This is an excellent Peerlyst post, written by Claus Houmann to help smaller firms make an affordable start on security. He has given us permission to reproduce it here. It is entirely free to use and will be updated, so ensure you check the original to see if newer versions have been released. His aspiration is to create a Wiki to enable quick searches.
Claus is an extremely experienced senior security manager and this advice has been peer reviewed by other experts in the trade.
I’m sure you will agree that this is a superb resource to be offered free of charge. To show your appreciation please do visit Peerlyst and upvote it. We need more people like Claus who volunteer practical advice rather than soundbites and FUD. Especially vital for smaller businesses, who we know want to operate securely, but struggle to decide how to start and how much is enough.
As well as advice offered here you may want to visit IASME (the link takes you to their news and articles page with lots of relevant information for SMEs). They also focus squarely on smaller firms.
Minimum Viable Security – Version 1.0
Intended Audience: Small and Medium Businesses or SMB’s (are also called SME’s in Europe).
Type A: This MVS Security Concept is meant to apply only to Type A SMB’s= SMB’s with plans to own physical server infrastructure.
Type B: SMB: ENISA has addressed this for cloud based enterprises in http://www.enisa.europa.eu/activities/Resilience-and-CIIP/cloud-computing/security-for-sme. For hybrids between “Type A” and “Type B” SMB’s, you will need to pick and choose from this document and the ENISA document.
Why Minimum Viable Security?
The idea for the concept “Minimum Viable Security” (MVS) is based on the minimum viable product strategy that startups often revolve around. MVS is not only a technical concept. The hope is for this to provide SMB’s a tool to raise their defensive posture to a minimal acceptable level with minimal daily time spent on security and low cost. In other words to minimize Infosec debt for minimal effort to maintain & cost.
The goal of MVS is to make the concept most useful to really small companies and then let the usefulness slowly taper off as organization size increases. Some SMB’s will be able and desire to do more than this of course. MVS is meant to set the lowest acceptable bar. Every company can and ideally should do this.
MVS is needed because:
Simply because small organizations cannot afford to even try to do security properly.
In other words:
Small organizations are typically burdened by:
- Criticality of/dependence on IT that is not very robust and lacks automation/standardization
- Small IT staff sizes if any (Can be fully Managed Services)
- None to almost no security allocations in staff / budget
- No time to do security
- No tools nor skills to do threat detection nor even to tell false positives from real
- No way to have someone capable of secure coding
- More or less constant IT firefighting (Incident Management)
- No time to do research on tools, tactics, procedures
- Significant technical debt but mostly oblivious to this
- Little executive attention
- Executives understand little of the complexity IT/Security is dealing with
Of course there are also a long list of strengths that SMB’s enjoy such as high flexibility and adaptability, but for the sake of this concept, these matter less than the weaknesses.
How to apply the concept of MVS:
The strategy is to focus on threat prevention where possible, automation and as-a-service where possible at cost and to use managed services for functions that have high skill level requirements. Use of free tools/open source tools where this can give benefits is also included. Use free POC’s for any purchase. Pay consultants for fine tuning when required.
Threat Prevention, Detection and Remediation:
- Malwarebytes for business incl. MBAE+MBAM or alternatively AV+EMET with max security settings, profiles per type of job function and high risk applications only active in Trusted/Internal zones
- Security Operations Centre (SOC)-as-a-service, local provider
- NGFW with IPS, AV. I’d recommend only Fortinet or McAfee (Stonegate) here. FW Management centre must be on a separate server, get the vendor to set it up as a POC
- Central log collection, use Splunk or Open Source Graylog, put everything in there. Figure out what to do with it later
- Spam mail gateway. No spoofed internal senders allowed, no HELO rejected and so on. It must be automatically updated live so consider a managed service
- Incoming VPN connections can also deliver malware/attacks, trust no incoming connection
- Do not automatically trust traffic between network segments.
8. Use local firewalls on all workstations/laptops.
Threat surface reduction:
- Firewall configured to deny as default in, deny as default out on low ports
- Use a low cost vulnerability scanning solution, for example the CyberToolBelt “Service Scan” functionality. Use it weekly on all public facing IP’s
- Consider removing high risk Internet facing applications/products/plug-ins/extensions entirely
- Use ad-blockers for all browsers in use.
