BreachExchange mailing list archives

Back To Basics: 10 Security Best Practices


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 4 Sep 2015 14:09:28 -0600

http://www.darkreading.com/operations/back-to-basics-10-security-best-practices/a/d-id/1322053

"We need the latest security technology in order to protect our network
against sophisticated attacks."

That’s a quote I’ve heard all too often, but those shiny new toys are not
always the best use of your money – or your security staff’s time.

Despite the media hype, the biggest threats to your enterprise data assets
are actually from the same old threats that we were worried about last
year, five years ago, and in many cases even a decade ago. Only a handful
of attacks truly use sophisticated “Mission Impossible” techniques, so the
shiny new tools may do more harm than good at protecting your organization.

First, precious IT time is needed to learn, deploy, and adapt these new
tools to your environment – time that could be better spent maximizing the
benefits of your existing tools. Second, these new tools will likely
overload staff with even more alerts and anomalies, and your already
overwhelmed staff may not have the skills or the time to analyze,
prioritize, and address them.

So before investing in new tools, here are 10 security best practices to
help protect your organization with the techniques and technologies you
likely already have in place. These best practices should be common
knowledge, but unfortunately they are hardly common practice.

#1. Patch. Despite the hype, most attacks exploit known vulnerabilities.
Make sure you are investing adequate time in patching your systems. It’s
not glamorous, but it is extremely effective.

#2. Limit. Like making too many master keys to a building, you shouldn’t
give admin rights to too many individuals. Make sure that anyone with
privileged rights to the enterprise infrastructure and the security policy
is truly trusted and keep an eye on them. What is true for people also
holds true for network traffic. Make sure you do not have any overly
permissive firewall rules (e.g. ANY/ANY) that allow traffic without any
business justification.

#3. Check. Data theft by insiders can be costly, or even calamitous. So
while you’re looking at network policies, verify the outbound access you
allow employees to have while on your network. Lock down everything that’s
not needed. For example, if your company doesn’t use Dropbox or Google
Drive, lock them out.

#4. Segment. Network segmentation remains an important strategy to contain
attacks by limiting the lateral movement of attackers. Understand where
your critical data is stored, and use firewalls to limit traffic to and
from those network segments.

#5. Automate. Your attackers are using automated tools to scan ports and
identify misconfigured devices, so how on earth do you stand a chance if
you attempt to do this work manually? Automating mundane security tasks
such as analyzing firewall changes and device configurations not only
mitigates manual errors, it also frees up precious time to focus on more
strategic security initiatives.
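The two points above (limiting overly permissive rules such as ANY/ANY, and automating the review of firewall changes) can be combined into one small check. The script below is an added example, not code from the article or from Dark Reading; it assumes a hypothetical whitespace-separated rule format (name, action, source, destination, port) and uses constructed sample rule sets. It flags allow rules whose source and destination are both "any" (or a /0 network), and reports which rules were added, removed or changed between two versions of the rule set, the kind of output a change-review job could post for a human to approve.

```python
"""Audit a firewall rule set for ANY/ANY allow rules and report changes
between two versions. Rule format and sample data are constructed for
this example; adapt parse_rules() to your own export format."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # CIDR, single address, or "any"
    dst: str      # CIDR, single address, or "any"
    port: str     # port number, or "any"


def parse_rules(text):
    """Parse the hypothetical 'name action src dst port' format."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, action, src, dst, port = line.split()
        rules.append(Rule(name, action.lower(), src.lower(), dst.lower(), port.lower()))
    return rules


def is_any(field):
    """True for the literal 'any' or a network covering all addresses (/0)."""
    if field == "any":
        return True
    try:
        return ipaddress.ip_network(field, strict=False).prefixlen == 0
    except ValueError:
        return False


def overly_permissive(rules):
    """Return (rule name, reason) for allow rules that need business justification."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if is_any(r.src) and is_any(r.dst):
            findings.append((r.name, "ANY/ANY allow"))
        elif is_any(r.src) and r.port == "any":
            findings.append((r.name, "any source, all ports"))
    return findings


def diff_rules(old, new):
    """Compare two rule sets by rule name; a changed rule is one whose fields differ."""
    old_by = {r.name: r for r in old}
    new_by = {r.name: r for r in new}
    common = set(old_by) & set(new_by)
    return {
        "added": sorted(set(new_by) - set(old_by)),
        "removed": sorted(set(old_by) - set(new_by)),
        "changed": sorted(n for n in common if old_by[n] != new_by[n]),
    }


# Constructed sample rule sets: the "before" and "after" of a change request.
OLD_RULES = """
# name          action  src            dst            port
web-in          allow   any            10.0.1.0/24    443
db-from-web     allow   10.0.1.0/24    10.0.2.0/24    5432
mgmt-all        allow   0.0.0.0/0      0.0.0.0/0      any
egress-dns      allow   10.0.0.0/8     any            53
default-deny    deny    any            any            any
"""

NEW_RULES = """
# name          action  src            dst            port
web-in          allow   any            10.0.1.0/24    443
db-from-web     allow   10.0.1.0/24    10.0.2.0/24    5432
mgmt-all        allow   10.0.9.0/24    10.0.0.0/8     22
egress-dns      allow   10.0.0.0/8     any            53
file-share      allow   any            any            445
default-deny    deny    any            any            any
"""


def review(old_text, new_text):
    """Produce the report a change-review job would attach to a ticket."""
    old, new = parse_rules(old_text), parse_rules(new_text)
    return {"diff": diff_rules(old, new), "findings": overly_permissive(new)}


if __name__ == "__main__":
    report = review(OLD_RULES, NEW_RULES)
    print("Changes:", report["diff"])
    for name, reason in report["findings"]:
        print(f"REVIEW: rule '{name}' is {reason}")
```

Run on the constructed sets, the report shows that the change narrowed the old ANY/ANY "mgmt-all" rule but introduced a new ANY/ANY "file-share" rule, which is exactly the kind of regression a manual review tends to miss when it only looks at the rule being discussed.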

#6. Visualize. You can’t secure what you can’t see. With the complexity of
today’s networks and applications, it’s very difficult to understand the
impact of a security policy change (such as adding a firewall rule) on
business applications. This complexity coupled with a lack of visibility
can have serious implications on security. So make sure you have complete,
up-to-date visibility of your enterprise network and active monitoring of
system configurations.

#7. Document. Make sure to document your security policies in a knowledge
database so that network admins, security staff, and even application teams
understand exactly what is going on – and why. This is particularly
important when setting up rules to support new applications, because when
an application is decommissioned or moved, you’ll want to reverse that
rule. But you won’t be able to do so if you don’t know about it.

#8. Align. Security teams are not always in alignment with other teams such
as operations, and this misalignment can be even greater with the business
side of the house. Make sure security is integrated into operations and
business processes as early as possible. Failure to do so will perpetuate
the situation where security is “bolted on” as an afterthought, and is
perceived as an inhibitor to the business rather than an enabler.

#9. Educate. Security awareness should be part of your business’ DNA, and
practiced both top-down and bottom-up. This is where an ounce of prevention
is worth a pound of cure: Have a well-organized, well-understood,
well-maintained, and well-monitored security policy for both insiders and
outsiders, and make sure they undergo periodic training.

#10. Measure. Make sure you define metrics that are meaningful and can help
you assess your security posture over time. With increased attention (and
often increased budget) from the Board comes increased responsibility to
demonstrate accountability.

As security practitioners, our job is to minimize business risk. We’ll get
the most impact, and do the most to keep our organizations, users, and
customers safe, by focusing on the fundamentals. Getting back to basics is
the best way to cover your security bases.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 