Basic Cyber Hygiene Prevents 98% of Attacks

Originally published by Microsoft.

In today’s digital age, companies are increasingly reliant on technology and online systems to conduct their business. As a result, meeting the minimum standards for cyber hygiene is essential for protecting against cyber threats, minimizing risk, and ensuring the ongoing viability of the business.

Basic security hygiene still protects against 98% of attacks.[1]

The minimum standards every organization should adopt are:

• Require phishing-resistant multifactor authentication (MFA)
• Apply Zero Trust principles
• Use modern anti-malware
• Keep systems up to date
• Protect data

1. Require phishing-resistant multifactor authentication (MFA)

Want to reduce attacks on your accounts? Turn on MFA. Multifactor authentication, as its name suggests, requires two or more factors of verification. Compromising more than one authentication factor presents a significant challenge for attackers because knowing (or cracking) a password won’t be enough to gain access to a system. With MFA enabled, you can prevent 99.9% of attacks on your accounts.[2]

Making MFA much, much easier

Multifactor authentication—while extra steps are part of the name, you should try to choose an MFA option with the least amount of friction (like using biometrics in devices or FIDO2 compliant factors such as Feitan or Yubico security keys) for your employees.

Avoid making MFA onerous.

Choose MFA when extra authentication can help protect sensitive data and critical systems rather than applying it to every single interaction.

MFA does not have to be challenging for the end user. Use conditional access policies, which allow for triggering two-step verification based on risk detections, as well as pass-through authentication and single sign on (SSO). This way end users don’t have to endure multiple sign-on sequences to access non-critical file shares or calendars on the corporate network when their devices are current with the latest software updates. Users also won’t have 90-day password resets, either, which will significantly improve their experience.

Common phishing attacks

In a phishing attack, criminals use social engineering tactics to trick users into providing access credentials or revealing sensitive information. Common phishing attacks include:

Additional resources

If you’d like to learn more about the topic of password and identity, please take a look at the resources below.

• The CISO series: Secure your privileged administrative accounts with a phased roadmap blog post by Microsoft’s Mark Simos
• Shifting tactics fuel surge in business email compromise—Cyber Signals Issue 4: The Confidence Game

2. Applying Zero Trust principles

Zero Trust is the cornerstone of any resilience plan limiting the impact on an organization. A Zero Trust model is a proactive, integrated approach to security across all layers of the digital estate that explicitly and continuously verifies every transaction; asserts least-privilege access; and relies on intelligence, advance detection, and real-time response to threats.

When you adopt a Zero Trust approach, it becomes possible to:

• Support remote and hybrid work
• Help prevent or reduce business damage from a breach
• Identify and help protect sensitive business data and identities
• Build confidence in your security posture and programs across your leadership team, employees, partners, stakeholders, and customers

The Zero Trust principles are:

Assume breach

Assume attackers can and will successfully attack anything (identity, network, device, app, infrastructure, etc.) and plan accordingly. This means constantly monitoring the environment for possible attack.

Explicitly verify

Ensure users and devices are in a good state before allowing access to resources. Protect assets against attacker control by explicitly validating the fact that all trust and security decisions use relevant available information and telemetry.

Use least privilege access

Limit access of a potentially compromised asset with just-in-time and just-enough-access (JIT/JEA) and risk-based polices like adaptive access control. You should only allow the privilege that is needed for access to a resource and no more.

Zero Trust security layers

There’s such a thing as too much security

Too much security—that is, security that feels overly restrictive to the everyday user—can lead to the same outcome as not having enough security in the first place—more risk.

Strict security processes can make it hard for people to do their job. Worse, they can inspire people to find creative shadow-IT–style workarounds, motivating them to bypass security entirely—sometimes by using their own devices, email, and storage—and using systems that (ironically) are lower security and present a higher risk to the business.

Additional resources

If you’d like to learn more about the topic of Zero Trust, please take a look at the resources below.

• Why Zero Trust
• The 5 reasons to adopt a Zero Trust security strategy for your business blog post by Microsoft’s Vasu Jakkal
• The Zero Trust security posture evaluation

3. Using modern anti-malware

Use extended detection and response anti-malware. Implement software to detect and automatically block attacks and provide insights to the security operations.

