By Aaron Hnatiw, Senior Security Researcher at Security Compass
It’s more important now than ever to run a business securely, but with threats becoming more common and complex every day and countermeasures always shifting, it can be difficult to know how to start building an effective information security practice. In order to help, we at Security Compass’s advisory unit distilled the most critical measures into ten security principles that every business should follow. While not an exhaustive list, these represent the most important bases to cover when building a security program and assessing the basic health and comprehensiveness of an existing program.
We encourage you to read this list with a mind to identifying which practices could be improved in your business, and to contact us for a free consultation on how to implement these security principles across your business.
Do you know what is happening in your network as it’s happening? In the event of a security incident, are you able to trace the intrusion to its source? With proper logging, you should be notified when undesired events occur, like hard drive failure, power failure, and data exfiltration, and you should be able to trace back an attack or event to its source.
- Assess your environment first, to understand the critical components that need to be monitored, and configure alerts if something goes wrong on one of these systems/assets. Alert only on these, otherwise you will become inundated with alerts, and they simply become unactioned noise.
- Archive all logs for historical and incident response reasons.
- Depending on how busy or large your environment is, you might want to consider logging above informational level to avoid running out of space.
- Keep log names and error codes uniform when performing application logging.
Are your applications and operating systems up to date? Is the updating process automated? By keeping your operating systems and applications up to date, you can reduce around 99% of technical attacks against your network, short of zero-days, which are rare and expensive if purchased.
- Patch both the operating systems and the applications on your systems.
- Have a base image that the computers boot from and keep these images up to date.
- Automate patching.
- Reduce your risk surface by reducing the number of applications in use.
Are there any deterrents to on-site physical attacks, or are your doors wide open? Is your server room safe from a rogue USB device? With the right physical safeguards, you can prevent easy theft of data or business interruptions from an unsophisticated attack.
- Install proper locks on all doors in the building, with features like RFID, security pins, magnetic and mechanical coding, and other extra electronic measures.
- Even better: combine physical locks with other access control measures, such as individual badges, biometric readers, or pin pads.
- Put bars or other physical preventative measures on windows. If this is not possible, install alarms on all windows, especially those on the bottom 2 floors.
- Where possible, augment regular physical security controls using Crime Prevention Through Environmental Design (CPTED) principles.
- Install closed-circuit security cameras facing all access points into the building, as well as along all walls where a window is present.
- Use at least two security guards: at the minimum, one who will monitor camera feeds, and another who will do rounds of the building.
- Doors should have secure hinges that are oriented toward the interior of the building, so that attackers cannot just remove the door hinge to get through the door.
- Ensure that your server rooms and other critical assets are behind an additional layer of security.
Enact a Comprehensive Security Policy
Do your employees know what they may and may not do on your network? Some regulations and compliance standards require this, like PCI-DSS, HIPAA, and the Gramm-Leach-Bliley ACT (GLBA). But a security policy also helps protect the company in case of litigation, as when an employee is fired for browsing inappropriate websites on their work computer or accuses the company of wrongful termination. More broadly, the security policy is also used to align corporate security objectives with high-level business objectives.
- Enact an organizational policy. Examples of issue-specific policies include: acceptable use policy, risk management policy, vulnerability management policy, data protection policy, access control policy, business continuity policy, log aggregation and auditing policy, personnel security policy, physical security policy, secure application development policy, change control policy, email policy, and incident response policy.
- Starts with senior management: determine what needs to be protected, and to what extent.
- Management must understand the regulations, laws, and liability issues it is responsible for complying with regarding security.
- Security policies must indicate what is expected of employees, and what the consequences of noncompliance will be.
- Policy should be easily understood, and used as a reference point for all employees and management.
- Policy should be reviewed on a regular basis and modified as a company changes (merger, new ownership, new business model, etc.), with each iteration dated and under version control — a practice that can also help with compliance and litigation.
- Everyone who is governed by the policy must have easy access to it.
- Follow the compliance standards that are required for your business (PCI-DSS, HIPAA, SOX, etc.). These should provide detailed requirements on implementing security in your organization, which would be a great place to start.
