10 security measures to increase the resilience of your IT environment

24 March 2024 / Article

Today's IT-related threats are numerous and in some cases complex. So how do you build strong cyber protection to create resilience in the event of a breach? In this article you will learn about the 10 most important IT security measures to take to increase the resilience of your organisation's IT environment.

Top 10 most important IT security measures for your IT environment


1. Always update as soon as possible

Always install critical updates and security patches from vendors as soon as they become available. This applies to operating systems, applications, appliances and all other hardware and software.

Where you deviate from this principle (because there is a specific reason not to install an update), isolate the deviating system. Document the reason for each deviation and review it regularly. Aim to have no such deviations at all; where one does exist, plan to phase out the deviating system.

Monitor continuously that all systems receive updates and that these are installed correctly. Set up monitoring to detect anomalies in your system environment.


2. Limit the number of users with privileged access

Limit the number of accounts with privileged access. The general rule should be that no one should have access to more information than necessary to perform their tasks.

In Windows environments, you can limit the use of domain administrator permissions by using GPOs to block and allow access to resources. Then create separate, personal accounts that the administrator can use for their daily work.

Grant access based on minimum privilege and need to know. No one should have higher privileges than necessary for a specific task. This applies not only to Active Directory, but to any directory service or access platform.


3. Introduce centralised logging

Aggregate logs in a central location for storage and analysis. Centralising logs from different systems and applications makes it easier to monitor events and detect anomalies and threats. Log both system events and network traffic. This gives you visibility and the ability to investigate potential breaches. It also lets you build traffic-flow baselines against which you can monitor for anomalies (e.g. data exfiltration).

Do the following:

  • Centralise security and audit logs from all your servers. Start with domain controllers and key systems, then move on to all servers.
  • Set up monitoring and alerts for events like privilege elevation. Do this for both central directories and local groups on servers.
  • Centralise logging from all network devices. Start with firewalls and other central network components, then continue with all switches, APs and other devices (including printers) in the environment.
  • Centralise security and audit logging from all clients.

Then manually review your most important logs on a regular basis. For example, check logs from domain controllers to verify changes in privileged access.
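As an added example of the alerting described above (this code is not from the article), the script below scans a batch of centralised Windows Security events for additions to privileged groups, in both the central directory and local server groups. The input format (one JSON object per line with the fields ts, host, event_id, subject, target, group) is a constructed shape standing in for whatever your log collector emits; the event IDs 4728, 4732 and 4756 are the standard Windows Security events for a member being added to a security-enabled global, local and universal group.

```python
"""Flag privilege-elevation events in a batch of centralised Windows Security logs."""
import json
from collections import Counter

# Groups whose membership changes should always raise an alert.
# These are the standard built-in names; extend with your own tier-0 groups.
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
}

# Windows Security event IDs: "a member was added to a security-enabled ... group".
GROUP_ADD_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}

# Constructed sample batch, one JSON object per line (field names are assumptions).
SAMPLE_LOGS = """\
{"ts": "2024-03-20T08:01:12Z", "host": "dc01", "event_id": 4728, "subject": "alice", "target": "svc-backup", "group": "Domain Admins"}
{"ts": "2024-03-20T08:02:40Z", "host": "dc01", "event_id": 4728, "subject": "alice", "target": "bob", "group": "Sales"}
{"ts": "2024-03-20T08:05:03Z", "host": "srv-web01", "event_id": 4624, "subject": "-", "target": "bob", "group": ""}
{"ts": "2024-03-20T09:17:55Z", "host": "srv-file01", "event_id": 4732, "subject": "bob", "target": "bob", "group": "Administrators"}
{"ts": "2024-03-20T23:48:09Z", "host": "dc01", "event_id": 4756, "subject": "eve", "target": "eve", "group": "Enterprise Admins"}
"""


def parse_events(raw):
    """Parse newline-delimited JSON; skip blank or malformed lines instead of failing."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_privilege_elevations(events, privileged_groups=PRIVILEGED_GROUPS):
    """Return one alert per addition to a privileged group, on any host.

    Local groups (event 4732) are included deliberately: elevation in a local
    Administrators group on a member server is as relevant as a directory change.
    """
    alerts = []
    for ev in events:
        scope = GROUP_ADD_EVENTS.get(ev.get("event_id"))
        if scope is None or ev.get("group") not in privileged_groups:
            continue
        alerts.append({
            "ts": ev.get("ts"),
            "host": ev.get("host"),
            "scope": scope,
            "actor": ev.get("subject"),
            "member": ev.get("target"),
            "group": ev.get("group"),
            # An account adding itself is the pattern to escalate first.
            "self_elevation": ev.get("subject") == ev.get("target"),
        })
    return alerts


def actors_by_alert_count(alerts):
    """Count alerts per acting account, as a starting point for the manual review."""
    return Counter(a["actor"] for a in alerts)


if __name__ == "__main__":
    for a in find_privilege_elevations(parse_events(SAMPLE_LOGS)):
        flag = " (self-elevation)" if a["self_elevation"] else ""
        print(f'{a["ts"]} {a["host"]}: {a["actor"]} added {a["member"]} '
              f'to {a["group"]} [{a["scope"]} group]{flag}')
```

On the sample batch, three of the five events are alerts: the Sales group change and the plain logon (4624) are ignored, while the two self-additions are marked separately because an account granting itself privileged membership is the case that warrants the fastest follow-up.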

4. Do not use shared accounts

Shared accounts significantly limit your ability to investigate and troubleshoot. Sharing passwords and accounts makes it impossible to maintain control and ensure compliance. Therefore, you should never use shared accounts to run services, scripts or automated tasks. Instead, use unique accounts for specific tasks, services or scripts, with permissions that match the specified task.

Shared accounts often exist as a "break the glass" feature with full rights in the system. If your organisation has these types of accounts, they should be kept and managed securely with adequate logging of each use. You should be able to determine who has checked out a specific password/account at any given time and ensure that these accounts' passwords are changed after each use.
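The following audit, added here as an example rather than taken from the article, checks an account inventory for the two problems points 2 and 4 describe: accounts that run more than one service, script or task, and break-glass accounts whose password was not changed after their last use. The inventory layout (a list of dicts with account, used_by, break_glass, last_used and password_changed) is a constructed shape standing in for an export from your CMDB or password vault.

```python
"""Audit an account inventory for shared use and for unrotated break-glass accounts."""
from datetime import datetime

# Constructed sample inventory; timestamps are ISO 8601 with an explicit UTC offset.
SAMPLE_INVENTORY = [
    {"account": "svc-backup", "used_by": ["backup-job@srv-backup01"], "break_glass": False,
     "last_used": "2024-03-20T01:00:00+00:00", "password_changed": "2024-01-10T09:00:00+00:00"},
    # One account running three unrelated workloads on three servers.
    {"account": "svc-shared", "used_by": ["task-reports@srv-app01", "sync@srv-app02", "cleanup@srv-file01"],
     "break_glass": False, "last_used": "2024-03-20T06:30:00+00:00", "password_changed": "2023-06-01T09:00:00+00:00"},
    # Break-glass account rotated after its last use: compliant.
    {"account": "bg-domain-admin", "used_by": [], "break_glass": True,
     "last_used": "2024-03-18T02:10:00+00:00", "password_changed": "2024-03-18T03:00:00+00:00"},
    # Break-glass account used after its last password change: not rotated.
    {"account": "bg-firewall", "used_by": [], "break_glass": True,
     "last_used": "2024-03-19T22:00:00+00:00", "password_changed": "2024-02-01T09:00:00+00:00"},
    # Never checked out; nothing to rotate yet.
    {"account": "bg-vault", "used_by": [], "break_glass": True,
     "last_used": None, "password_changed": "2024-01-15T09:00:00+00:00"},
]


def _ts(value):
    """Parse an ISO timestamp, or return None for an empty field."""
    return datetime.fromisoformat(value) if value else None


def shared_accounts(inventory):
    """Accounts used by more than one service, script or scheduled task."""
    return {
        row["account"]: sorted(row["used_by"])
        for row in inventory
        if len(row["used_by"]) > 1
    }


def unrotated_break_glass(inventory):
    """Break-glass accounts that have been used since their password was last changed."""
    findings = []
    for row in inventory:
        if not row["break_glass"]:
            continue
        last_used, changed = _ts(row["last_used"]), _ts(row["password_changed"])
        if last_used is None:
            continue
        if changed is None or changed <= last_used:
            findings.append(row["account"])
    return findings


def audit(inventory):
    """Combine both checks into one report."""
    return {
        "shared": shared_accounts(inventory),
        "unrotated_break_glass": unrotated_break_glass(inventory),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_INVENTORY)
    for account, workloads in report["shared"].items():
        print(f"{account}: shared by {len(workloads)} workloads: {', '.join(workloads)}")
    for account in report["unrotated_break_glass"]:
        print(f"{account}: used after last password change; rotate now")
```

Run against the sample data, the report names svc-shared as a shared account and bg-firewall as the break-glass account that was checked out but never rotated; bg-vault is skipped because it has never been used.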

5. Use unique and secure passwords

Most data breaches today do not happen through traditional "hacking" but through stolen login credentials. Secure passwords are therefore essential for strong cyber protection. Ensure that your organisation uses unique device and account passwords, does not reuse passwords, and deploys a password manager. For Windows environments, the Microsoft Local Administrator Password Solution (LAPS) can be used to manage local administrator passwords. Use it throughout the Windows directory, on all servers and all clients.

6. Segment

Segment as much as is reasonable and possible - both networks and servers. This is a big job, but one that makes a big difference to your organisation's resilience in the event of an attack. By segmenting, you create the ability to log traffic between segments, and reduce the risk of exposing information or systems more than necessary.

Systems that have nothing to do with each other should be on separate networks. If they communicate, it should be with explicit (not general) rules. Systems with different exposure, such as servers exposed to the internet, should also be placed on separate networks. Similarly, servers used to access environments should be separate and only have access to the target environment. Do not design large shared environments or shared hop servers. Configure one system at a time and use it for its intended purpose.
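As an added example (not the article's own material), the audit below applies the two rules just stated to a firewall policy: traffic between segments must be allowed by explicit rules rather than whole-network or any/any rules, and a hop server may only reach its designated target environment. The rule layout (id, src, dst, ports, action, comment) and the address ranges are constructed; the /24 threshold for "whole network" is an assumption you would tune to your own addressing plan.

```python
"""Audit segmentation rules for non-explicit allows and for over-reaching hop servers."""
import ipaddress

# Anything wider than a /24 is treated as a whole network rather than a specific system.
BROAD_PREFIX = 24

# Constructed sample policy. Rule 3 is a public web listener, which is the kind of
# broad-source rule that needs a documented exception rather than removal.
SAMPLE_RULES = [
    {"id": 1, "src": "10.10.20.5/32", "dst": "10.30.0.10/32", "ports": [1433], "action": "allow", "comment": "app01 -> db01 SQL"},
    {"id": 2, "src": "10.10.0.0/16", "dst": "10.30.0.0/16", "ports": "any", "action": "allow", "comment": "app net -> db net"},
    {"id": 3, "src": "any", "dst": "10.40.0.20/32", "ports": [443], "action": "allow", "comment": "internet -> web01"},
    {"id": 4, "src": "10.50.0.8/32", "dst": "10.30.0.0/24", "ports": [3389], "action": "allow", "comment": "jump -> db segment RDP"},
    {"id": 5, "src": "10.50.0.8/32", "dst": "any", "ports": [22, 3389], "action": "allow", "comment": "jump -> everything"},
]

# Hop (jump) servers and the one environment each is allowed to reach (constructed).
HOP_SCOPES = {"10.50.0.8/32": "10.30.0.0/24"}


def _is_broad(cidr):
    """True for 'any' or for any network wider than BROAD_PREFIX."""
    if cidr == "any":
        return True
    return ipaddress.ip_network(cidr, strict=False).prefixlen < BROAD_PREFIX


def rule_findings(rule):
    """List the ways a single allow rule falls short of being explicit."""
    findings = []
    if rule["action"] != "allow":
        return findings
    if _is_broad(rule["src"]):
        findings.append("source is a whole network or any")
    if _is_broad(rule["dst"]):
        findings.append("destination is a whole network or any")
    if rule["ports"] == "any":
        findings.append("all ports allowed")
    return findings


def audit_rules(rules, documented_exceptions=frozenset()):
    """Split non-explicit rules into undocumented ones and documented exceptions."""
    report = {"non_explicit": {}, "documented": {}}
    for rule in rules:
        findings = rule_findings(rule)
        if not findings:
            continue
        bucket = "documented" if rule["id"] in documented_exceptions else "non_explicit"
        report[bucket][rule["id"]] = findings
    return report


def hop_scope_violations(rules, hop_scopes):
    """Rule ids that let a hop server reach outside its designated target environment."""
    violations = []
    for rule in rules:
        target = hop_scopes.get(rule["src"])
        if target is None or rule["action"] != "allow":
            continue
        if rule["dst"] == "any":
            violations.append(rule["id"])
            continue
        dst = ipaddress.ip_network(rule["dst"], strict=False)
        if not dst.subnet_of(ipaddress.ip_network(target)):
            violations.append(rule["id"])
    return violations


if __name__ == "__main__":
    report = audit_rules(SAMPLE_RULES, documented_exceptions={3})
    for rule_id, findings in report["non_explicit"].items():
        print(f"rule {rule_id}: {'; '.join(findings)}")
    print("hop-server rules reaching outside their target:", hop_scope_violations(SAMPLE_RULES, HOP_SCOPES))
```

On the sample policy, rule 2 is reported on all three counts (whole-network source and destination, all ports), rule 5 because its destination is any, and rule 3 lands in the documented bucket because a public listener legitimately accepts any source on one port. The hop check flags only rule 5: rule 4 stays within the jump server's target segment.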

7. Introduce MFA

Always use Multifactor Authentication (MFA) to grant access. This adds an additional layer of identity verification, further increasing the security of your organisation's user accounts. Make sure your organisation never trusts networks or "locations" by default.

8. Test your backups

Creating backups of important data is something most people understand the importance of, but have you tested that your backups actually work?


To ensure that your organisation has working backups, you should:


  • Continually check that systems to be backed up are actually backed up (check daily that scheduled backup jobs succeed without significant errors).
  • Perform recovery tests regularly. Conduct relevant sample recovery tests to ensure your ability to recover the data (some systems may require more frequent recovery tests to meet compliance requirements).
  • Implement immutable backups. This gives your organisation added protection against accidental or malicious deletion of data.
  • Avoid backup networks. Live by the same rules on the "backup side" as on the "access side", and ensure that logging is set up in the same way as for the rest of your IT environment.

In some cases, an offline backup is also needed to preserve copies that cannot be reached in the event of a breach. This can be done with an air-gapped backup solution that is completely separate from the regular backup network.

9. Harden your systems

Harden your systems by activating only the functions you actually use. Switch off all unused features and services as well as ports, listeners, etc.

Most manufacturers provide clear guidelines on how to secure their products according to best practices. For more information, visit the respective manufacturer's website.

For general hardening guides, visit the Center for Internet Security (CIS) at https://www.cisecurity.org/. There you will find guides on hardening a wide variety of products.

10. Increase your knowledge and detection capabilities with the tools you have today

Start by getting to know the systems you have today. Firewalls, for example, often have protective measures that are not used. Switch on relevant features and monitor them continuously. As for client protections, they come in many different flavours. Even if the client protection you have today is not the best protection on the market, you should make sure that it is installed and that it works as intended on all clients. For example, it should not be possible for users to uninstall or stop the protection without your knowledge.

Then upgrade when possible. If your equipment is not up to standard, replace it with something more appropriate. For example, if you have a traditional antivirus, consider upgrading to an EDR or EPP solution.


Tags: Cyber Security