Your Internet gateways are checkpoints that are installed at the edge of your network. Gateways monitor all incoming and outgoing traffic to protect your organization. Your organization should also monitor its Domain Name System (DNS) server. Your organization is responsible for monitoring all incoming and outgoing traffic at these gateways, even if you are using cloud services. To simplify this task, reduce the number of external connections to your network. You should establish a baseline of normal traffic patterns first, which enables you to detect and react to changes in these patterns.
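The baseline-then-detect approach described above, as an added example that is not part of the original document: it builds a baseline from constructed gateway log lines (documentation IP ranges, hypothetical `src=/dst=/dport=/bytes=` format) and then flags connections in a later window that fall outside it.

```python
import re
import statistics
from collections import defaultdict

# Hypothetical gateway log format; constructed sample lines, not real traffic.
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) bytes=(\d+)")

BASELINE_LOG = [
    "2024-05-01T09:00:01 src=10.0.1.5 dst=203.0.113.10 dport=443 bytes=1200",
    "2024-05-01T09:05:12 src=10.0.1.5 dst=203.0.113.10 dport=443 bytes=900",
    "2024-05-01T09:10:40 src=10.0.1.5 dst=203.0.113.25 dport=443 bytes=1500",
    "2024-05-01T09:12:03 src=10.0.1.7 dst=203.0.113.10 dport=443 bytes=800",
    "2024-05-01T09:20:55 src=10.0.1.7 dst=203.0.113.25 dport=443 bytes=1100",
]
NEW_LOG = [
    "2024-05-02T09:01:10 src=10.0.1.5 dst=203.0.113.10 dport=443 bytes=1000",
    "2024-05-02T09:02:30 src=10.0.1.5 dst=198.51.100.77 dport=8443 bytes=700",
    "2024-05-02T09:03:00 src=10.0.1.7 dst=203.0.113.25 dport=443 bytes=60000",
    "2024-05-02T09:04:00 src=10.0.1.9 dst=203.0.113.10 dport=443 bytes=500",
]

def parse(lines):
    """Extract (src, dst, dport, bytes) tuples; lines that do not match are skipped."""
    recs = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            recs.append((m.group(1), m.group(2), int(m.group(3)), int(m.group(4))))
    return recs

def build_baseline(records):
    """Baseline = set of known external (dst, port) pairs and a per-source median byte count."""
    known, per_src = set(), defaultdict(list)
    for src, dst, port, nbytes in records:
        known.add((dst, port))
        per_src[src].append(nbytes)
    return known, {s: statistics.median(v) for s, v in per_src.items()}

def find_deviations(records, known, medians, factor=5):
    """Flag new destinations, internal hosts never seen before, and volume spikes."""
    alerts = []
    for src, dst, port, nbytes in records:
        if (dst, port) not in known:
            alerts.append(f"new external destination {dst}:{port} from {src}")
        elif src not in medians:
            alerts.append(f"unknown internal source {src} talking to {dst}:{port}")
        elif nbytes > factor * medians[src]:
            alerts.append(f"{src} sent {nbytes} bytes to {dst}:{port}, over {factor}x its baseline")
    return alerts

def run_demo():
    known, medians = build_baseline(parse(BASELINE_LOG))
    return find_deviations(parse(NEW_LOG), known, medians)
```

The thresholds and the one-day baseline window are illustrative; in practice the baseline is rebuilt as the set of approved external connections changes.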
Updates and patches do not just fix bugs or improve usability or performance; they address known security vulnerabilities. Implement a patch management policy for operating systems and third-party applications to reduce your organization's exposure to publicly known vulnerabilities. When a vendor issues a security patch, you should follow your patch management process to apply the patch as soon as possible. You can use an automatic patch management system to apply patches in a timely manner. Use supported, up-to-date, and tested versions of operating systems and applications. Using unsupported operating systems or applications, for which updates are no longer provided, increases your risk of exploitation because there is no mechanism available to mitigate newly discovered vulnerabilities.
Apply the principle of least privilege to ensure that users only have the access and the privileges they need to carry out their job functions. You should limit the number of administrative or privileged users for operating systems and applications. Create different levels of administrative accounts so that, if an administrative account is compromised, the level of exposure is limited. To prevent exposure from phishing attacks or malware, administrators should perform administrative functions on dedicated workstations that do not have Internet or open email access, or that have Internet and email disabled for administrative accounts. We highly recommend that you use multifactor authentication (MFA), wherever possible, for all users and applications.
Your organization should be aware of all the applications that are used. Default configurations and misconfigurations can leave your networks, systems, and devices vulnerable. To prevent compromises of Internet connected assets and infrastructures, your organization should disable all non-essential ports and services and remove all unnecessary accounts. You should also have enterprise level auditing and an anti-malware solution as part of your secure configuration.
Your organization should have an inventory of its essential business information that is classified and categorized based on its level of sensitivity or impact on privacy. Your networks should be zoned by segmenting and grouping infrastructure services that have the same information protection requirements, and you should also continuously monitor and enforce controls to maintain zone protection and integrity. If your organization is using cloud or managed services, you should ensure that your data is separated from other tenants' data.
You can lower your organization's level of risk by training employees on cybersecurity issues and their roles and responsibilities in protecting networks, systems, and IT assets. Your organization should initiate awareness and training activities to address cyber threats, vulnerabilities, and policy requirements. You should frequently review your IT security awareness programs and activities, and you should also ensure that they are accessible to all users who have access to organizational systems.
Your organization's information is valuable to your continued operation, but it is also a valuable target to threat actors. When deploying mobile devices in your organization, you should consider the risks and benefits of various deployment models. If your organization chooses to allow employees to use their personal devices for business, you should implement a strict control policy and review technologies and legal requirements for segregating business and personal information. Your organization is always legally responsible and accountable for protecting its data. Review the applicable laws of the geographic location where the data will reside and the possible impacts to privacy.
You should deploy a host-based intrusion prevention system (HIPS) to protect your organization's systems against both known and unknown malicious attacks, such as viruses and malware. You should also monitor HIPS alerts and logging information to identify indications of intrusions. When using cloud services, you still need to apply protection at the host level, and we recommend that you use the specific tool sets provided by your selected cloud service provider (CSP) and any suitable third-party tools.
Your organization should use virtualization to create an environment where web-facing applications can run in isolation (i.e. in a sandbox). Isolating these applications confines malware, for example, to the virtualized environment so that it cannot spread to and infect the host or the enterprise, or at least reduces the attack surface.
An allow list specifies applications and application components (e.g. executable programs, software libraries, configuration files) approved to run on organizational systems. All other applications and application components should be denied by default. By implementing application allow lists, you can prevent malicious applications from being downloaded and infecting your organization's servers and systems. You can define your allow list by using file and folder attributes (e.g. file path, file name, file size, digital signature or publisher, or cryptographic hash).