For this entry in our series of posts on information security we will identify most of the currently available defenses. There are three main components to a good security posture – physical security, software, and people.
Physical security consists of restricting physical access of your hardware (servers, workstations, laptops, disk drives, phones, tablets, printers, etc.) to only those people who should have such access. Think about where your servers are located and who can get to them. Access should be restricted to as few people as practical without hindering operations. Having your primary servers sitting out in the open behind someone’s desk is probably not the best approach. At the very least, servers, along with network modems, attached storage, backup devices, virtual private network (VPN) devices, firewalls, etc., should be located in a well ventilated, locked room or closet with controlled access through keys or access codes.
With so many firms moving to more virtual operations, migrating these devices out of the office to a more secure ‘colocation facility’ (colo) may make more sense. A colo is a facility set up specifically to house thousands of servers and networks, taking advantage of economies of scale to provide significantly improved physical security along with better power and network bandwidth than you might have available at your office. Finally, moving all of your network infrastructure to the cloud is proving to be one of the best ways for small- to medium-size firms to leverage the security infrastructure of much larger enterprises. Any of the major cloud services (Amazon Web Services, Microsoft Azure, etc.) provide top-level physical security as part of an all-inclusive price.
Next, consider who has access to your office in general. Can outsiders just walk in and wander around? Or is access more controlled and visitors escorted? How easy would it be for someone to walk out with a laptop without anyone noticing? How easy would it be for someone to gain access to your office after hours and have plenty of time to look around for passwords written on sticky notes or in desk drawers (more on those issues later…)? What are your organization’s expectations for employees who carry networked devices out to the field or work with them from home? Physical security, in the end, is a bit of a balancing act between controlling access to equipment and constraining operations with little gain.
A variety of software and related technology-based defenses are available as well. Start with the one we all know – every workstation and every laptop should be running one of the top subscription-based antivirus applications currently available (think Norton or McAfee, to name two).
It’s time to move past the idea that free antivirus protection is good enough. It’s been mentioned before and we’ll say it again here – when the product is free, you (or more specifically, your data) are the product. Install the software and set it to automatically update. This provides your first layer of defense.
Your second layer of defense should consist of a firewall at any point where network devices are connected. This includes any office locations, colos, remote locations, working from home, etc. If a firewall is disabled to allow software updates, make sure it is re-enabled when the process is complete.
An additional layer of protection called endpoint detection and response (EDR) can be added on top of device-level antivirus. EDR is a combination of software loaded on each device and monitoring services provided by cybersecurity specialists. The monitoring service uses security analytics, extensive threat databases, and live monitoring to detect and neutralize threats as rapidly as possible. One area where EDR is particularly useful is zero-day attacks, which are new threats for which no safeguards are yet in place. The objective is to reduce the time your organization is exposed to such new threats.
Your third layer of defense, when there are remote users, colos, or cloud-based servers or storage, should be a VPN. VPNs create encrypted connections to networks and prevent data leakage through sniffers and other traffic-capture approaches. Again, just as with antivirus applications and firewalls, every connection to the corporate network should be through a VPN provided by one of the major vendors on a subscription basis with regular updates.
Finally, we need to talk about people. All of your users have jobs to do, almost none of which are security focused. This means you need to make sure you only rely on your users to prevent the most obvious malware, phishing, and other email-, text-, or data-file-based attacks. However, this also means you must regularly make your users aware of security threats, how to recognize them when they appear, and what to do about suspicious activity. The basics should be well known by now – don’t open emails from unknown senders, don’t click on links embedded in emails if you are not 100% sure of their reliability and safety, don’t say yes to random download requests, etc. In particular, be careful of emails you get from what appears to be someone you know but that look ‘off’ in some way – maybe the font is different, or the signature block isn’t the same – trust your instincts and don’t open the attachment or click on the link.
What to do about suspicious activity is another issue. First, alert someone, or everyone. If you have a network administrator, let them know, otherwise send out a warning to everyone in your group or company. If you have implemented EDR, this is one of the features the service offers, so let your EDR provider know – they can validate the activity and either quarantine it or let you know it’s legitimate.
There you have it – layered defenses built on physical security, software, and people to adequately protect your information.