In our recent posts, we covered Controls One, Two, and Three. Here, we are going to discuss Control Four, the importance of a Secure Configuration of Enterprise Assets and Software to Electric Membership Cooperatives (EMCs).
First, the definition of Enterprise Assets under this control are end-user devices (such as laptops, work pads, or mobile phones); network devices; non-computing/IoT devices (such as Wi-Fi access points); and servers. And Enterprise Software is defined as operating systems and application software.
So, why is this control so important for EMCs and organizations of all types and sizes? It is quite simple, without following Control Four’s policies, procedures, and safeguards, your organization could face the worst day in its history and quite frankly, it brings corporate survival into the equation.
For ease of distribution and cost savings, manufacturers and third-party resellers sell equipment in a state that makes installation and deployment easiest. They do this mostly because each network environment is unique, so a blank slate is a good starting point. However, equipment installed with default credentials, could potentially give a threat actor a free pass to the organization’s critical data.
Your Information Technology department and or Managed IT Service Provider must take the time to follow specific configuration instructions and apply security measures to appliances and software being installed on your network. These measures include secure credentials and multi-factor authentication for an added layer of protection. Then, implement continuous workflow management of the assets, to assure software is regularly updated or patched, and perform third-party scheduled vulnerability scans to discover issues that may have been missed.
Imagine a new server is installed and months later, a breach happens, your organization is hit with ransomware. It happens every day. Here at Critical Path Security, we are brought in on Incident Response events that often are the result of poor protection policies, unchanged “default” credentials, or unpatched/out-of-date software. When we provide the forensics analysis and our final report, the board asks how it happened. Often, our findings reveal credentials were left on default “username: admin, password: password” or software was out of date with known vulnerabilities, giving the criminals the ability to breach the system and gain access to critical company data, within just a few minutes.
One event may result in Cyber Insurance Policy premiums skyrocketing to unaffordable levels, and in some cases, complete policy termination, leaving the EMC completely exposed. Following the best practices and safeguards below will provide your organization with a clear path that is methodical, sustainable, trackable, and secured. Most importantly, following these policies and procedures will protect the EMC’s data, ability to serve your customers, and preserve revenue to maintain a healthy business operation.
- Establish and Maintain a Secure Configuration Process (Overarching Process)
- Establish and Maintain a Secure Configuration Process for Network Infrastructure
- Configure Automatic Session Locking on Enterprise Assets
- Implement and Manage a Firewall on Servers
- Implement and Manage a Firewall on End-User Devices
- Securely Manage Enterprise Assets and Software
- Manage Default Accounts on Enterprise Assets and Software
- Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
- Configure Trusted DNS Servers on Enterprise Assets
- Enforce Automatic Device Lockout on Portable End-User Devices
- Enforce Remote Wipe Capability on Portable End-User Devices
- Separate Enterprise Workspaces on Mobile End-Users Devices
If you would like more information about how Critical Path Security can help your organization strengthen its security posture and to schedule your Critical Security Controls review, please contact us at firstname.lastname@example.org.