Are your settings, policies and processes keeping up with the changing threat landscape? Review your network to make sure.

It's the middle of 2022 and it's a perfect time to review your plans, goals and risks to your network, especially given the changing threat landscape. Ransomware, for example, has become more human targeted. Ransomware operators are now looking for additional methods and payloads as well as using extortion. Ransomware entry points range from email and phishing lures and unpatched vulnerabilities to more targeted attacks.

With that in mind, these are the ten tasks you should do for your mid-year security review:

1. Review access and credential policies for third parties

Attackers will scan for Remote Desktop Protocol (RDP) access and use brute-force attacks like credential stuffing. They know that people tend to reuse credentials, so they take credentials obtained from stolen databases and try them to gain access to your network.

I look for ways to better handle credentials or other access approvals for outside consultants as I am most concerned about their processes and security procedures. When dealing with outside consultants, write into your contracts the security protection you want them to use. Whether it's including them in your multi-factor authentication (MFA) plans or, at a bare minimum, opening the access and firewall rules only to specific networks, you should have a procedure in your service-level agreements and contracts for how consultants handle access and credentials. User credentials should never be passed from the firm to the consultant in a manner that exposes them unnecessarily. Store these credentials in a fashion consistent with the policies and procedures of the hiring company. Review and audit these processes accordingly.
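As an added example (not code from the article), the PowerShell below does two of the things this item asks for on a Windows host: it lists which inbound firewall rules currently expose RDP and adds a rule that allows RDP only from a named consultant network, and it summarises failed logons (Security event 4625) by source address so that the credential-stuffing pattern, many failures from one source against many accounts, stands out. The consultant subnet, rule name and alert threshold are placeholders for this example.

```powershell
# Added example, not from the article. Assumes a Windows host with the NetSecurity
# module (Get-NetFirewallRule etc.), the Security log available locally, and an
# elevated session. Subnet, rule name and threshold are placeholders to replace.

# --- Part 1: restrict inbound RDP (TCP 3389) to one consultant network -----------
$ConsultantNetwork = '203.0.113.0/24'          # placeholder (TEST-NET-3), not a real range
$RuleName          = 'RDP - consultant network only'

# Show every enabled inbound allow rule that opens 3389 and who it allows, so the new
# restriction is not silently bypassed by an older "Any" rule.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '3389' } |
    Get-NetFirewallRule |
    Select-Object DisplayName, Profile,
        @{ n = 'RemoteAddress'; e = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress } }

if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP -LocalPort 3389 `
        -RemoteAddress $ConsultantNetwork -Action Allow -Profile Domain, Private | Out-Null
}

# --- Part 2: summarise failed logons (event 4625) by source address ---------------
# LogonType 10 is RemoteInteractive (RDP). One source, many accounts, many failures
# is the footprint credential stuffing leaves in the Security log.
function Get-FailedLogonSummary {
    param(
        [int]$Hours     = 24,
        [int]$Threshold = 20    # placeholder: tune to your own baseline
    )
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Source    = $d['IpAddress']
            Account   = $d['TargetUserName']
            LogonType = $d['LogonType']
        }
    }

    $rows | Group-Object Source | ForEach-Object {
        [pscustomobject]@{
            Source         = $_.Name
            Failures       = $_.Count
            UniqueAccounts = ($_.Group.Account | Sort-Object -Unique).Count
            RdpAttempts    = ($_.Group | Where-Object LogonType -eq '10').Count
            Suspicious     = ($_.Count -ge $Threshold)
        }
    } | Sort-Object Failures -Descending
}

Get-FailedLogonSummary | Format-Table -AutoSize
```

The firewall part is intentionally written as "list first, then add": the new allow rule does nothing useful while a broader allow rule for 3389 still exists, and that listing is what to attach to the consultant's access review. The logon summary only sees what the local Security log holds, so on a domain run it against the collector or SIEM that receives forwarded events.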
2. Review security scan results

Review the results of scheduled scans and ensure that they are being run on the assets that truly represent the external risk of the firm. I recently had a company perform an external scan on resources on my network. When I reviewed the results of the automated scan, I realized that they had scanned a series of computers that didn't reflect the external edge of my network. The report, while interesting, was not a true evaluation of the external risk to my network. So, when hiring any pen-testing or external scanning firm, ensure that the review and deliverables they provide reflect the actual edge of your network. Automated scans are worthless if they do not give you actionable information.

3. Review cloud resources and permissions

If you are moving computing assets to the cloud, don't merely set up a mirror of what you have on-premises. Review how resources are set up, what permissions are set, and who should have rights to which assets. Then go back to your on-premises deployments and review what security baselines or NIST guidelines can provide additional hardening for your internal network.

4. Deploy attack surface reduction rules

If you have not deployed attack surface reduction rules to your workstations and servers to help block suspicious activity, make this your goal for the second half of 2022.
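As an added example (not code from the article), the PowerShell below rolls out the twelve rules this item lists in the staged way the item recommends: first in audit mode, then a check of what audit mode would have blocked, then the switch to enforcement. It assumes Microsoft Defender Antivirus with its PowerShell module (Get-MpPreference, Add-MpPreference) in an elevated session. The rule GUIDs are Microsoft's published attack surface reduction rule identifiers; check them against the current ASR rules reference before relying on them, since the mapping is maintained by Microsoft, not by this article.

```powershell
# Added example, not from the article. Assumes Microsoft Defender Antivirus and its
# Defender PowerShell module, run as administrator. GUIDs are Microsoft's published
# ASR rule IDs; confirm against the current reference before rollout.

$AsrRules = [ordered]@{
    'Block all Office applications from creating child processes'                       = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    'Block executable content from email client and webmail'                             = 'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550'
    'Block executable files unless they meet prevalence, age, or trusted list criteria' = '01443614-cd74-433a-b99e-2ecdc07bfc25'
    'Block execution of potentially obfuscated scripts'                                  = '5beb7efe-fd9a-4556-801d-275e5ffc04cc'
    'Block JavaScript or VBScript from launching downloaded executable content'          = 'd3e037e1-3eb8-44c8-a917-57927947596d'
    'Block Office applications from creating executable content'                         = '3b576869-a4ec-4529-8536-b80a7769e899'
    'Block Office applications from injecting code into other processes'                 = '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
    'Block Office communication application from creating child processes'              = '26190899-1602-49e8-8b27-eb1d0a1ce869'
    'Block untrusted and unsigned processes that run from USB'                           = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'
    'Block persistence through WMI event subscription'                                   = 'e6db77e5-3df2-4cf1-b95a-636979351e5b'
    'Block credential stealing from LSASS'                                               = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block process creations originating from PSExec and WMI commands'                  = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
}

# Step 1: set every rule to one action. Start with AuditMode so hits are logged
# but nothing is blocked while you measure the impact.
function Set-AsrRuleMode {
    param([ValidateSet('AuditMode', 'Enabled', 'Disabled')][string]$Mode)
    foreach ($id in $AsrRules.Values) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
    }
}
Set-AsrRuleMode -Mode AuditMode

# Step 2: report the configured action per rule (Defender stores 0=Disabled, 1=Block,
# 2=Audit, 6=Warn). Unknown IDs are shown raw so drift from other tooling is visible.
function Get-AsrRuleState {
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id     = $pref.AttackSurfaceReductionRules_Ids[$i]
        $name   = ($AsrRules.GetEnumerator() | Where-Object { $_.Value -eq $id }).Key
        $action = switch ([int]$pref.AttackSurfaceReductionRules_Actions[$i]) {
            0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { 'Unknown' }
        }
        if (-not $name) { $name = $id }
        [pscustomobject]@{ Rule = $name; Action = $action }
    }
}
Get-AsrRuleState | Format-Table -AutoSize

# Step 3: during the audit period, review what would have been blocked. Defender
# logs ASR audit hits as event 1122 and real blocks as 1121 in its Operational log.
function Get-AsrEvents {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0].TrimEnd() } }
}
Get-AsrEvents | Format-Table -AutoSize

# Once the 1122 events show only expected activity, enforce:
#   Set-AsrRuleMode -Mode Enabled
```

Running the three steps in that order is the point: a rule that blocks Office child processes will also block legitimate add-ins, and the 1122 audit events are how you find those before users do. Rules that keep firing on business-critical software get an exclusion or stay in audit; the rest move to Enabled.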
You may need to test and review for impact, but start with this first set of rules and enable as many as you can:

- Block all Office applications from creating child processes.
- Block executable content from email client and webmail.
- Block executable files from running unless they meet a prevalence, age, or trusted list criterion.
- Block execution of potentially obfuscated scripts.
- Block JavaScript or VBScript from launching downloaded executable content.
- Block Office applications from creating executable content.
- Block Office applications from injecting code into other processes.
- Block Office communication application from creating child processes.
- Block untrusted and unsigned processes that run from USB.
- Block persistence through WMI event subscription (persistence).
- Block credential stealing from the Windows local security authority subsystem (lsass.exe) (privilege escalation).
- Block process creations originating from PSExec and WMI commands (lateral movement).

5. Review network security settings and policies

Review how your network is set up. For too long we have set up networks with overly permissive rules, even to the point of disabling firewalls inside the network. Review how you set up workstations and move to a model where the workstation firewall allows only specific protocols.

Review password security and policies and consider adding Azure AD Identity Protection to your existing Active Directory to better identify weak passwords in your network. Also review your options for MFA with Windows Hello or other third-party MFA solutions.

6. Review workstation deployment processes

Review your process for deploying and installing workstations and ensure that you don't use the same local administrator password on every workstation you deploy. Review your options for a local administrator password solution that randomizes and encrypts the local administrator password on each machine.

7. Review backup policies

Review what processes you use to back up and protect important files.
Review your backup processes to ensure you have multiple backups, two on different storage types and at least one offsite, and consider using OneDrive cloud storage as an additional backup to protect your files.

8. Use email filtering

Use email filtering and scanning to ensure that email is reviewed before it reaches your workstations. Links in email should be scanned at click time and removed from inboxes if they are later found to be malicious.

9. Review patching policy

When handling patching, review what issues you've had historically in your network. If your edge devices have not had problems with patching, you may wish to streamline and schedule updates for edge devices faster than for devices that have had problems. Review what side effects you have had and what mitigation you needed to recover from them. Review whether alternative software or other workarounds can be implemented to minimize patching side effects.

10. Review ransomware detection capabilities of antivirus and endpoint protection solutions

Ensure that your antivirus and endpoint detection solution can identify the typical symptoms of a ransomware attack. From file backups being suddenly deleted, to Cobalt Strike activity in your network, to other suspicious activities, your solutions should alert you when attackers are starting to put the pieces in place for ransomware.
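As an added example (not code from the article), the PowerShell below is a small detection that tests whether your telemetry would surface the "backups suddenly deleted" symptom this item describes. It matches process command lines against the shadow-copy, backup-catalog and recovery-tampering commands that typically precede encryption, and escalates when several distinct indicators appear on one host in a short window. The sample events are constructed for the example; in production the same function would be fed Security event 4688 records (with command-line auditing enabled) or Sysmon event 1 records from your collector.

```powershell
# Added example, not from the article. The indicator list and the sample events
# below are constructed for this example; production input would be 4688 or
# Sysmon 1 process-creation records with a CommandLine field.

$Indicators = @(
    @{ Name = 'Shadow copy deletion';      Pattern = 'vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|Win32_ShadowCopy' }
    @{ Name = 'Shadow storage shrunk';     Pattern = 'vssadmin(\.exe)?\s+resize\s+shadowstorage' }
    @{ Name = 'Backup catalog deletion';   Pattern = 'wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)' }
    @{ Name = 'Recovery disabled';         Pattern = 'bcdedit(\.exe)?.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)' }
    @{ Name = 'Backup/AV service stopped'; Pattern = '(net1?(\.exe)?\s+stop|sc(\.exe)?\s+(stop|config))\s+.*(backup|veeam|vss|sense|windefend)' }
)

# Emit one row per (event, matching indicator). Case-insensitive -match is deliberate:
# these tools are frequently invoked with mixed case to dodge exact-string rules.
function Find-RansomwarePrecursors {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($ev in $Events) {
        foreach ($ind in $Indicators) {
            if ($ev.CommandLine -match $ind.Pattern) {
                [pscustomobject]@{
                    Time      = $ev.Time
                    Host      = $ev.Host
                    User      = $ev.User
                    Indicator = $ind.Name
                    Command   = $ev.CommandLine
                }
            }
        }
    }
}

# Constructed sample events (not real telemetry): three tampering commands from one
# workstation within seconds, plus two benign commands that must not alert.
$Sample = @(
    [pscustomobject]@{ Time = '2022-06-15 02:13:07'; Host = 'WS-042'; User = 'CORP\jdoe';   CommandLine = 'vssadmin.exe delete shadows /all /quiet' }
    [pscustomobject]@{ Time = '2022-06-15 02:13:09'; Host = 'WS-042'; User = 'CORP\jdoe';   CommandLine = 'wbadmin delete catalog -quiet' }
    [pscustomobject]@{ Time = '2022-06-15 02:13:12'; Host = 'WS-042'; User = 'CORP\jdoe';   CommandLine = 'bcdedit /set {default} recoveryenabled no' }
    [pscustomobject]@{ Time = '2022-06-15 09:00:01'; Host = 'FS-01';  User = 'CORP\backup'; CommandLine = 'vssadmin list shadows' }
    [pscustomobject]@{ Time = '2022-06-15 09:05:44'; Host = 'WS-017'; User = 'CORP\asmith'; CommandLine = '"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\asmith\report.docx"' }
)

$hits = Find-RansomwarePrecursors -Events $Sample
$hits | Format-Table -AutoSize

# A single indicator can be an administrator doing maintenance; two or more distinct
# indicators on the same host is the pattern worth paging on.
$hits | Group-Object Host |
    Where-Object { ($_.Group.Indicator | Sort-Object -Unique).Count -ge 2 } |
    ForEach-Object {
        $kinds = ($_.Group.Indicator | Sort-Object -Unique) -join ', '
        "ALERT: $($_.Name) ran $($_.Count) ransomware-precursor commands ($kinds)"
    }
```

With the constructed sample, WS-042 produces three hits and one ALERT line, while the listing on FS-01 and the Word launch on WS-017 produce nothing. The useful check for the mid-year review is not the script itself but whether your EDR would have raised the same alert on the same three commands; if it did not, that is the gap to close.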