February 28, 2022 •Jason Dell
In times of global unrest, where there is a potential for nation-state attacks, it is a very good idea to review your security strategy. Below are a few things to review to mitigate these types of attacks. This is not a complete list by any means, but it covers some of the basics:
Perimeter Firewalls
It is highly recommended to review your firewall logs before making any of these configuration changes. Consider making changes incrementally, and always have a method of “undoing” any configuration change that ends up being disruptive. Give NSI a call if you need a hand with these configurations.
- Block by Geolocation: Consider blocking inbound and outbound connections to regions/countries that are not necessary for your production applications. It is admittedly easier to block inbound connections using broad strokes but carefully consider any cloud applications you may have before blocking outbound connections.
- Security Intelligence: Next-generation firewalls have a Security Intelligence component that may need to be configured, as it is sometimes not enabled by default. You should be able to block threats by Network and by URL. Look through the list of pre-defined threat categories and add them to the block list. You should be able to easily identify the threatening categories (e.g., Attackers, Malicious, Malware, etc.).
- Block High-Risk Applications and URLs: Consider blocking applications and URLs that are categorized as high-risk. Be on the lookout for exceptions that you may use for legitimate purposes.
- Proxy avoidance: In the above and elsewhere, consider blocking Open_proxy, anonymizer, proxy avoidance, etc. These technologies are often meant to provide privacy but can often circumvent security controls and provide back-doors to otherwise forbidden destinations.
- DNS Policy: Consider configuring the DNS policy to block malicious DNS lists. Again, these should be easy to identify (DNS Attackers, DNS Exploitkit, DNS Malicious, etc.)
- Intrusion Prevention: Consider configuring your IPS policy to update itself frequently (I recommend daily). Doing so will help to mitigate exploits to vulnerable applications, operating systems, or IoT.
Secure Web Gateway, Secure Internet Gateway, DNS Protection
Hardening your perimeter firewalls does not protect your remote users that access cloud applications or cloud infrastructure directly. As stated above, review your logs before making changes, consider making changes incrementally, and have a method of backing out your changes quickly.
- Security Settings: Consider blocking dynamically updated malicious categories. This can often be seen as the first line of defense and is a very powerful tool for mitigating threats.
- Content Settings: Consider blocking categories that pertain to security risks e.g., Filter Avoidance, Personal VPN.
- Proxy: Consider enabling proxy/Intelligent Proxy if possible.
- SSL Decryption: Consider enabling full or partial SSL decryption where it is possible to trust the presented certificate.
Multi-Factor Authentication
- Consider implementing multi-factor authentication wherever possible. Even users with a skilled eye are susceptible to complex phishing attacks, and credentials may be able to be obtained through other nefarious methods.
Antimalware
- Basic advice but have a reputable antimalware solution deployed to all supported endpoints and configured to best practices.
Email Security
- Is the security included with your email provider sufficient? Email is the #1 method of contracting ransomware. Consider implementing a reputable third-party email security solution.
Again, this is not a complete list. Review all your security controls, look for security gaps, evaluate the efficacy of your security controls. To contact Network Solutions, Inc for assistance or for additional information visit https://www.nsi1.com/schedule-consultation.
www.nsi1.com | 888.247.0900