The diverse and open nature of the Internet makes it important for businesses to focus on the security of their networks. As companies move business functions to the public network and rely more on remote access, they need to take precautions to ensure that corporate data cannot be compromised. You must also verify that business data is not accessible to unauthorized users.
The traditional problem, before the Internet, was securing business assets from physical threats like burglars, and the threat was fairly low because the number of people with physical access to your office was small when compared to the population of the planet. Now anyone with an Internet connection can attack your corporate assets from almost anywhere in the world. Your threat profile has grown exponentially.
If you haven’t already done so, you should develop an Information Security program to protect your corporate assets.
- Define the Perimeter – When you look at your network diagram, you should draw a circle around those systems and devices you choose to protect from unauthorized access. This circle will probably include everything, but you might not include systems managed by trusted vendors, or temporary systems you might be using in a test environment. You must also accept that protecting the included systems will cost you money, and you might make a decision to exclude systems because the risk to those systems or devices doesn’t justify the expense. What you have now is your “in-scope systems”, and these are the systems that must be properly configured, monitored, patched, etc.
- Properly Configured – Create documentation around how to properly configure each in-scope system, and verify each system has been configured to match that documentation. This documentation should cover network settings, anti-virus or anti-malware software, operating system configuration, etc. It applies to newly installed systems and replacement devices as well. You must also put controls in place to verify these systems have the correct version of software installed, including service packs, patches, hot fixes, etc. You may also need to work with cloud and vendor-supported systems to make sure they consistently meet your standards.
- Minimize Access – Each user or system account should only have the minimal access required to operate correctly. There should be a security process for approving any requests for elevated privileges, and those requests should be approved only rarely. While it will vary depending on your environment and the size of your technology team, you want very few people to have complete control over these critical in-scope systems. Your users should never have access to systems, devices, file shares, etc. when that access isn’t absolutely required. If fewer people have access to critical information or systems, the risk of unauthorized access is significantly diminished.
- Change Management – All proposed system and device changes, including requests for elevated user permissions, should be formally documented, and there should be an approval process to review each requested change. There must also be a separation of duties between the person requesting the change and the person making the change. This prevents unauthorized changes from sneaking around the approval process. You must also have a manager review all actual changes at the end of the week or month and match them back to the changes submitted through the formal approval process. This will help catch those changes made but not formally approved.
- Periodic Reviews – Your team needs to be performing quarterly vulnerability scans. There are multiple tools to help overworked IT technicians complete this task, but what we are recommending is scanning all in-scope systems and devices and matching them against a long list of known security issues. These periodic scans will alert your team to systems that have missing patches or are subject to a known vulnerability that must be addressed to prevent a potential security threat from leading to an attack. This also includes reviewing that circle you put around your in-scope systems. Maybe it is time to move that line to exclude more systems, or to include some additional systems or new devices as your business changes. You should also schedule periodic reviews of who has authenticated access to your network. This includes standard user accounts, employees with remote access, automated system accounts, and remote vendor accounts. This will give you an opportunity to disable or delete terminated employee accounts, remove vendor accounts that no longer need access, etc. All policies and procedures will also require periodic review to make sure they stay accurate and relevant.
- Security Training – Every employee plays a part in your overall network security. In the physical security world, it doesn’t make sense to lock the front door but leave all the windows open. It also doesn’t make sense to secure the network and allow your users to tape their network passwords to their monitor or keyboard. Users must be educated about how to secure their passwords, how to select a strong network password, how to secure their mobile devices, etc. There should be initial training for any new employee, and every employee should get a refresher course at least once each calendar year.
- Monitor Vendor Alerts – Most vendors have the ability to alert you if they discover a vulnerability in their product. You should sign up for these alerts and monitor the emails on a daily basis. If there is an email alert about a vulnerability in an in-scope system, you need to have procedures around assigning a priority to the alert, how you will score the risk in your environment, and a timeline for taking action on the alert.
- Stay in Control – You must have technical controls in place (firewalls, VPN, ACLs, IPS, etc.) to protect your in-scope systems, but you must also look at non-technical physical controls (door locks, safes, video cameras, fire suppression systems, battery backups, etc.) to protect those same in-scope systems. Make sure you limit physical access to critical systems, and implement any physical controls you need in your environment to protect your systems and business data.
- Policies and Procedures – You must document your expectations and verify constant compliance. This includes threats from insider attacks. Make sure you write policies that say what must be done and the penalty for non-compliance, and then write the procedures around how people are to complete technical tasks so that your compliance expectations are met. You must also make sure people are following your policies and procedures while understanding that there are consequences to non-compliance.
- Monitor Logs – Someone on your team needs to be monitoring and reviewing the logs from your in-scope systems. This process can be time-consuming and difficult without some additional software to collect and automate that process, but that will depend on your environment and the quantity of in-scope systems. There are multiple solutions available from third-party vendors to simplify this process. The logs from your in-scope systems can be used to track system changes, discover system vulnerabilities, track potential internal or external attacks, list unauthorized access attempts, investigate malware infections, etc.
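The “Properly Configured” and “Change Management” items above both come down to comparing what is actually on your in-scope systems with what was documented and approved. The following is an added example, not code from the original article: it checks each observed system against its role’s documented baseline, then reconciles the changes seen in system logs against the approved change tickets, including the separation-of-duties requirement. The baselines, system states and tickets are constructed sample records.

```python
# Added example, not code from the original article: compare each in-scope
# system with its documented baseline, then reconcile the changes seen in
# system logs against the approved change tickets. All records are constructed.
BASELINES = {  # documented standard per system role (constructed)
    "fileserver": {"version": "4.2.1", "patches": {"KB-1001", "KB-1002"},
                   "antimalware": True, "max_admins": 2},
}
OBSERVED = [  # state collected from the live systems (constructed)
    {"host": "fs01", "role": "fileserver", "version": "4.2.1",
     "patches": {"KB-1001", "KB-1002"}, "antimalware": True, "admins": {"alice", "bob"}},
    {"host": "fs02", "role": "fileserver", "version": "4.1.9",
     "patches": {"KB-1001"}, "antimalware": False, "admins": {"alice", "bob", "carol"}},
]
APPROVED = [  # tickets from the formal approval process (constructed)
    {"ticket": "CHG-101", "host": "fs01", "change": "upgrade to 4.2.1",
     "requested_by": "alice", "approved_by": "dave"},
    {"ticket": "CHG-102", "host": "fs02", "change": "add admin carol",
     "requested_by": "bob", "approved_by": "bob"},
]
ACTUAL = [  # changes extracted from system logs (constructed)
    {"host": "fs01", "change": "upgrade to 4.2.1", "made_by": "bob"},
    {"host": "fs02", "change": "add admin carol", "made_by": "bob"},
    {"host": "fs02", "change": "disable antimalware", "made_by": "carol"},
]

def check_compliance(system, baselines=BASELINES):
    """Return the deviations of one observed system from its role's baseline."""
    b, host, findings = baselines[system["role"]], system["host"], []
    if system["version"] != b["version"]:
        findings.append(f"{host}: version {system['version']}, expected {b['version']}")
    for patch in sorted(b["patches"] - system["patches"]):
        findings.append(f"{host}: missing patch {patch}")
    if b["antimalware"] and not system["antimalware"]:
        findings.append(f"{host}: anti-malware not running")
    if len(system["admins"]) > b["max_admins"]:
        findings.append(f"{host}: {len(system['admins'])} admins, limit is {b['max_admins']}")
    return findings

def reconcile_changes(actual=ACTUAL, approved=APPROVED):
    """Flag changes with no approved ticket, or whose requester, approver and
    implementer are not three different people (no separation of duties)."""
    tickets = {(t["host"], t["change"]): t for t in approved}
    findings = []
    for c in actual:
        t = tickets.get((c["host"], c["change"]))
        if t is None:
            findings.append(f"{c['host']}: '{c['change']}' by {c['made_by']} has no approved ticket")
        elif len({t["requested_by"], t["approved_by"], c["made_by"]}) < 3:
            findings.append(f"{c['host']}: {t['ticket']} lacks separation of duties")
    return findings
```

Running both checks over the sample data reports fs02 as out of compliance on four points and flags two of the three logged changes, which is exactly the list a manager would reconcile at the end of the month.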
These steps do not address what you should do to react to an attack or suspected network breach. These listed steps could reduce the risk of a successful attack, but you also need to think about how you must react to an attack or breach and begin planning and documenting your response.
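The “Monitor Logs” item asks someone to review authentication logs from the in-scope systems for unauthorized access attempts, and the “Periodic Reviews” item produces the list of accounts that should still exist. The following is an added example, not code from the original article, that joins the two: it parses constructed, simplified sshd-style log lines and flags runs of failed logins, a successful login by an account that is not on the authorized list (a terminated employee or stale vendor account), and a success that follows a run of failures. The log format, account list and threshold are assumptions made for the example.

```python
# Added example, not code from the original article: a first-pass review of
# authentication logs from in-scope systems, flagging repeated failed logins,
# successes by accounts no longer on the authorized list, and successes that
# follow a run of failures. Log lines and the account list are constructed.
import re
from collections import defaultdict

AUTHORIZED = {"alice", "bob", "svc_backup"}  # output of the periodic access review (constructed)
FAIL_THRESHOLD = 3  # consecutive failures from one source before the reviewer is told

LOG_LINES = """\
2024-03-04T08:01:12 fs01 sshd: Failed password for bob from 10.0.5.21
2024-03-04T08:01:15 fs01 sshd: Failed password for bob from 10.0.5.21
2024-03-04T08:01:19 fs01 sshd: Failed password for bob from 10.0.5.21
2024-03-04T08:01:24 fs01 sshd: Accepted password for bob from 10.0.5.21
2024-03-04T08:10:02 fs01 sshd: Failed password for alice from 10.0.5.30
2024-03-04T08:10:05 fs01 sshd: Failed password for alice from 10.0.5.30
2024-03-04T08:10:09 fs01 sshd: Failed password for alice from 10.0.5.30
2024-03-04T09:22:41 fs02 sshd: Accepted password for vendor_old from 203.0.113.7
2024-03-04T09:30:00 fs02 sshd: Accepted publickey for svc_backup from 10.0.5.2
""".splitlines()

LINE_RE = re.compile(  # simplified sshd line: timestamp host sshd: result method for user from src
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<src>\S+)$")

def parse(lines):
    """Yield one dict per log line that matches the expected format; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def review_auth_log(lines, authorized=AUTHORIZED, threshold=FAIL_THRESHOLD):
    """Return findings for the log reviewer, one string per issue, in log order."""
    failures = defaultdict(int)  # (host, user, src) -> consecutive failed logins
    findings = []
    for e in parse(lines):
        key = (e["host"], e["user"], e["src"])
        if e["result"] == "Failed":
            failures[key] += 1
            if failures[key] == threshold:
                findings.append(f"{e['host']}: {threshold} failed logins for {e['user']} from {e['src']}")
        else:
            if e["user"] not in authorized:
                findings.append(f"{e['host']}: login by unauthorized account {e['user']} from {e['src']}")
            if failures[key] >= threshold:
                findings.append(f"{e['host']}: {e['user']} logged in after {failures[key]} failures from {e['src']}")
            failures[key] = 0  # a success ends the run
    return findings
```

On the sample lines this yields four findings: the run of failures for bob and his success right after it, the run of failures for alice, and the login by vendor_old, which the last access review should have removed.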