Cyber-attacks. We’re all hearing about them, we read about them daily and many of us have experienced them. Every day, they become a starker reality for all businesses and organizations – no matter the industry or size.
Protecting your clients' and your organization's assets is not complicated, but it does take discipline. Start with these security habits:
- Focus On The Right Threats
Take the time to identify your company's top threats, rank them, and concentrate the bulk of your effort on the threats at the top of the list. Most companies don't do this. Instead, they juggle dozens to hundreds of security projects at once, most of which languish unfinished or only ever address minor threats. Ask which is more likely to be compromised: a network device exposed via SNMP, or an unpatched server? Put your effort where the honest answer points.
- Know What You Have
Establish an accurate inventory of your organization’s systems, software, data, and devices. Ask yourself how well your team understands all the programs and processes that are running when company PCs first start up. In a world where every additional program presents another attack surface for hackers, is all that stuff needed?
How many copies of which programs do you have in your environment and what versions are they?
How many mission-critical programs form the backbone of your company, and what dependencies do they have?
You cannot answer those questions, let alone start removing what isn't needed, without an extensive, accurate map of your current IT inventory.
- Run The Latest Versions
The best security shops stay on the latest versions of hardware and software. Yes, every big corporation has old hardware and software hanging around, but most of their inventory consists of the current version or the one immediately before it.
You might think, "Why update for update's sake?" But that's old, insecure thinking. The latest software and hardware come with the latest security features built in, often turned on by default. The biggest weakness of the previous version was most likely fixed in the current one, which leaves the older versions that much juicier for attackers working from known exploits.
- Patch Quickly!
Patch all critical vulnerabilities within a week of the vendor’s patch release. Yet most companies have thousands of unpatched critical vulnerabilities. If your company takes longer than a week to patch, it’s at increased risk of compromise — not only because you’ve left the door open, but because your most secure competitors will have already locked theirs.
To be truly secure, apply your patches and apply them quickly. If you need to, wait a few days to see whether any glitches are reported. But after that short wait, apply, apply, apply. Critics claim that applying patches "too fast" leads to operational issues. Yet the most successfully secure companies tell me they don't see many issues due to patching; many say they have never had a downtime event caused by a patch in their institutional memory.
Personal advice: test before you roll a patch out broadly, because a bad patch can have a huge negative impact in production.
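The two habits above, knowing what you have and patching it within the week, reduce to questions a script can answer: how many copies of which program, at which versions, are in the environment, and which of them sit below a version the vendor has already fixed, for how many days past the one-week window? The Python below is an added example written for this page, not the author's or any vendor's tooling. The hosts, products, versions, advisories and dates are constructed and hypothetical; the seven-day window is the SLA stated above.

```python
"""Inventory summary and patch-SLA check over a constructed software inventory."""
from collections import Counter, defaultdict
from datetime import date

PATCH_SLA_DAYS = 7          # the one-week window from the text
AS_OF = date(2024, 2, 5)    # constructed 'today' so the results are reproducible

# Constructed sample inventory (hypothetical hosts, products and versions).
INVENTORY = [
    {"host": "web-01", "product": "nginx", "version": "1.24.0"},
    {"host": "web-02", "product": "nginx", "version": "1.22.1"},
    {"host": "db-01", "product": "postgresql", "version": "15.3"},
    {"host": "db-02", "product": "postgresql", "version": "15.3"},
    {"host": "app-01", "product": "openssl", "version": "3.0.8"},
    {"host": "app-02", "product": "openssl", "version": "3.0.12"},
    {"host": "app-03", "product": "curl", "version": "8.4.0"},
]

# Constructed vendor advisories (hypothetical; not real CVEs, fixes or release dates).
ADVISORIES = [
    {"product": "nginx", "fixed_in": "1.24.0", "severity": "critical", "released": date(2024, 1, 10)},
    {"product": "postgresql", "fixed_in": "15.4", "severity": "high", "released": date(2024, 1, 20)},
    {"product": "openssl", "fixed_in": "3.0.12", "severity": "critical", "released": date(2024, 1, 25)},
    {"product": "curl", "fixed_in": "8.5.0", "severity": "critical", "released": date(2024, 2, 1)},
]


def parse_version(version):
    """Turn '3.0.12' into (3, 0, 12) so comparison is numeric: '3.0.8' < '3.0.12' holds."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def summarize_inventory(inventory):
    """How many copies of which program, at which versions: {product: {version: count}}."""
    summary = defaultdict(Counter)
    for item in inventory:
        summary[item["product"]][item["version"]] += 1
    return {product: dict(versions) for product, versions in summary.items()}


def unpatched(inventory, advisories, today, severities=("critical",)):
    """Installs still below an advisory's fixed version, most overdue first.

    days_overdue is negative while the install is still inside the patch window.
    """
    findings = []
    for adv in advisories:
        if adv["severity"] not in severities:
            continue
        fixed = parse_version(adv["fixed_in"])
        days_since_release = (today - adv["released"]).days
        for item in inventory:
            if item["product"] == adv["product"] and parse_version(item["version"]) < fixed:
                findings.append({
                    "host": item["host"],
                    "product": item["product"],
                    "installed": item["version"],
                    "fixed_in": adv["fixed_in"],
                    "severity": adv["severity"],
                    "days_overdue": days_since_release - PATCH_SLA_DAYS,
                })
    findings.sort(key=lambda f: f["days_overdue"], reverse=True)
    return findings


def overdue(inventory, advisories, today, severities=("critical",)):
    """Only the installs that have already blown the one-week SLA."""
    return [f for f in unpatched(inventory, advisories, today, severities) if f["days_overdue"] > 0]


if __name__ == "__main__":
    for product, versions in sorted(summarize_inventory(INVENTORY).items()):
        print(f"{product}: {versions}")
    for f in overdue(INVENTORY, ADVISORIES, AS_OF):
        print(f"OVERDUE {f['host']} {f['product']} {f['installed']} -> {f['fixed_in']} "
              f"({f['days_overdue']} days past SLA)")
```

Run against the constructed data, the summary shows two nginx versions and two identical postgresql installs, and the SLA check flags web-02 (19 days past the window) and app-01 (4 days past) while app-03 still has three days left. Widening `severities` to include "high" pulls in both database servers, which is the knob most teams argue about; the inventory map is what makes the argument concrete.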
- Educate Your Users!
Education is paramount. Unfortunately, most companies view user education as a great place to cut costs, or if they educate, their training is woefully out of date, filled with scenarios that no longer apply or are focused on rare attacks.
Good user education focuses on the threats the company is currently facing or is most likely to face. Security staff also need up-to-date training. This should happen every year, either by bringing the training to them or by sending them to external training and conferences.
- Use Least-Privilege Access Control
"Least privilege" is a security maxim: give each user, process or system only the permissions it needs to do its essential task, and nothing more.
Most security domains and access control lists are full of overly open permissions and very little auditing. The access control lists grow to the point of being meaningless, and no one wants to talk about it because it’s become part of the company culture. Access controls, firewalls, trusts — the most secure companies always deploy least-privilege permissions everywhere. The best have automated processes that ask the resource’s owner to re-verify permissions and access on a periodic basis.
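The periodic re-verification described above is easy to automate once the access control lists are exported: every grant whose last certification is older than the policy allows becomes a work item for the resource owner, and grants to catch-all principals are surfaced separately because they are the ones that make an ACL "meaningless". The Python below is an added example for this page, not a product's or the author's code; the shares, groups, owners, dates and the 90-day certification period are constructed assumptions.

```python
"""Periodic access recertification over a constructed ACL export."""
from collections import defaultdict
from datetime import date

RECERT_EVERY_DAYS = 90       # hypothetical policy: owners re-verify every grant quarterly
AS_OF = date(2024, 2, 5)     # constructed review date
# Principals that mean "everybody"; any grant to them deserves a second look.
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}
WRITE_RIGHTS = {"modify", "full", "admin"}

# Constructed ACL export (hypothetical shares, groups and owners).
ACL = [
    {"resource": r"\\fs01\finance", "principal": "Finance-RW", "rights": "modify",
     "owner": "cfo", "last_certified": date(2024, 1, 15)},
    {"resource": r"\\fs01\finance", "principal": "Everyone", "rights": "modify",
     "owner": "cfo", "last_certified": date(2023, 6, 1)},
    {"resource": r"\\fs01\hr", "principal": "HR-Staff", "rights": "read",
     "owner": "hr-lead", "last_certified": date(2023, 9, 30)},
    {"resource": r"\\fs01\public", "principal": "Authenticated Users", "rights": "read",
     "owner": "it-ops", "last_certified": date(2024, 1, 20)},
    {"resource": "app-db", "principal": "svc-report", "rights": "admin",
     "owner": "dba", "last_certified": date(2023, 10, 1)},
]


def days_since_certified(entry, today):
    return (today - entry["last_certified"]).days


def stale_entries(acl, today, max_age=RECERT_EVERY_DAYS):
    """Grants nobody has vouched for inside the certification period."""
    return [e for e in acl if days_since_certified(e, today) > max_age]


def broad_grants(acl):
    """Every grant to a catch-all principal, read-only ones included."""
    return [e for e in acl if e["principal"] in BROAD_PRINCIPALS]


def broad_write_grants(acl):
    """The worst case: a catch-all principal that can change or administer the resource."""
    return [e for e in broad_grants(acl) if e["rights"] in WRITE_RIGHTS]


def recert_requests(acl, today):
    """One work item per owner listing the grants they must re-verify or revoke."""
    by_owner = defaultdict(list)
    for e in stale_entries(acl, today):
        by_owner[e["owner"]].append(f'{e["resource"]}: {e["principal"]} ({e["rights"]})')
    return dict(by_owner)


if __name__ == "__main__":
    for owner, items in recert_requests(ACL, AS_OF).items():
        print(f"{owner} must re-verify:")
        for item in items:
            print(f"  {item}")
    for e in broad_write_grants(ACL):
        print(f"BROAD WRITE: {e['resource']} -> {e['principal']} ({e['rights']})")
```

On the constructed data, three grants are stale and go back to three different owners, and the finance share's `Everyone: modify` entry is both stale and a broad write grant, which is exactly the kind of line that quietly accumulates when nobody is asked to re-confirm it. The read-only `Authenticated Users` grant is reported by `broad_grants` but not by `broad_write_grants`; whether that is acceptable depends on what lives on the share, which is why the owner, not the script, makes the final call.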
- Minimize The Use Of Admin
Attackers always seek control of high-privileged admin accounts. Once they control a root, domain admin or enterprise admin account, it's game over. Most companies are bad at keeping attackers away from these credentials.
In response, highly secure companies are going "zero admin", doing away with these accounts on the premise that if the admin team doesn't hold super accounts, or rarely uses them, they are far less likely to be stolen and easier to detect and stop when they are. Here, credential hygiene is key. That means keeping as few permanent super-admin accounts as possible, with a goal of zero or as near to zero as you can get. Any permanent super-admin account that remains should be closely tracked, audited, and confined to a few predefined systems.
- Implement Smart Monitoring Practices And Timely Response
The vast majority of intrusions are actually captured in event logs that no one looks at until after the fact, if ever. The most secure companies monitor aggressively and pervasively for specific anomalies, set up alerts on them, and respond. In most environments, event logging, once enabled, generates hundreds of thousands to millions of events a day. Not every event is an alert, but a poorly tuned environment turns hundreds to thousands of events into potential alerts, so many that they become noise everyone ignores.
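Two of the "specific anomalies" from the last two sections can be shown end to end on a handful of log lines: a permanent admin account used anywhere outside its predefined hosts, which is an alert on its own, and a burst of failed logons, which is only an alert once it crosses a threshold inside a time window and is then reported once per source rather than once per event. The Python below is an added example for this page, not the author's detection content or any SIEM's rule language. The log format, the `da-admin` account and its allowed hosts, the host names and the threshold and window are constructed assumptions.

```python
"""Two detections over constructed logon events: admin use outside its allowed hosts,
and failed-logon bursts collapsed into one alert per source instead of one per event."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical policy: each permanent super-admin account and the only hosts it may log on to.
ADMIN_ALLOWED_HOSTS = {
    "da-admin": {"paw-01", "paw-02"},  # privileged access workstations
}
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=2)

# Constructed log lines in a simple key=value format (not taken from any real system).
SAMPLE_LOG = """\
2024-02-05T09:00:01Z host=paw-01 user=da-admin event=logon_success
2024-02-05T09:05:12Z host=web-01 user=da-admin event=logon_success
2024-02-05T09:10:00Z host=web-02 user=svc-backup event=logon_failure
2024-02-05T09:10:10Z host=web-02 user=svc-backup event=logon_failure
2024-02-05T09:10:20Z host=web-02 user=svc-backup event=logon_failure
2024-02-05T09:10:30Z host=web-02 user=svc-backup event=logon_failure
2024-02-05T09:10:40Z host=web-02 user=svc-backup event=logon_failure
2024-02-05T09:10:50Z host=web-02 user=svc-backup event=logon_failure
2024-02-05T09:12:00Z host=app-01 user=alice event=logon_failure
2024-02-05T09:16:00Z host=app-01 user=alice event=logon_failure
2024-02-05T09:20:00Z host=app-01 user=alice event=logon_failure
2024-02-05T09:21:00Z host=app-01 user=alice event=logon_success
2024-02-05T09:30:00Z host=web-02 user=bob event=logon_failure
2024-02-05T09:31:00Z host=web-02 user=bob event=logon_success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$")


def parse_log(text):
    """Parse lines into dicts; lines that do not match the format are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def admin_out_of_bounds(events, allowed=ADMIN_ALLOWED_HOSTS):
    """Any use of a tracked admin account on a host outside its predefined set is an alert by itself."""
    return [
        {"rule": "admin_outside_allowed_hosts", "user": e["user"], "host": e["host"], "ts": e["ts"].isoformat()}
        for e in events
        if e["user"] in allowed and e["host"] not in allowed[e["user"]]
    ]


def failure_bursts(events, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """One alert per (user, host) whose failures ever reach `threshold` inside `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "logon_failure":
            failures[(e["user"], e["host"])].append(e["ts"])
    alerts = []
    for (user, host), times in failures.items():
        times.sort()
        peak, start = 0, 0
        for i, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            peak = max(peak, i - start + 1)    # failures inside the window ending at t
        if peak >= threshold:
            alerts.append({"rule": "logon_failure_burst", "user": user, "host": host,
                           "count": peak, "first": times[0].isoformat(), "last": times[-1].isoformat()})
    return alerts


def run_detections(text):
    events = parse_log(text)
    return admin_out_of_bounds(events) + failure_bursts(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
```

Fourteen events become two alerts: `da-admin` logging on to web-01, and six failures for `svc-backup` on web-02 inside fifty seconds reported as a single burst. Alice's three failures spread over eight minutes never put more than one inside the two-minute window, and Bob's single failure followed by success is normal life. Dropping the threshold to 1 turns the same log into three failure alerts, one of them for Bob, which is the noise the paragraph above warns about; tuning the threshold and window per environment is what separates an alert someone acts on from one everyone ignores.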