Frequently, organizations have a general idea where they are with regard to their security posture. And often, they know where they’d like to be, but they don’t know how to get there.
I find that more often than not, organizations are looking for a silver bullet, an appliance with blinking lights that they can drop into their network and feel secure. But the reality is that it doesn’t exist – it really boils down to being good at the basics.
So, I present my list of information security basic quick wins that will help you get your organization on its way to better infosec hygiene:
1. Segment your network
If you don’t already do this, you really should be segmenting your network. You might get resistance. It will slow down change management. But, you will do yourself (and your organization) a favour.
Think of your organization as a submarine. Having a flat network is like having no watertight hatch doors between the various pods. If water gets in somewhere, it gets in everywhere. Segmenting your network allows you to create logical or physical barriers within, so that the bad guys have to work harder to move around the network, and the good guys are limited to only those areas they need access to.
- Implement 802.1Q to separate the various parts of your network logically into VLANs
- Limit access between segments by implementing VLAN ACLs on your switches or routing your traffic through a firewall (hairpin routing)
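To make the "watertight hatch" idea concrete, here is an added example (my own code, not from the post) that models how a VLAN ACL or a firewall on the hairpin router evaluates inter-segment traffic: first match wins and an explicit deny closes the list. The segment names, address ranges and rules are constructed for the example. The `reachable_segments` helper answers the question a defender actually cares about: if a host in a given segment is compromised, where can it go from there? The same query against a flat network shows why a flat network has no barriers at all.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set

# Constructed example segments (names and address ranges are assumptions, not from the post).
SEGMENTS = {
    "pos":     ipaddress.ip_network("10.10.0.0/24"),  # cash registers
    "servers": ipaddress.ip_network("10.20.0.0/24"),  # payment gateway, file servers
    "staff":   ipaddress.ip_network("10.30.0.0/24"),  # office workstations
    "guest":   ipaddress.ip_network("10.40.0.0/24"),  # guest Wi-Fi
}


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # segment name or "any"
    dst: str               # segment name or "any"
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches every destination port


# A segmented design: first-match ACL with an explicit deny at the end,
# the way a VLAN ACL or a firewall policy on the hairpin router is evaluated.
SEGMENTED_ACL = [
    Rule("permit", "pos", "servers", "tcp", 443),     # registers reach the payment gateway only
    Rule("permit", "staff", "servers", "tcp", 445),   # office workstations reach file shares
    Rule("permit", "staff", "servers", "tcp", 443),
    Rule("deny", "any", "any", "any", None),
]

# A flat network has no barriers at all: every host can reach every other host.
FLAT_ACL = [Rule("permit", "any", "any", "any", None)]


def segment_of(ip: str) -> Optional[str]:
    """Name of the segment an address belongs to, or None if it is outside all of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def evaluate(acl, src_ip: str, dst_ip: str, proto: str, dport: Optional[int]) -> str:
    """Return 'permit' or 'deny' for one flow using first-match semantics."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return "deny"          # address space we never defined is not trusted
    if src == dst:
        return "permit"        # same VLAN: switched locally, the inter-VLAN ACL is not consulted
    for rule in acl:
        if rule.src not in ("any", src):
            continue
        if rule.dst not in ("any", dst):
            continue
        if rule.proto not in ("any", proto):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action
    return "deny"              # implicit deny when nothing matched


def reachable_segments(acl, src_ip: str) -> Set[str]:
    """Other segments a host can reach on at least one port: its lateral-movement radius.

    Each permit rule is probed through evaluate() with the rule's own protocol and port, so an
    earlier, more specific deny still wins exactly as it does in first-match evaluation."""
    src = segment_of(src_ip)
    reachable = set()
    for rule in acl:
        if rule.action != "permit" or rule.src not in ("any", src):
            continue
        candidates = list(SEGMENTS) if rule.dst == "any" else [rule.dst]
        protos = ("tcp", "udp") if rule.proto == "any" else (rule.proto,)
        for dst in candidates:
            if dst == src:
                continue
            dst_ip = str(next(SEGMENTS[dst].hosts()))
            for proto in protos:
                if evaluate(acl, src_ip, dst_ip, proto, rule.dport) == "permit":
                    reachable.add(dst)
    return reachable


if __name__ == "__main__":
    for acl_name, acl in (("segmented", SEGMENTED_ACL), ("flat", FLAT_ACL)):
        print(acl_name, "- guest Wi-Fi can reach:", sorted(reachable_segments(acl, "10.40.0.7")))
```

Run it and the guest segment reaches nothing under the segmented policy but every other segment under the flat one. The same evaluator is a cheap way to review a proposed rule set before it goes on the switch: ask it what each segment can reach and compare the answer with what that segment actually needs.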
2. Patch your software and hardware
This one is really a no-brainer. Keeping your systems up-to-date may not protect you from a zero-day exploit, but it will make sure you’re not the lowest hanging fruit. Sites like exploit-db publish exploits and vulnerable software, and make it really easy to hack a system that’s not running the latest software or firmware.
- Stay up to date on Windows and Linux patches and update your systems regularly.
- Patch your software as well (web, email, PDF software, etc).
- Update firmware on your network devices.
3. Implement two-factor authentication (2FA) where possible
Another no-brainer. Passwords alone are a weak form of authenticating a user, particularly with the advent of ‘cloud’ applications which can be accessed from anywhere.
Sure, multi-factor authentication can be bypassed by attacks on the endpoint (man-in-the-middle or client-side malware), but the attacker will have to work that much harder if they steal your password.
- Gmail has 2FA built-in. It’s just a checkbox away.
- Implement 2FA for your VPN (ideally any service where information can be accessed remotely)
4. Implement SPF, DKIM, DMARC for your email
We all have a shared responsibility to improve internet and email hygiene. You should be doing your part to improve your little corner of the digital world. If you’re not, you should be looking for a new job. Preferably not administering mail.
SPF records help the recipients of email from your domain verify that the mail is coming from a permitted mail server. It’s a quick addition to your domain’s DNS zone file.
DKIM attaches a signature to outgoing mail, made with a key published in your DNS, so that a domain can build reputation and recipients can filter or whitelist mail from it. A valid signature lets a recipient verify that the domain named in the signature handled the message. It’s important to understand that DKIM does not verify the origin of the message (who actually wrote it, or that the From: address is genuine), and some have criticized it for this.
DMARC builds on SPF and DKIM: it ties their results to the domain in the visible From: header and lets the domain owner publish a policy telling recipients what to do with mail that fails.
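An added example (my own code, not from the post) of what receivers actually do with these records. It evaluates an SPF record for a connecting IP, parses a DMARC record into its tags, and applies the DMARC alignment rule that decides the message's fate. The TXT records and domains are constructed for the example; mechanisms that need DNS lookups (`include`, `a`, `mx`, `redirect`) are deliberately left out so the code runs offline, and the organizational-domain helper is a simplification of what real receivers do with the Public Suffix List.

```python
import ipaddress
from typing import Dict, Optional

# Constructed DNS TXT records for a fictional domain (not real records).
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 ip6:2001:db8::/32 -all"
DMARC_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=s; "
                "rua=mailto:dmarc-reports@example.com; pct=100")

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record: str, sender_ip: str) -> str:
    """Evaluate an SPF record for a connecting IP using the ip4, ip6 and all mechanisms.
    Mechanisms and modifiers that need DNS lookups (include, a, mx, exists, redirect) are
    out of scope here and raise rather than being silently skipped."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        if "=" in term:                       # modifier, e.g. redirect=... or exp=...
            if term.split("=", 1)[0].lower() == "exp":
                continue
            raise NotImplementedError(f"modifier {term!r} requires DNS lookups")
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        raise NotImplementedError(f"mechanism {name!r} requires DNS lookups")
    return "neutral"                          # ran off the end with no 'all' term


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC record into its tags; v=DMARC1 and p= are mandatory."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and a p= tag")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels. Real receivers use the
    Public Suffix List so that e.g. example.co.uk is handled correctly; this is a simplification."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_disposition(tags: Dict[str, str], from_domain: str,
                      spf_result: str, spf_domain: Optional[str],
                      dkim_result: str, dkim_domain: Optional[str]) -> str:
    """What a receiver should do with a message: 'none' (deliver), 'quarantine' or 'reject'.

    DMARC passes only if SPF or DKIM passed AND the domain that check authenticated aligns
    with the visible From: domain. That alignment step is what SPF and DKIM alone lack."""
    def aligned(domain: Optional[str], mode: str) -> bool:
        if not domain:
            return False
        if mode == "s":                                        # strict: exact match
            return domain.lower() == from_domain.lower()
        return org_domain(domain) == org_domain(from_domain)   # relaxed: same organization

    spf_ok = spf_result == "pass" and aligned(spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "none"
    # The sp= tag, if present, governs subdomains of the organizational domain.
    if from_domain.lower() != org_domain(from_domain):
        return tags.get("sp", tags["p"])
    return tags["p"]


if __name__ == "__main__":
    print("SPF for 203.0.113.9:", check_spf(SPF_RECORD, "203.0.113.9"))
    tags = parse_dmarc(DMARC_RECORD)
    print("From: example.com, SPF passed for an unrelated domain ->",
          dmarc_disposition(tags, "example.com", "pass", "bulk-sender.example", "none", None))
```

The second call in the `__main__` block is the case that explains why DMARC exists: a message whose envelope sender passes SPF for some unrelated domain while the From: header shows yours. SPF and DKIM are both satisfied with that; only the alignment check rejects it.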
5. Don’t look at the perimeter. Look from inside out.
Don’t rely on perimeter security as your only line of defence any more. Assume you’ve been breached, and focus on detection instead of prevention. Breach detection is a topic in and of itself, and is beyond the scope of this one post. I’ll write about it another day.
Given all the recent high profile breaches we’ve been hearing about, having a breach no longer carries the stigma it once did. The rules of the game have changed. It’s now more about how you handle it. Have a plan for what to do once you’re breached, and get sign-off from management. Make it part of your DR plan. Know your critical assets, know how you want to keep them safe, and know what to do if the bad guys or girls get in.
6. Educate your users
Much easier said than done, but this one goes a long way in helping keep your environment safe.
- Don’t check Facebook on your cash registers. Why do your cash registers have access to Facebook anyway?
- Stop visiting random websites. Stop clicking random links in your email.
- Wi-Fi in public spaces can be dangerous. Basically, be mindful of what you’re doing online.