12 Actions to Improve Security Readiness
Security is a huge issue for all companies. Based on various research studies, organizations spend billions of dollars on digital security globally every year, and the cost of an attack averages $8m+ per breach for mid-to-large enterprise companies in the U.S. So how do you guard the kingdom?
There are several effective actions that can be taken. Here are the top 12 actions that all companies should take to improve their security readiness:
1. Server & Endpoint Maintenance
Patch management is vital to remediating identified vulnerabilities and should be done on a monthly cycle for normal updates, and immediately for critical updates. Endpoints, such as servers and PCs, that can’t be patched should be protected with additional security controls or removed from the corporate network. IT departments should replace end-of-life systems whenever possible and test patches before applying them to production systems.
2. Firewall Management
Properly configured firewalls provide the first and most important layer of defense for your enterprise. Follow the “minimum necessary” rule by limiting inbound and outbound traffic to the smallest number of protocols and destinations. Incorporate change management for all firewall rules, check firewall rules regularly to ensure that they are still needed, remove unused or overlapping firewall rules, and eliminate or minimize “any-to-any” rules. IT departments should scan for open ports and should only open specific ports for specific purposes, such as outbound HTTP, HTTPS, DNS, FTP and SFTP.
3. Network Management
Understand what is connected to your network and what security controls each device has or lacks (think IoT devices). All devices connected to the network must run the enterprise security tooling deployed by your IT department to keep risk as low as possible. Keep your networks segmented and limit the number of administrator accounts. All companies should update SNMP to the most secure version supported by their devices and change SNMP community strings to enhance router/switch security. Encourage use of TACACS or similar technology to authenticate all access to routers and switches, and change the default administrator accounts.
4. Active Directory (AD) Account Roles & Access Rights
Regulating which systems and shared folders users have access to limits their potential to infect system-wide infrastructure. Minimize the number of administrative or enhanced-access accounts and remove access rights as people change roles. Review access rights, especially enhanced user access, at least on an annual basis. Rename the Admin accounts, as “Administrator” is one of the most commonly targeted account names.
5. Data Backups
Stratify your data so that you understand and protect your most critical data first. Effective backups must be full or synthetic full backups, with as many incremental backups as necessary to hit your RPO (recovery point objective). Your critical backups must be segmented from the rest of your network in a meaningful way; otherwise they too may get corrupted. Some common practices, besides offline backups, are:
- Keep an offline copy of the backup using a VPN connection.
- Use immutable backup storage.
- Set the Backup Drive as Read-Only (Write Protected).
- Use anti-malware apps; such an app may be able to detect a ransomware attack in progress and stop it before it can do extensive damage.
- Use the secure-copy mechanisms offered by certain vendors (e.g. Pure Storage), which take ransomware-proof snapshots of protected backup data and backup metadata that can’t be eradicated, modified or encrypted, even with admin credentials.
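Why the full/incremental structure and the integrity of every link in the chain matter for RPO is easier to see with numbers. The following is an added example (not from the original post or any backup product) that walks a constructed backup catalog, works out which restore points are actually restorable, and compares the worst-case data loss against a 6-hour RPO; the catalog, timestamps and the 6-hour RPO are assumptions.

```python
from datetime import datetime, timedelta

# Constructed backup catalog, not from the page: a weekly full plus 6-hourly
# incrementals, with one incremental that failed its integrity check.
# Each entry is (kind, timestamp, intact).
CATALOG = [
    ("full", "2024-03-03T01:00", True),
    ("incr", "2024-03-03T07:00", True),
    ("incr", "2024-03-03T13:00", True),
    ("incr", "2024-03-03T19:00", False),   # corrupt, or encrypted by an attacker
    ("incr", "2024-03-04T01:00", True),    # intact, but its chain is broken
    ("incr", "2024-03-04T07:00", True),
    ("full", "2024-03-04T13:00", True),    # synthetic full starts a new chain
    ("incr", "2024-03-04T19:00", True),
]

def restorable_points(catalog):
    """A full restores on its own; an incremental needs its full and every
    incremental since that full to be intact."""
    points, chain_ok = [], False
    for kind, ts, intact in catalog:
        chain_ok = intact if kind == "full" else (chain_ok and intact)
        if chain_ok:
            points.append(datetime.fromisoformat(ts))
    return points

def check_rpo(catalog, now, rpo=timedelta(hours=6)):
    """Worst-case data loss is the largest gap between consecutive restorable
    points, including the gap from the newest point up to `now`."""
    points = restorable_points(catalog)
    if not points:
        return {"restorable": 0, "worst_loss": None, "meets_rpo": False, "violations": []}
    gaps = [(a, b, b - a) for a, b in zip(points, points[1:] + [now])]
    violations = [(a, b) for a, b, g in gaps if g > rpo]
    worst = max(g for _, _, g in gaps)
    return {"restorable": len(points), "worst_loss": worst,
            "meets_rpo": worst <= rpo, "violations": violations}

if __name__ == "__main__":
    print(check_rpo(CATALOG, datetime(2024, 3, 5, 0, 0)))
```

One corrupted incremental turns a 6-hour RPO into a 24-hour data loss window, which is the case for keeping a segmented or immutable copy that the attacker cannot reach.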
6. AV or NextGen AV Software
Ensure that antivirus/antimalware software is installed and current. We highly recommend installing NextGen AV solutions that include ad-blocker and script-blocker software (ex: Cylance). Once installed, use it first to scan networked devices and identify all legitimate applications, then configure it to block the installation of any additional applications. Finally, you can install software to block Java and Flash applications, whitelisting only the sites you deem appropriate and safe.
7. SIEM Software
SIEM software combines security information management (SIM) and security event management (SEM) to provide real-time analysis of security alerts generated by applications and network hardware.
Ensure you have robust intrusion prevention and detection systems to identify traffic anomalies that might suggest a breach. Such logs must be analyzed and acted upon, either by internal security engineers or by a managed service.
8. Email Security
Implement full content scanning and email filtering to eliminate most phishing and ransomware scams before they can reach staff. Configure your email system to flag emails that originate outside the organization’s network.
9. Staff Security Training
People are the weakest link in protection against ransomware attacks. Provide annual training and periodic testing so staff know what suspicious activity looks like, and test them regularly to encourage diligence. Clicking on a link in an email is one of the most common distribution methods for malware infections, but brute force and RDP attacks are very common as well. Encourage staff to use VPNs when on public wi-fi and deploy multi-factor authentication (ex: Duo Mobile) for remote access and critical systems.
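The SIEM analysis in tip 7 and the brute-force/RDP attacks mentioned in tip 9 meet in a detection rule. The following is an added example (not from the original post or any SIEM product) that runs a windowed failed-logon rule over constructed logon events: it alerts when one source racks up a threshold of failures within a short window, and alerts again if that same source then logs on successfully, which is the event worth escalating. The log format, threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed logon events, not from the page. A real SIEM would ingest Windows
# 4625/4624 events or RDP gateway syslog; the fields below mirror that content.
LOG = """\
2024-03-04T08:00:01 host=ts01 event=logon_failed user=administrator src=198.51.100.7 proto=rdp
2024-03-04T08:00:03 host=ts01 event=logon_failed user=admin src=198.51.100.7 proto=rdp
2024-03-04T08:00:05 host=ts01 event=logon_failed user=backup src=198.51.100.7 proto=rdp
2024-03-04T08:00:08 host=ts01 event=logon_failed user=svc_sql src=198.51.100.7 proto=rdp
2024-03-04T08:00:10 host=ts01 event=logon_failed user=jsmith src=198.51.100.7 proto=rdp
2024-03-04T08:00:12 host=ts01 event=logon_success user=jsmith src=198.51.100.7 proto=rdp
2024-03-04T08:03:00 host=ts01 event=logon_failed user=mlee src=10.0.5.20 proto=rdp
2024-03-04T08:03:30 host=ts01 event=logon_success user=mlee src=10.0.5.20 proto=rdp
"""
LINE = re.compile(r"(\S+) host=(\S+) event=(\S+) user=(\S+) src=(\S+) proto=(\S+)")

def parse(text):
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts, host, event, user, src, proto = m.groups()
            yield datetime.fromisoformat(ts), host, event, user, src, proto

def detect(text, threshold=5, window=timedelta(minutes=2)):
    """Alert on `threshold` failures from one source inside `window`, and again
    if that source then logs on successfully (a possible compromise)."""
    alerts, flagged = [], set()
    recent = defaultdict(deque)          # src -> (timestamp, user) of recent failures
    for ts, host, event, user, src, proto in parse(text):
        q = recent[src]
        while q and ts - q[0][0] > window:   # drop failures outside the window
            q.popleft()
        if event == "logon_failed":
            q.append((ts, user))
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                users = len({u for _, u in q})
                alerts.append(f"{ts.isoformat()} brute force: {len(q)} failures from {src} "
                              f"against {host} over {proto} ({users} distinct users)")
        elif event == "logon_success" and src in flagged:
            alerts.append(f"{ts.isoformat()} success after brute force: {user}@{host} "
                          f"from {src}; treat as possible compromise")
    return alerts

if __name__ == "__main__":
    print("\n".join(detect(LOG)))
```

The distinct-user count in the alert separates a password spray across many accounts from repeated guesses at one account; the single failure from 10.0.5.20 followed by a success is an ordinary typo and produces nothing.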
10. Password Management
Require default passwords to be reset on initial login and then require regular updates at least every 90 days. Consider using a password manager, especially for privileged or administrator accounts, and implement privileged access management solutions for service accounts to avoid having to change them manually. Review domain account lockout policies using your group policy object (GPO), potentially including USB access restrictions, and require encryption if necessary.
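Tips 4 and 10 together describe an access review: default admin names, privileged rights that survived a role change, stale annual reviews, and 90-day password age. The following is an added example (not from the original post, and not an AD API) that applies those checks to a constructed account export; in practice the records would come from a directory query, and the account names, dates and group names here are assumptions.

```python
from datetime import date, timedelta

# Constructed account export, not from the page; in practice this comes from an
# AD query rather than a literal.
TODAY = date(2024, 3, 4)
MAX_PASSWORD_AGE = timedelta(days=90)       # tip 10: rotate at least every 90 days
REVIEW_INTERVAL = timedelta(days=365)       # tip 4: review at least annually
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
DEFAULT_ADMIN_NAMES = {"administrator", "admin"}

def account(sam, groups, role_changed, access_granted, pwd_set, last_review, enabled=True):
    return {"sam": sam, "groups": set(groups), "role_changed": role_changed,
            "access_granted": access_granted, "pwd_set": pwd_set,
            "last_review": last_review, "enabled": enabled}

ACCOUNTS = [
    account("Administrator", {"Domain Admins"}, date(2019, 1, 1), date(2019, 1, 1),
            date(2023, 6, 1), date(2023, 2, 1)),
    account("jsmith", {"Domain Admins", "Finance"}, date(2024, 1, 15), date(2022, 5, 1),
            date(2024, 2, 1), date(2023, 9, 1)),   # moved to Finance, kept admin rights
    account("mlee", {"Staff"}, date(2021, 3, 1), date(2021, 3, 1),
            date(2024, 1, 10), date(2023, 9, 1)),
]

def review(acct, today=TODAY):
    """Return the policy findings for one account (empty list means compliant)."""
    findings = []
    priv = acct["groups"] & PRIVILEGED
    if acct["enabled"] and acct["sam"].lower() in DEFAULT_ADMIN_NAMES:
        findings.append("default admin name still in use: rename")
    if priv and acct["role_changed"] > acct["access_granted"]:
        findings.append(f"privileged membership {sorted(priv)} predates role change "
                        f"on {acct['role_changed']}: re-approve or remove")
    pwd_age = today - acct["pwd_set"]
    if pwd_age > MAX_PASSWORD_AGE:
        findings.append(f"password age {pwd_age.days} days exceeds 90")
    if priv and today - acct["last_review"] > REVIEW_INTERVAL:
        findings.append("privileged access not reviewed in the last year")
    return findings

def review_all(accounts, today=TODAY):
    """Map each non-compliant account name to its findings."""
    results = {}
    for a in accounts:
        findings = review(a, today)
        if findings:
            results[a["sam"]] = findings
    return results
```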
11. Business Continuity and Disaster Recovery Plans & Tests
Business Continuity (BC) and Disaster Recovery (DR) planning is a practice that prepares you to minimize the effects of significant service-impacting events. It involves designing and creating policies and procedures that ensure that essential business functions and processes are available during and after a disaster. Don’t just have a plan for response – including cleaning PCs, restoring data from backups, involving your insurer and notifying the proper authorities – but require testing. Some of the most important aspects of documentation and testing include:
- identifying the most critical systems and the order such systems are restored
- defining recovery point objectives (RPO) and recovery time objectives (RTO)
- identifying network requirements
- identifying who is responsible for which steps in the disaster recovery process, including communication to stakeholders
12. Annual Testing & Vulnerability Scans
Conduct annual penetration testing and regular vulnerability scans to identify the most current vulnerabilities in your web applications and IT environments. Ensure all high-priority vulnerabilities (i.e. tips #4 and #5) are remediated and documented. Implement automation to address the higher-volume, lower-impact vulnerabilities that are usually ignored due to staff resources and priorities.
The Innovative Technology Solutions Advantage
Is your organization’s security readiness where it needs to be to better protect your assets, brand and bottom line? If not, ITS can help. From managing countless endpoint devices to handling new applications, regulatory concerns and technology breakdowns, our skilled and scalable resources have you covered.
Ready to improve your security posture? Let’s talk.