Wed, Nov 3, 2021

10 Essential Cyber Security Controls for Increased Resilience (and Better Cyber Insurance Coverage)

Devon Ackerman

/en/our-team/jeff-macko Jeff Macko is a Director

Jeff Macko

While threat actors continue to vary attack methods, these 10 essential cyber security controls can significantly improve your security posture, therefore making it harder for cyber criminals to compromise your network and increasing your opportunities for cyber insurance coverage. Validated by our seasoned cyber security experts based on frontline expertise and with a thorough review of the expanded questionnaires now requested by most cyber insurance carriers, key takeaways for each of the controls are presented here.

For more details, including hands-on support, get in touch with a Kroll expert today.

10 Essential Cyber Security Controls for Increased Resilience

Multifactor Authentication (MFA)

Passwords alone don’t offer sufficient protection, and with increasing rates of credential compromise attacks, it’s imperative to require additional forms of authentication, ideally via an app.
All users, including senior executives and admins, must adhere to MFA procedures. Creating exceptions to MFA introduces openings for attackers.
MFA should be enabled for every system account with special focus on systems that contain sensitive data such as financial, HR, and other statutory or regulatory protected data.
Audit your implementation. Criminals tend to exploit and develop workarounds such as abuse of legacy system authentication protocols, which are frequently not included in MFA protections.

Virtual Private Network (VPN)

Recently, VPNs have become a much larger focus for exploitation by bad actors whose intrusion vector focus is a potentially vulnerable or exploitable perimeter. It’s important to keep vulnerability scanning technologies as well as blending reactionary and proactive patch management.
Antivirus solutions cannot detect an adversary who connects to the VPN with stolen admin credentials and is granted heightened privileges, operating as a normal user would. Consider frequent reviews of VPN logs for suspicious activity.
All users should log into the VPN with minimum access privileges. Admins can escalate privileges once authenticated. Service accounts should not be allowed to authenticate and connect through VPN.

Remote Desktop Protocol (RDP)

The category of “remote desktop” software solutions has grown tremendously due to the pandemic. Such solutions allow full control of a remote computer, including local network access and storage.
Such extensive access presents a goldmine for attackers, and it’s crucial to keep remote desktop solutions inaccessible via the internet. Instead, make them accessible only via VPN or implement a virtual desktop solution, such as Citrix or VMware.
RDP should not be openly accessible from the internet without 2FA or MFA protections.
Like a variety of remote access solutions, vulnerabilities are constantly uncovered and a robust patch management program is essential.

Endpoint Detection and Response (EDR)

EDR typically relies on a lightweight agent deployed on endpoints such as laptops, servers and workstations, giving systemwide visibility for spotting suspicious behavior.
Unlike antivirus, which relies on signature-based detections to spot malware, EDR is tuned to look for suspicious behaviors like network scanning or lateral network movement.
EDR agents should be deployed as wide as possible in the environment; attackers may enter the network through unmonitored systems.
Until it is adequately fine-tuned, EDR systems may deliver a high level of alerts. An experienced team needs to monitor and validate alerts that could lead to a real incident.

Incident Response Planning

Your incident response plan should always be readily available and not inaccessible if there is an incident.
Make sure all the key stakeholders - departments, teams and people - are identified in the IR plan. Who should be contacted first? Where does PR fit in? Who is the contact from each team involved? What’s HR’s role?
Test the IR plan regularly and update as needed. If there are role or personnel changes, make sure the plan is updated with new contacts.
Time matters in an incident response so make sure law firms, forensic firms, etc. are approved ahead of time.

Infrastructure and Segmentation

Having a layered approach to security is key. Threat actors know about critical vulnerabilities and exploits often weeks before they are known to the public.
Antivirus isn’t enough anymore. A managed detection and response platform (MDR) is needed to catch threats that include polymorphic code, abuse of legitimate tools and credentials, and “Zero Day” attacks.
Patch management for your perimeter devices is critical. Patch management of your 3rd party contracts is no less critical.
Have separate and distinct IT and cybersecurity roles. IT keeps things running. They cannot keep up with the ever-changing threat landscape as well.

