How to increase my company's IT security? Of course there are many, many, many topics, processes, systems, parameters, awareness measures and a lot more to implement, adjust, train, improve or get rid of. Following the available frameworks like MITRE's ATT&CK, the recommendations from NIST or the BSI etc. will get you there. However, they require a lot of time, and some companies want to implement some 'quick wins' before they adopt a whole framework (which they should).
So some of those 'quick wins' are:
- Implement multi-factor authentication (MFA or 2FA). Balancing security with comfort will win over your users, for example by implementing MFA/2FA with push tokens.
- Raising awareness by regularly sending internal phishing mails will make users learn and understand not to open or click on everything.
- Implementing zero trust or microsegmentation will make lateral movement hard.
- Regularly scanning your whole environment for vulnerabilities and configuration issues, combined with regular patching and improved hardening, will dramatically reduce your attack surface.
- Restrict administrative permissions, regularly check whether they are still necessary, implement JIT access and secure your directory services using dedicated jump servers with MFA/2FA. Also don't use Microsoft's AD built-in default groups, because they very often have too many unnecessary permissions.
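One way to turn the "regularly check whether admin permissions are still necessary" point into a routine: the following PowerShell script is an added example, not code from the original post or from Microsoft's article, that lists the members of AD's built-in privileged groups and flags the ones that look stale. It assumes the RSAT ActiveDirectory module and read access to the domain; the group list, the 90-day and one-year thresholds and the CSV path are assumptions to adjust for your environment.

```powershell
# Added example (not from the original post): audit AD built-in privileged groups
# and flag members that no longer look necessary.
# Assumptions: RSAT ActiveDirectory module installed; thresholds and group list
# are placeholders to tune for your environment.
Import-Module ActiveDirectory

$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'
)
$StaleLogonBefore    = (Get-Date).AddDays(-90)    # assumed inactivity threshold
$StalePasswordBefore = (Get-Date).AddDays(-365)   # assumed password-age threshold

$Findings = foreach ($GroupName in $PrivilegedGroups) {
    $Group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
    if (-not $Group) { continue }   # group not present in this domain, skip

    # -Recursive expands nested groups so indirect members are reported too.
    foreach ($Member in Get-ADGroupMember -Identity $Group -Recursive) {
        if ($Member.objectClass -ne 'user') {
            # Computers or foreign security principals in an admin group deserve a review of their own.
            [pscustomobject]@{ Group = $GroupName; Member = $Member.SamAccountName; Reason = "non-user principal ($($Member.objectClass))" }
            continue
        }
        $User = Get-ADUser -Identity $Member.DistinguishedName -Properties Enabled, LastLogonDate, PasswordLastSet
        $Reasons = @()
        if (-not $User.Enabled) { $Reasons += 'account disabled' }
        if (-not $User.LastLogonDate -or $User.LastLogonDate -lt $StaleLogonBefore) { $Reasons += 'no logon in 90 days' }
        if (-not $User.PasswordLastSet -or $User.PasswordLastSet -lt $StalePasswordBefore) { $Reasons += 'password older than a year' }
        if ($Reasons.Count -gt 0) {
            [pscustomobject]@{ Group = $GroupName; Member = $User.SamAccountName; Reason = ($Reasons -join '; ') }
        }
    }
}

# Review each finding with the account owner before removing anything; export for tracking.
$Findings | Sort-Object Group, Member | Format-Table -AutoSize
$Findings | Export-Csv -Path '.\privileged-group-review.csv' -NoTypeInformation   # assumed output path
```

A finding is a prompt for review, not an automatic removal: a disabled or long-unused account in Domain Admins is exactly the kind of leftover permission the point above is about.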
Some more are described in an article on the Microsoft security blog. I personally don't agree with all of them, but it is a possible approach:
Keeping the attacker's point of view in mind might help:
(Picture from Microsoft security blog)