Monitoring insights from threat detection systems is essential to being able to respond to threats in a timely fashion.

Security automation and orchestration best practices

Move as much of the work as possible to your detectors

Select and deploy sensors that automate, correlate, and interlink their findings prior to sending them to an analyst.

Automate alert collection

The security operations analyst should have everything they need to triage and respond to an alert without performing any additional information collection, such as querying systems that may or may not be offline or collecting information from additional sources such as asset management systems or network devices.

Automate alert prioritization

Real time analytics should be leveraged to prioritize events based on threat intelligence feeds, asset information, and attack indicators. Analysts and incident responders should be focused on the highest severity alerts.

Automate tasks and processes

Target common, repetitive, and time-consuming administrative processes first and standardize response procedures. Once the response is standardized, automate the security operations analyst workflow to remove any human intervention where possible so that they can focus on more critical tasks.

Continuous improvement

Monitor the key metrics and tune your sensors and workflows to drive incremental changes.

Help prevent, detect, and respond to threats

Defend against threats across all workloads by leveraging comprehensive prevention, detection, and response capabilities with integrated extended detection and response (XDR) and security information and event management (SIEM) capabilities.

Remote access

Attackers frequently target remote access solutions (RDP, VDI, VPN, etc.) to enter an environment and run ongoing operations to damage internal resources.

To help prevent attackers from getting in, you’ll need to:

• Maintain software and appliance updates
• Enforce Zero Trust user and device validation
• Configure security for third-party VPN solutions
• Publish on-premises web apps

Email and collaboration software

Another common tactic for entering environments is to transfer malicious content with email or file sharing tools and then convince users to run it.

To help prevent attackers from getting in, you’ll need to:

• Implement advanced email security
• Enable attack surface reduction rules to block common attack techniques
• Scan attachments for macro-based threats

Endpoints

Internet-exposed endpoints are a favorite entry vector because they provide attackers access to an organization’s assets.

To help prevent attackers from getting in, you’ll need to:

• Block known threats with attack surface reduction rules that target certain software behaviors, such as launching executable files and scripts that attempt to download or run files, running obfuscated or otherwise suspicious scripts, or performing behaviors that apps don’t usually initiate during normal day-to-day work.
• Maintain your software so that it is updated and supported
• Isolate, disable, or retire insecure systems and protocols
• Block unexpected traffic with host-based firewalls and network defenses

Detection and response

Maintain constant vigilance

Use integrated XDR and SIEM to provide high quality alerts and minimize friction and manual steps during response.

Batten down legacy systems

Older systems lacking security controls like antivirus and endpoint detection and response (EDR) solutions can allow attackers to perform the entire ransomware and exfiltration attack chain from a single system.

If it’s not possible to configure your security tools to the legacy system, then you must isolate the system either physically (through a firewall) or logically (by removing credential overlap with other systems).

Don’t ignore commodity malware

Classic automated ransomware may lack the sophistication of hands-on-keyboard attacks, but that doesn’t make it any less dangerous.

Watch out for adversary disabling security

Monitor your environment for adversary disabling security (often part of an attack chain) like event log clearing—especially the Security Event log and PowerShell Operational logs—and the disabling of security tools and controls (associated with some groups).

Additional resources

If you’d like to learn more about using modern anti-malware, please take a look at the resources below.

• The Security operations self-assessment tool
• The Microsoft’s 4 principles for an effective security operations center blog post by Microsoft’s Jonathan Trull
• The Top 5 best practices to automate security operations blog post by Microsoft’s Jonathan Trull

4. Keeping up to date

Unpatched and out of date systems are a key reason many organizations fall victim to an attack. Ensure all systems are kept up to date including firmware, the operating system, and applications.

