Build a Security Program – Technology

Introduction
In a previous post, I outlined the steps to establish a security program from nothing, from a business perspective. In this post I will outline the important technological steps needed to set up that security program. Security is inseparable from technology, so it makes sense to talk about what should be done on the technology side. I will cover basic technological security principles that should be implemented in an organization.

Two Factor Authentication
This is one of the best ways to prevent unauthorized access into your network and company assets/resources. Fortunately, many companies and applications already provide the option, and it should be enabled wherever it is offered. Two Factor Authentication should be enabled on all types of CRMs, cloud-based storage (even Google Drive), web hosting and content management services/platforms. When running an organization, consider also implementing Two Factor Authentication for applications that are used remotely, VPN services, and especially company email.

Setting Up Firewalls
Though it may seem a trivial step, organizations must not forget to actually set up their firewall on the network perimeter. It is important to first determine and document what types of inbound or outbound traffic are necessary for normal business operations. Once this is decided, I suggest blocking all other connections. You could use firewalls to block any other types of remote connections as well, logging those connections and blocking suspicious connection attempts/activity. Today a lot of firewall offerings already have these rules configured in their package. You may also be able to leverage an intrusion detection system (IDS). For any production or sensitive environment, organizations should consider implementing an internal firewall on the perimeter of that environment.

Any good firewall will block unnecessary inbound connections and also stop unnecessary outbound connections. With that said, do not forget that you need to actively manage the firewall in the first place. For instance, you should create a formalized process for granting exceptions to the firewall (e.g. traffic that can flow in if approved for a short period of time). When creating these exceptions, consider how that exempted traffic can affect your organization and the network. Lastly, document how long and why this traffic needs to be allowed.
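The default-deny baseline and the time-boxed exception process described above, modelled as an added example (not code from the original post); the baseline services, requesters and dates are constructed sample data:

```python
from datetime import datetime, timedelta

# Documented business traffic: the baseline decided on before anything else.
# Each entry: (direction, protocol, port, purpose). Constructed sample data.
BASELINE = [
    ("inbound", "tcp", 443, "public web site"),
    ("outbound", "tcp", 443, "SaaS and software updates"),
    ("outbound", "udp", 53, "DNS to approved resolvers"),
]

# Exceptions granted through the formal process. Constructed sample data:
# one has a reason and a short window, the other has neither.
EXCEPTIONS = [
    {"direction": "inbound", "protocol": "tcp", "port": 22,
     "requester": "alice", "justification": "vendor support session",
     "granted": datetime(2024, 3, 1), "ttl_days": 3},
    {"direction": "inbound", "protocol": "tcp", "port": 3389,
     "requester": "bob", "justification": "",
     "granted": datetime(2024, 1, 10), "ttl_days": 7},
]

def exception_active(exc, now):
    """An exception counts only while it is inside its approved window."""
    end = exc["granted"] + timedelta(days=exc["ttl_days"])
    return exc["granted"] <= now < end

def is_allowed(direction, protocol, port, now):
    """Default deny: pass only baseline traffic or a currently live exception."""
    key = (direction, protocol, port)
    if any((d, p, pt) == key for d, p, pt, _ in BASELINE):
        return True
    return any(exception_active(e, now)
               and (e["direction"], e["protocol"], e["port"]) == key
               for e in EXCEPTIONS)

def review_exceptions(now):
    """Findings for the firewall owner: expired rules to remove, rules lacking a reason."""
    findings = []
    for e in EXCEPTIONS:
        label = f'{e["direction"]} {e["protocol"]}/{e["port"]} ({e["requester"]})'
        if not exception_active(e, now):
            findings.append(f"remove expired exception: {label}")
        if not e["justification"].strip():
            findings.append(f"missing justification: {label}")
    return findings
```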

Setting up VPN for Remote Access
Allowing employees to authenticate into the network using a secure VPN adds another layer of security. I myself benefit from this option and feel secure working in any area with a decent WiFi signal. In fact, I am writing this post right now through VPN.

Logging Systems
All organizations should create a robust logging system that spans the whole organization. Places to start are audit tables on major products and reports/documentation. Also make sure applications keep a log of all their activity where possible. This can be configured on the back-end and can serve as the source of truth. Firewall logs, too, provide useful information about suspicious activity trying to enter the network. Make sure you retain your logs and go through them frequently to identify any anomalies. In general, logging is important to be able to troubleshoot or contain any issue rapidly.

Email Security Features
Making use of the quarantine and scanning abilities of email applications is a must. In addition, filtering URLs that appear in emails and marking "External" in the subject line add an extra layer of awareness and security. The spam folder can seem annoying, but it is very helpful to have. As mentioned, most commercial email platforms have these settings already built in and they need only be turned on. For the ones that do not, you can invest in third-party products. Think about it: most, if not all, of your employees will be touching email. It makes sense to want to protect this asset. A good security program starts with a safe email system.

Signature Based Antivirus
With the ever-growing threat landscape, it is important to invest in antivirus software that works to protect your assets. Depending on your organization, the choice is yours. Make sure you do your research, as attacks have become more sophisticated and have rendered some of the older signature-based products useless.

Regular Backups
This one seems like a no-brainer for our everyday lives as well. Make sure to back up all important assets in your organization. This means creating a backup management system that helps ensure that any attack, whether physical or cyber, does not doom your company. Having backups can help with ransomware attacks, rendering them disruptive rather than destructive to your everyday company operations.

In terms of servers, having backups in a different geographic location will go a long way to prevent hurricanes and earthquakes from destroying your digital assets. For instance, if your backup servers are in the building next door and both buildings suffer the same flood or earthquake, you could potentially lose all that data. Be smart and back up your data!

Lastly, I mentioned above that you should back up your data regularly. Once you identify your assets and the risks involved, you can figure out how often you need to back up your data. I suggest doing it regularly, and as soon as it is needed. This does not mean creating a backup server and then never backing anything up to it. It means regularly initiating (or automating) backups as needed, based on your business operational needs.

The Law of Least Privilege
This should be straightforward to you all. You should give users only the access that they need on any application. For example, do not give all users admin access, as they probably do not need it to use the application.

Local Administrative Privileges
For the most part, employees should not carry full administrative rights on the machines issued to them at work. Allowing employees full administrative rights lets them change security configurations, download applications, software and content that may be unsafe, and change critical settings that can ultimately affect the organization. For organizations whose employees already have elevated permissions and would like to change that, it is recommended to use an effective internal campaign to drive the message through and really articulate the business need for that change.

Segment Administrative Accounts
As good practice, employees who actually need elevated (administrative) privileges should have a separate account with which they make those changes. To really ensure security, you can segment this by device type, where workstation admins only have access to workstations and domain admins have access at the domain level. Lastly, all users with administrative accounts should use a separate non-privileged account for all non-privileged activity.

In general, think about it for a second. If a hacker gets access to your administratively privileged account, they will be able to do anything that account can do (such as install and run programs/applications). If they get access to a standard account, they will still need administrative access to do things such as install and run malware, and would be prevented from doing so without that permission.
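The three preceding sections (least privilege, no local admin for daily accounts, and segmented admin accounts with a separate non-privileged account) can be checked against an account inventory. This is an added example, not code from the original post; the accounts, group names, hosts and sign-in records are constructed, and the tier-to-group and tier-to-host mappings are assumptions about one possible policy:

```python
# Constructed account inventory: owner, purpose (tier) and the groups each account holds.
ACCOUNTS = [
    {"name": "alice",      "owner": "alice", "tier": "standard",          "groups": ["Domain Users"]},
    {"name": "alice-wadm", "owner": "alice", "tier": "workstation-admin", "groups": ["Workstation Admins"]},
    {"name": "bob",        "owner": "bob",   "tier": "standard",          "groups": ["Domain Users", "Local Administrators"]},
    {"name": "carol-dadm", "owner": "carol", "tier": "domain-admin",      "groups": ["Domain Admins", "Workstation Admins"]},
]

# Constructed sign-in records: where each account was used.
LOGONS = [
    {"account": "alice-wadm", "host": "WS-042", "host_type": "workstation"},
    {"account": "carol-dadm", "host": "DC-01",  "host_type": "domain controller"},
    {"account": "carol-dadm", "host": "WS-017", "host_type": "workstation"},
]

# Assumed policy: the groups each tier is expected to hold; anything beyond
# this is more privilege than the account's purpose needs.
TIER_GROUPS = {
    "standard": {"Domain Users"},
    "workstation-admin": {"Workstation Admins"},
    "domain-admin": {"Domain Admins"},
}
# Assumed policy: where each admin tier may sign in. Workstation admins stay
# on workstations; domain admin credentials never touch a workstation.
TIER_HOSTS = {
    "workstation-admin": {"workstation"},
    "domain-admin": {"domain controller", "server"},
}

def audit_accounts(accounts, logons):
    """Return human-readable findings for each policy violation in the inventory."""
    findings = []
    owners_with_standard = {a["owner"] for a in accounts if a["tier"] == "standard"}
    for a in accounts:
        extra = set(a["groups"]) - TIER_GROUPS[a["tier"]]
        if extra:
            findings.append(f'{a["name"]}: over-privileged, unexpected groups {sorted(extra)}')
        if a["tier"] != "standard" and a["owner"] not in owners_with_standard:
            findings.append(f'{a["name"]}: admin account with no separate standard account')
    by_name = {a["name"]: a for a in accounts}
    for entry in logons:
        tier = by_name[entry["account"]]["tier"]
        if tier in TIER_HOSTS and entry["host_type"] not in TIER_HOSTS[tier]:
            findings.append(f'{entry["account"]}: {tier} signed in to {entry["host"]} ({entry["host_type"]})')
    return findings
```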

Default Passwords/Password Management
When a new account is created, or a computer is configured for a new user, that new configuration involves a default password. It is imperative that all applications, services and software force users to change that default password. Those passwords are truly meant for one-time use. With hardware, this is usually not the case. For example, it's no secret that router and camera default passwords are often not changed (remember the Dyn attack?). Luckily, many people do not know how to actually access that information. However, relying on people "not knowing" is a terrible form of security and should be addressed upfront.

Third-Party Support
For smaller organizations, or ones that do not handle security internally, contingency plans should be drawn up by incident type. Essentially, you want to identify who to call for help when certain events happen. As a helpful tip, having external legal counsel and public relations support on retainer can help as well.

Also, depending on the size of the organization, having someone on support at all hours can be very beneficial. To do so, many companies use off-shore call centers. Again, this truly depends on the size of the company and whether there is a business need that can justify around-the-clock support hours.