Five Eyes Alliance - How to apply best practices to protect your systems: by using JumpCloud?
A month ago, the Five Eyes Alliance issued a Joint Cybersecurity Advisory (AA22-137A, "Weak Security Controls and Practices Routinely Exploited for Initial Access"). In their own summary they wrote:
Cyber actors routinely exploit poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system.
This joint Cybersecurity Advisory identifies commonly exploited controls and practices and includes best practices to mitigate the issues.
This advisory was coauthored by the cybersecurity authorities of the United States, Canada, New Zealand, the Netherlands, and the United Kingdom.
The advisory highlights a set of best practices to protect your systems; each of them is taken up in its own section below.
Page 2 of the PDF elaborates on how weak or missing configurations are typically exploited. Knowing 'how they do it' is a must in order to understand which mitigations need to be applied, which leads straight to the practical question: "So, how am I going to do it?"
The best practices listed in the advisory can turn into fairly exhaustive tasks, especially when you are dealing with resource constraints of any kind: either you don't have enough people to address all of this at once or within a short timeframe, or you don't have all the bells and whistles (tools and solutions) in place to address these mitigations. Often, even if you have the people, your stack doesn't work together as well as it was offered and promised to you (yes, we all buy lemons once in a while).
How to apply best practices to protect your systems: by using JumpCloud?
One platform I use and recommend all the time, especially if you don't want to juggle a bunch of lemons and prefer a unified, simplified approach, is JumpCloud.
The majority of the proposed mitigations can be addressed with JumpCloud. Let's have a closer look at the recommended mitigations.
Applying the following practices can help organizations strengthen their network defenses against commonly exploited weak security controls and practices.
Control Access
Adopt a zero-trust security model
Zero-trust architecture enables granular privilege access management and can allow users to be assigned only the rights required to perform their assigned tasks.
First, there is no single product or solution that lets you 'adopt' a zero-trust model. Zero Trust is a strategy and a mindset, and a journey that never ends. That said, JumpCloud offers a good foundation on which to start building your Zero Trust security architecture.
A good starting point to get a sense of this is this infographic.
Limit the ability of a local administrator account
By default, the vast majority of your users should not have administrative privileges on their workstations. JumpCloud can handle this once users are managed on the devices via the agent: when you bind a user to a device, you decide whether that account is a standard user or gets local administrator (sudo) rights.
It is also recommended to restrict access to the computers themselves from the network. On a Mac, for example, you can use a policy to enable the firewall, block all incoming connections and enable stealth mode.
As mentioned in the advisory, dedicated, hardened and isolated administrative workstations are the best approach for (highly) privileged user sessions.
Control who has access to your data and services
Ensure that access to data and services is specifically tailored to each user, with each employee having their own user account.
and
Give employees access only to the resources needed to perform their tasks.
This is role-based access control (RBAC) built on the principle of least privilege.
JumpCloud, as a cloud-based directory, offers ample options to get this rolling. Once you have determined which users in which roles get which level of access to particular applications and services, you can get started. Whether your applications use SAML or LDAP, or you have services relying on RADIUS (like your VPN), users and groups combined with conditional access policies will do the job.
To limit the burden of managing groups, membership can also be attribute-based: it then follows the department, employee type, job title, cost center and/or location of the employee. Conditional access policies can further fine-grain access based on the device in use (managed or unmanaged), the location (the country, in this case) and/or a specific IP address. The latter can be, for example, the egress of your VPN concentrator. Combined, you can ensure that an application is only accessed from a known (managed) device, in a particular country, over an active VPN connection.
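As an added illustration (not JumpCloud code or its API), the following Python models the two mechanisms just described: group membership derived from user attributes, and a deny-by-default conditional access check on group, device state, country and source network. The attribute names, group rules, policy fields, sample users and the documentation-range IP addresses are all constructed for the example.

```python
"""Attribute-driven group membership plus a conditional-access check.

Added example, not JumpCloud code. It models attribute-based groups and
conditional access policies so the decision logic can be read and tested
end to end. Attribute names, group rules, policy fields and sample data
are constructed for illustration.
"""
from dataclasses import dataclass, field
import ipaddress

# A group rule is a set of attribute constraints; every constraint must match.
GROUP_RULES = {
    "eng-all":         {"department": {"Engineering"}},
    "eng-contractors": {"department": {"Engineering"}, "employee_type": {"contractor"}},
    "finance-emea":    {"department": {"Finance"}, "location": {"DE", "NL", "FR"}},
}


def groups_for(user_attrs: dict) -> set[str]:
    """Return the groups a user belongs to, derived purely from attributes.
    A promotion or department change then becomes a single attribute update."""
    return {
        name for name, rule in GROUP_RULES.items()
        if all(user_attrs.get(attr) in allowed for attr, allowed in rule.items())
    }


@dataclass
class AccessPolicy:
    """Conditional access policy for one application (constructed shape)."""
    app: str
    allowed_groups: set[str]
    require_managed_device: bool = False
    allowed_countries: set[str] = field(default_factory=set)   # empty = any country
    allowed_networks: list[str] = field(default_factory=list)  # CIDRs; empty = any network


@dataclass
class AccessRequest:
    user_attrs: dict
    device_managed: bool
    country: str
    source_ip: str


def evaluate(policy: AccessPolicy, req: AccessRequest) -> tuple[bool, str]:
    """Deny-by-default evaluation; returns (allowed, reason)."""
    if not groups_for(req.user_attrs) & policy.allowed_groups:
        return False, "user not in an allowed group"
    if policy.require_managed_device and not req.device_managed:
        return False, "unmanaged device"
    if policy.allowed_countries and req.country not in policy.allowed_countries:
        return False, f"country {req.country} not allowed"
    if policy.allowed_networks:
        ip = ipaddress.ip_address(req.source_ip)
        if not any(ip in ipaddress.ip_network(net) for net in policy.allowed_networks):
            return False, "source IP outside allowed networks"
    return True, "allowed"


# Constructed sample: the ERP app is only reachable from a managed device in DE,
# via the VPN concentrator's egress range (198.51.100.0/24 is documentation space).
ERP_POLICY = AccessPolicy(
    app="erp",
    allowed_groups={"finance-emea"},
    require_managed_device=True,
    allowed_countries={"DE"},
    allowed_networks=["198.51.100.0/24"],
)

if __name__ == "__main__":
    alice = {"department": "Finance", "employee_type": "employee", "location": "DE"}
    print(groups_for(alice))
    print(evaluate(ERP_POLICY, AccessRequest(alice, True, "DE", "198.51.100.7")))
    print(evaluate(ERP_POLICY, AccessRequest(alice, True, "DE", "203.0.113.5")))
```

The checks are ordered cheapest-first and the function returns the first failing reason, which is what you want to log: a denial because of an unmanaged device and a denial because of an unexpected source network are different signals for your SIEM.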
Ensure there are processes in place for the entry, exit, and internal movement of employees. Delete unused accounts, and immediately remove access to data and systems from accounts of exiting employees who no longer require access. Deactivate service accounts, and activate them only when maintenance is performed.
Another recommendation in the advisory is to have processes in place for the entry, exit and internal movement of employees, also known as User Lifecycle Management (ULM).
Entry often starts with ensuring that users are only created once all boxes are ticked, meaning your HR department tells you to create the user (a very simplified summary, I know). A platform like JumpCloud offers many ways to create users, from simple manual creation and bulk import via CSV to sourcing them from Google Workspace, AAD, AD, BambooHR, bob, Namely, Personio, Workday or Okta, and lastly, highly flexible, via API or SCIM.
During employment there are also transitions: people get promoted or change roles and departments over time. If your groups are based on attributes (as mentioned above), such transitions become much easier; you may not have to touch the related groups at all, and in the best case you just update a few attributes on the user.
Off-boarding, and most importantly removing (or blocking) access first, is critical. JumpCloud can schedule the suspension of a user once you know the exit date and time. If you use the platform broadly, this applies to many vectors at once: not only SAML-based applications or the Wi-Fi network, but also the account on the device, connected databases (via LDAP, for example) and your Google Workspace or Office 365 accounts.
Harden conditional access policies. Review and optimize VPN and access control rules to manage how users connect to the network and cloud services.
Conditional Access (CA) is a fundamental piece of a Zero Trust strategy, and JumpCloud, as of today, can already help you apply CA from several angles. The first is Device Certificates, which are deployed only to managed devices, and therefore to known-good ones, because you are also applying policies, managing software and keeping them patched.
Deploying certificates to devices can be extremely cumbersome and tedious, but much less so with JumpCloud: an easy-to-toggle configuration deploys Device Certificates to your managed devices without further interaction, whether they run Windows, macOS or Linux.
With or without Device Certificates, other conditions for accessing resources can be the location (based on countries) or specific IP addresses (or a list of IPs).
CA Policies can be used in conjunction with: SSO Applications, LDAP and the User Console itself.
Back to VPNs: make use of CA policies to harden the access. Privileged access to your 'crown jewels' in particular should be heavily secured and logged accordingly.
Verify that all machines, including cloud-based virtual machine instances do not have open RDP ports. Place any system with an open RDP port behind a firewall and require users to use a VPN to access it through the firewall
JumpCloud doesn't give you insight into open ports at the moment, but System Insights can tell you which Windows hosts are running Remote Desktop Services. This is also queryable in bulk via the RESTful API and PowerShell. Keep in mind that a running Remote Desktop Services service is not the same thing as an exposed TCP/3389: confirm reachability against your firewall rules or with an external scan before you call the item done.
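The following Python script is an added example, not JumpCloud's own tooling. It pulls the System Insights services table and reports the hosts where the Windows service behind Remote Desktop Services (TermService) is running. The endpoint path, the `x-api-key` header, the limit/skip paging and the row fields (`system_id`, `name`, `status`) are assumptions to verify against the current API reference; the sample rows are constructed so the filtering logic runs offline.

```python
"""Find Windows hosts running Remote Desktop Services via System Insights.

Added example, not JumpCloud's own tooling. Assumptions (not from the article):
the System Insights 'services' table is exposed at
https://console.jumpcloud.com/api/v2/systeminsights/services, authenticated
with an x-api-key header, paginated with limit/skip, and each row carries
osquery-style fields 'name' and 'status' plus a JumpCloud 'system_id'.
Check the current API reference before relying on these names.
"""
import json
import os
import urllib.parse
import urllib.request

API_BASE = "https://console.jumpcloud.com/api/v2/systeminsights/services"  # assumed endpoint
RDP_SERVICE = "TermService"  # Windows service name behind "Remote Desktop Services"


def iter_services(api_key: str, page_size: int = 100):
    """Yield every row of the services table, following limit/skip paging."""
    skip = 0
    while True:
        query = urllib.parse.urlencode({"limit": page_size, "skip": skip})
        req = urllib.request.Request(
            f"{API_BASE}?{query}",
            headers={"x-api-key": api_key, "Accept": "application/json"},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            rows = json.load(resp)
        if not rows:
            return
        yield from rows
        if len(rows) < page_size:
            return
        skip += page_size


def hosts_with_rdp(rows) -> dict[str, str]:
    """Map system_id -> TermService status for every host where the service exists.
    RUNNING and STOPPED are kept apart so you can decide per host whether to
    disable the service outright or just firewall it."""
    found = {}
    for row in rows:
        if row.get("name") != RDP_SERVICE:
            continue
        found[row["system_id"]] = str(row.get("status", "UNKNOWN")).upper()
    return found


def running_rdp_hosts(rows) -> list[str]:
    """System IDs where Remote Desktop Services is actually running."""
    return sorted(sid for sid, status in hosts_with_rdp(rows).items() if status == "RUNNING")


# Constructed sample rows, shaped like the assumed API response.
SAMPLE_ROWS = [
    {"system_id": "sys-a", "name": "TermService", "display_name": "Remote Desktop Services",
     "status": "RUNNING", "start_type": "AUTO_START"},
    {"system_id": "sys-b", "name": "TermService", "display_name": "Remote Desktop Services",
     "status": "STOPPED", "start_type": "DEMAND_START"},
    {"system_id": "sys-b", "name": "Spooler", "display_name": "Print Spooler",
     "status": "RUNNING", "start_type": "AUTO_START"},
    {"system_id": "sys-c", "name": "W32Time", "display_name": "Windows Time",
     "status": "RUNNING", "start_type": "DEMAND_START"},
]

if __name__ == "__main__":
    api_key = os.environ.get("JUMPCLOUD_API_KEY")
    # Without an API key, run against the constructed sample instead of the live API.
    rows = iter_services(api_key) if api_key else SAMPLE_ROWS
    for sid in running_rdp_hosts(rows):
        print(f"{sid}: Remote Desktop Services running; verify TCP/3389 is firewalled or VPN-only")
```

Run it with `JUMPCLOUD_API_KEY` set to hit the live table; without the variable it processes the constructed rows. The output is a list of system IDs, which you would feed back into a Command (to disable the service where it is not needed) or into your firewall review.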
Implement Credential Hardening
Implement MFA
In particular, apply MFA on all VPN connections, external-facing services, and privileged accounts. Require phishing-resistant MFA (such as security keys or PIV cards) for critical services. Where MFA is not implemented, enforce a strong password policy alongside other attribute-based information, such as device information, time of access, user history, and geolocation data.
In general: enable MFA wherever possible. There will be trade-offs, as always when taking a firmer approach to cybersecurity, but it is doable, and besides the technical measures a good deal of education and training is required.
JumpCloud Protect offers push-based and TOTP-based MFA at no additional cost for SSO applications, RADIUS and device login across operating systems (Windows, macOS and Linux); LDAP is to follow. Note that neither push nor TOTP is phishing-resistant, so for the critical services where the advisory asks for security keys or PIV cards they do not meet that bar on their own.
Strong passwords can be enforced via a global policy covering minimum length, complexity, originality, aging and lockout conditions. Note: compromised or weak passwords are currently not detected (at the time of publishing this article).
Change or disable vendor-supplied default usernames and passwords. Enforce the use of strong passwords.
Beyond changing default usernames and passwords, many devices and appliances also allow authentication via LDAP or SAML. Implement these protocols wherever possible and restrict use of the built-in 'root' account to the bare minimum, i.e. break-glass scenarios.
Set up monitoring to detect the use of compromised credentials on your systems. Implement controls to prevent the use of compromised or weak passwords on your network.
Directory Insights gives you a central entry point for logging, covering events from the following services: Directory, SAML, RADIUS, macOS/Windows/Linux, LDAP and MDM.
While JumpCloud currently doesn't detect the use of compromised credentials by itself, events can be exported, filtered, segmented and ingested into a SIEM of your choice. An initial landing zone for the logs can be an S3 bucket.
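The following Python is an added example, not part of the article or a JumpCloud feature, of the kind of detection you would run in the SIEM once Directory Insights events land there: it flags a brute-force burst against one account, a success immediately after such a burst (the "compromised credential" case the advisory is after), and password spraying from one IP across several accounts. The field names (`timestamp`, `event_type`, `success`, `client_ip`, `initiated_by.username`) are assumptions about the export format and the sample events are constructed; verify both against a real export.

```python
"""Detection logic over exported Directory Insights events.

Added example, not part of the article or a JumpCloud feature. Assumes the
events were exported as newline-delimited JSON with the fields 'timestamp'
(ISO 8601, UTC), 'event_type', 'success', 'client_ip' and
'initiated_by.username'. The sample events below are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
FAIL_THRESHOLD = 5    # failures for one (user, ip) within WINDOW -> brute force
SPRAY_THRESHOLD = 3   # distinct users failing from one ip within WINDOW -> spraying
LOGIN_EVENTS = {"user_login_attempt", "login_attempt", "sso_auth"}  # assumed event types


def parse_events(ndjson: str) -> list[dict]:
    """Parse NDJSON, keep only login-type events, return them sorted by time."""
    events = []
    for line in ndjson.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") not in LOGIN_EVENTS:
            continue
        ev["_ts"] = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
        ev["_user"] = (ev.get("initiated_by") or {}).get("username", "<unknown>")
        events.append(ev)
    return sorted(events, key=lambda e: e["_ts"])


def detect(events: list[dict]) -> list[dict]:
    """Sliding-window rules over time-ordered login events:
    - brute_force: >= FAIL_THRESHOLD failures for one (user, ip) inside WINDOW
    - success_after_failures: a success for a (user, ip) pair currently flagged
    - password_spray: one ip failing against >= SPRAY_THRESHOLD distinct users
    """
    fails_by_pair = defaultdict(list)   # (user, ip) -> failure timestamps
    fails_by_ip = defaultdict(list)     # ip -> (timestamp, user) of failures
    flagged_pairs, sprayed_ips, alerts = set(), set(), []

    for ev in events:
        now, user, ip = ev["_ts"], ev["_user"], ev.get("client_ip", "")
        pair = (user, ip)
        # Drop failures that fell out of the sliding window.
        fails_by_pair[pair] = [t for t in fails_by_pair[pair] if now - t <= WINDOW]
        fails_by_ip[ip] = [(t, u) for t, u in fails_by_ip[ip] if now - t <= WINDOW]

        if ev.get("success"):
            if pair in flagged_pairs:   # someone got in right after hammering the account
                alerts.append({"rule": "success_after_failures", "user": user, "ip": ip, "at": ev["timestamp"]})
                flagged_pairs.discard(pair)
            continue

        fails_by_pair[pair].append(now)
        fails_by_ip[ip].append((now, user))
        if len(fails_by_pair[pair]) >= FAIL_THRESHOLD and pair not in flagged_pairs:
            flagged_pairs.add(pair)
            alerts.append({"rule": "brute_force", "user": user, "ip": ip, "at": ev["timestamp"]})
        sprayed_users = sorted({u for _, u in fails_by_ip[ip]})
        if len(sprayed_users) >= SPRAY_THRESHOLD and ip not in sprayed_ips:
            sprayed_ips.add(ip)
            alerts.append({"rule": "password_spray", "ip": ip, "users": sprayed_users, "at": ev["timestamp"]})
    return alerts


# Constructed sample export: five failures then a success for alice from one IP,
# one IP failing against three different SSO users, and benign noise.
SAMPLE_NDJSON = """
{"timestamp":"2022-06-01T08:00:00Z","service":"directory","event_type":"user_login_attempt","success":false,"client_ip":"203.0.113.9","initiated_by":{"type":"user","username":"alice"}}
{"timestamp":"2022-06-01T08:00:30Z","service":"directory","event_type":"user_login_attempt","success":false,"client_ip":"203.0.113.9","initiated_by":{"type":"user","username":"alice"}}
{"timestamp":"2022-06-01T08:01:00Z","service":"directory","event_type":"user_login_attempt","success":false,"client_ip":"203.0.113.9","initiated_by":{"type":"user","username":"alice"}}
{"timestamp":"2022-06-01T08:01:30Z","service":"directory","event_type":"user_login_attempt","success":false,"client_ip":"203.0.113.9","initiated_by":{"type":"user","username":"alice"}}
{"timestamp":"2022-06-01T08:02:00Z","service":"directory","event_type":"user_login_attempt","success":false,"client_ip":"203.0.113.9","initiated_by":{"type":"user","username":"alice"}}
{"timestamp":"2022-06-01T08:02:30Z","service":"directory","event_type":"user_login_attempt","success":true,"client_ip":"203.0.113.9","initiated_by":{"type":"user","username":"alice"}}
{"timestamp":"2022-06-01T09:00:00Z","service":"sso","event_type":"sso_auth","success":false,"client_ip":"198.51.100.77","initiated_by":{"type":"user","username":"bob"}}
{"timestamp":"2022-06-01T09:00:10Z","service":"sso","event_type":"sso_auth","success":false,"client_ip":"198.51.100.77","initiated_by":{"type":"user","username":"carol"}}
{"timestamp":"2022-06-01T09:00:20Z","service":"sso","event_type":"sso_auth","success":false,"client_ip":"198.51.100.77","initiated_by":{"type":"user","username":"dave"}}
{"timestamp":"2022-06-01T09:05:00Z","service":"systems","event_type":"login_attempt","success":true,"client_ip":"192.0.2.15","initiated_by":{"type":"user","username":"erin"}}
{"timestamp":"2022-06-01T09:06:00Z","service":"directory","event_type":"user_password_change","success":true,"client_ip":"192.0.2.15","initiated_by":{"type":"user","username":"erin"}}
"""

if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_NDJSON)):
        print(json.dumps(alert))
```

The thresholds are deliberately low so the sample triggers; in production you would tune `FAIL_THRESHOLD` to sit below the lockout value in your password policy, so the SIEM alert fires before the account is locked and the attacker moves on to the next one.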
Establish Centralized Log Management
Ensure that each application and system generates sufficient log information. Log files play a key role in detecting attacks and dealing with incidents. By implementing robust log collection and retention, organizations are able to have sufficient information to investigate incidents and detect threat actor behavior.
This goes back to the previous points about Directory Insights and System Insights. Both central services provide deep insight across your fleet of applications, services and devices.
Employ Antivirus Programs
Deploy an anti-malware solution on workstations to prevent spyware, adware, and malware as part of the operating system security baseline.
JumpCloud is definitely not an antivirus, but it is pretty useful when it comes to deploying one. How? Commands are your friend here. Commands in JumpCloud are a Swiss Army knife: they execute scripts on your fleet whether the machines run Windows, macOS or Linux. Commands can be scheduled, triggered via webhooks, and have a customisable time-to-live so that you don't miss devices that happen to be offline at execution time.
Employ Detection Tools and Search for Vulnerabilities
Implement endpoint and detection response tools.
Just like antivirus programs, you can use Commands to deploy your EDR.
The remaining mitigations in this section are outside JumpCloud's wheelhouse.
Maintain Rigorous Configuration Management Programs
Always operate services exposed on internet-accessible hosts with secure configurations.
Continuously assess the business and mission need of internet-facing services. Follow best practices for security configurations, especially blocking macros in documents from the internet.
This is a fairly broad definition rather than specific advice. A note on blocking macros in documents from the internet: going forward, these will be blocked by default, as mentioned here. Custom configurations can be carried out either with a Custom Policy for Windows or with a Command carrying the respective settings as its payload.
Initiate a Software and Patch Management Program
Implement asset and patch management processes to keep software up to date. Identify and mitigate unsupported, end-of-life, and unpatched software and firmware by performing vulnerability scanning and patching activities.
JumpCloud recently introduced patching for operating systems. During a related webinar it was shared with the attendees that patching will further evolve to cover apps and baselines for desired states in future releases.
Recap
By reading through the mitigation steps, you have learned how to apply best practices to control access, harden credentials, establish comprehensive logging, deploy AV and EDR, apply secure configurations and start patching your operating systems.
If you're tasked with any of these recommendations, also consider how to make your own life as an IT admin easier and do the same (or more) with less.
IT sprawl is a challenge, and you might want to think of consolidation, not only for the sake of cost but also to manage your users, apps and fleet of devices with fewer solutions and tools. "Overtooling" also decreases your overall efficiency: you need to handle more vendors, train your people on more solutions, deal with different support teams in different ways depending on your subscription and terms, manage integrations between solutions...
Want to get started? Not familiar with JumpCloud yet? Feel free to sign up for a trial. Worth mentioning: it's free for 10 users and 10 devices, including all features.