Securing SaaS Applications: How to Secure the Cloud

Security in the cloud is a shared responsibility: Cloud Security, DNS, IaaS PaaS Saas

 

More organisations are adopting a cloud strategy to leverage cloud services and enjoy the associated speed of development and deployment. One of the biggest challenges, however, is creating the balance that provides an appropriate level of governance over the use of cloud applications that still empowers users to leverage these services.

 

We recently highlighted a news article (read it here) about a tool that was able to trawl through Amazon Web servers and access potentially sensitive data hosted by a number of organisations. The tool highlighted flaws in the configuration of servers in the cloud. This is a good example possibly of a rush to deployment that left good cyber security practices behind.


In this blog series, we have discussed the need for a pervasive cloud centric cyber security approach that not just protects the user but also the data.

 

Cloud service providers are responsible for the security of their infrastructure, while organisations that use those services are responsible for user activities on top of that infrastructure. Cloud service providers will build security into their platforms and environment, however, if the data is being accessed by the wrong person or used inappropriately, they will not be aware of that. Additionally, they do not know what applications an organisation has approved or disallowed. 

 

The cloud centric security approach, therefore, needs to have extensive visibility of who is accessing applications and data and how they are using it. The security approach must have the ability to identify malicious infrastructure and protect sensitive data from it. Compromised accounts need to be identified as well as potential malicious insiders. The emerging security tool that addresses this security concern is the cloud access security broker (CASB).

 

A cloud access security broker helps organisations address a range of cloud security vulnerabilities by providing visibility into the applications in use, profiling them from a risk perspective, and enforcing policies especially around data loss prevention (DLP) and user activity.

 

A good CASB implementation will also provide for the retrospective discovery of sensitive data and malware in cloud applications. The CASB should also integrate with network based entities to give visibility into real time data, threats in motion, as well as preview historical use of cloud applications.

 

In our next episode, we will take a deeper look at CASB and how they can work more effectively with other security tools to secure the cloud.

Free eBook: A View of the Cybercrime Threat Landscape

 

$2,235,018 per year

The average amount SMBs spent in the aftermath of a
cyber attack or data breach due to damage or theft of IT
assets and disruption to normal operations.

The amount is staggering, and enough to jeopardize the viability of
many companies. Yet the business benefits that come with the internet,
Cloud computing and other applications are impossible to forego
and remain competitive.

That’s why business owners and executives are asking one question:

  • Is our internet safe?

If your service provider can’t demonstrate how it is making you
company less likely to become a victim of cybercrime, then it is time
to consider alternatives.

In this eBook, we’ll outline what companies are up against
today, and how Cisco Umbrella can help bring you peace of mind.

Download the eBook here!

What Next?

 

Trial Cisco Umbrella for 14 Days, completely free and no obligations!

If you have read the last few updates you should now have a deeper understanding of Cloud Security, that’s great! But what can YOU do about it? 

We are offering a 14 day trial of Cisco Umbrella, the industry’s first Secure Internet Gateway in the cloud.

Cisco Umbrella provides the first line of defence against threats on the internet. Because Umbrella is delivered from the cloud, it is the easiest way to protect all of your users in minutes.

It takes no time to install and you don’t have to provide any payment details (or even have a phone call).

So what have you got to lose? 

Click here to start your trial! 

See how easy Umbrella is to installwatch this video 

Want a Quick Win? Secure your DNS

 

Ransomware is currently the number one form of cyber attack due to its profitability and simplicity in execution. It is now evolving as a business model where any ‘Joe Bloggs’ can buy ransomware code for a monthly fee – ransomware as a service. Ransomware thrives partly because of bitcoin and the associated anonymity of attackers who get paid via an untraceable cryptocurrency transaction. The stages of a typical ransomware attack include;

 

  • Stage 1 – Infection

Ransomware always starts with some host infection of malware via phishing attacks, or a website hosting malware

 

  • Stage 2 – Command and control setup stage

This handles the key exchange process to encrypt the files on the infected host

 

  • Stage 3 – Extortion stage

Payment of the ransom and then ‘hopefully’ getting the key to decrypt the encrypted files.

 

Ransomware is constantly evolving and not being breached yet is no guarantee that it won’t happen in the future.

 

Many organisations are using hope and anonymity as a risk mitigation strategy against ransomware – assuming they are small and have not been attacked yet. The fact is that the supply chain is now an increasing focus of malware attacks as a means of accessing valuable data through the back door of larger enterprises.