Backups

Attackers take advantage of poor recovery capabilities to further their extortion efforts. Assess and test recovery capabilities at least yearly.
Offline backups are critical to recover from ransomware attacks.
Multiple backups are key for dealing with data corruption, data loss and malicious events.
Review data on all devices to determine what needs to be backed up, how often, and the best medium.
Make sure backups are tested and all procedures documented. Restoring data is only half the equation. Knowing what to restore, when to bring it online and how to engage the business is a challenge most companies learn during a crisis.

Access Control

Overly permissive access rights can open an organization to both internal and external compromises. The more access granted, the more leverage a possible attacker has when compromising an employee’s credentials.
“Least Privilege” is crucial. Users should only be granted access to information relevant for their job during the duration required.
Coordinate with IT, Infosec and HR. Quickly remove access permissions for departed users and adjust permissions when employees transferring roles no longer need them.
Managing access rights for IT administrators can be challenging but achievable with the use of privileged-access management solutions, network segmentation, password management and limiting admin level access users.

Security Culture Training

Culture is key – employees need to feel they can raise concerns and report suspicious issues.
Companies should have mandatory annual cyber security training for all staff and test awareness of identifying and reporting suspicious activity, email, and behaviors.
Training employees includes knowing when to retain and delete data. What data is your company required to retain? For how long? Make sure to create and follow a data retention policy so to limit your company’s exposure.
Give employees the right tools and training to be able to recognize external email, phishing email and report suspicious emails directly to the information security team.

Email Hygiene

Train employees to understand how to identify and report phishing emails.
Pursue a multi layered defense, including filtering controls on inbound and outbound messages with attachment sandboxing and URL rewrites.
Visual cues such as tagging the subject line of external communications can be helpful.
Cloud based email solutions can enable organizations to easily and cost effectively implement core security controls such as MFA and reduce the chances of an attacker gaining access to internal private networks through compromised on-premises servers.
Adoption of Bring Your Own Device (BYOD) requires additional written policies and technical controls to manage associated risks when company data is accessed from external devices.

Strengthen your Security

These 10 essential controls, validated by our seasoned cyber experts, can greatly improve your security posture and resilience against a cyber attack when fully implemented. Kroll is here to assist in every step of the journey toward cyber resilience. To reinforce your essential controls, consider a robust managed detection and response solution such as Kroll Responder, which can deliver extensive visibility and immediate response in the event of a compromise. Talk to a Kroll expert today via our 24x7 cyber incident hotlines or our contact page.

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

Cyber Risk

Kroll Responder

Stop cyberattacks. Kroll Responder managed detection and response is fueled by seasoned IR experts and frontline threat intelligence to deliver unrivaled response.

Kroll Responder

Incident Response and Litigation Support

Kroll’s elite security leaders deliver rapid responses for over 3,000 incidents per year and have the resources and expertise to support the entire incident lifecycle.

Incident Response and Litigation Support

Threat Exposure and Validation

Proactively identify your highest-risk exposures and address key gaps in your security posture. As the No. 1 Incident Response provider, Kroll leverages frontline intelligence from 3000+ IR cases a year with adversary intel from deep and dark web sources to discover unknown exposures and validate defenses.

Threat Exposure and Validation

Cyber Risk Retainer

Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.

Cyber Risk Retainer

Ransomware Preparedness Assessment

Kroll’s ransomware preparedness assessment helps your organization avoid ransomware attacks by examining 14 crucial security areas and attack vectors.

Ransomware Preparedness Assessment

Remote Work Security Assessment

Kroll’s remote work security assessment identifies vulnerabilities of work-from-home employees and networks, and provides guidance on minimizing the risks posed by a decentralized network often complicated by personal devices and unstructured environments

Remote Work Security Assessment

Incident Response Plan Development

You learn today that your organization is facing some kind of cyber incident. Could be ransomware, highjacked O365 email account, PII or PHI exfiltrated, misconfigured network settings exposing data, etc. What do you do first?

Incident Response Plan Development