Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

9/4/2015
10:30 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Back To Basics: 10 Security Best Practices

The most effective strategy for keeping organizations, users and customers safe is to focus on the fundamentals.

"We need the latest security technology in order to protect our network against sophisticated attacks."

That’s a quote I’ve heard all too often, but those shiny new toys are not always the best use of your money – or your security staff’s time.

Despite the media hype, the biggest threats to your enterprise data assets are actually from the same old threats that we were worried about last year, five years ago, and in many cases even a decade ago. Only a handful of attacks truly use sophisticated “Mission Impossible” techniques, so the shiny new tools may do more harm than good at protecting your organization.

First, precious IT time is needed to learn, deploy, and adapt these new tools to your environment – time that could be better spent maximizing the benefits of your existing tools. Second, these new tools will likely overload staff with even more alerts and anomalies, and your already overwhelmed staff may not have the skills or the time to analyze, prioritize, and address them.

So before investing in new tools, here are 10 security best practices to help protect your organization with the techniques and technologies you likely already have in place. These best practices should be common knowledge, but unfortunately they are hardly common practice.

#1. Patch. Despite the hype, most attacks exploit known vulnerabilities. Make sure you are investing adequate time in patching your systems. It’s not glamorous, but it is extremely effective.

#2. Limit. Like making too many master keys to a building, you shouldn’t give admin rights to too many individuals. Make sure that anyone with privileged rights to the enterprise infrastructure and the security policy is truly trusted and keep an eye on them. What is true for people also holds true for network traffic. Make sure you do not have any overly permissive firewall rules (E.g. ANY/ANY) that allow traffic without any business justification.

#3. Check. Data theft by insiders can be costly, or even calamitous. So while you’re looking at network policies, verify the outbound access you allow employees to have while on your network. Lock down everything that’s not needed. For example, if your company doesn’t use Dropbox or Google Drive, lock them out.

#4. Segment. Network segmentation remains an important strategy to contain attacks by limiting the lateral movement of attackers. Understand where your critical data is stored, and use firewalls to limit traffic to and from those network segments.

#5. Automate. Your attackers are using automated tools to scan ports and identify misconfigured devices, so how on earth do you stand a chance if you attempt to do this work manually? Automating mundane security tasks such as analyzing firewall changes and device configurations not only mitigates manual errors, it also frees up precious time to focus on more strategic security initiatives.

#6. Visualize. You can’t secure what you can’t see. With the complexity of today’s networks and applications, it’s very difficult to understand the impact of a security policy change (such as adding a firewall rule) on business applications. This complexity coupled with a lack of visibility can have serious implications on security. So make sure you have complete, up-to-date visibility of your enterprise network and active monitoring of system configurations. 

#7. Document.  Make sure to document your security policies in a knowledge database so that network admins, security staff, and even application teams understand exactly what is going on – and why. This is particularly important when setting up rules to support new applications, because when an application is decommissioned or moved, you’ll want to reverse that rule. But you won’t be able to do so if you don’t know about it.

#8. Align. Security teams are not always in alignment with other teams such as operations, and this misalignment can be even greater with the business side of the house. Make sure security is integrated into operations and business processes as early as possible. Failure to do so will perpetuate the situation where security is “bolted on” as an afterthought, and is perceived is an inhibitor to the business rather than an enabler.

#9. Educate. Security awareness should be part of your business’ DNA, and practiced both top-down and bottom-up. This is where an ounce of prevention is worth a pound of cure: Have a well-organized, well-understood, well-maintained, and well-monitored security policy for both insiders and outsiders, and make sure they undergo periodic training.

#10. Measure Make sure you define metrics that are meaningful and can help you assess your security posture over time. With increased attention (and often increased budget) from the Board comes increased responsibility to demonstrate accountability.

As security practitioners, our job is to minimize business risk. We’ll get the most impact, and do the most to keep our organizations, users, and customers safe, by focusing on the fundamentals. Getting back to basics is the best way to cover your security bases.

 

Originally a software engineer and then a product manager for security products, Nimrod (Nimmy) Reichenberg now heads global strategy for AlgoSec. Nimmy is a frequent speaker at information security events and a regular contributor to industry publications including Security ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Amriteshsingh
50%
50%
Amriteshsingh,
User Rank: Apprentice
9/7/2015 | 6:22:54 AM
Ten IT admin mistakes that can be expensive on security and productivity fronts
Thanks for sharing this fantastic stuff !

I appreciate the effort you have made.

I would also to share one another informtiave article that covers those common IT admin mistakes that can be expensive on security and productivity fronts. I hope, you will enjoy it :  www.lepide.com/blog/ten-it-admin-mistakes-that-can-be-expensive-on-security-and-productivity-fronts/
Commentary
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
Edge-DRsplash-10-edge-articles
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
News
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-35210
PUBLISHED: 2021-06-23
Contao 4.5.x through 4.9.x before 4.9.16, and 4.10.x through 4.11.x before 4.11.5, allows XSS. It is possible to inject code into the tl_log table that will be executed in the browser when the system log is called in the back end.
CVE-2021-27649
PUBLISHED: 2021-06-23
Use after free vulnerability in file transfer protocol component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors.
CVE-2021-29084
PUBLISHED: 2021-06-23
Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in Security Advisor report management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors.
CVE-2021-29085
PUBLISHED: 2021-06-23
Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in file sharing management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors.
CVE-2021-29086
PUBLISHED: 2021-06-23
Exposure of sensitive information to an unauthorized actor vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to obtain sensitive information via unspecified vectors.