10 Steps Towards the Path of Better Security for Your Business
Information security is hard. So hard, in fact, that many treat it as an intractable problem and ignore it wherever possible. They use the same password everywhere, carry sensitive data around on unencrypted laptops which they then leave on public transportation, run old applications on old operating systems, and suffer from a plethora of other such security issues.
In an alarmingly large number of data breaches, attackers do not resort to zero-day attacks or secret blackhat hacker techniques, but often virtually stroll into their target (pun intended) environments. Let’s take a look at a few things we can do to strengthen our environment from an information security perspective:
1. Control Access to Data
Any access to sensitive data should be tightly controlled. This is likely where the crown jewels of our organization are: the customer data, credit card numbers, sales contacts, important metrics, the colonel's original recipe, secret plans, etc… These are also the things that attackers are after, and we should protect them. These are also the things that will result in our organization’s name ending up in the news, followed closely by the word ‘breach’, if we do not.
This sensitive data should only be accessible to employees who absolutely need it as part of their job, and only at the time they need it. Additionally, administrative access should be restricted. If we lock this away from the entire rest of the company, but allow all of our junior assistant system administrators access to it, we really haven’t done much.
2. Backup your Data
Back. Up. Your. Data. Once you’ve backed it up, try restoring the backups to make sure that you’ve actually backed it up, not just stored a bad copy. This is so very critical. There are any number of situations where the difference between having a good backup and not having one moves us from ‘oops’ to business-ending critical. A great example of this is the recent uptick in ransomware attacks.
If an attacker manages to lock up our most sensitive data, we have a problem. If a valid backup exists, we have a somewhat smaller problem; if not, we have a Problem.
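As an added illustration of the restore check described above (example script written for this page, not from the article), the following backs up a directory, restores the archive into a scratch location and compares it file by file; the paths and file contents are constructed for the demo:

```shell
#!/bin/sh
# Added example (not from the article): make a backup and prove it restores.
# Paths and file contents below are constructed for the demo.
set -eu

# make_backup SRC_DIR DEST_TAR: archive SRC_DIR into DEST_TAR.
make_backup() {
    tar -C "$(dirname "$1")" -cf "$2" "$(basename "$1")"
}

# verify_backup SRC_DIR DEST_TAR: restore DEST_TAR into a scratch directory
# and compare it file by file with SRC_DIR. Returns 0 only on an exact match,
# so a stale or damaged archive is reported rather than trusted.
verify_backup() {
    scratch="$(mktemp -d)"
    status=0
    # Restore into scratch space, never over the live data.
    tar -C "$scratch" -xf "$2" 2>/dev/null || status=1
    if [ "$status" -eq 0 ]; then
        diff -r "$1" "$scratch/$(basename "$1")" >/dev/null 2>&1 || status=1
    fi
    rm -rf "$scratch"
    return "$status"
}

# Demo: a good backup verifies; after the source changes, the same archive
# no longer matches and the check fails, which is why restores get tested.
demo() {
    work="$(mktemp -d)"
    mkdir -p "$work/data/sub"
    printf 'customer list\n' > "$work/data/customers.txt"
    printf 'contract\n' > "$work/data/sub/contract.txt"
    make_backup "$work/data" "$work/backup.tar"
    verify_backup "$work/data" "$work/backup.tar" && echo "restore verified"
    printf 'new customer\n' >> "$work/data/customers.txt"
    verify_backup "$work/data" "$work/backup.tar" || echo "backup is stale"
    rm -rf "$work"
}

demo
```

In practice the restore target should be a separate machine or volume, so that the test also proves the archive can be read somewhere other than where it was made.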
3. Dispose of Data Securely
When we are done with data of a sensitive nature, we need to dispose of it securely. In the case of physical media, such as paper, this generally means shredding it. In the case of hard drives, USB drives, and other such media, this, oddly enough, also means shredding it, just with a much hardier shredder (often from a data destruction service).
No sensitive data should ever go intact into a trash can, recycle bin, etc… One often-missed case is that of equipment being recycled. Whenever we sell off or recycle old computer equipment that has been used to handle sensitive data, any storage media should be removed from it and destroyed. Yes, even the lowly copy machine is subject to this.
4. Use Encryption
Any system that handles sensitive data should have its storage encrypted. In the cloud, in a server room, under your desk — all of them. While this may seem like overkill, the security gained in doing so will make our lives much easier.
It used to be the case that encrypting storage media was hard. The encryption software made the system run slowly, it was hard to maintain the application and the associated encryption keys, and it was generally a lot of trouble. This is no longer the case. Almost all operating system vendors ship encryption tools with their software; these tools are very solid and have almost no noticeable impact on the systems they run on. Having encryption in place on a compromised or stolen system may mean the difference between having to issue a breach notification to customers and not needing to do so at all.
5. Keep Systems Up-to-Date
Keeping our systems up-to-date is one of the most basic parts of practicing good security hygiene. A huge percentage of the attacks carried out by attackers and malware exploit flaws for which a patch has already been released. We should be keeping up on application and operating system patches at all times, especially security patches. This alone will spare us a mind-boggling number of potential attacks and security problems.
6. Use Antivirus and Malware Protection
Another area that should be self-evident is the need to run antivirus and anti-malware tools on our systems. Just as with patching, a very large number of malware attacks are conducted by attackers using old tools. The vendors that produce antivirus software have signatures that can detect these and stop them in their tracks. In order for this to happen, however, we have to be running the tools and we have to be updating their signatures at least every day.
7. Use Multifactor Authentication
Using Multifactor Authentication (MFA) to protect access to sensitive data is a huge security step, and often a very simple one (Don’t know what MFA is? Read here). For our internal use, most operating systems support MFA for user logins in some fashion. Additionally, there are many third-party products that will do so. If a user’s credentials for a sensitive system are compromised, the attacker’s lack of the other authentication factors will still keep them from being able to get in.
We also shouldn’t limit the use of MFA to our own systems. Anywhere that we handle sensitive data in third party systems such as banks, payroll, or employee data, we should make use of MFA where it is supported by our vendors and partners.
While this makes our interactions with these systems very slightly more cumbersome, it makes life much more difficult for attackers.
8. Segment your Network
When we have a set of sensitive systems, such as those that process payment cards or patient data, or that hold our customers’ Personally Identifiable Information (PII), these systems should not be lumped in with everything else on the network, but should be in their own separate part of the network. This is referred to as segmentation.
When we segment sensitive systems off from everything else, this gives us the opportunity to put additional protections in place to control access to them. We might put in an additional firewall or perhaps an Access Control List (ACL) that restricts access to the segmented area down to certain systems.
This also gives us the opportunity to put monitoring in place, because we have made what is called a ‘choke point’ in the network. Because our sensitive systems are off in their own portion of the network, any traffic to or from them has to flow through a particular path, thus allowing us to keep an eye on what is going in or out. If we see traffic that we do not expect, we can take action.
9. Physical Security
The physical security of our systems is, some might argue, paramount. If an attacker can walk in the door and physically stand in front of one of our systems, many of the other points that we have discussed here become moot. At this point, we have largely lost control of the system.
This is a particularly important realization in the case of cloud services — our data in the ‘cloud’ is sitting on a system (or systems) somewhere, on a hard drive. Not only do we need to take care to protect the physical security of our own systems, but also make sure that we make good decisions about who we partner with, and that we are aware of how they practice security as well.
10. Strive for the Security Mindset
Bruce Schneier, a well known figure in the Information Security industry, wrote an article some time back discussing the security mindset. In it, he postulates that “the security mindset involves thinking about how things can be made to fail. It involves thinking like an attacker, an adversary or a criminal. You don't have to exploit the vulnerabilities you find, but if you don't see the world that way, you'll never notice most security problems.”
In a similar vein is a discussion by Jen Andre on the modern approach to security. She posits the important points to be: adoption of the mindset that the company has already been compromised, honesty about survivability in the face of breaches or incidents, the ability to rapidly adapt to the new and unknown, and a focus on hiring the right people rather than just buying tools.
This kind of thinking is crucial for anyone concerned with security for business or themselves. I encourage you all to read these and work toward this mindset as a goal.
While this is by no means an exhaustive list, it is a bit of a start for those setting off down the road to good security. Any security person worth their salt will poke at this list, suggest items to add or remove, reprioritize the list, and pull it apart in general; this is a good thing. The point of this list is to highlight some of the larger problem areas and to get a discussion going on what the most important pieces are for a given situation.
Security is definitely a journey; I wish you the best of luck on yours.
“Greatness comes not in possessing security, but in withstanding insecurity.” - Jeffrey Fry
About Jason Andress
Dr. Jason Andress (ISSAP, CISSP, GPEN, CISM) is a seasoned security professional with a depth of experience in both the academic and business worlds. In his present and previous roles, he has provided information security expertise to a variety of companies operating globally. He has taught undergraduate and graduate security courses since 2005 and conducts research in the area of data protection. He has written several books and publications covering topics including data security, network security, penetration testing, and digital forensics.