 

 

Anti-Ransomware Best Practices

 

As with every effective security approach you need a policy and a risk assessment of the threats so this is a given before we get into the type of approach and solutions that need to be in place. Please see some of our previous blogs or check out the NCSC website for some invaluable resource.

 

Phishing can be very sophisticated making it hard to tell if a link is bad or not. Effective protection cannot rely solely on end users, it must be engineered into the system with the right protection mechanisms correctly configured.

 

To start off with you need good anti-spam, anti-phishing and web controls to control the Internet traffic, this could be incorporated into a good endpoint protection solution. Use an email and malware analysis gateway to inspect executables for malware. The gateway should be configured to block files if there is any doubt about it’s authenticity. It is better to stop/delay web downloads so that they can be inspected and properly classified than to run the risk of infection.

 

78% of attacks exploit phishing so it is a good thing to correlate known exploits to the vulnerabilities in your organisation and prioritise patching based on known exploits.

Use network analysis and visibility tools to analyse traffic on the network so you can see what is changing and be alerted to abnormal behaviour.

 

If you do get infected, have effective Backup and DR policies and processes, and ensure that the recovery procedure has been tested and works.

 

DNS Security is the Quick Win

 

92% of cyber attacks make use of DNS at some stage or another through the execution of the attack. DNS is therefore the greatest opportunity to secure your network while having an immediate impact.

 

What if your systems know that a website url a client is trying to access via DNS resolution is a bad site, hosting malware. You could just block it and prevent any interaction with the malware in the first place. This form of protection can be immediate with no impact on client or application performance.

 

A web based infection is usually a 2 step process –  which redirects your web browser to another domain created using an exploit kit which finds a vulnerability in say Flash or Silverlight. The malware will then do a command and control (CnC) call back using DNS resolution to get an encryption key. Until the CnC connection happens there is no damage created.

 

Analysis has shown that most ransomware does a DNS call back, ransomware payment notification also uses DNS. The ability therefore to block a malware connection via DNS security at one or another step of the malware execution process can therefore prove to be the most effective way to implement malware protection.

 

An effective DNS security protection control can have the ability to identify the endpoints attempting the malware connection and therefore feed into the clean-up and mitigation plan.

 

An important service in addition to the above is the ability to query domains and file hashes from a central intelligence platform that has up to the  minute data on the bad domains so that your security incident response team has the ability to conduct intelligent investigations independently of any infections. For instance if you keep doing a DNS query for a site in Russia and you don’t have any business relationship in Russia, that’s something that you should query.

 

Another challenge is the decentralised nature of organisations due to remote working and the increasing importance of branch offices. Mobile devices such as laptops are the primary devices where user changes could compromise security. Around 80% of remote workers disable their VPNs when they browse the web. A DNS based security mechanism can help to maintain the security posture where these remote workers able to still make use of this form of protection even when they disable their VPNs. DNS security can protect any device including IoT, guest devices and roaming clients.

 

Correct implementation of DNS security could make it the first line of defence even before a connection is established by checking the DNS request and blocking bad sites. This will help the IT teams by freeing them up from a large number of alerts that would be generated if the malware had been downloaded.

DNS Security – The Forgotten Lynchpin

 

So it’s all happening in the cloud. Wholesale adoption of cloud services is now a business imperative as the opportunities and benefits of SaaS become ever clearer.

Here are some numbers though that tell us not only what’s happening but also some concerns that we need to have at the forefront of our minds.

  • 82% of mobile workers admit they always turn off their VPN
  • 15% of command and control threats evades web security
  • 60% of attackers penetrate an organisation in minutes and steal data in hours
  • 100 days is the average detection time for an attack
  • 100% of networks interact with malware sites
  • 92% of attacks make use of DNS

Clearly, there is a wide range of threats that organisations need to address in crafting and implementing an effective approach to cyber security. One area that has and is receiving very little attention is the area of DNS.

DNS is the most ubiquitous protocol on the Internet and is deployed in literally every connection that takes place whether surfing a website, watching youtube videos or accessing corporate cloud applications. This ubiquitous use of DNS means that it is also involved in some very undesirable connections to sites like malware sites, known bad sites, command and control centres etc. Other attacks have involved data exfiltration in packets disguised as DNS.

