Businesses need to be more secure than ever. Threats become more common and complex every day, and countermeasures continually evolve, making it difficult to know how to jumpstart a solid information security program.
To help, we have distilled the most critical measures into eight security principles that every business should follow.
1. Logging
Do you know what is happening in your network as it happens? In the event of a security incident, can you trace the intrusion back to its source? With proper logging and alerting, you are notified when undesired events occur. Whether it is a hard drive failure, a power failure, or data exfiltration, logs allow you to trace an attack or event to its source.
- Understand the critical components that need to be monitored and configure corresponding alerts.
- Archive all logs for historical and incident response reasons.
- Consider logging only at the warning level and above, rather than at the informational level, so that log storage does not fill up.
- Keep log names and error codes uniform when performing application logging.
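The four logging measures above, as one added example (not code from the original article): a fixed catalogue of event names and error codes, a rotating log file that keeps an archive, a WARNING threshold so informational noise is never written, and an alert check that scans the archived records for the critical events. The event names, codes, hosts and messages are constructed for illustration.

```python
import json
import logging
import logging.handlers
import tempfile
import time
from pathlib import Path

# Uniform event catalogue (constructed for this example): every log line carries
# one of these names and its fixed code, so alert rules match a schema, not free text.
EVENT_CODES = {
    "AUTH_FAILURE": "E1001",
    "DISK_FAILURE": "E2001",
    "POWER_FAILURE": "E2002",
    "BULK_EXPORT": "E3001",   # large copy to removable media or outside the network
}

def make_logger(log_path, level=logging.WARNING):
    """Rotating files keep an archive; logging at WARNING and above saves space."""
    logger = logging.getLogger(f"app:{log_path}")
    logger.setLevel(level)
    logger.handlers.clear()
    handler = logging.handlers.RotatingFileHandler(
        log_path, maxBytes=1_000_000, backupCount=30)
    handler.setFormatter(logging.Formatter("%(message)s"))
    logger.addHandler(handler)
    return logger

def emit(logger, level, event, host, msg):
    """Write one JSON record per line; unknown event names are rejected."""
    if event not in EVENT_CODES:
        raise ValueError(f"unknown event {event!r}; add it to EVENT_CODES first")
    record = {"ts": time.time(), "level": logging.getLevelName(level), "host": host,
              "event": event, "code": EVENT_CODES[event], "msg": msg}
    logger.log(level, json.dumps(record))

def alerts(log_path, watch=("DISK_FAILURE", "POWER_FAILURE", "BULK_EXPORT")):
    # Return (host, code) for every archived record that matches a critical event.
    hits = []
    for line in Path(log_path).read_text().splitlines():
        rec = json.loads(line)
        if rec["event"] in watch:
            hits.append((rec["host"], rec["code"]))
    return hits

def demo():
    path = Path(tempfile.mkdtemp()) / "app.log"
    log = make_logger(str(path))
    emit(log, logging.INFO, "AUTH_FAILURE", "ws-12", "bad password")   # dropped: below WARNING
    emit(log, logging.ERROR, "DISK_FAILURE", "db-01", "reallocated sectors rising")
    emit(log, logging.CRITICAL, "BULK_EXPORT", "fs-02", "4 GB copied to USB drive")
    return alerts(path)
```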
2. Patch management
Are your applications and operating systems up to date? Is the updating process automated? By keeping your operating systems and applications up to date, you can reduce about 99 percent of technical attacks against your network, short of zero days, which are rare and expensive if purchased.
- Automate patching for the operating systems and applications on your systems.
- Have a base image that computers boot from, and keep the images up to date.
- Reduce your risk surface by reducing the number of applications in use.
3. Physical security
Are there any deterrents to on-site physical attacks, or are your doors wide open? Is your server room safe from a rogue USB device? With the right physical safeguards, you can prevent easy theft of data or business interruptions from an unsophisticated attack.
- Combine door locks with other access control measures (badges, biometric readers, pin pads) and physical deterrents or alarms on windows.
- Where possible, augment regular physical security controls using Crime Prevention Through Environmental Design (CPTED) principles.
- Install closed-circuit security cameras facing all access points into the building, including windows.
- Doors should have secure hinges oriented toward the interior of the building.
- Protect server rooms and other critical assets behind an additional layer of security.
4. Security culture
Do your employees understand and support your security and privacy policies? The attitudes and behaviors of everyone in your organization shape your security culture. And a positive culture of security is fundamental to the protection of your applications and systems, and the data they store.
- Provide security training for new hires and for all employees at regular intervals.
- Ensure policies are reasonable and accessible.
- Periodically test the effectiveness of policies and training with internal phishing campaigns and other audits.
- Ensure systems and policies are up to date as regulations develop and change.
5. Principle of Least Privilege
Limiting account privileges as far as your company's operational requirements allow prevents unauthorized users from accessing sensitive information. According to the 2021 Data Breach Investigations Report (DBIR), 92 percent of all breaches were the result of privilege misuse.
- Administrator-level accounts should be used sparingly.
- Files and folders should have their permissions set to allow access to required users only.
- Services and databases should use accounts tailored to allow only the minimum privilege level needed.
- A list of users and their privileges should be tracked and maintained.
6. Network segregation
Do you have separate corporate and guest networks? Are your production servers on the same network as all your employees? It is crucial to keep your sensitive systems safely separated from other higher-risk systems.
- Use a different network for guests and corporate users.
- Use a network switch with access control lists (ACL) and VLANs or similar technology to logically separate traffic from different systems.
- Enforce network access control (NAC) settings on all ethernet ports and wireless routers, and allow only approved MAC addresses to connect to the network.
- Create and maintain network diagrams.
7. Off-site backups
Are your critical assets backed up and stored away from your corporate building? How frequently are your automated backups created? In order to protect your company’s data in the event of a disaster - natural or otherwise - it is important to back up data frequently and keep it in a protected space.
- Test your backups regularly and attempt a restore at least once per month.
- Back up your business-critical data daily, and all other operational data at least once per week (determine based on your risk tolerance and threat models).
- Send backups off-site and keep them disconnected from the network except while a backup is running, so that ransomware cannot spread to them.
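The "test your backups and attempt a restore" measure above, as an added example that is not part of the original article: a backup is written with a per-file SHA-256 manifest, restored into a scratch directory, and every restored file is checked against the manifest, so a damaged or incomplete copy is reported instead of being discovered on the day of the disaster. Directory names and file contents are constructed for illustration.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def make_backup(src, offsite):
    """Archive src into offsite/backup.tar.gz and record a SHA-256 per file."""
    manifest = {str(p.relative_to(src)): sha256(p)
                for p in sorted(src.rglob("*")) if p.is_file()}
    with tarfile.open(offsite / "backup.tar.gz", "w:gz") as tar:
        tar.add(src, arcname="data")
    (offsite / "manifest.json").write_text(json.dumps(manifest, indent=1))

def restore(offsite, scratch):
    """Unpack the archive into scratch, refusing members that would escape it."""
    with tarfile.open(offsite / "backup.tar.gz") as tar:
        for m in tar.getmembers():
            if m.name.startswith("/") or ".." in Path(m.name).parts:
                raise ValueError(f"unsafe path in archive: {m.name}")
        tar.extractall(scratch)
    return scratch / "data"

def verify(restored, offsite):
    """Compare each restored file with the manifest; [] means the restore is good."""
    manifest = json.loads((offsite / "manifest.json").read_text())
    problems = []
    for rel, digest in manifest.items():
        f = restored / rel
        if not f.is_file():
            problems.append(f"missing: {rel}")
        elif sha256(f) != digest:
            problems.append(f"corrupt: {rel}")
    return problems

def demo():
    root = Path(tempfile.mkdtemp())
    src, offsite, scratch = root / "src", root / "offsite", root / "scratch"
    (src / "db").mkdir(parents=True); offsite.mkdir(); scratch.mkdir()
    (src / "db" / "customers.csv").write_text("id,name\n1,Example Ltd\n")  # constructed
    (src / "notes.txt").write_text("quarterly plan\n")                    # constructed
    make_backup(src, offsite)
    restored = restore(offsite, scratch)
    first = verify(restored, offsite)             # clean restore: []
    (restored / "notes.txt").write_bytes(b"")     # simulate a damaged restored file
    second = verify(restored, offsite)            # must report it
    return first, second
```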
8. Client-side security controls
Do you have up-to-date antivirus on all employee computers? Have you implemented host imaging software to regularly restore systems to a known good state? The highest-risk technical components in an organization are employees' devices, so it is important to make it as easy as possible for employees to use their devices securely.
- Antivirus software on all employee computers and servers should automatically update every day.
- Use a known secure image for all employee computers.
- Ensure a firewall is configured and running on all employee computers.
- Disable PowerShell in Windows environments if it is not being used for daily end-user operations.
- Employ full-disk encryption on all employee devices.
While not an exhaustive list, these principles represent the most important bases to cover when you build a security program or assess the basic health and comprehensiveness of your existing program.