Basic IT/Security Hygiene:
- Network segmentation with DMZ if relevant
- Network diagrams must exist that show interconnections and dependencies.
- Firewall logging enabled for all outbound traffic, inbound rejections also
- Use Change Management on critical services unless you’re literally just 1 IT staff
- Find logging settings on all systems and increase sizes and cycling routines to start saving the log files you need to keep
- Back up all critical systems, make sure backups are stored offsite. Automate this. Test now and again that you can restore. Use a managed service or SaaS if of advantage to you. Can be done cheaper in house, however.
- Passwords – enforce 11 char minimum domain passwords minimum with complexity enforced as well
- Monitor availability of critical systems with alerting active
- Monitor those pesky drives that can run out of space
- Aim for a fully virtualized server infrastructure
- 2FA for any kind of remote logon, vendors included. Make sure to research any 2FA technologies well before making the choice.
- For any web facing services, implement crypto to protect data in transit as per @bettercrypto guides.
- Laptops must have full disk encryption active
- For Windows environments use WSUS
- Set workstations and laptop to patch Windows automatically on schedules
- Push patches to servers and patch+reboot outside business hours/in low peaks or do it in functional overlapping pairs if possible
- Outsource management of any non-standard web facing system or use something-as-a-service
- For high risk applications/products/plug-ins/extensions use auto-update functionality where available.
- Access Control with logging for offices and data centres
- “Hardened” perimeter access point such as doors and windows.
- IT Strategy
- Information Security Policy
- Have a CMDB, preferably a self-populating one (SNMP community string tool, no default community strings!
- Encryption keys, API keys, certificates, generic/shared/service account passwords, files, databases are critical pieces of your long term survival. Secure them using one or more relevant encryption solutions.
- Protect Intellectual Property which is critical for your long term survival. Use a managed service if necessary.
Training, Skills and Certifications:
- 2 weeks of formal training per employee per year is a great idea. Add to that relevant conferences but try to stay geographically close to data centre/office locations for a rapid return in case of emergencies. Get all IT staff interested in and educated about security. For financial reasons you could bring trainers in-house and training employees in groups, but note also that you should, to the extent possible, train employees widely in all the critical technologies your enterprise depends on
- Focus on critical services and systems only. If you don’t know it and can’t manage it, use managed services
- Stay up to date on every type of system/service within your domain to the extent possible. Get an IT mentor / security mentor or networking groups for peers or use Twitter
- Use IT / Security functions for internal security awareness training for all employees, or use a managed service for this if of advantage to you.
Hiring and Firing:
- Hire passionate individuals who are already educating themselves in their own time. Without a passion for IT and Infosec, they’ll never be able to keep up* 2. Enforce a strict no unauthorized changes policy on systems subject to change control from day 1
- Let IT and Security staff know that messing up is ok, just don’t try to hide it, learn from it and grow from there
- Empower your people to do their jobs, trust but verify when relevant
- Do background checks, check references and make sure to match personalities to company culture. Verify skill sets with practical tests
- Not everyone can be a senior. Have replacements (junior/trainees) ready if possible.
- Fire for incompetence and unwillingness to learn. Fire for screwing team spirit, but don’t fire for screwing up
- Avoid giving one user all powers if possible. Doing so may lead to a very dramatic outcome in case of a conflict.
- Try to avoid in house code development of any size above minor. Obviously this doesn’t apply to startups that do code as an essential part of the business case. If you do develop code in-house, do so as securely as possible using secure coding practices, penetration testing and other controls as relevant
- Do not recode basic security functions. Use existing tools or libraries.
Advanced level progression:
So having read until here, you’ll probably already have disagreed with me 10 times and be thinking “this is no real security” and you’ll be right. I’ll be adding more advanced items later.Examples: * Device and file system encryption * Implement threat intelligence to understand new threats that may impact your critical assets. You can subscribe to mailing lists or specific services * PCAP server to record all traffic with storage 2-5 days
Still to-do/What’s missing?
Honestly, probably a lot. I’ll update this whenever enough new material/comments have been collected to warrant a “version update”.Also for most of the above “checklist items” which many of you will hate, there has to be a “How to do this item” procedure to explain in more detail how to do this correctly.
The advanced section of MVS will also need to get slowly filled out, but the maximum size of the advanced section approaches the maximum size of the security in large corporations, so that’d be an entire WIKI in itself.