
Yes, it is a lot more involved.

In particular, "routinely run training" might reduce the probability of a breach due to social engineering, but it probably won't.

You also didn't really cover client machine security, which is how compromises often happen. Your awesome security isn't worth much if the admin's machine is compromised.

Your employees need to use computers to do their job. As part of that, they will need to browse the web, which they will do with one of the major browsers. This browser has unknown 0-day vulnerabilities. Whatever security measures you implement must not disrupt business.

They may also need to plug in USB drives. These can come with malware. Whatever security measures you implement must not disrupt business.

They may also need to open documents, possibly with macros. Whatever security measures you implement must not disrupt business.

Your "basic rules" will at best prevent the - still extremely common - social engineering based attacks, but they still won't reliably keep an attacker out of your network. The attacker will compromise a random person, find some company-wide writeable shared network drive (that you didn't even know about) where a team shares their executables, replace one of those, compromise more machines, escalate to domain admin credentials through one of the many ways that exist, then use your own fleet management system to push their backdoor to your entire fleet.

For good security, you need for example:

- an overview of what assets (computers etc.) you actually have

- a decent way to manage these assets

- monitoring so you can hopefully detect when (not if) a compromise happens

- many layers of defense in depth that slow down attackers and limit what they can do once they've compromised one part of your company

- technical barriers to prevent social engineering attacks (binary whitelisting, strong multi-factor authentication)

- protection against insider risks

- physical security

and that's just a few things that popped into my head, the actual list would probably not fit whatever post length limits HN has. And of course all of this needs to be implemented with the limited budget the company is willing to give you, without disrupting the business, etc.
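The foothold described above (a shared drive where anyone can overwrite the executables a team runs) is something a defender can enumerate rather than discover after the fact. The following audit script is an added example, not code from the commenter; it walks a mounted share tree and flags executables that are world-writable themselves or that sit in a world-writable directory (the directory bits alone let a file be replaced). The extension list and the sample tree it builds are assumptions for the demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Extensions a team might drop on a share and run (assumed list for the example).
EXEC_SUFFIXES = {".exe", ".dll", ".bat", ".ps1", ".sh", ".msi"}


def world_writable(path: Path) -> bool:
    """True when the mode bits grant write access to 'other' (POSIX semantics)."""
    return bool(path.stat().st_mode & stat.S_IWOTH)


def audit_share(root: Path) -> list:
    """Report executables under root that anyone on the share could swap out.

    A hit is an executable that is itself world-writable, or one living in a
    world-writable directory: directory write permission allows delete/rename,
    so a read-only file inside it can still be replaced wholesale.
    """
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        d = Path(dirpath)
        dir_ww = world_writable(d)
        for name in filenames:
            f = d / name
            if f.suffix.lower() not in EXEC_SUFFIXES:
                continue
            file_ww = world_writable(f)
            if dir_ww or file_ww:
                findings.append({"path": str(f),
                                 "file_world_writable": file_ww,
                                 "dir_world_writable": dir_ww})
    return findings


def build_sample_share() -> Path:
    """Constructed throwaway tree mimicking the scenario (sample data only)."""
    root = Path(tempfile.mkdtemp(prefix="share_audit_"))
    tools = root / "tools"                      # the team's "put the .exe here" folder
    tools.mkdir()
    (tools / "deploy.exe").write_bytes(b"MZ")   # file is read-only, directory is not
    (tools / "notes.txt").write_text("not an executable")
    tools.chmod(0o777)
    (tools / "deploy.exe").chmod(0o755)
    locked = root / "locked"                    # properly locked-down counterpart
    locked.mkdir()
    (locked / "safe.exe").write_bytes(b"MZ")
    locked.chmod(0o755)
    (locked / "safe.exe").chmod(0o755)
    return root


if __name__ == "__main__":
    for hit in audit_share(build_sample_share()):
        print(hit)
```

Run it against the real mount point instead of the sample tree; on Windows shares the POSIX bits are not meaningful, so the same walk should consult the ACL (e.g. via icacls) rather than st_mode.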

Thanks for the great response! Very informative. I assumed I was way simplifying the problem. It seems like what works for my small remote only startup is not even close to what you need for a large in-person org running who-knows-what software.
