Infra and Corporate Security Guidelines?

[allrightyeo]

hello, so I have a customer which has little security policies implemented. and it has landed in my lap to take a look into it. the environment has no vpn for external access, the exchange authentication has simple password policy without two-factor. some attacks have been done to O365 cloud and some accounts were hacked. it is known that internal address directory has been leaked.

i was about to suggest them to use physical token generator (similar to whats used by baking authentication), as well use of vpn for all external connections (outside internal vlans). and the use of certificates for authentication wherever it is possible to implement. but then i remembered about some IT security specialized consultancies that offer full analysis of the current breaches in an organization. my suggestions, then, seem to be too basic and not to cover the overall needs of such organization.

the customer had some resistances to change like "i am a manager, i dont want to use complicated passwords or two-factor auth." and so on.

please, can you help me with hints? where can i find a guideline for the minimum secure landscape to have in an organization? and how to evolve to a more advanced and secure scenario?

of course i would love to dive in deep text and learn about, but as well i need something more objective as a starting point.

thank you

[Down_n_Out]

First off, reading your intro, I'd make sure to cover yourself from any liability the lack of security as well as the lack of apparent cooperation from the company so they can't hold you responsible for any breaches or problems.

That being said, I'd look into MSB (Minimum Security Baseline), there's quite some examples out there, like this one for example [0]

Besides that SANS has a very good reading room [1] where you can find a lot more information, as well as on individual items as on general ones.

The most difficult part will definitely be to change the way of working and thinking of the management of this company. Maybe show them an example of a company that was attacked using ransomware, they were down for a month, lost millions. I will try to find the example I'm thinking of, but there's plenty to be found out there.

[0] http://www.rn.psu.edu/wp-content/uploads/sites/4349/2016/01/... [1] https://www.sans.org/reading-room/

[allrightyeo]

Excellent material man, that will help me a lot for a kick start. Thank you very much,

[verdverm]

The biggest thing will be changing their thinking. See The Challenger Sale. If they don't want to do security properly, then they will lose trust with their customers and go out of business. Economic Darwinism.