Do you worry about security breaches? It seems you can't go more than a week without hearing of a major retailer or large financial institution dealing with a significant cyber attack. If companies with the biggest IT budgets are not immune, what can smaller companies do?
Make these 5 changes and you'll create a more secure IT environment for your business that protects you from security breaches.
Not as straightforward as you might think
Like death and taxes, it's inevitable that every piece of software will require updates and bug fixes after you start using it. You need to apply these software patches on a regular basis to correct known security vulnerabilities.
But don't software updates happen automatically?
You may think patches are already being applied automatically within your environment. After all, you periodically see those notifications pop up on your screen letting you know when an update is available. You and your employees are dutifully applying those patches.
But in practice, it's amazing how many organizations fall flat when it comes to this basic step and do not patch all software. Sometimes, they are not aware that a particular software program is present within their network.
If your workstations and servers aren't up to date on their patches, update them immediately. Whenever possible, turn on automatic updates. Create a process by which updates are tested and deployed in a regular and controlled manner.
But don't stop with just Windows or your daily yum-cron or apt-get cron jobs. The operating system isn't the only attack surface there is. Adobe Flash, Java, Office, and many other applications are regularly found to have weaknesses. Patch all your applications, not just Microsoft applications but the other third-party applications within your environment as well.
Pay particular attention to any machine that is accessible via the Internet.
A vulnerable system will be found quickly and you will be breached.
One word of caution when it comes to business critical application servers — patching does not always go smoothly. Test patches in a development environment before rolling them out to production. And always have a verified known good backup.
Software Patching Best Practices
For software patching, follow these best practices:
- Identify all the systems within your environment that need to be patched.
- Set up automated patching for all Microsoft software.
- Set up automated patching for Adobe and Java, which require updates nearly every month.
- Consistently apply SQL and other enterprise application patches, but only after thoroughly testing them to make sure no legacy systems are broken.
- Make sure you are applying patches on your web server.
- For any new devices that are discovered in the future, investigate to determine any additional patching requirements.
2) Stop Sharing Accounts
Like problems and germs, some things are best kept to yourself
Each user, including your IT staff, should have their own unique set of login credentials to access any machine they need to. This is also true for your cloud based applications — stop sharing accounts.
There are several reasons for this:
- When multiple users log in with the same account, it makes it difficult to troubleshoot a problem.
- Particularly for administrator accounts, if you can't tell from the log files who made a change, it becomes much harder to trace and reverse that change.
- Compliance standards (such as those for HIPAA) require an audit trail of who did what, and when.
- Passwords must be changed when any employee that had access to an account leaves.
Proper management and restriction of privileged accounts goes a long way in securing IT assets.
And it begins on the lowly workstation or laptop.
"Anyone can be the target of hackers trying to gain access to systems and information."
— Joe Grzybowski, CEH
Individuals should not have administrator rights to their PCs. By not providing users with local admin rights, you minimize the impact of any malware that makes it through your email filtering, web filtering, and anti-virus defenses.
Frequently, users are granted admin access on their own machines for convenience. Users may be frustrated by needing to go to an IT person for something as innocuous as installing a printer or new font on their workstation.
Account Administration Best Practices
For account administration, follow these best practices:
- Assign each user their own account to log in on the machines they need to access.
- For your applications, each user should have their own account.
- Do not permit individual users to have admin access on their own workstations.
3) Maintain an Accurate Inventory of IT Assets
You can't protect what you don't know you have
You need to build and maintain an asset management database; you can't protect what's on your network if you don't know what's there.
An accurate inventory is a good start towards a more secure network, but it's important to know when any new device has been added to your network.
Network monitoring will tell you when a device has been added to your network that you didn't know about.
It's easy to understand how this happens. Someone on your staff may bring up a new machine on the network, maybe even on a temporary basis for a project. Then, six months later, if that machine is not included on your inventory list, it's missing software patches and bug fixes and now poses a security risk.
Once you know what devices are on your network, it is important to keep the list up to date. The list will change over time, so it's important to verify the list on a regular basis.
"Your environment is always changing, and change introduces risk."
— Sean McCloat, CISSP
Software is equally important as hardware. It's critical that you identify all software running on your network and continue to check for any new instances. If you don't know software is there, you'll be unable to make sure it's updated with the latest patches.
IT Inventory Best Practices
For an accurate inventory of IT assets, follow these best practices:
- Ping each IP address within your subnet. One tool you can use for this is Nmap (https://nmap.org).
- Investigate any formerly unknown devices to determine what they are used for and who is using them.
- On an ongoing basis, scan your network for any new software.
- As you discover legitimate new software running on the network, add it to your patching process, automating patching where possible.
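One way to turn the Nmap sweep from the list above into a recurring check for unknown or missing devices, as an added Python example that is not from the original article: it parses the grepable output of `nmap -sn -oG -` and compares the hosts that answered with an inventory export. The scan output, addresses, hostnames and inventory entries are constructed samples.

```python
"""Reconcile an Nmap ping sweep (grepable output) with the asset inventory."""
import re

# Constructed sample of `nmap -sn -oG - 192.168.1.0/24` output; not a real scan.
SAMPLE_NMAP_GREPABLE = """\
# Nmap 7.80 scan initiated Mon Jan  6 08:00:00 2020 as: nmap -sn -oG - 192.168.1.0/24
Host: 192.168.1.1 (gw.example.local)\tStatus: Up
Host: 192.168.1.10 (fileserver.example.local)\tStatus: Up
Host: 192.168.1.57 ()\tStatus: Up
# Nmap done at Mon Jan  6 08:00:03 2020 -- 256 IP addresses (3 hosts up) scanned in 3.12 seconds
"""

# Constructed inventory export, IP -> description/owner (hypothetical asset database).
SAMPLE_INVENTORY = {
    "192.168.1.1": "core router (IT)",
    "192.168.1.10": "file server (IT)",
    "192.168.1.200": "MFP printer (Finance)",
    "192.168.1.250": "temporary project box (Marketing, 2019)",
}

HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\s+Status:\s+(\w+)")


def parse_live_hosts(grepable):
    """Return {ip: hostname} for every host Nmap reported as Up."""
    live = {}
    for line in grepable.splitlines():
        m = HOST_LINE.match(line)
        if m and m.group(3) == "Up":
            live[m.group(1)] = m.group(2)
    return live


def reconcile(live, inventory):
    """Split hosts into: unknown (answered but not inventoried), known (both),
    and not_seen (inventoried but silent: offline, retired, or moved)."""
    seen, known = set(live), set(inventory)
    return {
        "unknown": sorted(seen - known),
        "known": sorted(seen & known),
        "not_seen": sorted(known - seen),
    }


if __name__ == "__main__":
    report = reconcile(parse_live_hosts(SAMPLE_NMAP_GREPABLE), SAMPLE_INVENTORY)
    for ip in report["unknown"]:
        print(f"UNKNOWN {ip}: find the owner, add to inventory and patching")
    for ip in report["not_seen"]:
        print(f"SILENT {ip} ({SAMPLE_INVENTORY[ip]}): verify it still exists or retire it")
```

Scheduled from cron against the real sweep output, the "unknown" list flags a device that appeared after the inventory was built before it can sit unpatched for months, and the "not_seen" list keeps the inventory itself honest.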
4) Back Up
Be prepared for anything.
As the saying goes, a failure to plan is a plan to fail.
By thinking through the scenarios that can disrupt your business operations, you can develop the right procedures to implement in response to such events.
You can suddenly lose access to servers or other machines on your network for a variety of reasons, but whether a server goes down due to hardware failure or malicious activity, the solution is the same — restore from backups. (Learn more in "Preparing for Disasters with Disaster Recovery Services.")
Disaster Recovery Best Practices
Follow these best practices for proper disaster recovery:
- Develop a comprehensive business continuity plan that provides local backup storage as well as long-term off-site storage.
- Determine your Recovery Time Objective (RTO) and Recovery Point Objective (RPO).
- Store log files from all network devices, servers, and security appliances. The ability to review these files after an attack will be helpful in preventing future breaches.
- Create a warm standby disaster recovery environment in the cloud. This is instrumental in restoring operations quickly in the event of a ransomware attack.
- If you are hacked, be careful and methodical about how you restore from backups. For example, when restoring a workstation, do not reinstall the operating system from backups. If the cyber attack occurred before the backup took place, you could inadvertently release corrupted files back onto the workstation.
5) Perform External Testing & Validation
There's no test like external validation.
Once you believe that you have taken the necessary steps to secure your network, it's time to test the waters.
One way to determine if you have taken adequate steps to prevent hackers from accessing your network is to have an outside cybersecurity firm perform penetration testing. Pen testing is the act of intentionally trying to break into the network or access data. The test results will expose any external vulnerabilities and their associated impact across your Internet-facing assets, including public IP addresses, firewalls, email servers, and web servers.
But all the security tools in the world will be of no use if employees unwittingly let the bad guys in.
"Security is not a set-it-and-forget-it endeavor. It is an ongoing process and culture."
— Joe Grzybowski, CEH
Criminals can convince your users to share login credentials via phishing schemes. The attacker pretends to be someone or something that they are not; once they gain the confidence of the victim, they simply ask them to provide their login information.
One purpose of these attacks is to gain access to your account. From there, the attacker can immediately take your files or hijack your email account to solicit more victims in your contact list. Within your files, they commonly seek confidential information such as account numbers, social security numbers, or more passwords.
Another common method of attack launched via phishing is malware. This is done by enticing a user to open a file or visit a web page. When they do so, the file or page executes a malicious action on that workstation. Frequently, a user is sent an email with a link that may appear to come from someone they trust. When the user clicks the link, the malware is released on that machine.
Security awareness training can help to warn users about what to watch out for. Keep in mind that even the most extensive training programs have limited effectiveness, because users can be easily fooled by phishing attacks.
Validation Best Practices
Follow these best practices:
- Commission a round of penetration testing by a third party to verify the security of your network.
- Implement security awareness training for employees with ongoing refresher sessions. Describe safe and unsafe practices, and make sure users understand the reasons behind security policies and procedures. Provide use case examples on common phishing and malware scenarios they may encounter.
Corserva provides managed security services including managed SIEM and managed firewall. Our services are supported 24x7x365 by our own US-staffed security operations centers, and backed by our engineers with certifications including CISSP, CISM, CGEIT, CRISC, CEH, and CompTIA Security+.
Contact us today and we can customize a security solution to fit your needs.