Employees have been working remotely for the past two years because of the pandemic, and some firms have announced a permanent work-from-home option. Working from anywhere boosts productivity and flexibility. IT teams, on the other hand, who must build and run the infrastructure that supports remote work, face a harder problem: attackers have noticed that companies are more exposed than ever before, and they are stepping up their attacks.
Implement the following recommended practices to strengthen your risk management further:
- Minimize unused accounts by deleting or disabling them.
- Review all permissions, in particular remote access permissions, and remove those that are excessive or unneeded.
- Examine your password length and complexity criteria, with an emphasis on establishing passwords that are easy to remember but difficult to guess.
- To prevent attackers from gaining access to your internal network by guessing a user's password, implement an account lockout policy. However, don't set the number of failed attempts before lockout so low that it causes annoyance and lost productivity for legitimate users, who will inevitably mistype a password from time to time.
- Reduce the number of privileged accounts, and rethink your delegation model for Active Directory.
- Confirm that NTFS permissions and permissions on shared resources such as SharePoint, SharePoint Online, OneDrive for Business, and Teams comply with the principle of least privilege.
- Turn off or uninstall unused network services.
- Review and improve your Group Policy.
- For access control across your infrastructure, use Active Directory and Azure AD groups. Review your groups and group membership on a regular basis to ensure that no one has too many permissions.
- Monitor logons to cloud and on-premises resources, as well as VPN logons.
- Monitor user activity in cloud solutions that serve remote workers, such as SharePoint Online, OneDrive for Business, and Teams, especially activity around sensitive data.
- Monitor changes in group membership or permissions that could indicate privilege escalation. Also keep an eye on unusual activity around your network ports and VPN connections, particularly port scans and failed login attempts, which could indicate a password-spray or brute-force attack.
- Document your policies and distribute them to everyone who accesses your IT environment.
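The monitoring items above mention failed logins as a sign of password spraying or brute force, and the lockout item explains why the threshold cannot simply be set very low. The following added Python example (not from the original post) correlates constructed Windows Security event ID 4625 records to separate a password spray, which touches many accounts with one attempt each and so stays under any per-account lockout threshold, from a brute-force run against a single account. The event fields, source IPs, account names and detection thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security event ID 4625 (failed logon) records,
# reduced to the three fields the detection needs: time, source IP, target account.
SAMPLE_4625 = [
    ("2024-03-04T08:00:01", "203.0.113.7", "alice"),   # one attempt per account...
    ("2024-03-04T08:00:03", "203.0.113.7", "bob"),     # ...across many accounts:
    ("2024-03-04T08:00:05", "203.0.113.7", "carol"),   # a password spray that
    ("2024-03-04T08:00:07", "203.0.113.7", "dave"),    # stays under a per-account
    ("2024-03-04T08:00:09", "203.0.113.7", "erin"),    # lockout threshold
    ("2024-03-04T08:01:00", "198.51.100.9", "svc_backup"),  # many attempts on
    ("2024-03-04T08:01:02", "198.51.100.9", "svc_backup"),  # one account:
    ("2024-03-04T08:01:04", "198.51.100.9", "svc_backup"),  # classic brute force
    ("2024-03-04T08:01:06", "198.51.100.9", "svc_backup"),
    ("2024-03-04T08:01:08", "198.51.100.9", "svc_backup"),
    ("2024-03-04T09:30:00", "10.0.0.21", "alice"),     # a user mistyping twice
    ("2024-03-04T09:30:40", "10.0.0.21", "alice"),     # is normal, not an alert
]


def windowed_max(items, window, measure):
    """Largest measure() of the values inside any single time window of (time, value) pairs."""
    items = sorted(items)
    best, lo = 0, 0
    for hi in range(len(items)):
        while items[hi][0] - items[lo][0] > window:
            lo += 1                      # shrink the window from the left
        best = max(best, measure([v for _, v in items[lo:hi + 1]]))
    return best


def detect_failed_logons(events, window_minutes=10, spray_accounts=5, brute_attempts=5):
    """Flag sources spraying many accounts and source/account pairs hammering one account."""
    window = timedelta(minutes=window_minutes)
    by_source = defaultdict(list)   # ip -> [(time, target account)]
    by_pair = defaultdict(list)     # (ip, account) -> [(time, 1)]
    for ts, ip, account in events:
        t = datetime.fromisoformat(ts)
        by_source[ip].append((t, account))
        by_pair[(ip, account)].append((t, 1))
    findings = {"password_spray": [], "brute_force": []}
    for ip, items in by_source.items():            # distinct accounts per source
        if windowed_max(items, window, lambda vs: len(set(vs))) >= spray_accounts:
            findings["password_spray"].append(ip)
    for (ip, account), items in by_pair.items():   # failures per single account
        if windowed_max(items, window, len) >= brute_attempts:
            findings["brute_force"].append((ip, account))
    return findings


if __name__ == "__main__":
    print(detect_failed_logons(SAMPLE_4625))
```

A per-account failure counter alone would miss the spray from 203.0.113.7 entirely, which is why the source-to-distinct-accounts view is the one that matters for that pattern.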
To make your remote setup as secure as possible, follow these steps:
- If you're not able to use managed devices, provide an information security guide to all employees that highlights the security precautions that are required and recommended for remote workers.
- Regularly conduct security awareness training for your employees.
- Use managed devices whenever possible.
- For each machine that connects to your network, make the following changes:
  - Enable disk encryption with BitLocker for Windows and FileVault for macOS.
  - Install antivirus software as well as a firewall.
  - Keep all operating systems and other software on their most recent versions, with all critical updates applied.
  - Enforce a strong password policy, turn off auto-login, and turn on auto-lock.
  - Turn on "find my device" and "remote lock/wipe" features.
- To protect VPN accounts and cloud services from unauthorized access, use two-factor authentication whenever possible.
- Use a Virtual Private Network (VPN) to secure access to the corporate network. SSH is suggested for application security because your remote users may be on public Wi-Fi networks.
- To prevent unwanted access, disable "everyone" and "anonymous" permissions whenever possible.
- Establish a strict security policy for any third-party workers on your network.
- When setting up remote connections, avoid using the default port numbers.
- Use Remote Desktop Protocol (RDP) as little as possible. If you must use RDP:
  - Make sure it is not exposed to the internet; all RDP traffic should go over a secure connection.
  - Avoid direct RDP connections. If users need desktop access, force RDP sessions through a Remote Desktop Gateway (ideally placed in a DMZ).
  - Limit RDP access to a whitelist of users and servers.