The fact that DNS is involved in around 92% of web attacks strongly suggests that it is an area that is worthy of further efforts in the fight against cyber attacks. DNS is one of those protocols that just works in the background like a utility and as long as resolution is working then no one pays attention to it. DNS is a lynch pin, if it doesn’t work then most applications will stop working and the IT services will grind to a halt. It is vital therefore that DNS gets more prominence and is monitored and secured to ensure continued running of services.

 

Tackling DNS Security 

DNS should be elevated from a connectivity item to a network security component vital to the operation of the organisations IT. DNS monitoring and the implementation of an active security policy that cannot be circumvented by staff can have untold security benefits. Such an approach could be used to block malware and phishing attacks in real time as opposed to after the event. Also, the use of DNS to resolve requests for known malware sites could also prevent attacks before they happen. The DNS controls could hold a regularly updated list of known malware sites and block devices from accessing these sites. Active monitoring could also provide valuable information about whose machine has been compromised and where they are connecting from.

DNS monitoring can also provide a baseline of what normal behaviour looks like for your organisation. Anomalous behaviour is, therefore, easier to detect and acted on. A number of high profiles sites such as Tesla, that have been hacked could have been prevented if the DNS records were being monitored and these organisations were then able to detect and block changes to their DNS records.

Visibility of who is connecting to what site is also a great benefit of DNS monitoring. The explosive growth of IoT devices poses significant threats if they are not properly secured. DNS security could play a vital role by enforcing policy e.g. if the CCTV network should be blocked from Internet access, DNS security controls could prevent these devices being used as a backdoor that could be used for malware propagation or data exfiltration.

Failing to monitor and control DNS is a lost opportunity not only to secure your organisation’s network but also to gain visibility into who is doing what.

GDPR: 9 Steps to Implement a Security Mgmt Tool

Download the PDF Version (GDPR Get Prepared SIEM Checklist)

Background

The General Data Privacy Regulation (GDPR) officially known as REGULATION (EU) 2016/679, will come into force on 25thMay of 2018. The regulation covers the protection of natural persons with regard to the processing of personal data and on the free movement of such data. The regulation builds on existing data protection regulations such as the UK Data Protection Act 1998, the Belgian Privacywet, or the German Bundesdatenschutzgesetz (BDSG).

The regulation will affect the vast majority of businesses as most businesses today hold personal data, even if it’s only HR data. A significant change is that it will put data processors under significantly more legal liability if a breach occurs.

Breaches will need to be reported within 72 hours and must include information such as;

  • The nature of the personal data breach including, where possible:
  • A description of the likely consequences of the personal data breach; and
  • A description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects.

 

If the breach is sufficiently serious to warrant notification to the public, the organisation responsible must do so without undue delay.

In light of the tight timescales for reporting a breach – it is important to have robust breach detection, investigation and internal reporting procedures in place. The following sections of this booklet outlines a checklist to implement a robust security and event management platform that will be a core component of a GDPR compliant security strategy.

 

  1. Implement a Security and Event Management Tool (SIEM)

A SIEM is a fundamental security tool for many organisations.

Implementation of a SIEM helps companies monitor all users and system activity to identify suspicious or malicious behaviour. This is achieved by centralising logs from applications, systems, and the network and correlating the events to alert where unexpected activity is detected.

You can then investigate the cause of the alarm and build up a view of what has occurred by determining if a particular attack method was utilised, looking at related events, source and destination IP address, and other details.

Article 30 of GDPR states that each controller, and where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.

You must also take into consideration data stored or processed in cloud environments. If personal data is in the cloud, it is within the scope of GDPR, and therefore it is beneficial for the SIEM tool to maintain a record of activity across your public and private cloud infrastructure as well as on premises.

 

  1. Create a Log of Critical Assets that Store/Process Sensitive Data

GDPR covers all IT systems, network, and devices, including mobile devices, making it essential that you account for all assets across your infrastructure and understand where personal data is held.

It’s important to record all assets and locations that process or store personal data. It’s also worth noting that your company could be exposed to attacks and regulatory fines if employees process or store personal data on unapproved devices.

Without strong governance practices in place, it can be easy to lose track of assets.

It is important to sample your systems, networks, and data stores to determine if personal data is exposed outside your defined data flows and environments.

Keep in mind that this is a process. Records will need to be updated on an ongoing basis as your business and technology changes.

 

  1. Undertake Vulnerability Scanning

To identify where weaknesses exist that could be exploited

New vulnerabilities in systems and applications arise almost daily.

