The 100 Words Project Blogs — The Essential Eight
100 Words on Application Whitelisting
Application Whitelisting is number one on the Australian Signals Directorate “Essential Eight” for good reason. Consider that everything on a computing platform is essentially an “application” so it makes sense to control which ones are allowed to execute. Explicitly allowed applications permit business as usual, safeguarding against malicious code and misuse of productivity tools whether intentional or accidental. Successful implementation begins with an inventory of all applications which define your “Whitelist” and “Blacklist”. We then define rules for general and specific applications to match roles and requirements. Planning is crucial. Testing is critical. Management support and underpinning policies are obligatory.
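The inventory-then-rules sequence described above, as an added example (not code from the original post), using Windows AppLocker: inventory a clean reference build, generate publisher and hash rules from it, and test a file that was never inventoried before anything is enforced. The directories and output paths are placeholders.

```powershell
# Added example, not part of the original post: build an AppLocker allowlist from an
# inventory of a clean reference workstation, then test an uninventoried file against it.
# Assumptions: elevated session on a Windows edition with the AppLocker module; the
# directories and output paths are placeholders for your environment.
Import-Module AppLocker

# 1. Inventory. Everything installed in the trusted program directories of the reference
#    build becomes the basis of the allow list; anything it does not cover is denied.
$dirs = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'
$inventory = foreach ($dir in $dirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script
}

# 2. Rules. Signed software gets publisher rules (they survive patching); unsigned
#    binaries fall back to hash rules, which must be regenerated whenever they update.
#    -Optimize merges rules for the same publisher/product into one general rule.
$baseline = 'C:\Policies\AppLocker-Baseline.xml'
$inventory |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $baseline -Encoding UTF8

# 3. Test before enforcing. A file that was never inventoried should come back as Denied;
#    run the same check over each role's known-good software before widening the rules.
#    Placeholder paths:
$candidates = 'C:\Users\Public\Downloads\unknown-tool.exe',
              'C:\Program Files\Finance\payroll-client.exe'
Test-AppLockerPolicy -XmlPolicy $baseline -Path $candidates -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Deploy in audit-only mode first (EnforcementMode="AuditOnly" on each RuleCollection
#    in the XML, or via the AppLocker GPO) and review event IDs 8003 (EXE) and 8006
#    (script) "would have been blocked" entries until every exception is understood.
```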
100 Words on Patching Applications
Patching Applications is often overlooked in the security strategy of organisations. While patching operating systems is a regular task, business-focused applications that are relied on daily end up being forgotten. Productivity software on the desktop, critical payroll and HR applications, and even the system firmware and software on network appliances (physical and virtual) must be updated and patched to the current stable versions as part of your patch management strategy. Replace or remove unsupported systems. Acquire updates from vendors when available and consider underpinning support agreements. Compromise of a vulnerable application can quickly escalate to exploiting your entire infrastructure.
100 Words on Restricting Administrator Privileges
Administrator accounts have tremendous power. Beyond server and domain administrators, we must consider service accounts, workstation local administrators, and network appliance administrator accounts. A full, accurate, and current inventory of these accounts, who has access to them, and whether they match the roles they enable, is critical. Auditing and logging are essential. Avoiding generic administrator accounts is crucial. Implementing control over administrator accounts must have management support but can create a political firestorm. Use groups to assign privileges and audit these delegations regularly. Engage change management before making elevated account changes. Used incorrectly or maliciously, administrator accounts can have catastrophic consequences.
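The regular audit of delegations called for above, as an added example (not code from the original post): privileged group membership is reconciled against an approved roster maintained through change management, and drift in either direction is reported. It assumes the RSAT ActiveDirectory module, a roster CSV with columns Group, Account and Owner, and placeholder paths.

```powershell
# Added example, not part of the original post: reconcile the real membership of privileged
# groups against an approved roster kept under change management, and report drift in both
# directions. Assumptions: RSAT ActiveDirectory module on the audit host, a roster CSV with
# columns Group,Account,Owner, and placeholder paths.
Import-Module ActiveDirectory

$rosterPath = 'C:\Audit\privileged-roster.csv'           # placeholder
$reportPath = 'C:\Audit\privileged-drift.csv'            # placeholder
$adGroups   = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Account Operators'

$roster = Import-Csv -Path $rosterPath

function Compare-Membership {
    param([string]$Group, [string[]]$Actual, [string[]]$Approved)
    # Present but not approved: investigate now. Approved but absent: the roster is stale.
    foreach ($name in $Actual   | Where-Object { $_ -notin $Approved }) {
        [pscustomobject]@{ Group = $Group; Account = $name; Finding = 'UNAPPROVED member' }
    }
    foreach ($name in $Approved | Where-Object { $_ -notin $Actual }) {
        [pscustomobject]@{ Group = $Group; Account = $name; Finding = 'Roster entry no longer a member' }
    }
}

$findings = foreach ($group in $adGroups) {
    # -Recursive expands nested groups so indirect delegations are caught as well
    $actual   = Get-ADGroupMember -Identity $group -Recursive | ForEach-Object SamAccountName
    $approved = ($roster | Where-Object Group -eq $group).Account
    Compare-Membership -Group $group -Actual $actual -Approved $approved
}

# Workstation and server local Administrators belong in the same inventory; this covers
# the host the script runs on (roster rows use the group name "LOCAL:Administrators").
$localActual   = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name.Split('\')[-1] }
$localApproved = ($roster | Where-Object Group -eq 'LOCAL:Administrators').Account
$findings = @($findings) + @(Compare-Membership -Group "LOCAL:Administrators@$env:COMPUTERNAME" `
                                                -Actual $localActual -Approved $localApproved)

if ($findings) {
    $findings | Sort-Object Group, Finding | Format-Table -AutoSize
    $findings | Export-Csv -Path $reportPath -NoTypeInformation    # feed to ticketing/SIEM
} else {
    Write-Output 'Privileged group membership matches the approved roster.'
}
```

Run it from a scheduled job so a roster that quietly drifts from reality is caught between change windows rather than at the next incident.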
100 Words on Patching Operating Systems
Patching operating systems may be more critical than patching applications. While applications may be the action, the operating system enables the action. We all think of the ubiquitous Windows operating systems but should never overlook Linux, Unix, Mac, mobile platforms, and even IoT and network appliances. Like applications, products are released with imperfections, and by various means the vendors endeavour to resolve those imperfections. WannaCry and Petya are recent examples highlighting the need for a patching strategy. Get informed, get involved, and get protected by making it part of your regular maintenance. Acquire patches, verify their purpose, test, and deploy.
100 Words on Configuring Microsoft Office Macro Settings
Microsoft Office macros represent significant efficiency but also a vulnerability when not managed correctly. The ability to automatically execute tasks and code is a double-edged sword when entire systems may be impacted. Verification and testing of macros is mandatory, underpinned by secure distribution, policy, and digital signatures. Rare is the environment with no macros at all, where disabling them completely becomes an option. Consider macros beyond the Microsoft space. Do not trust any macros that have not been vetted. Revoke the ability of users to modify the macro policy settings. Train staff on macro safety. Restrict macro privileges. Enable auditing and alerting.
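A compliance check for the macro settings described above, as an added example (not code from the original post): it reads the Group Policy registry values that deliver the Office macro policy and flags any application where macros are not restricted to signed code, Internet-sourced macros are not blocked, or the setting is left to the user. It assumes Office 2016/2019/365 (registry version key 16.0).

```powershell
# Added example, not part of the original post: audit the effective Office macro policy for
# the current user against the settings the post calls for (macros blocked unless signed
# and vetted, Internet-sourced macros blocked, settings delivered as policy so users cannot
# change them). Assumptions: Office 2016/2019/365 (registry version key 16.0).
$apps = 'Word', 'Excel', 'PowerPoint', 'Visio'

# VBAWarnings: 1 = enable all, 2 = disable with notification,
#              3 = disable all except digitally signed, 4 = disable all without notification
$acceptable = 3, 4

$results = foreach ($app in $apps) {
    # Values under Software\Policies come from Group Policy and grey out the Trust Center UI.
    # Values under Software\Microsoft\Office are the user's own preference and are not enough.
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $trusted   = Get-ItemProperty -Path "$policyKey\Trusted Locations" -ErrorAction SilentlyContinue

    $vba = $policy.VBAWarnings
    if ($null -eq $vba)           { $macroState = 'NOT SET (user-controlled)' }
    elseif ($vba -in $acceptable) { $macroState = "OK ($vba)" }
    else                          { $macroState = "WEAK ($vba)" }

    # blockcontentexecutionfrominternet = 1 blocks macros in files carrying the Mark of the Web
    $internetState = if ($policy.blockcontentexecutionfrominternet -eq 1) { 'OK' } else { 'NOT BLOCKED' }

    # Trusted Locations bypass the macro setting entirely: disable them or review each one
    $trustedState = if ($trusted.AllLocationsDisabled -eq 1) { 'Disabled' } else { 'Enabled (review list)' }

    [pscustomobject]@{
        Application      = $app
        MacroPolicy      = $macroState
        InternetMacros   = $internetState
        TrustedLocations = $trustedState
    }
}

$results | Format-Table -AutoSize

# A non-zero exit lets a scheduled compliance job raise an alert on drift.
$drift = $results | Where-Object { $_.MacroPolicy -notlike 'OK*' -or $_.InternetMacros -ne 'OK' }
if ($drift) { exit 1 }
```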
100 Words on Application Hardening
We often install applications with factory settings but never bother hardening them properly. Default passwords, outdated versions, open ports, and insecure services introduce vulnerabilities to your environment. Begin with an inventory of applications, understand how to secure them, and then move forward with configuration changes to improve your security posture. Use vendor and industry best practices when securing your applications but remember to thoroughly test the solution and use change management lest we create unintentional denial-of-service attacks. Patch applications to the current versions and enable logging and alerting. Use the principle of least privilege when granting application access.
100 Words on Multi-Factor Authentication
Multi-Factor Authentication adds another layer of defence that makes the difference between breaches and disaster avoidance. Users may object to the introduced “complexity” but the value to their personal and professional lives must be understood. Organisations should plan the implementation in a phased approach using a prioritised list of defended assets. Whether using mobile apps, biometrics, or established solutions such as fobs and smart cards, MFA has evolved from being an option to a necessity, especially in our cloud-focused environments. From critical payroll data to personal social media, you must consider using MFA against the present threat landscape.
100 Words on Daily Backups
Backing up critical data has been one of the longest-standing but most often overlooked strategies. With a wealth of options to choose from, we have no excuse not to back up our most valuable asset: information. Many media types are available along with cloud options. Enterprises may consider hosted solutions and disaster recovery sites. Planning is essential. Make sure crucial data is included as new systems come online and data stores are moved. Include backups of network devices. Avoid storing corporate data on local computers. Regular testing and annual disaster recovery exercises are obligatory. Remember to back up your personal data.