Information classification is a cornerstone of security. If employees cannot easily determine the sensitivity of a piece of information, they cannot be expected to apply the right handling precautions to it, which in turn undermines the effectiveness of policy controls and awareness training. Most private sector organizations are best served by a simple, three-level classification scheme: one level for public information, one for the majority of corporate information, and a final level for sensitive information to which special handling precautions apply.
Security awareness training remains one of the best investments in cybersecurity. Many frauds and security breaches can be prevented by alert employees who understand the threats their organization faces and take personal responsibility for safeguarding company assets. In addition to in-house training, two good options are the Securing The Human program from SANS and The Security Awareness Company. Both organizations offer training geared to a variety of technical and non-technical audiences. It is essential to maintain a record of which employees have completed training. Larger organizations should consider a learning management system that can remind employees of assigned training and provide completion reports to management.
Patch management is essential to maintaining a strong security posture. While emergency patching is occasionally required to address critical vulnerabilities, many organizations struggle with routine operating system and application patches. It makes sense to test patches before applying them to critical production servers. However, faster processes should be considered for end-user laptops and desktops. These systems generally face a higher risk of exploitation by malware, and in most environments it is relatively safe to apply patches to them automatically using the vendor's built-in update mechanisms. Once a patch is issued, criminals and hostile governments rapidly reverse engineer it to work out what it fixes and to aid in the development of exploits for unpatched systems. An organizational goal should be to minimize the window between patch issuance and patch application.
Scheduled credentialed vulnerability scans provide insight into patching status and detect other potential security issues, such as insecure configurations and unsupported software, that an unauthenticated scan cannot see. A good practice is to deploy a product capable of daily and weekly scheduled scans, with automatic reports sent to the relevant operations personnel on behalf of the security team.
Businesses leveraging cloud computing services must pay careful attention to security configurations. In traditional on-premises deployments, servers sit behind firewalls by default, and existing change processes decrease the likelihood of exposing a server directly to the Internet. In sharp contrast, flexible cloud environments such as Amazon Web Services make it easy to intentionally or accidentally expose unnecessary services to the Internet with a single security group or route table change. One effective strategy is to use VPCs, routing, and network ACLs to decrease the likelihood of inadvertent exposure. It is also good practice to regularly review security-relevant configurations, either manually or programmatically via the provider's API, so that an accidental exposure is found in hours rather than months. Proxies should be used to mediate access between cloud-based servers and the Internet, including outbound HTTP for software downloads, updates, and patches, so that a compromised server cannot freely reach attacker infrastructure.
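As an added illustration of the programmatic review described above (this is example code, not part of the original column and not an AWS-provided tool), the script below audits the inbound rules of AWS security groups for anything reachable from the whole Internet (0.0.0.0/0 or ::/0) other than an assumed allow-list of public TCP ports. It works on the data shape returned by boto3's ec2.describe_security_groups(); the three security groups embedded in it are constructed sample data so the check runs offline, and the allowed-port policy and group names are assumptions for the example.

```python
"""Audit AWS security groups for services inadvertently exposed to the Internet.

Example code added to this column, not an AWS or boto3 facility. The input
shape matches boto3's ec2.describe_security_groups()["SecurityGroups"]; the
sample groups below are constructed test data. ALLOWED_PUBLIC_TCP_PORTS is an
assumed policy (only HTTP and HTTPS may be open to the world).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

ANYWHERE_V4 = "0.0.0.0/0"
ANYWHERE_V6 = "::/0"
ALLOWED_PUBLIC_TCP_PORTS = frozenset({80, 443})  # assumed policy


@dataclass(frozen=True)
class Finding:
    group_id: str
    group_name: str
    protocol: str
    detail: str  # offending ports, or a description for non-port rules


# Constructed sample data (not real account data) in the boto3 response shape.
SAMPLE_SECURITY_GROUPS: List[Dict] = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ANYWHERE_V4}], "Ipv6Ranges": [{"CidrIpv6": ANYWHERE_V6}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,  # SSH only from the admin VPN range
         "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "admin VPN"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "db-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,  # MySQL accidentally world-open
         "IpRanges": [{"CidrIp": ANYWHERE_V4}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",  # all traffic, but only from the private address space
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "legacy-admin", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANYWHERE_V4}], "Ipv6Ranges": []},  # everything from anywhere
    ]},
]


def rule_open_to_internet(rule: Dict) -> bool:
    """True if any IPv4 or IPv6 source range in the rule is the whole Internet."""
    v4 = any(r.get("CidrIp") == ANYWHERE_V4 for r in rule.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANYWHERE_V6 for r in rule.get("Ipv6Ranges", []))
    return v4 or v6


def summarize_ports(ports: Iterable[int]) -> str:
    """Collapse a set of ports into 'a-b,c' ranges so a 0-65535 rule stays readable."""
    ranges = []
    start = prev = None
    for p in sorted(set(ports)):
        if start is None:
            start = prev = p
        elif p == prev + 1:
            prev = p
        else:
            ranges.append((start, prev))
            start = prev = p
    if start is not None:
        ranges.append((start, prev))
    return ",".join(f"{a}" if a == b else f"{a}-{b}" for a, b in ranges)


def audit_security_groups(groups: List[Dict],
                          allowed_tcp_ports=ALLOWED_PUBLIC_TCP_PORTS) -> List[Finding]:
    """Return one Finding per inbound rule that exposes more than policy allows."""
    findings: List[Finding] = []
    for sg in groups:
        gid, gname = sg["GroupId"], sg.get("GroupName", "")
        for rule in sg.get("IpPermissions", []):
            if not rule_open_to_internet(rule):
                continue
            proto = rule.get("IpProtocol", "-1")
            if proto == "-1":  # AWS encodes "all traffic" as protocol -1 with no ports
                findings.append(Finding(gid, gname, "all", "all protocols and ports"))
            elif proto == "tcp":
                lo, hi = rule["FromPort"], rule["ToPort"]
                unexpected = [p for p in range(lo, hi + 1) if p not in allowed_tcp_ports]
                if unexpected:
                    findings.append(Finding(gid, gname, proto, summarize_ports(unexpected)))
            elif proto == "udp":  # no UDP service is allowed from the Internet under the assumed policy
                findings.append(Finding(gid, gname, proto,
                                        summarize_ports(range(rule["FromPort"], rule["ToPort"] + 1))))
            else:  # e.g. icmp or a raw protocol number
                findings.append(Finding(gid, gname, proto, "non-TCP/UDP protocol open to the Internet"))
    return findings


def load_from_aws(region_name: Optional[str] = None) -> List[Dict]:
    """Fetch live security groups with boto3 (only needed outside the offline sample)."""
    import boto3  # imported lazily so the sample above runs without boto3 installed
    ec2 = boto3.client("ec2", region_name=region_name)
    groups: List[Dict] = []
    for page in ec2.get_paginator("describe_security_groups").paginate():
        groups.extend(page["SecurityGroups"])
    return groups


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_SECURITY_GROUPS):
        print(f"{f.group_id} ({f.group_name}): {f.protocol} {f.detail}")
```

Run as-is it reports the world-open MySQL port on db-tier and the all-traffic rule on legacy-admin, and stays silent on web-tier because 443 is on the allow-list and SSH is restricted to a VPN range. Replace SAMPLE_SECURITY_GROUPS with load_from_aws() to audit a real account, and run it from a scheduled job so findings reach the operations team the same day a rule is changed.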
Many organizations continue to ignore the benefits of strong network zoning. Inexpensive physical and virtual routers and firewalls can be used to effectively reduce the potential for lateral attack movement. Organizations that allow unfiltered communication between user endpoints and servers must recognize they are significantly deviating from best practices. PCs, tablets, phones, and IoT devices are a common launch point for attacks and any reasonable defence in depth implementation has controls in place to mitigate the associated risks. Systems that process sensitive information, including Point of Sale devices, require additional layers of isolation.
Poor control of privileged credentials, and the use of root and Windows Administrator credentials from PCs that are also used for day-to-day email and web access, create significant risk. Ransomware is profitable, and attacks will continue to increase in sophistication. A single malware infection on a Domain Administrator's PC can cost many times the investment in a second, isolated PC dedicated to administrative tasks and in jump servers for access to sensitive environments.
Disaster Recovery and Business Continuity Plans, and backup processes to support them, are required to mitigate several common threat scenarios. These plans require regular review, testing, and updates.
Finally, most organizations struggle to reconcile the expanding cybersecurity landscape with decreasing budgets. An underutilized tool to help prioritize security initiatives is a good enterprise risk assessment. An experienced security practitioner can help quickly identify risks, evaluate their relative severity, and suggest practical prioritized security controls. Make improving security your New Year’s resolution.
Have a security question you’d like answered in a future column? Email firstname.lastname@example.org.