Ensuring the protection of your clients and organization's assets is simple.
You just need to follow these 12 security habits:
The average company faces threats from malware, human adversaries, corporate hackers, hacktivists, governments (foreign and domestic), even trusted insiders. In order to be truly secure, we are asked to install hundreds of patches each year to operating systems, applications, hardware, firmware, computers, tablets, mobile devices, and phones - yet we can still be hacked and have our most valuable data locked up and held for ransom.
Great companies realize that most security threats are noise that doesn’t matter. They understand that at any given time a few basic threats make up most of their risk, so they focus on those threats. Take the time to identify your company’s top threats, rank those threats, and concentrate the bulk of your efforts on the threats at the top of the list.
Most companies don’t do this. Instead, they juggle dozens to hundreds of security projects continuously, with most languishing unfinished or fulfilled only against the most minor of threats.
Which is most likely to be hacked… a device via SNMP or an unpatched server?
Establish an accurate inventory of your organization’s systems, software, data, and devices. Most companies have little clue as to what is really running in their environments.
How can you even begin to secure what you don’t know? Ask yourself how well your team understands all the programs and processes that are running when company PCs first start up. In a world where every additional program presents another attack surface for hackers, is all that stuff needed? How many copies of which programs do you have in your environment and what versions are they? How many mission-critical programs form the backbone of your company, and what dependencies do they have?
The best companies have strict control over what runs where. You cannot begin that process without an extensive, accurate map of your current IT inventory.
An unneeded program is an unneeded risk.
The most secure companies pore over their IT inventory, removing what they don’t need, then reduce the risk of what’s left. This applies not only to every bit of software and hardware, but to data as well.
Eliminate unneeded data first, then secure the rest.
Intentional deletion is the strongest data security strategy. Make every new data collector define how long their data needs to be kept. Put an expiration date on it. When the time comes, check with the owner to see whether it can be deleted. Then secure the rest.
The best security shops stay up on the latest versions of hardware and software. Yes, every big corporation has old hardware and software hanging around, but most of their inventory is composed of the latest versions or the latest previous version (called N-1 in the industry). This goes not only for hardware and OSes, but for applications and tool sets as well.
Procurement costs include not only purchase price and maintenance but future updated versions. The owners of those assets are responsible for keeping them updated. You might think, “Why update for update’s sake?” But that’s old, insecure thinking. The latest software and hardware comes with the latest security features built-in, often turned on by default. The biggest threat to the last version was most likely fixed for the current version, leaving older versions that much juicier for hackers looking to make use of known exploits.
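The two questions above, "how many copies of which programs, at which versions?" and "is each install at N or N-1?", can be answered from a flat inventory export. The following is an added example, not code from the original article: it aggregates a constructed inventory of (host, program, version) rows and flags installs whose major version is older than N-1. Host and program names are placeholders, and where the vendor's current major version is not supplied, the newest major seen in the inventory stands in for N, which is an assumption a real run would replace with vendor data.

```python
from collections import defaultdict

# Constructed inventory rows (host, program, version); all names are placeholders.
INVENTORY = [
    ("ws-001", "pdf-reader", "11.0.3"),
    ("ws-002", "pdf-reader", "10.2.0"),
    ("ws-003", "pdf-reader", "9.1.7"),
    ("ws-001", "media-player", "3.4.0"),
    ("srv-db-01", "db-engine", "15.1"),
    ("srv-db-02", "db-engine", "13.9"),
    ("ws-004", "legacy-tool", "1.0"),
]


def parse_version(version):
    """'11.0.3' -> (11, 0, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def summarize(inventory):
    """Answer 'how many copies of which program, at which versions?'.
    Returns {program: {version: [hosts]}}."""
    summary = defaultdict(lambda: defaultdict(list))
    for host, program, version in inventory:
        summary[program][version].append(host)
    return summary


def copies(inventory):
    """Total installs per program, regardless of version."""
    return {program: sum(len(hosts) for hosts in versions.values())
            for program, versions in summarize(inventory).items()}


def out_of_policy(inventory, current_major=None):
    """Hosts running a major version older than N-1.
    current_major maps program -> the vendor's current major version (N);
    for programs not listed, the newest major seen in the inventory is assumed to be N.
    Returns a sorted list of (host, program, version)."""
    current_major = current_major or {}
    findings = []
    for program, versions in summarize(inventory).items():
        newest = current_major.get(program, max(parse_version(v)[0] for v in versions))
        for version, hosts in versions.items():
            if parse_version(version)[0] < newest - 1:
                findings.extend((host, program, version) for host in hosts)
    return sorted(findings)


if __name__ == "__main__":
    for program, versions in summarize(INVENTORY).items():
        print(program, {v: hosts for v, hosts in versions.items()})
    # legacy-tool has only one version installed, so without vendor data it looks
    # current; telling the check that the vendor is at major 3 exposes it.
    print("out of N-1 policy:", out_of_policy(INVENTORY, {"legacy-tool": 3}))
```

The `legacy-tool` case is the one to watch for: a program with a single installed version never looks old relative to itself, so the N-1 check is only as good as the vendor version data fed into it.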
It's so common as to seem cliché: Patch all critical vulnerabilities within a week of the vendor’s patch release. Yet most companies have thousands of unpatched critical vulnerabilities. Remember Equifax?
If your company takes longer than a week to patch, it’s at increased risk of compromise -- not only because you’ve left the door open, but because your most secure competitors will have already locked theirs. Officially, you should test patches before applying, but testing is hard and wastes time.
To be truly secure, apply your patches and apply them quickly. If you need to, wait a few days to see whether any glitches are reported. But after a short wait, apply, apply, apply. Critics may claim that applying patches “too fast” will lead to operational issues. Yet, the most successfully secure companies tell me they don’t see a lot of issues due to patching. Many say they’ve never had a downtime event due to a patch in their institutional memory.
Personal advice: Test before releasing, as a patch may have a huge negative impact in production.
Education is paramount.
Unfortunately, most companies view user education as a great place to cut costs, or if they educate, their training is woefully out of date, filled with scenarios that no longer apply or are focused on rare attacks. Good user education focuses on the threats the company is currently facing or is most likely to face.
Education should be led by professionals and MUST involve the employees themselves. Security staff also need up-to-date security training, delivered each year either by bringing the training to them or by sending them to external training and conferences.
Training should not be limited to the products you buy; it should cover the most current threats and techniques as well.
The most secure organizations have consistent configurations with little deviation between computers of the same role. Most hackers are more persistent than smart. They simply probe and probe, looking for that one hole in thousands of servers that you forgot to fix.
Be consistent! Do the same thing, the same way, every time. Make sure the installed software is the same. Don’t have 10 ways to connect to the server. If an app or a program is installed, make sure the same version and configuration is installed on every other server of the same class. Establish configuration baselines and rigorous change and configuration control. Admins and users should be taught that nothing gets installed or reconfigured without prior documented approval.
Find the right mix of control and flexibility to avoid committee paralysis. At the end of the day, make sure any change, once ratified, is consistent across computers.
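A configuration baseline is only useful if something compares every machine of a role against it. The block below is an added example, not code from the original article: it holds a constructed baseline for one role (package versions plus a few settings) and reports, per host, every value that deviates from it, including packages that are present but not in the baseline. Host names, package versions and setting keys are placeholders chosen for the example.

```python
# Constructed baseline for one server class; every web-server host must match it exactly.
BASELINE = {
    "web-server": {
        "packages": {"nginx": "1.24.0", "openssl": "3.0.13"},
        "settings": {
            "ssh.PasswordAuthentication": "no",
            "ssh.PermitRootLogin": "no",
            "tls.min_version": "1.2",
        },
    },
}

# Constructed host snapshots as a collection agent might report them.
HOSTS = [
    {"name": "web-01", "role": "web-server",
     "packages": {"nginx": "1.24.0", "openssl": "3.0.13"},
     "settings": {"ssh.PasswordAuthentication": "no",
                  "ssh.PermitRootLogin": "no", "tls.min_version": "1.2"}},
    {"name": "web-02", "role": "web-server",
     "packages": {"nginx": "1.24.0", "openssl": "3.0.9", "telnet": "0.17"},
     "settings": {"ssh.PasswordAuthentication": "yes",
                  "ssh.PermitRootLogin": "no", "tls.min_version": "1.2"}},
]


def drift(host, baseline):
    """Compare one host with the baseline for its role.
    Returns a list of (section, key, expected, actual); expected is None for an
    item that exists on the host but not in the baseline (an unapproved install),
    actual is None for a baseline item the host lacks."""
    role = baseline[host["role"]]
    findings = []
    for section in ("packages", "settings"):
        want, have = role[section], host.get(section, {})
        for key in sorted(set(want) | set(have)):
            if want.get(key) != have.get(key):
                findings.append((section, key, want.get(key), have.get(key)))
    return findings


def report(hosts, baseline):
    """{host name: drift findings} for a fleet."""
    return {host["name"]: drift(host, baseline) for host in hosts}


def consistent(hosts, baseline):
    """True only when every host of every role matches its baseline."""
    return all(not findings for findings in report(hosts, baseline).values())


if __name__ == "__main__":
    for name, findings in report(HOSTS, BASELINE).items():
        print(name, "OK" if not findings else findings)
```

Treat the `expected is None` findings with the same seriousness as the mismatches: an extra package that nobody approved is exactly the "one hole in thousands of servers" the paragraph above describes.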
“Least privilege” is a security maxim which means giving the bare minimum permissions to those who need them to do an essential task. Most security domains and access control lists are full of overly open permissions and very little auditing. The access control lists grow to the point of being meaningless, and no one wants to talk about it because it’s become part of the company culture. Access controls, firewalls, trusts -- the most secure companies always deploy least-privilege permissions everywhere.
The best have automated processes that ask the resource’s owner to re-verify permissions and access on a periodic basis. The owner gets an email stating the resource’s name and who has what access, then is asked to confirm current settings. If the owner fails to respond to follow-up emails, the resource is deleted or moved elsewhere with its previous permissions and access control lists removed. Every object in your environment -- network, VLAN, VM, computer, file, folder -- should be treated the same way: least privilege with aggressive auditing.
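The owner-confirmation loop described here, and the expiration-date workflow for data a few habits earlier, are the same procedure: a resource comes due, its owner is asked to confirm, and silence after repeated follow-ups leads to removal of the permissions or deletion. The block below is an added example implementing one review pass over a constructed set of resources; it is not code from the original article. The reminder interval, the maximum number of unanswered reminders, the resource names and the ACL notation are all assumptions made for the example.

```python
from datetime import date, timedelta

REMINDER_INTERVAL = timedelta(days=7)   # assumed cadence for follow-up emails
MAX_REMINDERS = 3                       # assumed: after this many unanswered, act

# Constructed resources; owners, names and ACL strings are placeholders.
RESOURCES = [
    {"name": "fileshare-hr", "owner": "hr-lead", "acl": ["hr-staff:rw", "payroll:r"],
     "retention_days": 365, "review_due": date(2024, 3, 1),
     "reminders_sent": 0, "last_reminder": None},
    {"name": "db-legacy", "owner": "unknown", "acl": ["everyone:rw"],
     "retention_days": 180, "review_due": date(2024, 1, 15),
     "reminders_sent": 3, "last_reminder": date(2024, 2, 5)},
    {"name": "vm-test", "owner": "dev-lead", "acl": ["devs:rw"],
     "retention_days": 90, "review_due": date(2024, 2, 20),
     "reminders_sent": 1, "last_reminder": date(2024, 2, 20)},
    {"name": "vm-prod", "owner": "ops-lead", "acl": ["ops:rw"],
     "retention_days": 365, "review_due": date(2024, 9, 1),
     "reminders_sent": 0, "last_reminder": None},
]


def sample_resources():
    """Fresh copies of the constructed data so a run never contaminates the next."""
    return [dict(r, acl=list(r["acl"])) for r in RESOURCES]


def review_cycle(resources, today, responses):
    """One pass of the periodic owner review.
    today: a date or ISO string; responses: {resource name: 'keep' | 'delete'}
    collected from owners' replies. Mutates resources in place and returns a
    list of (resource name, action) for the audit trail."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    actions = []
    for r in resources:
        if r["review_due"] > today:
            continue                       # not due yet, nothing to ask
        answer = responses.get(r["name"])
        if answer == "keep":
            # owner confirmed: restart the clock for another retention period
            r["review_due"] = today + timedelta(days=r["retention_days"])
            r["reminders_sent"], r["last_reminder"] = 0, None
            actions.append((r["name"], "renewed"))
        elif answer == "delete":
            r["acl"], r["state"] = [], "deleted"
            actions.append((r["name"], "deleted"))
        elif r["reminders_sent"] >= MAX_REMINDERS:
            # no answer after repeated follow-ups: strip access and park the resource
            r["acl"], r["state"] = [], "quarantined"
            actions.append((r["name"], "quarantined"))
        elif r["last_reminder"] is None or today - r["last_reminder"] >= REMINDER_INTERVAL:
            r["reminders_sent"] += 1
            r["last_reminder"] = today
            actions.append((r["name"], f"reminder-{r['reminders_sent']}"))
        else:
            actions.append((r["name"], "waiting"))
    return actions


if __name__ == "__main__":
    rs = sample_resources()
    for name, action in review_cycle(rs, "2024-03-01", {"fileshare-hr": "keep"}):
        print(f"{name:14} {action}")
```

Quarantine rather than immediate deletion is the safer default for the no-response case: the resource survives, but with its ACL emptied it can no longer be reached through the stale permissions, and an owner who surfaces late can still reclaim it.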
Hackers always seek control of high-privileged admin accounts. Once they have control over a root, domain, or enterprise admin account, it's game over.
Most companies are bad at keeping hackers away from these credentials. In response, highly secure companies are going “zero admin” by doing away with these accounts based on the premise that if the admin team doesn’t have super accounts or doesn’t use them very often, they are far less likely to be stolen, and are easier to detect and stop when they are.
The art of credential hygiene is key.
This means using as few permanent super-admin accounts as possible, with a goal of getting to zero or as near to zero as you can. Permanent super-admin accounts should be highly tracked, audited, and confined to a few predefined areas. Do not use widely available super accounts, especially as service accounts. If someone needs a super credential, try using delegation instead. This allows you to give only enough permissions to the specific objects that person needs to access. In the real world, very few admins require complete access to all objects. Instead, grant rights to modify one object, one attribute, or at most a smaller subset of objects. This “just enough” approach should be married with “just in time” access, with elevated access limited to a single task or a set period of time. Additionally, apply location constraints (for example, domain admins can only be on domain controllers).
Least privilege applies to humans and computers as well, and this means all objects in your environment should have configurations for the role they perform. In a perfect world, they would have access to a particular task only when performing it, and not otherwise. First, you should survey the various tasks necessary for each application, gather commonly performed tasks into as few job roles as possible, and then assign those roles as necessary to user accounts. This will result in every user account and person being assigned only the permissions necessary to perform their allowed tasks. Role-based access control (RBAC) should be applied to each computer, with every computer with the same role being held to the same security configuration. Without specialized software, it’s difficult to practice application-bound RBAC. Operating system and network RBAC-based tasks are easier to accomplish using existing OS tools, but even those can be made easier by using third-party RBAC admin tools.
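The "just enough", "just in time" and location-constrained access of the two paragraphs above can be modelled with a small broker that issues a time-limited, task-scoped grant bound to a role and a host instead of a standing admin account. The block below is an added example, not code from the original article or from any particular product: the role catalogue, permission names, host names and the one-hour default lifetime are assumptions chosen for the illustration.

```python
from datetime import datetime, timedelta

# Constructed role catalogue (RBAC): each role bundles a few tasks and is bound
# to the hosts where it may be used (location constraint). Names are placeholders.
ROLES = {
    "dc-admin": {
        "permissions": {"ad:reset-password", "ad:modify-group"},
        "allowed_hosts": {"dc-01", "dc-02"},
    },
    "db-operator": {
        "permissions": {"db:backup", "db:restart"},
        "allowed_hosts": {"srv-db-01"},
    },
}


def _ts(value):
    """Accept ISO strings as well as datetimes for timestamps."""
    return datetime.fromisoformat(value) if isinstance(value, str) else value


class AccessBroker:
    """Issues short-lived, task-scoped elevation instead of standing admin rights."""

    def __init__(self, roles, default_ttl_minutes=60):
        self.roles = roles
        self.default_ttl = timedelta(minutes=default_ttl_minutes)
        self.grants = []
        self.audit = []     # every decision, granted or denied, is recorded

    def request(self, user, role, host, task, now, ttl_minutes=None):
        """Return a grant, or None when the role is unknown or not allowed on host."""
        now = _ts(now)
        spec = self.roles.get(role)
        if spec is None:
            self.audit.append((now, user, role, host, "denied: unknown role"))
            return None
        if host not in spec["allowed_hosts"]:
            self.audit.append((now, user, role, host, "denied: location"))
            return None
        ttl = timedelta(minutes=ttl_minutes) if ttl_minutes else self.default_ttl
        grant = {"user": user, "role": role, "host": host, "task": task,
                 "expires": now + ttl}
        self.grants.append(grant)
        self.audit.append((now, user, role, host, f"granted: {task}"))
        return grant

    def is_allowed(self, user, permission, host, now):
        """True only for an unexpired grant on this exact host whose role carries
        the permission; a grant on dc-01 says nothing about dc-02."""
        now = _ts(now)
        return any(
            g["user"] == user and g["host"] == host and now < g["expires"]
            and permission in self.roles[g["role"]]["permissions"]
            for g in self.grants
        )

    def active_grants(self, now):
        now = _ts(now)
        return [g for g in self.grants if now < g["expires"]]


if __name__ == "__main__":
    broker = AccessBroker(ROLES)
    broker.request("alice", "dc-admin", "dc-01", "reset locked account", "2024-03-01T09:00")
    broker.request("bob", "dc-admin", "ws-001", "reset password", "2024-03-01T09:05")
    for entry in broker.audit:
        print(entry)
```

The checks that matter are the negative ones: the same grant is refused on a neighbouring host, for a permission outside the role, and once the window has closed, and every refusal lands in the audit trail alongside the approvals.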
The vast majority of hacking is actually captured on event logs that no one looks at until after the fact, if ever. The most secure companies monitor aggressively and pervasively for specific anomalies, setting up alerts and responding to them. Good monitoring environments don’t generate too many alerts. In most environments, event logging, when enabled, generates hundreds of thousands to millions of events a day. Not every event is an alert, but an improperly defined environment will generate hundreds to thousands of potential alerts -- so many that they end up becoming noise everyone ignores.
Some of the biggest hacks of the past few years involved alerts that were ignored. That’s the sign of a poorly designed monitoring environment. The most secure companies create a comparison matrix of all the logging sources they have and what they alert on. They compare this matrix to their threat list, matching tasks of each threat that can be detected by current logs or configurations.
Then they tweak their event logging to close as many gaps as possible. More importantly, when an incident is generated, they respond.
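The comparison matrix described above is straightforward to compute once each threat on the ranked list is broken into the attacker tasks a log source could observe. The block below is an added example, not code from the original article: it builds the matrix from a constructed threat list and a constructed map of log sources already collected, lists the detection gaps in threat-rank order, and scores candidate log sources by how many of those gaps each would close. Threat names, task names and source names are placeholders chosen for the illustration.

```python
# Constructed ranked threat list, most important first, each broken into the
# attacker tasks that a log source could observe. Names are placeholders.
THREATS = [
    ("ransomware", ["phishing-email", "macro-execution",
                    "lateral-movement", "mass-file-encryption"]),
    ("credential-theft", ["brute-force-login", "privilege-escalation",
                          "lateral-movement"]),
]

# Constructed map of log sources already collected -> tasks they can detect.
LOG_SOURCES = {
    "mail-gateway": ["phishing-email"],
    "endpoint-edr": ["macro-execution", "privilege-escalation"],
    "domain-controller": ["brute-force-login"],
}

# Constructed candidates not yet collected, with the tasks each would detect.
CANDIDATE_SOURCES = {
    "netflow": ["lateral-movement"],
    "file-server-audit": ["mass-file-encryption"],
}


def coverage_matrix(threats, sources):
    """{threat: {task: [sources that can detect it]}}; an empty list marks a gap."""
    by_task = {}
    for source, tasks in sources.items():
        for task in tasks:
            by_task.setdefault(task, []).append(source)
    return {threat: {task: sorted(by_task.get(task, [])) for task in tasks}
            for threat, tasks in threats}


def gaps(threats, sources):
    """Undetectable (threat, task) pairs in threat-rank order, so the top
    threat's gaps come first and get closed first."""
    matrix = coverage_matrix(threats, sources)
    return [(threat, task) for threat, tasks in threats
            for task in tasks if not matrix[threat][task]]


def best_next_source(threats, sources, candidates):
    """Pick the candidate source that closes the most open gaps.
    Returns (source name, list of gaps it would close)."""
    open_gaps = gaps(threats, sources)

    def closes(item):
        return sum(1 for _, task in open_gaps if task in item[1])

    name, tasks = max(candidates.items(), key=closes)
    return name, [(threat, task) for threat, task in open_gaps if task in tasks]


if __name__ == "__main__":
    for threat, tasks in coverage_matrix(THREATS, LOG_SOURCES).items():
        for task, detectors in tasks.items():
            print(f"{threat:17} {task:22} {detectors or 'GAP'}")
    print("next source to onboard:", best_next_source(THREATS, LOG_SOURCES, CANDIDATE_SOURCES))
```

Because the gap list follows the threat ranking from the first habit, the same matrix also tells you which alerts deserve a human response first, which is the other half of the paragraph above.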
No one performs heart surgery on themselves or attempts to remove an aneurysm at the dining table. This is something that is left up to the experts. In like manner, companies should recognize where their strengths lie and reach out to a trusted and reputable vendor to assist them with their security issues. This is an area where almost all companies are the weakest!
Want to find out more about how your organization can stay safe against cyber attacks 24/7? Get in touch with us to request more information or a free quote.