5 Configurations That Will Dramatically Mature Your Security Posture, For Free!

Dane Meah
November 28, 2017


At the beginning of this year the Australian Signals Directorate (ASD) updated their Top 4 Mitigation strategies to the “Essential 8”. These Essential 8 strategies are what the ASD identifies as the cyber security baseline for all Australian organisations, and they are listed below:

  • Application whitelisting
  • Patch applications
  • Restrict administrative privileges
  • Patch operating systems
  • Disable untrusted Microsoft Office macros
  • User application hardening
  • Multi-factor authentication
  • Daily backup of important data

Meanwhile, there are also many new technologies hitting the market to solve emerging problems for organisations, such as CASB (Cloud Access Security Brokers), EDR (Endpoint Detection & Response) and ATP (Advanced Threat Protection). Whilst these controls and mitigation strategies are crucial for protecting your organisation into the future, they can typically be massive projects to overhaul, especially if your existing setup is not optimal. What is of paramount importance is the little-discussed topic called Configuration.

Over time your environment can fall victim to Configuration Drift. This occurs when your configuration drifts away from best practice either because best practice itself changes (e.g. new product features), your internal environment changes (e.g. shift to cloud infrastructure), or the external environment changes (e.g. more roaming users).

Hindsight is a wonderful thing

Having spent years engaging with customers on security matters, we often find that when a cyber incident has occurred, it was preventable with some fairly minor tweaks to the configuration of existing technical controls. I often hear about the ‘if only’ scenarios and what could’ve been done differently.

Beware of vendors claiming to offer the silver bullet

Unfortunately, some vendors ride on the coattails of a cyber incident claiming to offer a “silver bullet” (a product or service that will “completely solve” a problem), be it Ransomware, Phishing or other types of sophisticated attack. Let me say right here: Silver Bullets do not exist!

Instead, our belief at Infotrust is that if you do the basics really, really well, this will prevent a significant portion of the attacks you are currently vulnerable to. For many organisations, it doesn’t make sense to ‘boil the ocean’ with an array of highly specialised technical controls that ultimately leave you overrun with technology you are unable to manage effectively, which in turn results in poor utilisation, poor effectiveness and low or no ROI.

Most organisations have improperly configured security controls

Now please don’t take this statement as me ‘calling your baby ugly’ – this is not the case.

At Infotrust we spend a considerable amount of time and effort proactively reviewing our customers’ configurations, and in every case we find ways to optimise them. Why is this? Change is the one constant in Cyber Security: changes to the threat landscape, changes to the internal environment, changes to infrastructure, changes to business requirements, changes in the way users work or connect, changes in IT staff and changes to the technical controls themselves (especially in auto-updating cloud services). Additionally, over time a business may change its configuration for operational reasons in ways that are not optimal. For example, an application breaks and the workaround may be to disable a feature on the endpoint security or open a port on a firewall; whilst this resolves the application error, the security implications can be significant.

The crux of many cyber security incidents is in poor configuration or poor utilisation of existing security controls.

1) Enable HTTPS inspection of web traffic

More than 50% of web traffic is now encrypted, and this is set to grow as we increase our use of websites and cloud applications that require content to be kept private and protected from inspection by unwanted parties. However, for these same reasons, the bad guys love to encrypt their web traffic too, in their case to prevent interception by the parties they consider unwanted, such as the anti-malware scanning of a Secure Web Gateway.

Most good Web Gateway providers, such as Blue Coat WSS, Zscaler and Symantec Web, to name a few, provide native SSL inspection at no additional cost. This ensures that the full content of the web traffic is decrypted “man in the middle” style, scanned for malware, then re-encrypted under the gateway’s own (self-signed) certificate authority as the content is delivered to your user. Typically, all that is required is to deploy that certificate to your users’ browsers and enable the feature in the cloud portal.

2) Prevent executable downloads from uncategorised websites

Even with the best web security measures in place, you can’t control every website your employees visit. However, you can safeguard your users and organisation from executable downloads from lesser-known or less-trusted sites, which may contain viruses or malware. Whilst blocking executables across the entire Internet may be overly prohibitive, it can be advantageous to block executables from uncategorised sites.

The quality of the categorisation database varies with each vendor; however, broadly speaking, uncategorised sites tend to be less safe. Therefore, configuring a rule to block executable content types (.exe, .dmg, etc.) from the “Uncategorised” category is simple, yet effective.
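The rule above, as an added example that is not part of the original post or any vendor’s product: the category database is a constructed stand-in for the gateway’s own, and the rule treats a download as executable by its extension or, when the filename says otherwise, by the leading bytes of the content.

```python
"""Proxy rule from the post: block executable downloads from uncategorised sites.
Added example, not vendor code; the category database below is constructed."""
import os
from urllib.parse import urlparse

# Constructed stand-in for the vendor's URL categorisation database.
URL_CATEGORIES = {
    "downloads.example-vendor.test": "Software Downloads",
    "www.partner.test": "Business",
}
EXECUTABLE_EXTENSIONS = {".exe", ".msi", ".dll", ".scr", ".dmg", ".pkg", ".bat", ".ps1", ".sh"}
# Leading bytes of common native executable formats, so the rule does not rely on the filename alone.
EXECUTABLE_MAGIC = (
    b"MZ",                # Windows PE (also .dll and .scr)
    b"\x7fELF",           # ELF (Linux)
    b"\xcf\xfa\xed\xfe",  # Mach-O 64-bit
    b"\xca\xfe\xba\xbe",  # Mach-O universal binary (also Java class files)
)

def categorise(host: str) -> str:
    """Hosts missing from the database are 'Uncategorised', as in the vendor portals."""
    return URL_CATEGORIES.get(host.lower(), "Uncategorised")

def looks_executable(filename: str, first_bytes: bytes) -> bool:
    """Executable by extension, or by content when the name claims otherwise."""
    if os.path.splitext(filename.lower())[1] in EXECUTABLE_EXTENSIONS:
        return True
    return first_bytes.startswith(EXECUTABLE_MAGIC)

def decide(url: str, first_bytes: bytes) -> dict:
    """Apply the rule: block executables only when the site is Uncategorised."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    filename = os.path.basename(parsed.path)
    category = categorise(host)
    executable = looks_executable(filename, first_bytes)
    action = "block" if category == "Uncategorised" and executable else "allow"
    return {"host": host, "category": category, "executable": executable, "action": action}
```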

3) Enable Inbound DMARC validation

DMARC is the new gold standard for email authentication, used by the world’s leading brands to prevent fraudulent use of a company’s domain. DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance, is a framework that sits on top of the SPF and DKIM authentication protocols to provide a more reliable way for an organisation to achieve high authentication levels with fewer failures than SPF or DKIM alone. However, nearly all Enterprise Secure Email Gateways have DMARC validation turned off by default, as this is a ‘new feature’. Simply log in and turn it on – hey presto!

Bonus points: Those who are more security conscious and seeking to prevent email fraud against their company would also deploy a DMARC record in their DNS, with the objective of moving this to p=reject, but that’s a conversation for another day.
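What the gateway actually does once inbound DMARC validation is switched on, as an added example that is not part of the original post or any gateway vendor’s code: it parses the sending domain’s DMARC record (the one your own DNS record would publish, here a constructed example at p=reject), checks whether the SPF or DKIM result aligns with the From domain, and returns the disposition. The organisational-domain logic is simplified to the last two labels; real receivers consult the Public Suffix List.

```python
"""DMARC evaluation as an inbound gateway performs it: parse the record, check
SPF/DKIM alignment, return the disposition. Added example, not vendor code."""
from typing import Optional

# Constructed record, as the gateway would fetch from the _dmarc.example.com TXT record.
SAMPLE_RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; ...' into a dict, applying the DMARC defaults (relaxed alignment)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: v=DMARC1 and p= are required")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels (real receivers use the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') requires an exact match; relaxed ('r') requires the same organisational domain."""
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record: str, from_domain: str, spf_pass_domain: Optional[str] = None,
                      dkim_pass_domains: tuple = ()) -> str:
    """Return 'pass', or the policy to apply ('none', 'quarantine' or 'reject').

    spf_pass_domain: the MAIL FROM domain if SPF passed, None if it did not.
    dkim_pass_domains: the d= values of the DKIM signatures that verified.
    Assumes the record was published at the organisational domain, so sp= governs subdomains.
    """
    tags = parse_dmarc(record)
    spf_aligned = spf_pass_domain is not None and aligned(spf_pass_domain, from_domain, tags["aspf"])
    dkim_aligned = any(aligned(d, from_domain, tags["adkim"]) for d in dkim_pass_domains)
    if spf_aligned or dkim_aligned:
        return "pass"
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        return tags["sp"]
    return tags["p"]
```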

4) Configure Roaming User Filtering for Web Browsing

Whilst users are roaming (i.e. connecting to the internet when off the corporate network), several factors compound the risk that these users will be compromised:

  1. Roaming users are more likely to browse riskier sites.
  2. Roaming users’ endpoint security may not be up to date.
  3. Roaming users’ traffic is not subject to the same scrutiny as when they are on the corporate network.

Many web proxy/security solutions provide an option (often at no extra cost) to route traffic through a cloud proxy when your users are connecting from off the corporate network.

Whilst philosophically, many organisations do not want to enforce browsing policy for users at home, the risks are too great to just allow unfettered internet access with no security provisions.

5) Block or log outbound emails containing office docs being sent to personal email accounts

The vast majority of data loss incidents are the result of internal users, whether accidental or malicious. Not all businesses have the resources to implement an enterprise DLP solution; however, using the native functionality of most Secure Email Gateways (e.g. Symantec, Cisco, Trustwave, etc.), policies can be put in place to monitor outbound office documents being sent to public mailbox provider accounts such as @gmail, @hotmail, @bigpond, etc.

If you are a B2B organisation, it’s rare that there would be a need to send office files (or other industry-specific file types such as AutoCAD, Photoshop, etc.) to public mail accounts. If you are a B2C organisation, where emailing public addresses is quite common, you can get more granular with your policy to look for certain types of content such as PCI or PII data, key terms such as “Internal only”, or certain file types that may contain your IP such as those above. Ensure your company has a clear policy in place so that it is clear what types of information may be transmitted.
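The outbound policy described above, as an added example that is not part of the original post or any gateway vendor’s code: it parses a (constructed) outbound message, checks the recipients against a list of public mailbox providers, and flags office or industry-specific attachments and the key terms the B2C variant looks for. The provider list, file types and terms are illustrative and assumed.

```python
"""Outbound mail policy: office documents or flagged terms going to personal mailbox
providers. Added example, not gateway vendor code; all lists are constructed."""
import email
import os
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed lists; extend with the providers, file types and terms relevant to you.
PERSONAL_MAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com", "bigpond.com"}
SENSITIVE_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".dwg", ".psd"}
OFFICE_MIME_PREFIXES = ("application/msword", "application/vnd.ms-",
                        "application/vnd.openxmlformats-officedocument")
KEY_TERMS = ("Internal only", "Confidential")

def build_sample(to: str, attach: bool = True) -> bytes:
    """Constructed outbound message used to exercise the policy."""
    msg = EmailMessage()
    msg["From"] = "alice@corp.example"
    msg["To"] = to
    msg["Subject"] = "Q3 pricing"
    msg.set_content("Internal only - please do not forward.")
    if attach:
        msg.add_attachment(b"PK\x03\x04 constructed xlsx bytes", maintype="application",
                           subtype="vnd.openxmlformats-officedocument.spreadsheetml.sheet",
                           filename="pricing.xlsx")
    return msg.as_bytes()

def evaluate_outbound(raw: bytes, mode: str = "log") -> dict:
    """Return 'allow', 'log' or 'block' together with the evidence behind the decision."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    recipients = [addr.lower() for _, addr in getaddresses(headers)]
    personal = [r for r in recipients if r.rsplit("@", 1)[-1] in PERSONAL_MAIL_DOMAINS]
    attachments = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if os.path.splitext(name)[1] in SENSITIVE_EXTENSIONS or ctype.startswith(OFFICE_MIME_PREFIXES):
            attachments.append(name or ctype)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")
    terms = [t for t in KEY_TERMS if t.lower() in text.lower()]
    matched = bool(personal) and (bool(attachments) or bool(terms))
    action = "allow" if not matched else ("block" if mode == "block" else "log")
    return {"action": action, "personal_recipients": personal, "attachments": attachments, "key_terms": terms}
```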

What next?

This list could easily be 20 or 30 bullet points long, but the key is to start somewhere. If the above 5 are not deployed in your environment already, go and deploy these today, or at least start the process.

Infotrust would be happy to assist you with these and also identify other quick wins within your environment. To discuss having a Holistic Cyber Security Gap Analysis, contact us today.