Due to the number of reports about web sites (and other systems) that were hacked in the last few days, I gathered a few tips & tricks for enterprises:
1. Disable all remote connections that use username / password authentication (e.g. OWA, ActiveSync, VPN, RDP, etc.).
Note 1: If you cannot disable OWA, consider implementing the following steps:
a. Deploy a CAPTCHA on OWA.
b. Disable OWA access for privileged users.
c. Enforce a password policy & account lockout policy:
Enforce password history: 24 passwords remembered
Maximum password age: expire passwords between 60 and 90 days
Minimum password length: 9 characters
Enabled: Password must meet complexity requirements
Disabled: Store passwords using reversible encryption
Account lockout threshold: 5 invalid attempts lock the account, and locked-out accounts are released manually
Note 2: As an alternative authentication technology you can use OTP (One Time Password), biometric authentication, or PKI (Public Key Infrastructure) authentication.
d. Verify that end users' enterprise passwords are unique and are not reused on public resources (e.g. public email services, public community newsgroups, etc.).
2. Disable all the remote tools used by webmasters / system admins for remote management of the enterprise website(s).
Note: Don't forget to limit access to DNS management tools, which may be provided by a third-party service provider.
3. Disallow end users from saving enterprise data on public resources (e.g. public email services, public community newsgroups, etc.).
4. Consider blocking access to enterprise resources from unsafe IP addresses.
Note: Before applying any restriction, it's recommended to get approval for this step from the legal department and enterprise management.
5. Arrange a “Rapid Intervention Team” that can take technical and business decisions in real time.
Note: It's recommended to prepare decisions in advance for common scenarios. For example: how to explain to customers that the enterprise web site / email system is down, etc. Moreover, it's recommended to run a short drill to verify that the procedures you created will actually work on D-Day.
6. Verify that the IPS (Intrusion Prevention System) is updated with the latest attack signatures.
7. Arrange a list of critical contacts (e.g. ISP contact person, Israel Police Lahav 443 Computer Crime department, etc.).
8. Verify that the software & hardware are running the latest patch versions.
9. In the enterprise mail relay, block file types that may be considered unsafe. You can use the following list as a starting point:
“Manage blocked file types in SharePoint 2013”
10. Instruct end users to avoid opening emails / SMS messages from unknown senders.
11. It's recommended to disable macro support in software such as document editors, document readers, etc.
12. Consider adding an automatic counter mechanism to the enterprise website that allows blocking users who initiate multiple connections at the same time or connect at a high frequency. The automatic counter mechanism can also slow down users that connect too frequently (I would like to thank Mr. Nir Izraeli for this tip).
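As an added example (not code from the original post), here is the kind of automatic counter mechanism item 12 describes: a per-client sliding-window counter that first slows down and then blocks clients that connect too frequently. The window length, thresholds and client addresses are hypothetical values chosen for the demonstration.

```python
import time
from collections import defaultdict, deque


class ConnectionCounter:
    """Per-client sliding-window connection counter: 'allow' below
    slow_threshold hits in the window, 'slow' (growing delay) above it,
    and 'block' for block_seconds once block_threshold is reached."""

    def __init__(self, window_seconds=10.0, slow_threshold=5,
                 block_threshold=20, block_seconds=300.0):
        self.window_seconds = window_seconds
        self.slow_threshold = slow_threshold
        self.block_threshold = block_threshold
        self.block_seconds = block_seconds
        self._history = defaultdict(deque)  # client -> hit timestamps in window
        self._blocked_until = {}            # client -> time the block expires

    def check(self, client, now=None):
        """Return ('allow', 0.0), ('slow', delay_s) or ('block', remaining_s)."""
        now = time.monotonic() if now is None else now
        until = self._blocked_until.get(client)
        if until is not None:
            if now < until:
                return "block", until - now
            del self._blocked_until[client]   # block expired, start fresh
        q = self._history[client]
        q.append(now)
        cutoff = now - self.window_seconds
        while q and q[0] < cutoff:            # forget hits outside the window
            q.popleft()
        n = len(q)
        if n >= self.block_threshold:
            self._blocked_until[client] = now + self.block_seconds
            self._history.pop(client, None)   # history is not needed while blocked
            return "block", self.block_seconds
        if n > self.slow_threshold:
            # delay grows with how far the client is over the soft limit
            return "slow", 0.5 * (n - self.slow_threshold)
        return "allow", 0.0


def simulate():
    """Constructed traffic: one client every 3 s, one bursting 25 hits in 2.5 s."""
    counter = ConnectionCounter()
    t = 1000.0
    normal = [counter.check("10.0.0.5", now=t + 3 * i)[0] for i in range(10)]
    burst = [counter.check("203.0.113.7", now=t + 0.1 * i)[0] for i in range(25)]
    return normal, burst
```

In a real deployment the "slow" delay would be applied before serving the request (or handed to the web server / load balancer), and block events should be logged so the Rapid Intervention Team can review them.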
13. Please remember that a DDoS (Distributed Denial of Service) attack can be launched against any common company resource (e.g. website, email system, internet access line, etc.).
14. Deploy strict data validation controls in external and internal computer resources (e.g. internal portal, enterprise website, etc.). For further information please review the OWASP Data Validation guidance.