Below is the fifth post in a security-focused series written by Peak 10 + ViaWest CISO Annalea Ilg. Be sure to check out her earlier posts, “Security Starts at the Top,” “4 Reasons Why You Could Get Hacked,” “Assessing Security Risk at the Intersection of Assets, Threats and Vulnerabilities,” and “Do you know your cybersecurity risk profile?”
One often misunderstood element of improving your security posture centers on controls. Mostly technical or logical in nature, security controls help to reduce risk to the environment and allow vulnerabilities to be addressed in a timely manner, reducing an organization’s overall threat profile.
In the past, managing controls was difficult and time-intensive. Does anyone else remember those days? It was an important task, but it was a chore. We’re in a great position today, relative to where we were three to five years ago. Technology has brought enormous capabilities around automation – whether for deployment, maintenance or the ongoing monitoring of security controls.
The following is a list of security controls that may or may not exist in your organization today. It’s important to consider how using these tools or concepts can improve your environment and protect your data.
Patching is an essential security control, but is often only applied to operating systems. Organizations should ensure they are patching all layers that users interact with, including infrastructure devices, Java, Adobe, etc. Proactive security patching should be conducted at least once a month.
Lifecycle management of legacy technologies is essential. Just as you would replace old wiring or air filters in your home, the same applies to operating systems and applications.
Firewalls are just as important as ever. Avoid using overly permissive firewall rules just to get something out. While it might meet an urgent business need to get a service deployed, it’s not worth the risk. Conduct regular firewall rule reviews internally and externally.
Passwords remain a major pain point for security. Shared administrator accounts or overly permissioned accounts assigned to multiple users need to provide appropriate protection relative to the assets they protect.
Protocols should be secure by default. Avoid FTP or TELNET transmission protocols and ensure you’re using secure ones, such as Secure FTP. You also should be redirecting HTTP to HTTPS when dealing with sensitive data.
Web proxies are still an important part of environments. By monitoring behaviors and sites that users are visiting, you can enable proxies to provide security response features. These can prevent the access of known, high-risk sites and serves as a point of control for users engaging in risky behavior.
Antivirus tools are as essential today as years ago. These have evolved from signature-based to behavior-based. They analyze how code is interacting with the operating system to predict viruses, rather than react to them.
Policies and Procedures
Enforcing policies and procedures in the workplace is vital. Risk can be reduced through proper awareness, training and discipline.
Backups are a must-have. There are so many options when it comes to backup and organizations should ensure that all data is backed up. As we see more instances of purely malicious ransomware that leaves no hope of recovery, backup is the only way organizations can ensure business continuity.
Secondary accounts should be set up for all administrators. These super accounts (SUs) are for privileged access only and are used strictly to access restricted information. Regular administrative accounts can field the high-risk daily activities we all perform, such as opening emails and surfing the web.
Penetration testing should be conducted by an outside party to test the environment and review application and infrastructure posture. Is the organization introducing risk? Are the codes not quite secure? This testing should evaluate the entire stack.
Disaster recovery is a plan that all organizations should have in place, from how to restore from backups to the criticality of systems and the order in which they should be restored. You can find more insights about disaster recovery best practices and solutions in our white papers, “Business Continuity and Disaster Recovery: Solutions and Strategies that Can Save Your Business,” or “The Keys to Establishing a Successful Disaster Recovery Plan.”
These are just some of the security protocols your organization should have in place as part of its security posture. Don’t forget to properly dispose of data, encrypt everything, monitor your network patterns and insist on multi-factor authentication for everything. While it might seem somewhat paranoid to perceive everything as a major threat, it’s that kind of thinking that will keep your organization safe and secure.