For some businesses, security is usually
not the first priority; at best it might be an afterthought and at
worst, it’s a neglected chore. Proactive security must not interfere
with business processes, but must work in line with processes to
mitigate risks and manage vulnerabilities.
A wonderful article by Wendy Nather expands on the issue of security in the “IT hierarchy of needs.”
We’ll examine the steps businesses can take to harden their security
posture, while keeping options open for growth and expansion:
Asset Discovery
Decrease the risk of a compromise by taking inventory of all
machines, including mobile devices. Choose a discovery/audit tool and
implement a process for on-boarding new devices, while maintaining a
record of existing assets.
Software Auditing
Build a list of all approved applications deployed across the
enterprise and create a plan to rapidly apply security updates. Use
tools that will track installed software; continuously monitor for
unauthorized software installs and develop a plan to remove unwanted
software.
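The audit described above can be sketched as a comparison between an inventory export and the approved list. This is an added example, not part of the original article; the package names, minimum versions, host names and the `audit` and `parse_version` helpers are all constructed for illustration.

```python
"""Software audit sketch: compare per-host inventory against an approved list."""
from dataclasses import dataclass

# Constructed approved-software list: package name -> minimum patched version.
APPROVED = {
    "acme-crypto": "3.0.13",
    "acme-browser": "115.9.0",
    "acme-zip": "23.1",
}

# Constructed inventory rows, shaped like an inventory tool's export:
# (hostname, package name, installed version)
INVENTORY = [
    ("ws-001", "Acme-Crypto", "3.0.13"),
    ("ws-001", "Acme-Browser", "115.10.0"),
    ("ws-002", "acme-browser", "102.4.0"),
    ("ws-002", "p2p-client", "3.6.0"),
    ("srv-01", "acme-zip", "23.1"),
    ("srv-01", "acme-crypto", "3.0.9"),
]

@dataclass(frozen=True)
class Finding:
    host: str
    package: str
    installed: str
    status: str          # "unauthorized" or "needs_update"
    required: str = ""   # minimum version, set only for "needs_update"

def parse_version(text):
    """Turn '3.0.13' into (3, 0, 13) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))

def audit(inventory, approved):
    """Return findings for software that is unapproved or below its minimum version."""
    findings = []
    for host, name, version in inventory:
        key = name.strip().lower()  # inventory sources differ in name casing
        if key not in approved:
            findings.append(Finding(host, key, version, "unauthorized"))
        elif parse_version(version) < parse_version(approved[key]):
            findings.append(Finding(host, key, version, "needs_update", approved[key]))
    return findings

if __name__ == "__main__":
    for f in audit(INVENTORY, APPROVED):
        print(f"{f.host:8} {f.package:14} {f.installed:10} {f.status} {f.required}")
```

Note the numeric version comparison: a plain string comparison would rank 3.0.9 above 3.0.13 and miss the out-of-date install on srv-01.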
Base Configuration
Identify the minimum-required services and settings needed on a base
system or network appliance, and build those images using
vendor-recommended best practices. Use a System Configuration solution to
securely manage images. Research known OS or software exploits and
mitigate any weaknesses in the image caused by misconfiguration. Develop
a protocol for continuously updating the base configuration with
software and OS patches.
Vulnerability Scans
Find a vulnerability scanning tool that matches the needs of your
enterprise. Perform regular scans of all devices, including network
appliances. Set a time frame within which risks must be mitigated, based on
severity. Keep anti-malware software updated across the enterprise.
Leverage the Common Vulnerabilities and Exposures (CVE) database as a
guide to understanding the severity of a bug; several sites host CVE
data, including CVEDetails.
Risk Profiling via Security Controls
In his post on prioritizing critical security controls,
Tripwire CTO Dwayne Melancon shared a valuable slide detailing the Top
20 Critical Controls as they can be generally applied to any size
enterprise. The graphic provides a great overview of how security
controls can be standardized to fit within any organization.
Hold mandatory staff computer safety courses
Educate users on the common email social engineering tricks used by
hackers. Teach them how to spot when a website form is being sent
encrypted versus unencrypted, especially when entering private
information or payment data into a web form.
Control Internet Access
Use a content gateway to restrict and monitor Internet access. A
content gateway not only stops access to known bad sites but can also be
configured to block high network bandwidth traffic, such as streaming
video and Internet radio.
Secure the Network
Install an Intrusion Prevention System (IPS) for proactive real-time
monitoring of network traffic. An IPS scans network activity and can be
configured in-line to block malicious traffic.
Invest in a Data Loss Prevention solution
These can either be network- or endpoint-based, and they work by
detecting and blocking breaches of sensitive data. Correctly configured,
a DLP prevents unauthorized attempts to transmit protected company
data.
By following these best practices, you can help keep your business safe while remaining competitive and prepared for future growth.