It is essential that your organisation stays on top of these weaknesses with regular vulnerability scanning.

These vulnerabilities may exist in software, system configuration, in business logic or processes. It is essential to consider all aspects of vulnerabilities and where they can exist.

However, simply finding a vulnerability is often not enough.

There are multiple factors that need to be considered such as whether the systems are in accordance with GDPR and what the business-criticality is, whether intrusions have been attempted, and how the vulnerability is being exploited by attackers in the wild.

Effective vulnerability assessment requires continuous scanning and monitoring of critical assets where personal data is stored or processed. It is equally as important to monitor cloud environments in addition to on-premises environments.

 

  1. Conduct Risk Assessments

To identify where weaknesses exist that could be exploited

The use of an information security framework can assist by providing a starting point for organisations to better understand the risks facing the business.

Article 35 of GDPR requires organisations to conduct a data protection impact assessment (DPIA) or similar. Whereas Article 32 of the regulation requires organisations to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”

Existing frameworks such as NIST, ISO / IEC 27001, or similar standards can assist companies in undertaking and supporting the DPIA process.

While GDPR does not specify a framework for risk assessments or threat modelling, a company’s adherence to any well-established and internationally recognised standard will make demonstrating compliance with Articles 32 and 25 much more likely in the event of a breach.

 

  1. Regularly Test

To gain assurance that security controls are working as designed, GDPR asks for a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Assessing and evaluating the effectiveness of security controls is by no means an easy feat. Usually, the larger the IT environment, the more disparate the technology stack, and the more complex the environment. Thus, the harder it is to gain assurance.

Three broad techniques exist to validate the effectiveness of security controls:

  1. Manual assurance. This involves audits, assurance reviews, penetration testing and red-team activities.
  2. Consolidated and integrated security products, so that fewer point products need to be managed and reported on.
  3. The use of automated assurance technologies.

With these methods, you can gain a measure of assurance that your systems are secured as intended. However, it is worth remembering that assurance is not a one-time effort, rather an ongoing, repeatable process.

 

  1. Ensure Threat Detection Controls are in Place

To reliably inform you in a timely manner when a breach has occurred, GDPR requires organisations to report to the regulatory body within 72 hours of being aware of the breach.

For high-risk events, the controller must notify data subjects without any delay. The typical time-to-compromise continues to be measured in minutes, while time-to-discovery remains in weeks or months. In such circumstances, it’s essential to have comprehensive threat detection capabilities that can detect issues as soon as they occur.

Threats can occur internal to the company or externally and can be on-premises or in cloud environments. This makes it important to be able to collect and correlate events quickly as well as supplement the information with reliable threat intelligence to stay on top of emerging threats.

There is not one place or tool that will be suitable for all purposes. At times a threat is discovered on the endpoint, the perimeter, or by analysing internal traffic. In this case, controls should be placed accordingly in the environment to increase the chance of detecting threats as soon as they occur.

 

  1. Monitor Network and User Behaviour

To identify and investigate security incidents rapidly, GDPR is focused on ensuring that citizen data is gathered and used appropriately for the purposes it was stated.

Therefore, it is important to focus not just on external threats or malware, but also to detect whether users are accessing data appropriately. Context is critical when evaluating system and network behaviour.

For example, an abundance of Skype traffic in the network used by your inside sales team is probably a normal part of operations. However, if the database server that houses your customer list suddenly shows a burst of Skype traffic, something is likely wrong.

There are many methods that can be deployed to monitor behavioural patterns. One method is to utilize NetFlow analysis, which provides the high-level trends related to what protocols are used, which hosts use the protocol, and the bandwidth usage. When used in conjunction with a SIEM, you can generate alarms and get alerted when your NetFlow goes above or below certain thresholds.

 

  1. Have a Documented and Practiced Incident Response Plan

To comply with GDPR regulations, organisations need to have a plan in place to detect and respond to a potential data breach to minimise its impact on EU citizens. In the case of an attack or intrusion, a streamlined incident response process can help you respond quickly and effectively to limit the scope of the exposure.

If you have unified threat detection controls and processes established to alert you to an incident, your incident response plan should be able to quickly and accurately determine the scope of impact. You should investigate all related events in the context of other activity in your IT environment to establish a timeline, and the source of attack should be investigated to contain the incident.

