ENISA & CERT-EU Recommendations

Cybersecurity Best Practice – Always something to improve

The European Union Agency for Cybersecurity (ENISA) and CERT-EU recently published a set of best practices that are well worth reviewing and assessing how your organisation matches up.

In many ways, nothing is surprising here. Many of the recommendations echo those already included in Cyber Essentials, NIST-800, ISO27001, and many other standards. That doesn’t mean they’re not important, though.

Your organisation may already be subject to those policies and are fully compliant, but that doesn’t mean there isn’t room for improvement. For those of you that aren’t subject to regulatory compliance, the recommendations are an excellent place to start to ensure you’re following best practices to prevent your business from being victim to an attack.

Good foundations are everything in cybersecurity

Over the last decade or so, every business has been investing in its cyber security defences. That’s generally meant buying more and more tools to plug gaps or as the next great defence (until the next new attack comes along anyway). I say “buying more” rather than “improving their defences” as they can be very different.

Buying more or building walls higher and higher doesn’t necessarily translate into better protection. That’s not to say all those tools are wasted – they definitely have important work to do – but they introduce a whole new set of risks. With more tools from more vendors, you’ll need more experts to ensure they’re all managed and maintained correctly. You may even end up with conflicts to resolve (e.g., the traffic your firewall thinks is OK may not be the same as your network sniffer tools).

Perhaps the most significant risk is that every new tool introduces new potential backdoors into your defences.

That’s a pretty radical assertion but consider this: everyone of those tools has one or more administrator accounts. Those powerful accounts allow you to create/change/remove other users, change the configuration, access sensitive data, and much more.

There’s more work to do with more admin accounts in controlling access to the account credentials. Do you know who has access? Who needs access? Does the access get removed when no longer needed? Are the credentials shared and, if so, how? The questions go on and on. Controlling these powerful, privileged accounts is foundational to the rest of your security stack. If you don’t have that control, you don’t have solid foundations for your defences.

Like Cyber Essentials et al., the new recommendations address these challenges, and Privileged Access Management (PAM) is ideally placed to address them.

EBISA and CERT-EU Recommendations

Of the 14 recommendations, many can be addressed with PAM. Let’s take a look:

1. Ensure remote access requires MFA

Almost every organisation relies on partners and suppliers to access their IT systems, ranging from customer databases to telephony systems to air conditioning. Virtual Private Networks (VPNs) are often used for remote access, and they may require MFA for connections, but that’s a very loose control. Once the user is connected, do you have visibility into what they’re doing? What systems do they access? Ensure their workstation complies with your cybersecurity policies?

PAM provides visibility and control over remote access. You can isolate the user and their workstation from your systems, control what systems they access, and monitor their activity in real-time (with recordings). Often vendor access is the initial driver in adopting PAM as it’s such a critical risk factor. This video shows PAM control for vendor access.

2. Ensure passwords are not reused and encourage MFA

Human beings are not good at passwords. Complex, hard to break passwords are difficult to remember. Enforcing policies such as changing passwords regularly make things worse as it’s so easy to fall into simple patterns around birthdays, pet names etc. It’s no wonder passwords are too simple, and bad habits like reusing passwords or saving them in spreadsheets and notebooks still happen.

PAM protects the credentials to access corporate IT systems and automatically generates and rotates secure passwords. Those credentials are never revealed to the admins, so they can’t be abused or stolen. Of course, the users should still adopt best practices such as MFA, but now the risk is limited to that person’s identity, not the systems they access. With the latest release of Osirium PAM, MFA is built-in, so it’s easy to manage, and no additional purchase is needed.

3. Ensure software is up to date

It should be obvious, but the effort to update systems and potential impact on users often means updates get delayed. Here’s an example of using privileged automation to identify which systems need an update to reduce the effort and apply updates more quickly.

4. Tightly control 3rd party access

As mentioned earlier, remote access to IT systems is needed, but it’s also very risky. PAM provides visibility and control over that access. With Osirium PAM, the protection can be taken to another with two options:

  • Protect the applications the 3rd party can use. Osirium’s MAP server lets the remote user access the apps they need(and that have been approved) to be run within a web browser. That ensures the user can’t access systems they shouldn’t; the business knows the approved version of the app is used; and, of course, the sessions can be recorded for auditing.
  • Automate the work they do. Rather than granting access to a server or even to a specific app, the best protection is to wrap the task they’re performing with Automation (included with Osirium PAM). You can then be certain processes are enforced, the work gets done faster, and there’s an end-to-end audit trail.

6. Review data backup strategy

A vital element of any resiliency plan has to be backups. Asa result, it’s no surprise backup management systems are a prime target for ransomware attacks. After all, the harder it is to recover, the more likely a victim will pay the ransomware.

PAM should be used to protect backup management systems (in fact, the National Cyber Security Centre has issued explicit guidance on this).

7. Change default credentials

A cardinal sin in IT should be not changing default password son new devices and services. It’s the first thing an attacker will try. With Osirium PAM, new devices can be “fully managed” so admin accounts are protected before they can be accessed through device retirement.

Get Started

PAM can be fast to deploy and start protecting your systems. If you’d like to learn more, please get in touch.

Related Topics