Source: Tertiary Education Commission
1: Patch your software and systems
Exploiting vulnerable software is a common, and often easy, way for attackers to get into a business environment. Attackers have networks of computers (bots) scanning the internet to identify vulnerable software and automatically exploit it.
When a critical vulnerability is discovered, vendors will release updates (commonly known as “patches”) to fix it. Applying these fixes as soon as possible will reduce your risk of the software being exploited and help protect your IT environment.
To ensure devices are updated appropriately, organisations should implement a monthly updating or “patching” cycle and install updates whenever prompted to do so, even outside of the scheduled monthly cycle.
Implement a monthly updating or “patching” cycle
Update the operating system for servers and workstations (e.g. Windows, macOS, Linux).
Update productivity and office applications (e.g. Adobe, Microsoft Office).
Install updates within 14 days of release – the sooner the better.
Install critical security updates within 7 days of release (again, the sooner the better).
Allow web browsers to update automatically (This is the default behaviour for most browsers, such as Microsoft Edge, Google Chrome, and Firefox).
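As an added example (not part of the original guidance), the 7-day and 14-day deadlines above turned into a small compliance check: each pending or installed update is compared against its due date, so overdue and late installs stand out in a patching review. The hosts, package names and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Windows taken from the guidance above: critical security updates within 7 days
# of release, everything else within 14 days.
DEADLINE_DAYS = {"critical": 7, "standard": 14}

@dataclass
class Update:
    host: str
    package: str
    severity: str                     # "critical" or "standard"
    released: date
    installed: Optional[date] = None  # None: not yet installed

def due_date(u: Update) -> date:
    """Last acceptable install date for this update under the policy."""
    return u.released + timedelta(days=DEADLINE_DAYS[u.severity])

def check_compliance(updates: List[Update], today: date) -> List[dict]:
    """One finding per update: compliant, late (installed after due),
    overdue (still missing past due) or pending (missing, within window)."""
    findings = []
    for u in updates:
        due = due_date(u)
        if u.installed is not None:
            status = "compliant" if u.installed <= due else "late"
        else:
            status = "overdue" if today > due else "pending"
        days_over = max(0, ((u.installed or today) - due).days)
        findings.append({"host": u.host, "package": u.package, "severity": u.severity,
                         "due": due, "status": status, "days_overdue": days_over})
    return findings

def status_by_host(updates: List[Update], today: date) -> Dict[Tuple[str, str], str]:
    return {(f["host"], f["package"]): f["status"] for f in check_compliance(updates, today)}

# Constructed sample data (hypothetical hosts and packages), reviewed as of AS_OF.
AS_OF = date(2024, 3, 20)
SAMPLE_UPDATES = [
    Update("ws01", "browser", "standard", date(2024, 3, 1), date(2024, 3, 10)),
    Update("srv01", "os-kernel", "critical", date(2024, 3, 5)),
    Update("ws02", "office-suite", "standard", date(2024, 3, 12)),
    Update("srv02", "os-kernel", "critical", date(2024, 3, 1), date(2024, 3, 11)),
]

if __name__ == "__main__":
    for f in check_compliance(SAMPLE_UPDATES, AS_OF):
        if f["status"] != "compliant":
            print(f"{f['host']} {f['package']} ({f['severity']}): {f['status']}, due {f['due']}")
```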
2: Use strong passwords and consider a password manager
Passwords are used for everything. They are the most common way of authenticating to a system, and we rely on them to protect sensitive information about ourselves and others. It is, however, quite common for passwords to become known to attackers through various means, with the most common causes being password re-use or using easy to remember (and easy to guess) passwords.
Use strong & unique passwords or passphrases for every login.
Store passwords in a secure location (Password Manager).
Change default passwords.
A weak password can be cracked and stolen extremely easily by a determined hacker. This article from NetSec News describes just how quickly it can happen: How Long Does It Take a Hacker to Brute Force a Password in 2023 – NetSec.News
Implement a password manager for internal business use where passwords for the following types of accounts must be stored:
Service Accounts
Emergency (Break glass) Accounts
Company Social Media Accounts
Company Bank Accounts & Financial Services
CERT NZ has some very good advice for creating strong passwords on its website.
3: Require Multi-Factor Authentication (MFA) for all user and administrative accounts
Even the most indecipherable password can be cracked by a determined hacker or exposed in a privacy breach. And if an attacker successfully infiltrates an employee or admin account, they might be able to compromise your entire organisation network. MFA addresses this by requiring users to present more than one form of identification to access IT systems.
Implement MFA for all systems that users have access to:
Externally accessible systems & applications
Remote Network Access (VPN, RDS, etc.)
Administrative Access
Social Media
Financial Systems
These are our strong recommendations:
Use an application-based MFA (such as Microsoft Authenticator) or a hardware-based token (YubiKey, smart cards, etc.).
Where possible, avoid using SMS-based MFA as this is outdated and less secure (however, SMS-based MFA is better than no MFA).
Investigate device-based policies, such as allowing logins from compliant devices and requiring MFA for non-compliant or personal devices.
Check out CERT NZ’s Two Steps Too Easy programme.
4: Enable and retain logging for Security Events
Security events affecting systems can cause major disruptions to your business. They include a variety of incidents that range from phishing to full DDoS attacks. All such events for servers and cloud platforms should be logged in a dedicated platform.
It is important to ensure these logs/registers are retained for a minimum of three months. It is also a good idea to store these logs centrally.
Without logs it is difficult (or even impossible) to determine when incidents happen, or to establish the full scope of what has happened, meaning it is also harder to fully recover and work to prevent the same incident from happening again.
There is excellent advice on configuring and setting up centralised logs on the CERT NZ website.
5: Manage the asset lifecycle
Understanding your environment’s assets (what you have in the organisation to run your systems) is a key step in securing it. You cannot protect what you do not know about. Inventories of assets help to inform the risk profile of a business by clarifying the breadth of hardware and software that is in use, and their versions. They also help to identify assets that are no longer under warranty or no longer supported for security and feature updates.
Create and maintain a hardware inventory, keeping track of information such as:
The asset name
Its owner and current user
Its status (in use, spare, decommissioned)
The date of purchase
The warranty expiry date
Create and maintain a software inventory, keeping track of information such as:
Software programme names, the version in use, and their publishers
Their business purpose
Links to the provider’s website, app store or installer location
Document and maintain your asset lifecycle including:
The acquisition and setup of new assets
Distribution of assets to staff
Maintenance of assets
Secure decommissioning of assets
There is a wide variety of software available to help with asset lifecycle management, but a simple spreadsheet can be a good start.
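As an added example (not part of the original guidance), a spreadsheet-style hardware inventory with the fields listed above, exported as CSV, checked for two things the passage calls out: assets still in service whose warranty has expired, and rows whose status is not one of the three agreed values. The asset names, owners and dates are constructed sample data.

```python
import csv
import io
from datetime import date
from typing import Dict, List, Tuple

# Constructed sample hardware inventory (hypothetical assets), using the fields
# listed above: name, owner and current user, status, purchase and warranty dates.
HARDWARE_CSV = """asset_name,owner,current_user,status,purchase_date,warranty_expiry
LT-0042,IT Team,a.smith,in use,2021-02-15,2024-02-15
LT-0043,IT Team,,spare,2022-06-01,2025-06-01
SRV-01,IT Team,,in use,2019-09-30,2022-09-30
LT-0010,Finance,,decommissioned,2017-01-10,2020-01-10
LT-0099,Finance,b.jones,retired?,2020-05-05,2023-05-05
"""

VALID_STATUS = {"in use", "spare", "decommissioned"}
AS_OF = date(2024, 3, 20)  # date the review is run (constructed)

def load_inventory(csv_text: str) -> List[Dict[str, str]]:
    """Parse the spreadsheet export; each row becomes a dict keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def invalid_status(rows: List[Dict[str, str]]) -> List[str]:
    """Rows whose status is not one of the three agreed values (data-quality check)."""
    return [r["asset_name"] for r in rows if r["status"] not in VALID_STATUS]

def out_of_warranty(rows: List[Dict[str, str]], today: date) -> List[Tuple[str, str, int]]:
    """Assets not yet decommissioned whose warranty has already expired.
    Returns (asset_name, status, days since expiry)."""
    findings = []
    for r in rows:
        if r["status"] == "decommissioned":
            continue
        expiry = date.fromisoformat(r["warranty_expiry"])
        if expiry < today:
            findings.append((r["asset_name"], r["status"], (today - expiry).days))
    return findings

def review(csv_text: str, today: date) -> Dict[str, list]:
    rows = load_inventory(csv_text)
    return {"bad_status": invalid_status(rows), "out_of_warranty": out_of_warranty(rows, today)}

if __name__ == "__main__":
    report = review(HARDWARE_CSV, AS_OF)
    for name, status, days in report["out_of_warranty"]:
        print(f"{name} ({status}): warranty expired {days} days ago")
    for name in report["bad_status"]:
        print(f"{name}: unrecognised status, fix the inventory")
```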
6: Implement and test backups
Backing up your systems entails making an up-to-date copy of the data that has been created and saved. With a backed-up copy stored safely you are able to quickly restore your information in the event that it is lost or damaged, whether the loss is the result of a cyber attack or some other issue.
It is important to back up stored information separately from its storage within computer systems in the organisation. However, it is equally important to ensure the right information is backed up. Organisations should implement processes for backups and recovery, and test them to ensure the data can be restored if and when necessary.
Implement processes for backups and recovery
Ensure correct information is being backed up.
Test to ensure systems and information can be restored in the expected timeframe.
Keep a copy of the backups stored off-site, separate from the organisation’s day-to-day work systems.
7: Implement application control
Application control helps to protect devices against malware and ransomware attacks by restricting what software is allowed to run on a device. Allowing only pre-approved applications to run is one of the most effective means of protecting against malware.
Organisations should have firm restrictions on what applications can be installed on devices.
Build a baseline of required applications.
Establish a process to enable requests for new applications.
Use application control functionality (many device-management solutions have application control built in).
8: Deploy and maintain Endpoint Protection Software
Endpoint protection protects devices from malicious software and activity. Older “Anti-Malware” or “Anti-Virus” software will often only protect from malicious software, while newer EDR (Endpoint Detection and Response) services go beyond that and look at the behaviour and activity on a device to also prevent malicious use of legitimate software.
Endpoint protection software offers a centralised management system that allows security administrators to monitor vulnerabilities across all “endpoints” in the system – computers, mobile devices, servers and other connected devices. This monitoring enables them to investigate issues and protect the system.
An example of endpoint protection software is Windows Defender, which is built into all Windows devices. However, even with Windows Defender, it is important to use a centrally-controlled solution.
There are different solutions available, and most can protect Windows, Mac, and Linux systems.