For many businesses, security is not the first priority; at best it is an afterthought and at worst a neglected chore. Proactive security must not interfere with business processes, but must work alongside them to mitigate risks and manage vulnerabilities.
A wonderful article by Wendy Nather expands on the issue of security in the “IT hierarchy of needs.” We’ll examine the steps businesses can take to harden their security posture, while keeping options open for growth and expansion:
Decrease the risk of a compromise by taking inventory of all machines, including mobile devices. Choose a discovery/audit tool and implement a process for on-boarding new devices, while maintaining a record of existing assets.
Build a list of all approved applications deployed across the enterprise and create a plan to rapidly apply security updates. Use tools that will track installed software; continuously monitor for unauthorized software installs and develop a plan to remove unwanted software.
Identify the minimum set of services and settings required on a base system or network appliance, and build those images using vendor-recommended best practices. Use a system configuration solution to securely manage the images. Research known OS and software exploits and mitigate any weaknesses in the image caused by misconfiguration. Develop a protocol for continuously updating the base configuration with software and OS patches.
Find a vulnerability scanning tool that matches the needs of your enterprise. Perform regular scans of all devices, including network appliances. Set a severity-based time frame within which each risk must be mitigated. Keep anti-malware software updated across the enterprise. Use the Common Vulnerabilities and Exposures (CVE) database as a guide to understanding the severity of a bug; several sites host CVE data, including CVEDetails.
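As an added example (not from the article or Tripwire), the following Python script ties the software-inventory step and the severity-based remediation window above to constructed sample data; the approved-application list, the remediation windows per severity, the hostnames and the CVE placeholder identifiers are all assumptions.

```python
from datetime import date, timedelta

# Assumed remediation policy: days allowed per severity (not from the article).
REMEDIATION_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed approved-application list for the enterprise.
APPROVED_APPS = {"openssh", "nginx", "postgresql"}

# Constructed software inventory: host -> installed packages.
SAMPLE_INVENTORY = {
    "web-01": ["nginx", "openssh", "torrent-client"],
    "db-01": ["postgresql", "openssh"],
}

# Constructed scan output; the CVE identifiers are placeholders, not real IDs.
SAMPLE_FINDINGS = [
    {"host": "web-01", "cve": "CVE-EXAMPLE-0001", "severity": "critical", "found_on": date(2014, 1, 1)},
    {"host": "web-01", "cve": "CVE-EXAMPLE-0002", "severity": "high", "found_on": date(2014, 1, 1)},
    {"host": "db-01", "cve": "CVE-EXAMPLE-0003", "severity": "medium", "found_on": date(2013, 10, 1)},
]


def unauthorized_software(inventory):
    """Return sorted (host, package) pairs for software not on the approved list."""
    return sorted((host, pkg) for host, pkgs in inventory.items()
                  for pkg in pkgs if pkg not in APPROVED_APPS)


def remediation_deadline(found_on, severity):
    """Date by which a finding of the given severity must be mitigated."""
    return found_on + timedelta(days=REMEDIATION_DAYS[severity.lower()])


def overdue_findings(findings, today):
    """Findings whose remediation window closed before `today`, sorted by CVE."""
    return sorted((f["cve"] for f in findings
                   if remediation_deadline(f["found_on"], f["severity"]) < today))


if __name__ == "__main__":
    for host, pkg in unauthorized_software(SAMPLE_INVENTORY):
        print(f"unapproved software on {host}: {pkg}")
    for cve in overdue_findings(SAMPLE_FINDINGS, date(2014, 1, 20)):
        print(f"overdue finding: {cve}")
```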
Risk Profiling via Security Controls
In his post on prioritizing critical security controls, Tripwire CTO Dwayne Melancon shared a valuable slide detailing the Top 20 Critical Controls as they can be generally applied to any size enterprise. The graphic provides a great overview of how security controls can be standardized to fit within any organization.
Hold mandatory staff computer safety courses
Educate users on the common email social engineering tricks used by attackers. Teach them how to tell whether a website form is being submitted over an encrypted or an unencrypted connection, especially when entering private information or payment data.
Control Internet Access
Use a content gateway to restrict and monitor Internet access. A content gateway not only stops access to known bad sites but can also be configured to block high network bandwidth traffic, such as streaming video and Internet radio.
Secure the Network
Install an Intrusion Prevention System (IPS) for proactive, real-time monitoring of network traffic. An IPS scans network activity and can be deployed in-line to block malicious traffic.
Invest in a Data Loss Prevention solution
These can either be network- or endpoint-based, and they work by detecting and blocking breaches of sensitive data. Correctly configured, a DLP prevents unauthorized attempts to transmit protected company data.
By following these best practices, you can help keep your business safe while remaining competitive and prepared for future growth.
About the Author: Brian M. Thomas (@InfoSec_Brian) is a passionate professional with 17 years’ experience providing Tier-4 data solutions in all disciplines of IT, including network/server administration and information security. He has proven experience in HIPAA, ISO 27001 and PCI compliance.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. If you are interested in contributing to The State of Security, contact us here.