Do your employees know enough to protect your company from phishing or social engineering attacks? Do your developers know how to write secure code? Developers don’t know what they don’t know, and training them on various security vulnerabilities in applications helps them learn to create more secure products. Proactive protection via training is crucial, especially against attacks like social engineering and phishing.
- Ensure that all employees are trained on your company’s security policy when they are first hired.
- Provide regular training programs (computer-based or in-person) to your developers and employees. For a more customized approach, allocate a training budget to employees, and require that they use the budget on approved training material or courses by the end of every fiscal year. Developers should do this at least once every quarter, and other employees at least once per year.
- Choose a training program that has a certification component to it, as it provides additional educational and career incentive to employees and provides further accreditation to your organization.
Security Compass provides both computer-based and instructor-led training with accompanying certification like CSSLP (Certified Secure Software Lifecycle Professional).
Is your security program effective? Is your security policy actually being enforced? The only way to be certain is through regular audits.
- The following are some common audit methods: internal phishing campaign, penetration test/security vulnerability assessment, red team exercises, and checklist method for DRP (disaster recovery plan) and BCP (business continuity plan).
- During your annual (or more frequent) review of your security policy, use the checklist method to ensure that each component is actually in place in your organization.
Security Compass specializes in verification work through penetration testing, vulnerability assessments, red team assessments, phishing campaigns, and more.
Do you limit the use of administrator accounts? Do you track account privileges and access across your enterprise? Limiting privileges as much as possible within your company’s operations requirements prevents unauthorized users from accessing sensitive information. As one telling example, 96% of critical vulnerabilities affecting Windows operating systems could be mitigated by removing admin rights.
- Employees should not have administrator privileges on their work computers.
- Administrator-level accounts should be used sparingly.
- Files and folders should have their permissions set to allow access to required users only.
- Services should use accounts tailored to allowing only the minimum privilege level needed for that service. Database accounts used in applications apply here as well.
- Users and privileges should be tracked and maintained.
Do you have separate corporate and guest networks? Are your production servers on the same network as all your employees? It’s crucial to keep your sensitive systems safely separated from other higher-risk systems.
- Use a different network for guests and for corporate users. Do this on both wired and wireless networks.
- Use a network switch with access control lists (ACLs) and VLANs or similar technology to logically separate the traffic from different systems.
- Enforce network access control (NAC) settings on all ethernet ports and wireless routers, with a whitelist approach that allows only approved MAC addresses to connect to the network through any ports.
- Create and maintain network diagrams. Ensure that your sensitive systems are visibly separately from all other systems, using different networks.
Regular offsite backups
Are your critical assets backed up and stored away from your corporate building? Are backups automated? How frequently are you backing your data up? In order to protect your company’s data in case of disasters, natural or human (ransomware, human error, malicious hacker, etc.), it is important to backup data frequently and keep it in a protected space.
- Test your backups regularly. Try to restore backups at least once per month. (Things can go very badly if you don’t do this.)
- Backup your business-critical data daily, and all other operational data at least once per week. Determine the frequency based on your risk tolerance and threat models.
- Automate your backups.
- Backups should be sent offsite, and remain disconnected when not actively backing data up. This prevents the disastrous effects of ransomware that spreads to connected drives, whether physically connected or over the network.
Client-side security controls
Do you have up-to-date antivirus on all employee computers? Have you implemented host imaging software to regularly restore systems back to a known good state? The most high-risk technical components in an organization are employees’ devices, so it’s important to make it as easy as possible for employees to use their own devices securely.
- Install antivirus software on all employee laptop and desktop computers, and servers. Automatically update the antivirus software daily, and manage all instances from a central location (allows for easy notification of alerts and on-demand scanning of machines).
- Use a known secure image for all employee computers. Update the software and operating system on the image regularly. Have all employee computers reset to the most up-to-date image on startup; having network drives for storage makes this much more realistic for most businesses, as users will not lose saved data every time they restart their computer.
- Ensure a software firewall is configured and running on all employee computers (this will often come included with antivirus software suites).
- Disable PowerShell in Windows environments if it’s not being used for daily end-user operations.
- Encrypt all employee devices using full-disk encryption.
Aaron Hnatiw is a Senior Security Researcher at Security Compass.