Best practices

• Ensure devices are robust by applying patches, changing default passwords, and default SSH ports.
• Reduce the attack surface by eliminating unnecessary internet connections and open ports, restricting remote access by blocking ports, denying remote access, and using VPN services.
• Use an internet-of-things and operational technology (IoT/OT)-aware network detection and response (NDR) solution and a security information and event management (SIEM)/security orchestration and response (SOAR) solution to monitor devices for anomalous or unauthorized behaviors, such as communication with unfamiliar hosts.
• Segment networks to limit an attacker’s ability to move laterally and compromise assets after initial intrusion. IoT devices and OT networks should be isolated from corporate IT networks through firewalls.
• Ensure ICS protocols are not exposed directly to the internet.
• Gain deeper visibility into IoT/OT devices on your network and prioritize them by risk to the enterprise if they are compromised.
• Use firmware scanning tools to understand potential security weaknesses and work with vendors to identify how to mitigate the risks for high-risk devices.
• Positively influence the security of IoT/OT devices by requiring the adoption of secure development lifecycle best practices by your vendors.
• Avoid transferring files that contain system definitions through unsecure channels or to nonessential personnel.
• When transferring such files is unavoidable, be sure to monitor activity on the network and ensure assets are secure.
• Protect engineering stations by monitoring with EDR solutions.
• Proactively conduct incident response for OT networks.

Additional resources

If you’d like to learn more, please take a look at the resources below.

• The 7 ways to harden your environment against compromise blog post by Microsoft’s Alan Johnstone and Patrick Strijkers
• The Becoming resilient by understanding cybersecurity risks: Part 4—navigating current threats blog post by Microsoft’s Mark Simos and Sarah Armstrong-Smith

5. Protecting data

Knowing your important data, where it is located and whether the right systems are implemented is crucial to implementing the appropriate protection.

Data security challenges include:

• Reducing and managing the risk of user errors
• Manual user classification is impractical at scale
• Data must be protected outside of the network
• Compliance and security require a complete strategy
• Meeting increasingly stringent compliance requirements

5 pillars of a defense-in-depth approach to data security

Today’s hybrid workspaces require data to be accessed from multiple devices, apps, and services from around the world. With so many platforms and access points, you must have strong protections against data theft and leakage. For today’s environment, a defense-in-depth approach offers the best protection to fortify your data security. There are five components to this strategy, all of which can be enacted in whatever order suits your organization’s unique needs and possible regulatory requirements.

1. Identify the data landscape

Before you can protect your sensitive data, you need to discover where it lives and how it’s accessed. That requires complete visibility into your entire data estate, whether on-premises, hybrid, or multicloud.

2. Protect sensitive data

Along with creating a holistic map, you’ll need to protect your data—both at rest and in transit. That’s where accurately labeling and classifying your data comes into play, so you can gain insights into how it’s being accessed, stored, and shared. Accurately tracking data will help prevent it from falling prey to leaks and breaches.

3. Manage risks

Even when your data is mapped and labeled appropriately, you’ll need to take into account user context around the data and activities that may result in potential data security incidents, and that includes internal threats. The best approach to addressing insider risk brings together the right people, processes, training, and tools.

4. Prevent data loss

Don’t forget about the unauthorized use of data—that’s loss, too. An effective data loss protection solution needs to balance protection and productivity. It’s critical to ensure the proper access controls are in place and policies are set to help prevent actions like improperly saving, storing, or printing sensitive data.

5. Govern the data lifecycle

As data governance shifts toward business teams becoming stewards of their own data, it’s important that organizations create a unified approach across the enterprise. This kind of proactive lifecycle management leads to better data security and helps ensure that data is responsibly democratized for the user, where it can drive business value.

Additional resources

If you’d like to learn more about protecting data, please take a look at the resources below.

• The 3 strategies for building an information protection program blog post by the Microsoft Security Team
• The 3 strategies to launch an effective data governance plan blog post by Microsoft’s Erica Toelle and Anna Chiang

Conclusion

Although threat actors continue to evolve and grow more sophisticated, a truism of cybersecurity bears repeating: Basic cyber security hygiene—enabling MFA, applying Zero Trust principles, keeping up to date, using modern anti-malware, and protecting data—prevents 98% of attacks.

For help protecting against cyber threats, minimizing risk, and ensuring the ongoing viability of your organization, meeting the minimum standards for cyber security hygiene is essential.

[1] 2022 Microsoft Digital Defense Report

[2] One simple action you can take to prevent 99.9 percent of attacks on your accounts