


 

Monday, January 13, 2020

2020 - the year of "Anti-Ransomware" - Power House Fix #4



Anti-RANSOMWARE powerhouse "New Year's Tasks". 

Number Four: Ensure that you are resetting your Active Directory Kerberos Ticket Granting Ticket Account Password and Certificates Annually. 

Why make it trivial for Mimikatz and Credential Harvesting attacks?

Solid "How to" advice


 

Friday, January 10, 2020

2020 - the year of "Anti-Ransomware" - Power House Fix #3






Anti-RANSOMWARE powerhouse "New Year's Tasks".

Number Three:  Deploy Multi-Factor Authentication [MFA].

Identify your category-one, risk-rated software applications that are truly mission critical to your business and integrate them into your MFA planning.  Every application you integrate reduces risk and reduces your attack surface.

Get REALLY crafty and integrate your MFA with your Enterprise Password Manager for a solid one-two knockout anti-RANSOMWARE punch!

Why Multi-Factor Authentication [AuthN] Matters


 

Wednesday, January 8, 2020

2020 - the year of "Anti-Ransomware" - Power House Fix #2




Anti-RANSOMWARE powerhouse "New Year's Tasks". 

Number Two:  Deploy an Enterprise Password Manager [EPM] for your employees to use at work AND at home! 

Ease adoption by allowing employees to use it at home.  Use this as a springboard to Power House Task Number Three.

Never worry about elevated privilege, shared, admin, service, or daemon account compromise again - EVER!  Have the EPM change passwords for work accounts every four hours and make them absurdly complex and long.  Sleep in, go home on time...  If my ninety-six-year-old mother can master this, your employees can!

Some sage advice from the team at the fascinating "Privacy, Security and OSINT" Blog. 

Password Managers - Top Tier Offerings Comparison


 

Tuesday, January 7, 2020

2020 - the year of "Anti-Ransomware" - Power House Fix #1

 
 
Anti-RANSOMWARE powerhouse "New Year's Tasks". 
 
Number One: Root out all uses of SMBv1 and stop using it - forever.
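One way to find out who still depends on SMBv1 before switching it off, as an added example that is not part of the original post: it checks the server-side state, turns on SMB1 access auditing, and summarizes the audit events after a soak period. It assumes an elevated PowerShell session on a Windows file server; the final disable step is left commented out on purpose.

```powershell
# Added example. Run elevated on each Windows host that serves SMB shares.

# 1. Current server-side state: is SMBv1 accepted, and is access being audited?
$cfg = Get-SmbServerConfiguration
[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    EnableSMB1Protocol = $cfg.EnableSMB1Protocol
    AuditSmb1Access    = $cfg.AuditSmb1Access
}

# 2. Is the SMBv1 optional feature still installed on this machine?
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol |
    Select-Object FeatureName, State

# 3. Turn on auditing so every SMBv1 connection attempt is logged.
#    This changes nothing for clients; it only records who still uses SMBv1.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# 4. After a soak period (long enough to cover month-end jobs, scanners,
#    copiers and other infrequent clients), summarize the audit events.
#    Event ID 3000 in this log records an SMBv1 access; the message text
#    differs per client, so grouping on it yields one row per offender.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-SMBServer/Audit'
    Id      = 3000
} -ErrorAction SilentlyContinue

if ($events) {
    $events | Group-Object Message |
        Sort-Object Count -Descending |
        Select-Object Count,
                      @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object TimeCreated)[-1].TimeCreated } },
                      @{ n = 'Event';    e = { $_.Name } } |
        Format-List
} else {
    Write-Output 'No SMBv1 access recorded in the audit log.'
}

# 5. Once the list above stays empty, stop accepting SMBv1 on this server:
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```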
 
 
