Friday, May 25, 2018

No Silver Bullet for the Cyber-wolves

The majority of individuals and businesses are sold a bill of goods regarding cyber security.  They hear marketing pitches for security software, appliances, and managed services, and are told that "this product" or "that service" will secure their business or their home computer.  At the end of the day, it gives them a false sense of security.

While these products and services can help reduce your risk of a cyber incident, they are only a small piece of your overall security program.  There is no silver bullet that keeps hackers at bay.  What you need instead is a Defense in Depth security program.  While this sounds like a daunting and expensive task, it can actually be done very inexpensively and with a few simple steps.

Risk Assessment - "If You Can't Measure It, You Can't Improve It." - Peter Drucker
The first step is to have a security risk assessment performed.  This informs you where your information security risks are, what controls you have in place, and what control gaps/weaknesses you need to shore up.

Policies, Plans & Procedures - "Those that fail to plan, plan to fail."  - Alan Lakein

  • Information Security Policy - This should cover, at a minimum, access control/user management, anti-virus, patching, password management, data classification and handling, use of encryption, remote access, change/configuration management, software acquisition/licensing, logging, and an acceptable use policy.
  • Incident Response Plan - You need to have this before you have an incident.  Don't worry about trying to identify every single type of incident to deal with; just get it down to high-level impact, e.g. network outage, server outage, application outage, security breach, malware infection, etc.  Have written procedures on how your staff should respond to each of these types of incidents.
  • Business Continuity Plan - If there is an electrical outage, fire, or natural disaster, you need to have a plan of action on how and where you will resume your business.  Also have all your employee, contractor, and vendor contact information in the plan.  Keep the plan in multiple locations, including a hard copy at your home.  If there is no power, your cloud or your PC may not be accessible.  Do not get hung up on the type of disaster; focus on the fact that your office is not accessible, and the plan needs to answer the question "What do I do now to stay in business?".  Do a paper walk-through with your management team at least twice a year and update the contact info.


Anti-Malware (Anti-Virus, End Point Control, Patching)
Having anti-virus and endpoint protection is not optional.  Make sure they are actively running, updated daily, that scans run daily (off hours), and that only an Admin can disable or change the settings.  Also, no user on your business network should have Local Admin, and the IT staff should have an Admin account for tasks that require Admin access and a separate non-Admin (normal user) account for surfing the web and checking e-mail.  Malware is most dangerous when it executes with Admin privileges, and it executes with the privileges of whoever clicks on it.  Patching needs to be done in a timely manner on operating systems, database management systems (MS SQL, MySQL, Oracle), and application software (Apache, Adobe, Office, etc.).

PC & Server Hardened Standard Image
Your PCs and servers require certain services to operate.  Over time, as you add software, more and more services are activated, usually set to run at startup (when most do not need to).  Besides slowing down the machine and providing a poor user experience (it takes forever to start up and shut down), every unnecessary running service increases the attack surface available to a hacker or malware.  You should have a standard image for your organization's PCs and servers in which you deactivate all non-essential services (daemons in the Unix/Linux world).  Also, remove all non-essential user accounts.  Most operating systems and applications come with Test or Guest accounts; either remove them or disable them.  If you have to keep any default accounts, change their passwords and make them long and complex (at least 14 characters, mixing letters, numbers, caps, and special symbols, and different for every account).  This is called hardening.  Once you have a hardened image, copy it, and that is what every machine in your organization gets as a baseline.  And since you are not letting your users have Local Admin, they will not be able to install software, which ensures that only approved, malware-free, and licensed software runs on your network.
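The two sections above (anti-malware/least privilege/patching, and the hardened baseline image) boil down to a handful of checks you can run against every machine on a schedule and report on.  The script below is an added example, not code from the original post or from any product: it audits constructed host records (stand-ins for what your inventory or endpoint-management tool exports) against assumed policy thresholds, an assumed allow-list of local admins, an assumed baseline service list, and the usual default account names.  Replace every threshold and list with the values from your own Information Security Policy and hardened image.

```python
"""Baseline audit for the Anti-Malware and Hardened Image controls:
local admin membership, anti-malware hygiene, patch currency, enabled
services and default accounts.  Added example, not the post's own code;
host records are constructed and every threshold/list is an assumption."""
from datetime import date, timedelta

# Assumed policy thresholds, in days.
MAX_SIGNATURE_AGE = 1   # signatures updated daily
MAX_SCAN_AGE = 1        # full scan daily (off hours)
MAX_PATCH_AGE = 30      # OS, database and application patches within a month

# Assumed hardened-image baseline: the only services allowed to start at boot.
BASELINE_SERVICES = {"sshd", "ntpd", "rsyslog", "edr-agent"}
# Accounts that ship with common operating systems and applications and must
# be removed or disabled (matched case-insensitively).
DEFAULT_ACCOUNTS = {"guest", "test", "admin", "sa"}
# The only accounts permitted in the local Administrators group.  The IT
# staffer's everyday account (jsmith) is deliberately absent; only the
# separate -adm account may hold Admin.
ALLOWED_LOCAL_ADMINS = {"Administrator", "jsmith-adm"}

TODAY = date(2018, 5, 25)  # constructed "now" so the sample data is reproducible


def audit_host(host, today=TODAY):
    """Return the list of policy findings for one host; empty means compliant."""
    findings = []

    # 1. Least privilege: nobody outside the allow-list holds Local Admin.
    for user in sorted(set(host["local_admins"]) - ALLOWED_LOCAL_ADMINS):
        findings.append(f"local admin not permitted: {user}")

    # 2. Anti-malware: running, signatures and scans fresh, settings locked down.
    av = host["antivirus"]
    if not av["running"]:
        findings.append("anti-malware not running")
    if (today - av["signatures"]).days > MAX_SIGNATURE_AGE:
        findings.append("anti-malware signatures stale")
    if (today - av["last_scan"]).days > MAX_SCAN_AGE:
        findings.append("no daily anti-malware scan")
    if av["user_can_disable"]:
        findings.append("non-admin can disable anti-malware")

    # 3. Patching: every tracked component inside the patch window.
    for component, patched in host["last_patched"].items():
        if (today - patched).days > MAX_PATCH_AGE:
            findings.append(f"patch overdue: {component}")

    # 4. Hardening drift: services beyond the image, default accounts still live.
    for svc in sorted(set(host["enabled_services"]) - BASELINE_SERVICES):
        findings.append(f"non-baseline service enabled: {svc}")
    for acct in host["accounts"]:
        if acct["name"].lower() in DEFAULT_ACCOUNTS and acct["enabled"]:
            findings.append(f"default account enabled: {acct['name']}")
    return findings


def audit_fleet(hosts, today=TODAY):
    """Map hostname -> findings so a report can list the non-compliant hosts."""
    return {h["hostname"]: audit_host(h, today) for h in hosts}


# Constructed inventory: ws01 matches the baseline, ws02 has drifted.
HOSTS = [
    {
        "hostname": "ws01",
        "local_admins": ["Administrator", "jsmith-adm"],
        "antivirus": {"running": True, "signatures": TODAY,
                      "last_scan": TODAY - timedelta(days=1), "user_can_disable": False},
        "last_patched": {"windows": TODAY - timedelta(days=10), "office": TODAY - timedelta(days=20)},
        "enabled_services": ["sshd", "rsyslog", "edr-agent"],
        "accounts": [{"name": "Guest", "enabled": False}, {"name": "jsmith", "enabled": True}],
    },
    {
        "hostname": "ws02",
        "local_admins": ["Administrator", "jsmith"],          # everyday account is an admin
        "antivirus": {"running": True, "signatures": TODAY - timedelta(days=3),
                      "last_scan": TODAY - timedelta(days=1), "user_can_disable": True},
        "last_patched": {"windows": TODAY - timedelta(days=45), "adobe-reader": TODAY - timedelta(days=5)},
        "enabled_services": ["sshd", "telnetd", "rsyslog"],   # telnetd is not in the image
        "accounts": [{"name": "Guest", "enabled": True}],
    },
]

if __name__ == "__main__":
    for hostname, findings in audit_fleet(HOSTS).items():
        print(f"{hostname}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for f in findings:
            print(f"  - {f}")
```

Feed it the real export from your inventory tool and run it nightly; any host with a non-empty finding list has drifted from the image or the policy and is the one a hacker or a piece of malware will find first.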

Network Security
You should have multiple layers of firewalls, routers, and switches.  Keep these patched in a timely manner too, and change all default accounts and passwords.  Send the logs off the devices to a central log server, so an attacker who gets into a firewall cannot quietly erase the evidence.  You should have some type of Intrusion Detection or reporting system in place to sift through the firewall logs and report the critical alerts, so you know when you are under attack and can follow your Incident Response Plan, as noted above, to prevent or stop the attack.
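To show what "sift through the firewall logs and report the critical alerts" means in practice, here is an added example (not code from the original post or from any IDS product) that reads netfilter-style syslog lines and raises exactly two kinds of critical alert: one source hitting many ports in a short time (a port scan) and one source repeatedly blocked on a login port (password guessing).  The log format, the sample records (TEST-NET addresses) and the thresholds are all constructed assumptions.

```python
"""Firewall-log triage: turn firewall DROP records into the critical alerts
an incident responder should see first.  Added example, not the post's own
code; the log format, sample lines and thresholds are constructed."""
import re
from collections import Counter, defaultdict, namedtuple
from datetime import datetime

# Assumed netfilter-style syslog line; adjust the pattern to your firewall.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>\w+) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=\w+ SPT=\d+ DPT=(?P<dpt>\d+)"
)
# Ports where repeated blocked connections usually mean password guessing.
LOGIN_PORTS = {22, 23, 445, 3389, 5900}

Alert = namedtuple("Alert", "kind src dst dpt count")


def parse_line(line):
    """Parse one log line into a dict, or None if it is not a firewall record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime fills in 1900, which is fine
    # for measuring gaps inside one log batch.
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "dpt": int(m["dpt"]),
    }


def detect(lines, window=60, scan_ports=10, brute_hits=5):
    """Return one Alert per offending source address.

    port scan   : >= scan_ports distinct (dst, port) targets blocked within `window` seconds
    brute force : >= brute_hits blocked attempts at one login port within `window` seconds
    """
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["action"] in ("DROP", "REJECT"):
            by_src[ev["src"]].append(ev)

    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            # every drop from this source inside the window that starts at `first`
            span = [e for e in events[i:]
                    if (e["ts"] - first["ts"]).total_seconds() <= window]
            targets = {(e["dst"], e["dpt"]) for e in span}
            if len(targets) >= scan_ports:
                alerts.append(Alert("port scan", src, None, None, len(targets)))
                break
            hits = Counter((e["dst"], e["dpt"]) for e in span if e["dpt"] in LOGIN_PORTS)
            if hits:
                (dst, dpt), n = hits.most_common(1)[0]
                if n >= brute_hits:
                    alerts.append(Alert("brute force", src, dst, dpt, n))
                    break
    return alerts


# Constructed sample log: 203.0.113.7 sweeps twelve ports on one host in eleven
# seconds, 198.51.100.23 hammers RDP every five seconds, the rest is noise.
SAMPLE_LOG = [
    *(f"May 25 02:14:{7 + i:02d} fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 "
      f"PROTO=TCP SPT={40000 + i} DPT={p}"
      for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080])),
    *(f"May 25 02:20:{5 * i:02d} fw01 kernel: DROP IN=eth0 SRC=198.51.100.23 DST=192.0.2.20 "
      f"PROTO=TCP SPT={51000 + i} DPT=3389"
      for i in range(6)),
    "May 25 02:21:00 fw01 kernel: ACCEPT IN=eth0 SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP SPT=50123 DPT=443",
    "May 25 02:22:31 fw01 kernel: DROP IN=eth0 SRC=203.0.113.99 DST=192.0.2.10 PROTO=TCP SPT=33333 DPT=80",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"CRITICAL {a.kind}: src={a.src} dst={a.dst} port={a.dpt} count={a.count}")
```

The single stray drop from 203.0.113.99 produces nothing, which is the point: the value of a reporting system is in what it does not page you about.  Tune `window`, `scan_ports` and `brute_hits` against a week of your own logs before you wire the alerts into the Incident Response Plan.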

Security Awareness Training
While listed last in this post, it is by far the most important low-cost security measure you can take.  Cyber criminals have figured out that it requires a lot of skill and hard work to hack your network.  It is much easier to trick your employees into giving them a user ID and password, your customer/employee data, or wiring money out of your business bank account.  Your awareness program is not a once-a-year video or PowerPoint slide deck.  It needs to be ongoing and use a number of mechanisms to stay top of mind for your employees.  Monthly security tip e-mails, security posters in the break room, mock phishing exercises, having a security expert come in quarterly for live or web-based training, and having your IT or security team do monthly brown-bag lunch presentations will all have a big impact on your employees' security awareness.  Measure the program the way you measure everything else: track the click rate on your mock phishing exercises over time.

To sum it up, there is no silver bullet, and information security is not a menu to choose from.  You have to do all of these things, and more, to have a defense in depth security architecture.  You need to put up enough barriers to frustrate attackers, which will encourage them to leave your organization alone and go hack someone else...(hopefully your competitors who don't take my advice).


