Skip to content ↓ | Skip to navigation ↓

For some businesses, security is usually not the first priority; at best it might be an afterthought and at worst, it’s a neglected chore. Proactive security must not interfere with business processes, but must work in line with processes to mitigate risks and manage vulnerabilities.

A wonderful article by Wendy Nather expands on the issue of security in the “IT hierarchy of needs.” We’ll examine the steps businesses can take to harden their security posture, while keeping options open for growth and expansion:

Asset Discovery

Decrease the risk of a compromise by taking inventory of all machines, including mobile devices. Choose a discovery/audit tool and implement a process for on-boarding new devices, while maintaining a record of existing assets.

Software Auditing

Build a list of all approved applications deployed across the enterprise and create a plan to rapidly apply security updates. Use tools that will track installed software; continuously monitor for unauthorized software installs and develop a plan to remove unwanted software.

Base Configuration

Identify the minimum-required services and settings needed on a base system, or network appliance, and build those images using vendor recommended best-practices. Use a System Configuration solution to securely manage images. Research known OS or software exploits and mitigate any weaknesses in the image caused by misconfiguration. Develop a protocol for continuously updating the base configuration with software and OS patches.

Vulnerability Scans

Find a vulnerability scanning tool that matches the needs of your enterprise. Perform regular scans of all devices, including network appliances. Set a time frame that requires risks are mitigated, based on severity. Keep anti-malware software updated across the enterprise. Leverage the Common Vulnerabilities and Exposures (CVE) database as a guide to understanding the severity of a bug; several sites host the CVE, including CVEDetails.

Risk Profiling via Security Controls

In his post on prioritizing critical security controls, Tripwire CTO Dwayne Melancon shared a valuable slide detailing the Top 20 Critical Controls as they can be generally applied to any size enterprise. The graphic provides a great overview of how security controls can be standardized to fit within any organization.

Hold mandatory staff computer safety courses

Educate users on the common email social engineering tricks used by hackers. Teach them how to spot when a website form is being sent encrypted versus unencrypted, especially when entering private information or payment data into a web form.

Control Internet Access

Use a content gateway to restrict and monitor Internet access. A content gateway not only stops access to known bad sites but can also be configured to block high network bandwidth traffic, such as streaming video and Internet radio.

Secure the Network

Install an Intrusion Prevention System for proactive real-time monitoring of network traffic. IPS’s scan network activity and can be configured in-line to block malicious traffic.

Invest in a Data Loss Prevention solution

These can either be network- or endpoint-based, and they work by detecting and blocking breaches of sensitive data. Correctly configured, a DLP prevents unauthorized attempts to transmit protected company data.

By following these best-practices, you can help keep your business safe, while remaining competitive and prepared for future growth.

 

About the Author: Brian M. Thomas (@InfoSec_Brian) is a passionate professional with 17 years’ experience providing Tier-4 data solutions in all disciplines of IT including Network/Server administration and Information Security. Proven experience in HIPAA, ISO 27001 and PCI compliance.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. If you are interesting in contributing to The State of Security, contact us here.

Hacking Point of Sale
  • Armenischen

    Thank you. I added your site tripwire.com to my bookmarks.

  • ياهو ماسنجر

    Very helpful. Thanks and got you in my fav list.

  • marykaichini

    Great tips and if you want to feel successful you need to refer to all of them all the time although it may seem rather difficult. We are doing the same in our company. At first it was unbreably hard, but then we got used to the idea that we have a wonderful IT infrastructure monitoring tool Anturis which monitors everything websites, servers, databases, network etc and we get constant alerts and troubleshoot rather quickly. We relaize that every our action is being monitored and we are rather careful with BYODs for instance.
    It only seems complicated, but when it becomes a habit you just don't notice it at all.

  • Bella

    In my view, security is really crucial for an online business. There are numerous people who are nowadays get trapped into the fake website links, are looted via online payment because of unverified SSL encryption and many other cases. In order to make sure that your payment is processed properly, one needs to have a 128- bit encrypted SSL payment gateway which will ensure that your online business is not hacked and any amount processed during the transaction reaches the true destination (where it belonged). My online business runs safely through allied wallet’s secure and hassle free payment processing system. I don’t have to actually worry about anything else since I followed their system.

  • Lorraine Walsh

    It is important for many businesses to guarantee their online privacy because businesses have secret information that if handed to competitors or leaked in the market, could impose serious losses. Here are some ways by which businesses can ensure their online viability:

    1. Make sure to never use shared domains and computers when dealing with important information.

    2. Always use a good encryption software for encrypting your files and folders and secure your passwords in digital wallets.

    3. Hackers can track your online privacy and therefore, can track your transaction trail. It is very important to deploy some genuine VPN service for instance like Purevpn and Ivacy What vpn does is it hides your IP and all other online activities so they cannot be tracked.