June 1, 2018 - Your Business' IT Security Sanity Check, Part I of III
During the last 12-18 months, the world has seen an exceptional and rapidly accelerating change in the Information Security threat landscape. Persistent and targeted attacks on business data assets continue to rise at rates never seen before. The use of social engineering and spear-phishing as tactical means of compromising critical business assets affects companies large and small alike. Threat actors do not discriminate and seek opportunities everywhere, whether to exploit data for financial gain or to use compromised resources to launch additional attacks.
While the threats are ever increasing and everyone is a target, the basic best practices to secure your business data assets have largely remained the same. That is, threat actors still use the same easy methods to exploit vulnerabilities that they have been using for decades. For example, three of the top exploitation methods are email phishing, weak passwords, and software vulnerabilities. In the past, Java and Flash vulnerabilities topped the list of applications exploited by criminals. Today, approximately 70% of the top application vulnerability exploits are in Microsoft Office software. This is one example of why it is critical to keep your applications up to date, which is an often overlooked matter in security.
Because both the threats and the most effective countermeasures have in large part remained the same, I advise you to review and improve your fundamental security controls on a regular basis. It is critical to enhance the controls already in place to deal with the more sophisticated and evolving attacks we are seeing today.
Therefore we are offering organizations this Sanity Check series on IT Security fundamentals. We are doing so in three parts, to break it up into bite-size chunks of security considerations you can use to update your standards, policies, controls and procedures.
So, in Part I of III in this article series, here are 6 ways we suggest you address critical and fundamental security in your organization today:
1. Review your security controls and practices with your CISO, CISM, DPO, CTO or CIO. Ensure you strengthen standards and policies and implement new controls and procedures for your IT Team to enforce.
2. Implement multi-factor authentication across all of your network access points, applications and credentials. Multi-factor authentication is one of the most cost-effective and easiest to implement security controls and threat mitigators available to protect your business assets. Compared with the exceptionally sophisticated approaches to security, this is one of the most basic and fundamental controls that organizations should have standardized on today.
3. Provide Security Awareness Training to your staff. Educating users helps them act as your eyes and ears and practice good IT hygiene. Studies have shown that, inevitably, some users do fall for phishing and social-engineering attacks, whether they have been trained or not. Training still has value, however: users gain understanding, incidents are mitigated and responded to faster, and IT Security professionals receive the relevant information they need to improve incident prevention and response.
4. Refresh and fortify your existing security controls. Upgrade your networking, authentication, DNS, firewalls and endpoint security software, patch your systems, and upgrade your applications to the latest release. Many of the basic security measures that protect your organization have not changed, but complacency often sets in, and that is dangerous. Further still, the basics are often overlooked while complex solutions are pursued for simple problems. So continue to review, improve and update your security controls and security posture to maintain good security standards.
5. Passwords. Frankly, passwords alone are just not enough in today’s world, regardless of how complex they are. Even so, they are necessary, so make sure they have some basic complexity and uniqueness, and do not reuse the same password across multiple applications or web services. Studies have shown that something relatively short yet unique and difficult to guess is still very good. Combine that with properly architected and implemented multi-factor authentication systems, and your access controls will be above average and meet some of today’s basic authentication security standards. Data shows that 5-10 billion stolen passwords are available in databases on the dark web for hackers to use to launch attacks. So, make sure you have a unique password for each service or application, and do not reuse passwords you have used in the past. Ensure they are a minimum of 8 characters and contain numbers, upper case and lower case letters.
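The password rules stated in this item, turned into a checker, as an added example that is not part of APM's original article. It enforces the minimum length and character classes above and also rejects a password whose hash matches one the account used before or one found in a stolen-password list; the breach list embedded here is a constructed stand-in, and the function and field names are my own.

```python
import hashlib
import re

# Policy from the article: at least 8 characters with upper case, lower case and digits.
MIN_LENGTH = 8


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 digest, the form commonly used by breached-password corpora."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample: a tiny stand-in for the billions of stolen passwords the article
# mentions. A real deployment would query a breach corpus rather than embed one.
KNOWN_BREACHED_SHA1 = frozenset(
    sha1_hex(p) for p in ("Password1", "Welcome123", "Summer2018")
)


def check_password(password, previous_hashes=frozenset(), breached_hashes=KNOWN_BREACHED_SHA1):
    """Return the list of policy violations; an empty list means the password is acceptable.

    previous_hashes: SHA-1 hashes of passwords this account used before (reuse check);
                     keeping only hashes avoids storing old passwords in clear text.
    breached_hashes: SHA-1 hashes of passwords known to be exposed in stolen-credential dumps.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short: fewer than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("missing an upper case letter")
    if not re.search(r"[a-z]", password):
        problems.append("missing a lower case letter")
    if not re.search(r"[0-9]", password):
        problems.append("missing a digit")
    digest = sha1_hex(password)
    if digest in previous_hashes:
        problems.append("reused: matches a password this account has used before")
    if digest in breached_hashes:
        problems.append("breached: appears in a known stolen-password list")
    return problems


if __name__ == "__main__":
    for candidate in ("Password1", "short", "Tr0ub4dor&Horse"):
        result = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

Note that "Password1" satisfies every complexity rule yet is rejected, which is the point of the article's warning about stolen-password databases.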
6. Ensure you have effective Data Protection and recovery systems. Your data needs to be backed up and quickly recoverable, securely and reliably. The city of Atlanta was attacked just a couple of months ago, and it did not have a proper data protection system in place. To this day, it still has not fully recovered from a crypto virus (ransomware) that attacked its network and destroyed the majority of its critical data and operations. Many compromises in the past 12-18 months have included massive data destruction, so now more than ever, proper systems recovery capabilities are absolutely essential.
Starting with these 6 basic principles will get your organization on the right track. Work with APM Systems to review and implement these basic principles, or do them on your own. We have many more recommendations to share in Parts II and III of this IT Security Sanity Check. But whatever you do, do not bury your head in the sand hoping there is nothing threatening your business data and operations. It takes work to stay ahead of the bad guys.
Stay forever vigilant. Yours truly,
APM Featured Security Partners of the Month Series:
At APM we rely on dozens of Security vendors and manufacturers to fulfill the services we provide to our customers on a daily basis. Every month we feature a selected Security Partner to help educate our audience on principles and key technologies that help organizations make better decisions and implement stronger security controls to protect their data assets. Our latest featured Partner:
Partner of the Month - Thycotic Security