Stratix System’s Top 25 Practices for Basic Cyber Hygiene

Stratix Systems created this list of 25 practices for basic network hygiene to help our clients prioritize where to focus first when establishing best practices for cybersecurity.

Policies and procedures are important, but practices are where it all starts. Once these initial practices are completed, you can then mature the program by aligning to a recognized cyber framework and make sure all of the appropriate documentation is developed.

#1

Practice – Remove local administrator access for all users

Brief Explanation – Local admin access for users is a high risk: if a user’s credentials are compromised, the attacker inherits those admin rights.
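One way to find where this practice is not yet in place, as an added example that is not part of the Stratix list: report every member of the local Administrators group that is not on an approved list, so stray admin rights can be reviewed and removed. The approved list, the CONTOSO group names and the module availability (Microsoft.PowerShell.LocalAccounts, Windows 10 / Server 2016 and later) are assumptions.

```powershell
# Added example (not part of the Stratix list): audit the local Administrators
# group against an approved list. Report-only by default; removal is opt-in.
# The approved list below is an assumption; replace it with your own accounts.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin account
    'CONTOSO\Domain Admins',             # placeholder domain group
    'CONTOSO\Workstation Admins'         # placeholder delegated admin group
)

function Get-UnapprovedLocalAdmins {
    param(
        [string[]]$Approved = $ApprovedAdmins,
        [switch]$Remove   # only remove after the report has been reviewed
    )
    $members = Get-LocalGroupMember -Group 'Administrators'
    foreach ($m in $members) {
        if ($Approved -contains $m.Name) { continue }
        # Emit one record per unapproved member for the report
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $m.Name
            Type     = $m.ObjectClass      # User or Group
            Source   = $m.PrincipalSource  # Local, ActiveDirectory, AzureAD
            SID      = $m.SID.Value
        }
        if ($Remove) {
            # Remove by SID so orphaned or renamed accounts are handled too
            Remove-LocalGroupMember -Group 'Administrators' -Member $m.SID
        }
    }
}

# Report only; re-run with -Remove once the output has been reviewed.
Get-UnapprovedLocalAdmins | Format-Table -AutoSize
```

Run it per endpoint (for example through your RMM or Invoke-Command) and keep the output as evidence of the review.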

#2

Practice – Limit users’ access to only the data/systems needed for their role

Brief Explanation – Make sure there are no shares or privileges granting users’ accounts access to data they do not need. “Least privilege access” limits how much data an attacker can reach by compromising a single user’s credentials.

#3

Practice – Do not allow anonymous access to anything

Brief Explanation – Scan your network to enumerate all shares. Tighten the permissions on any share that allows anonymous access, and remove any default logins from devices (e.g. admin/admin).
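One way to do the share part of this check on a Windows host, as an added example that is not part of the Stratix list: list the non-administrative SMB shares and flag every Allow entry granted to anonymous or catch-all principals. The principal list is an assumption to adjust for your environment; the SmbShare module is built in on Windows 8 / Server 2012 and later.

```powershell
# Added example (not part of the Stratix list): find SMB shares whose
# share-level ACL grants access to anonymous or everyone-style principals.
# The principal list is an assumption; tune it for your environment.
$RiskyPrincipals = @(
    'Everyone',
    'ANONYMOUS LOGON',       # matches NT AUTHORITY\ANONYMOUS LOGON
    'Guest',
    'Guests',                # matches BUILTIN\Guests
    'Authenticated Users'    # broad; confirm each share really needs it
)

function Get-RiskyShareAccess {
    # Skip the OS-managed administrative shares (C$, ADMIN$, IPC$);
    # custom shares are where anonymous access usually creeps in.
    $shares = Get-SmbShare | Where-Object { -not $_.Special }
    foreach ($share in $shares) {
        foreach ($ace in (Get-SmbShareAccess -Name $share.Name)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Match on the trailing account name so domain-qualified
            # forms such as NT AUTHORITY\ANONYMOUS LOGON are caught
            $hit = $RiskyPrincipals | Where-Object { $ace.AccountName -like "*$_" }
            if ($hit) {
                [pscustomobject]@{
                    Computer    = $env:COMPUTERNAME
                    Share       = $share.Name
                    Path        = $share.Path
                    Principal   = $ace.AccountName
                    AccessRight = $ace.AccessRight   # Read, Change or Full
                }
            }
        }
    }
}

Get-RiskyShareAccess | Format-Table -AutoSize
```

Share-level permissions are only half the picture; the NTFS ACL on each flagged path (Get-Acl) should be reviewed as well.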

#4

Practice – Use secondary accounts for all admin access

Brief Explanation – When admins use their admin accounts for daily work, those accounts are exposed to an increased risk of credential theft. Keep their usage to a minimum.

#5

Practice – Use long, non-string passwords for all admin and service accounts

Brief Explanation – Administrator accounts and service accounts are primary targets of threat actors. Make them difficult to guess, and use a password management tool to maintain the complex passwords.

#6

Practice – Terminate sessions after a period of inactivity

Brief Explanation – Session stealing is a common practice. Don’t expose these sessions any longer than necessary.

#7

Practice – Only allow remote access through encrypted channels – Use Multi-Factor Authentication (MFA)

Brief Explanation – Remote access is a huge threat vector and requires additional technical controls.

#8

Practice – Do not expose RDP to the internet

Brief Explanation – RDP weaknesses and vulnerabilities are well known and easy to exploit.

#9

Practice – Use some form of wired network access controls

Brief Explanation – Basic MAC address filtering adds an extra layer of security by checking the device address against an approved list.

#10

Practice – Separate the Guest wireless from Production

Brief Explanation – Guests should never be allowed on the production network.

#11

Practice – Use WPA-2 enterprise with authentication for production wireless access

Brief Explanation – A shared passphrase is not enough, as the wireless signal usually extends beyond the walls.

#12

Practice – Stop using USB storage except where absolutely required.

Brief Explanation – USB storage is a common way for malware to be introduced and increases the risk of data leaks.

#13

Practice – Ensure that systems stay patched

Brief Explanation – Patch all applications and devices, such as firewalls, not just Windows.

#14

Practice – Use a modern antivirus

Brief Explanation – Next-gen AV can respond to behavioral threats, not just a database of known virus signatures.

#15

Practice – Review everything that you are allowing through the firewall on the internet.

Brief Explanation – Firewall rules that allow traffic to or from the internet can open the network to threats. Make sure you know what is allowed and why, and make sure the firewall itself is patched regularly.

#16

Practice – Provide security awareness training for all users

Brief Explanation – Users often can be a weak point. We need to make sure they understand the risks, the latest threat tactics, and what to do if they receive a suspicious request.

#17

Practice – Preserve critical logs

Brief Explanation – Logs should be shipped off critical servers and devices and preserved in case they are needed for incident investigation.

#18

Practice – Implement spam filtering

Brief Explanation – Email is a major threat vector. Spam filters can flag and block suspicious messages.

#19

Practice – Implement physical security for critical systems

Brief Explanation – All critical and sensitive servers and network equipment should have limited physical access. Visitors should always be escorted.

#20

Practice – Password hygiene

Brief Explanation – Train users to not save passwords in clear-text files. Use at least 12-character complex passwords and force scheduled changes.

#21

Practice – Multi-Factor Authentication

Brief Explanation – Use MFA for any access coming from the internet, including VPN, webmail, and cloud services.

#22

Practice – Destroy any data device before disposing

Brief Explanation – Shred hard drives, destroy removable media, and render the data unrecoverable.

#23

Practice – Remove user access to anything and everything after terminations.

Brief Explanation – A process should be in place to remove access when people leave the organization, and likewise for any third-party vendor that has system access.

#24

Practice – Plan for worst case scenarios

Brief Explanation – Make sure you know what to do if there is an incident such as ransomware or business email compromise. Have resources in place before you need them to speed up response.

#25

Practice – Scan for vulnerabilities

Brief Explanation – Scan all internal and external devices on your network as often as possible to detect and remediate known vulnerabilities.
