Organization Preparations

Overview

There are several ongoing preparations that an organization can make to improve its overall approach to information security. These include:

  • Developing a baseline security posture
  • Classifying information
  • Implementing change tracking and auditing
  • Monitoring and reporting

Baseline security posture

A baseline security posture represents an organization’s desired or expected security configuration. Unfortunately, many organizations haven’t achieved their stated baseline security posture. For example, organizational policy might dictate that information systems be kept patched with any security update released by a vendor 30 or more days ago, but many systems within the organization may not have been updated due to lack of resources.

An organization’s baseline security posture should be measurable where possible and appropriate. For example, Microsoft provides the Security Compliance Toolkit, which can be run against Windows-based systems to assess which controls and settings comply with recommended baselines and which may need to be modified to reach a compliant state.

More information: You can find out more about the Security Compliance Toolkit at: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-compliance-toolkit-10

An organization’s baseline security posture should also include policies on the use of administrative accounts and privileged access workstations, and on technologies such as privileged access management and Just Enough Administration (JEA). For example, it is far more difficult for an attacker to compromise a DNS server if the only way to manage it is through a JEA endpoint that is accessible only to privileged access workstations and available to a user only after a successful privileged access management request, than if the DNS server can be managed from any domain-joined workstation in the organization at any point in time.
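The DNS server scenario above can be sketched as a JEA configuration. This is an added example, not material from the course; the module name `DnsJea`, the role `DnsMaintenance`, the group `CONTOSO\DnsOperators`, the file paths and the PAW subnet are all constructed placeholders, and it assumes group membership is granted through the privileged access management request.

```powershell
# Added example: every name below (DnsJea, DnsMaintenance, CONTOSO\DnsOperators,
# the paths and the PAW subnet) is a constructed placeholder.
# Run from an elevated session on the DNS server.

# 1. Role capability files are discovered in a RoleCapabilities folder of a module.
$module = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\DnsJea'
New-Item -ItemType Directory -Path (Join-Path $module 'RoleCapabilities') -Force | Out-Null
New-ModuleManifest -Path (Join-Path $module 'DnsJea.psd1')

# 2. Allow-list the DNS tasks; anything not listed is not visible in the session.
#    Restart-Service is constrained so it can only target the DNS service.
$role = @{
    Path           = Join-Path $module 'RoleCapabilities\DnsMaintenance.psrc'
    VisibleCmdlets = 'Get-DnsServerZone',
                     'Get-DnsServerResourceRecord',
                     'Add-DnsServerResourceRecordA',
                     'Remove-DnsServerResourceRecord',
                     'Clear-DnsServerCache',
                     @{ Name       = 'Restart-Service'
                        Parameters = @{ Name = 'Name'; ValidateSet = 'DNS' } }
}
New-PSRoleCapabilityFile @role

# 3. Session configuration: restricted language, a temporary virtual account
#    instead of the caller's own credentials, and a transcript of every session.
$jeaDir = 'C:\ProgramData\JEAConfiguration'
New-Item -ItemType Directory -Path "$jeaDir\Transcripts" -Force | Out-Null
$session = @{
    Path                = "$jeaDir\DnsMaintenance.pssc"
    SessionType         = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    TranscriptDirectory = "$jeaDir\Transcripts"
    # Assumption: membership of this group is time-limited and granted by PAM.
    RoleDefinitions     = @{ 'CONTOSO\DnsOperators' = @{ RoleCapabilities = 'DnsMaintenance' } }
}
New-PSSessionConfigurationFile @session
if (-not (Test-PSSessionConfigurationFile -Path $session.Path)) {
    throw 'Session configuration file is invalid'
}
Register-PSSessionConfiguration -Name 'DnsMaintenance' -Path $session.Path -Force

# 4. Assumption: PAWs sit on a dedicated subnet. Limit inbound WinRM to it.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
    Set-NetFirewallRule -RemoteAddress '10.0.50.0/24'
```

An operator then connects from a privileged access workstation with `Enter-PSSession` and `-ConfigurationName DnsMaintenance`. Accounts that are local administrators on the server can still use the default PowerShell endpoint, so the restriction only holds once those rights have been removed.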

An organization’s security posture should also involve policies and configurations that restrict lateral movement. This includes deploying code integrity policies on servers to restrict the execution of unauthorized code and scripts, segmenting networks so that sensitive servers are accessible only to authorized hosts, ensuring that common local accounts and passwords aren’t used, and applying software patches and updates in a timely manner.

The challenge is to balance the organization’s need to perform work tasks with a minimum of inconvenient steps against the need for security. For example, an organization must decide whether users should have to enter a BitLocker PIN each time they start their workstation, or whether that requirement only makes sense on privileged access workstations used by the administrators of information systems.

The baseline security posture is a work in progress. An organization should always be looking to improve its baseline security posture and should regularly engage external penetration testers to run red team exercises to assess the current security configuration for vulnerabilities.

This article is from the free online course Microsoft Future Ready: Fundamentals of Enterprise Security, created by FutureLearn.