Innovation and Managing Risk

If you have followed technology innovation over the past year, it should be clear that Artificial Intelligence (AI) and Large Language Models (LLMs) continually capture headlines. Some of the coverage is positive, highlighting the technological advancements AI organizations achieve with each release of their respective models. The remaining articles paint a grimmer picture, revealing glaring information security flaws that challenge data privacy, confidentiality, integrity, and at times availability. Regardless of the type of articles one prefers to read, there is a very important trend to capture from all of this. Change is not only coming, it’s already here and placing additional pressure on organizations to adapt quickly. Organizations implementing AI in their daily workflow, whether intentionally or not (e.g. employees doing so without the organization’s consent), absolutely must tackle foundational information security practices and implement them well before the risk from not doing so becomes too much for the organization to absorb.

Over the course of our careers, we’ve seen numerous organizations try to innovate using newer technology while lacking foundational information security practices, and each time, following a penetration assessment, we discovered risk the organization hadn’t considered or didn’t know it had. The move from on-premise infrastructure to cloud-native services over the past several years highlighted this too. User identity became the new perimeter, and arguably the primary attack path, yet organizations were slow to implement stronger password guidance and phish-resistant Multi-Factor Authentication (MFA) as industry best practices matured. Organizations believed cloud service providers absorbed most of the risk and, at times, didn’t fully understand the Shared Responsibility Model in terms of risk responsibility until it was too late. Business leaders with whom we’ve engaged were stunned to learn just how much a data breach truly costs an organization and still believed cybersecurity insurance policies would cover the costs. Meanwhile, cybersecurity insurance providers have matured their own requirements over the years and most now require evidence that the organization at least tried to implement foundational information security practices before issuing payments.

So as not to give the appearance of doom and gloom, we wanted to take a moment to highlight some of the foundational information security practices that really help reduce risk at an organization. The biggest challenge with the following list has rarely been a lack of tools, products, or security technology; it has more often been the need for organizations to adjust their approach to risk management. Many times, simply helping users adjust their workflow or habits helps tremendously, and this is a challenge that a product or tool cannot solve by itself. Likewise, helping business leaders and technology leaders shift their perspective of information security practices from being a “cost center” to “this is a necessary part of managing business risk” goes a long way towards reducing risk to an acceptable level. We list these in order of importance based on what we have observed at organizations over the course of our careers. This list is designed to be as succinct and condensed as possible. How each organization implements the following items will be different and heavily based on current practices. Regardless, whatever an organization implements, we recommend that the implementation align with the intent of each foundational practice. Where applicable, we will do our best to provide additional context pertaining to implementation.

Attack Path 1 - User Identity

Security controls around user identity are often a touchy topic with most organizations because the challenge of implementing best practices often falls on altering user behavior, which no amount of technology will fully address. With that in mind, we encourage organizations to make it as easy as possible for users to employ good password hygiene, and the best way we’ve found to do that is to take the chore of generating credentials out of the hands of the users as much as possible. Technologies such as password managers, passkeys, or FIDO2-compliant hardware tokens can help, but end-user training is absolutely required to ensure successful adoption and implementation. The list below includes some foundational practices and recommendations for organizations to implement. Where applicable, additional cost estimates are provided, and we recommend implementing these items as a group of controls because of the synergistic nature of each individual part of the control. Ultimately, the goal is to achieve defense-in-depth at a micro and macro level.

Protecting User Identities - Relatively Low Cost, High Gain

  • Minimum Password Length

    • 15-characters for general users

    • 16-characters (or more) for administrators

  • Maximum Password Length Allowance

    • 128-characters (or more if supported)

  • Multi-Factor Authentication

    • Enforce for all users

    • Prioritize phish-resistant authenticators

      • FIDO2-compliant authenticators

        • Physical USB security tokens (per-user cost)

          • Ensure backup option implemented in case of lost/damaged device

          • Biometric versions available

        • Biometrics capable

        • Passkeys

          • Hardware via laptop/desktop Trusted Platform Module (TPM)

          • Hardware via USB security token device (limited storage capabilities)

          • Ensure backup option in case of lost/damaged device

          • Mobile authenticator app protected by biometrics authentication and MDM security policies

    • Backup authenticator option

      • One-Time Passcodes generated by a trusted mobile authenticator app protected by biometrics authentication and MDM security policies

    • Authenticators to avoid (clear text, non-phish resistant, considered weak authenticators)

      • One-Time Passcodes (OTP) delivered via Short Message Service (SMS) / Text Message

      • One-Time Passcodes (OTP) delivered via Email

      • One-Time Passcodes (OTP) delivered via Public switched telephone network

  • Password complexity/composition requirements

    • Implement ONLY if required for regulatory compliance (e.g. PCI DSS, HIPAA, NYDFS, etc.)

  • Password / Credential manager (per user cost/licensing)

    • Offline password manager is preferred

      • Ensure viable vault backup and recovery

      • Often does not synchronize across devices

    • Online password manager is OK with the following considerations

      • Desktop version only (avoid browser extension due to browser attack vectors if feasible)

      • Ensure vendor supports private storage options (no shared storage across their clients)

      • Ensure vendor cannot access credential vault(s), or vault backups, and cannot decrypt vault(s)

        • Ensure the organization has recovery procedures in place

  • Breached or weak password pattern detection and prevention

    • Cloud-based Identity Services support utilizing a deny list by default

    • On-premise Identity Services (e.g. Active Directory) may require 3rd party integration

    • Helps defend against credential stuffing and password reuse

  • End user training

    • How to fully utilize a credential/password manager

      • Train users on how to have the credential manager generate the LONGEST credential accepted by the authentication service (remove the need for them to remember every credential)

      • Train users on how to use phish-resistant MFA option(s) to verify identity to credential/password manager (take the password generation for accessing the protected credential vault out of the user’s hands - great candidate for hardware passkeys)

    • How to fully utilize phish-resistant MFA option(s)

    • Anti-phishing/social engineering training (ensure it actually works and measure success metrics)
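
The length and deny-list items above can be enforced together at password-set time. The following is an added example, not code from the authors: the role names, the sample deny-list entries, the look-alike substitution table, and the residue threshold are all assumptions made for illustration.

```python
import re
import unicodedata

MIN_LENGTH = {"user": 15, "admin": 16}  # minimums from the list above
MAX_LENGTH = 128  # raise if the backend supports more; never truncate silently

# Constructed sample data. A real deployment loads a breached-password corpus
# and organization-specific base words instead.
BREACHED = {"correcthorsebatterystaple", "qwertyuiop123456"}
WEAK_BASES = ("password", "welcome", "summer", "winter", "examplecorp")
LEET = str.maketrans("013457@$!", "oleastasi")  # common look-alike swaps
MIN_DISTINCT_RESIDUE = 8  # assumption: distinct chars required outside base words


def check_password(candidate, role="user"):
    """Return a list of rejection reasons; an empty list means accepted."""
    reasons = []
    nfkc = unicodedata.normalize("NFKC", candidate)
    norm = nfkc.casefold()
    if len(nfkc) < MIN_LENGTH[role]:
        reasons.append(f"shorter than {MIN_LENGTH[role]} characters")
    if len(nfkc) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if norm in BREACHED:
        reasons.append("found in breached-password list")
    # Weak-pattern check: undo look-alike swaps, mask every deny-listed base
    # word, then count the distinct characters left outside the masked spans.
    leet = norm.translate(LEET)
    masked = [False] * len(leet)
    for base in WEAK_BASES:
        for m in re.finditer(re.escape(base), leet):
            masked[m.start():m.end()] = [True] * len(base)
    if any(masked):
        residue = {ch for ch, hit in zip(norm, masked) if not hit}
        if len(residue) < MIN_DISTINCT_RESIDUE:
            reasons.append("deny-listed word plus filler")
    # No composition rules on purpose: length and the deny list do the work.
    return reasons


if __name__ == "__main__":
    for pw, role in [("Password1234567", "admin"), ("Summer2025!Summer2025!", "user"),
                     ("plinth-mosaic-harbor-quartz", "admin")]:
        print(role, repr(pw), check_password(pw, role) or "accepted")
```

Both rejected samples meet the 15-character minimum, which is why length alone is not enough and the deny-list check belongs in the same control group.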

Some of the greatest attack vectors we see on engagements come from misconfigured identity services (e.g. on-premise Active Directory / cloud-based IAM). Hardening these services often yields the greatest results in terms of managing risk associated with attacks against user identities.

Attack Path 2 - Authorization and Access Management

Much like user identity and credential protections, user access and authorization controls go hand in hand with protecting organization resources and assets. Yet the principle of least privilege escapes many organizations as the business grows, systems and infrastructure increase in complexity, and the number of employees and job roles increases. However, getting this practice right early can help set an organization up for success in the long run and goes a long way to reducing or eliminating risk in terms of minimizing business impact in the event of a breach. Like identity protection, the following list was designed as a group to be implemented together to achieve maximum protection and risk reduction.

Administrator Users

  • Separate accounts

    • Low-level user account used for everyday work-related activities

      • Follows the identity protection guidance for all employees above

    • 2nd account provisioned with no, or minimal, licenses

      • Provisioned with just the minimal administrator privileges necessary

      • Follows identity protection guidance above for administrator users

        • Longer password minimum

        • Phish-resistant MFA

      • Every activity is logged and user must prove identity/authorization for each task

      • Used only for administrative tasks (must not be used as a service account)

General Guidelines - All users

  • Separate duties

    • Request

    • Approve

    • Implement

    • Audit

  • Minimal permissions

    • Do general users really need Local Administrator access on their systems?

    • Is it really necessary for general users to grant guest users access to the organization file share?

    • Does every administrator really require Domain Administrator/Global Administrator permissions?

    • Does that file share folder containing sensitive data really need to be accessed by everyone?

    • Do general users really need to be able to authenticate to organization resources from outside the country/state/city?

    • Does that service [for vendor product] really need Domain Administrator/Global Administrator permissions?

  • Network access controls

    • Do general users (and their systems) really need to access administrative services or systems?

    • Do general users (and their systems) really need to allow all incoming connections?

    • Does the administrator network really need to allow all outbound connections, services, and protocols?

    • Do general users (and their systems) really need to access resources in other countries?

    • Do general users (and their systems) really need to access all services and protocols on Internet resources (e.g. Telnet, SSH, SMB, CIFS, Remote Desktop, etc.)?

    • Does the organization really need default services running on every system across the environment?

    • Are multicast name resolution protocols really necessary on the network in case DNS fails?

Service Accounts

  • Minimize service account privileges

  • Enable built-in service account protections where available

  • Avoid using highly privileged user accounts for services

Generally speaking, applying the principle of least privilege for user accounts, service accounts, and network access can result in minimizing the impact from an initial compromise. During our penetration assessments, we often see that a compromise of a low-level user allows our team to increase the foothold and expand the initial attack through misconfigured access and authorization controls. This can mean the difference between obtaining limited data access or a full domain compromise. Something as simple as preventing normal users from having local administrator permissions for their general-use account, or preventing them from having more permissions than they really need on other assets can thwart attempts to expand an initial foothold. As an added layer of defense on top of foundational identity security controls, hardened access and authorization controls, even at a basic level, make a significant difference.

Attack Path 3 - Technical Debt

Of the three primary attack paths that we see on penetration assessments, and that are additionally threatened by adversaries that incorporate AI into the attack chain, technical debt appears to be a difficult challenge for some organizations to solve. These are systems that have reached, or exceeded, their life span and support cycles. There are specific industries where this appears to be a more significant challenge than others, as there are few viable products available that fulfill specific requirements at these organizations. Additionally, the number of vendors that make these products appears to be limited. This means that organizations generally face the dilemma of either keeping the unsupported versions of these products in use or migrating to the newer versions, which often come with a shift from on-premise to cloud services and introduce additional risk and data privacy considerations. Either way, technical debt opens the door for organizations to carry more risk than they realistically can absorb. Here are some pathways to minimize the attack surface associated with technical debt.

Additional Protection Measures - Upgrade or Replacement Not Feasible

  • Network isolation

    • Completely isolated network

    • Minimal egress and ingress traffic allowance (source/destination IP filtering)

    • Special access requirements for administrator users (e.g. via hardened jump host)

    • Consider virtualization or containerization to minimize long-term costs if supported

    • Monitor ingress and egress traffic, and system service interaction

    • Implement host-based firewalls in addition to network security controls
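
One way to act on the monitoring item above is to replay flow records against the same source/destination allow-list that the isolation boundary enforces. This is an added example, not the authors' tooling: every address, the jump host, the single permitted egress destination, and the four-field record format are constructed, and records are assumed to describe the connection initiator's direction.

```python
import ipaddress

# All addresses below are constructed placeholders for the example.
LEGACY_NET = ipaddress.ip_network("10.50.0.0/28")  # isolated legacy segment
ALLOWED = [  # (source, destination, protocol, destination port)
    ("10.20.0.5/32", "10.50.0.0/28", "tcp", 22),    # admins via the jump host
    ("10.50.0.4/32", "10.30.0.10/32", "tcp", 443),  # legacy app to one internal API
]
RULES = [(ipaddress.ip_network(s), ipaddress.ip_network(d), proto, port)
         for s, d, proto, port in ALLOWED]

# Constructed flow records in the form "src dst proto dport".
SAMPLE_FLOWS = """\
10.20.0.5 10.50.0.4 tcp 22
10.10.3.17 10.50.0.4 tcp 3389
10.50.0.4 10.30.0.10 tcp 443
10.50.0.4 203.0.113.9 tcp 443
10.10.3.17 10.10.3.1 udp 53
10.50.0.6 10.50.0.4 tcp 445
"""


def boundary_violations(flow_text):
    """Return (direction, record) for each boundary-crossing flow no rule allows."""
    findings = []
    for record in flow_text.splitlines():
        fields = record.split()
        if len(fields) != 4:
            continue  # skip blank or short lines
        src, dst = ipaddress.ip_address(fields[0]), ipaddress.ip_address(fields[1])
        proto, dport = fields[2].lower(), int(fields[3])
        src_in, dst_in = src in LEGACY_NET, dst in LEGACY_NET
        if src_in == dst_in:
            continue  # not crossing the boundary; host firewalls cover intra-segment
        allowed = any(src in s and dst in d and proto == p and dport == port
                      for s, d, p, port in RULES)
        if not allowed:
            findings.append(("egress" if src_in else "ingress", record))
    return findings


if __name__ == "__main__":
    for direction, record in boundary_violations(SAMPLE_FLOWS):
        print(f"ALERT unexpected {direction}: {record}")
```

Any finding means either the boundary filter is looser than the documented allow-list or a legacy host is reaching somewhere it should not, and both cases warrant investigation.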

Conclusion

We want to communicate clearly that this list is non-exhaustive, but implementing these foundational practices, and continuing to adapt to changing industry best practices, will go a long way in reducing organizational risk. Furthermore, the above items will help any organization prepare for integrating AI into their operations while simultaneously helping the business recognize and address the risk of doing so. Like any new and innovative technology, early adoption often coincides with higher risk as the technology itself hasn’t fully matured or addressed all of the threats against it just yet. Maturing an organization’s foundational information security practices will help set a strong foundation for innovating and incorporating new technological advancements that enhance business outcomes. We firmly believe that managing risk is possible provided the organization has implemented mature foundational information security practices.

If your organization is considering implementing, or is already in the midst of implementing, AI tools or technologies into operational practices, we would love to help your team assess the organization’s alignment with foundational information security practices. Oftentimes, penetration testing is a good place to start for an organization that wants assistance identifying or confirming known or unknown attack vectors and associated business risk. This is where we thrive and, more often than not, reveal valuable insights into business risk associated with the organization’s current technology stack, processes, and overall information security program maturity.