Once you have controlled the incident, you should evaluate if a possible breach of personal data occurred and decide if reporting is required under GDPR. Then, you should prioritise and document all response and remediation tactics. Be sure to verify that your incident response activities have successfully remediated the issue. You will need to inform the regulator of all steps taken, and where necessary, inform any affected EU citizens.

 

  1. Have a Communication Plan in place to detect and respond to a potential data breach

In the event of a breach, your organization must report to the regulatory body within 72 hours of being aware of the breach.

For high-risk events, the controller must notify data subjects without undue delay (Article 31).

The notification given is required to at least:

  • Describe the nature of the breach
  • Provide the name and contact details of the organization’s data protection officer
  • Describe the likely consequences of the breach
  • Describe the measures taken or proposed to be taken by the data controller to address the breach and mitigate its adverse effects.

Ask yourself:

  • Can I identify whether systems in scope of GDPR are affected in a breach?
  • Do I have the contact details of the regulatory body that I need to notify?
  • If need be, do I have a reliable mechanism to contact affected customers

 

Speak to one of our Experts?

We help businesses of all shapes and sizes in protecting their vital IT assets. For a consultation with our team as to how we can help protect you from a cyber breach, simply get in touch for a free, no-obligation conversation. Alternatively, our free downloadable guide offers more insight into avoiding (and surviving) a cyber-attack.

GDPR: 12 Steps That You Can Take Right Now

So now we know what it is and what it means, this week we take a look at what we should do about it. A really useful starting point is contained in the Information Commissioners website which provides a range of resources explaining GDPR and how organisations can go about preparing to comply with it.

Their 12 steps guide covers the initial activities that can be started immediately and include;

  • Awareness of Decision Makers
  • Information Audit
  • Update Privacy Notices
  • Procedures for Individual Rights
  • Subject access requests procedures
  • Consent procedures
  • Under-age Consent Procedures
  • Privacy Impact Assessments
  • Data Protection Officer
  • International Implications

The guide is summarised below for convenience.

1. Awareness 

You should make sure that decision-makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.

 

2. Information you hold

You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.

 

3. Communicating privacy information

You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.

 

4. Individuals’ rights

You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

 

5. Subject access requests

You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.

 

6. Lawful basis for processing personal data

You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.

 

7. Consent

You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.

 

8. Children

You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.

 

9. Data Breaches

You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.

 

10. Data Protection by Design and Data 

Protection Impact Assessments. You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.

 

11. Data Protection Officers

You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.

 

12. International

If your organisation operates in more than one EU member state (i.e you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.

In our next blog we will discuss some of the technical implications borne out of GDPR compliance.

 

Speak to one of our Experts?

We help businesses of all shapes and sizes in protecting their vital IT assets. For a consultation with our team as to how we can help protect you from a cyber breach, simply get in touch for a free, no-obligation conversation. Alternatively, our free downloadable guide offers more insight into avoiding (and surviving) a cyber-attack.

10 Quick Facts you need to know about GDPR

1. It is an EU regulation as of 27 April 2016. Which gives EU citizens additional privacy and rights

http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN

 

2. GDPR is legally enforceable from 25 My 2018

 

3. GDPR imposes higher fines – 4% annual global revenue or 20m euro, whichever is greater. Non-EU companies that process individual data will need to comply.

 

4. Key features

  • Obtaining permission for processing personal data must be clear and must seek affirmative response
  • Data subject has the right to be forgotten and records erased
  • Controllers must report data breach within 72 hours, unless it is low risk
  • Adequate contracts must be in place for processing data

 

5. Individual rights include

  • Correction
  • Consent
  • Access
  • Portability

 

6. Notification of Breach must include

  • How many records exposed
  • Any mitigating measures taken
  • Categories of data breached
  • Measures taken to prevent breach
  • Risks to individuals

 

7. What is a breach?

A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

 

8. GDPR will still apply despite Brexit

 

9. Regulator will have beefed up powers

  • Warnings
  • Reprimands
  • Compliance orders
  • Ban processing
  • Fines
  • Ban processing
  • Order suspension of data flows

 

10. You still have time – JUST

Start the process by auditing your data usage

https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/

 

Speak to one of our Experts?

We help businesses of all shapes and sizes in protecting their vital IT assets. For a consultation with our team as to how we can help protect you from a cyber breach, simply get in touch for a free, no-obligation conversation. Alternatively, our free downloadable guide offers more insight into avoiding (and surviving) a cyber-attack.

Nyetya Global Ransomware – actual costs

You may recall our recent blog post below which was posted in June.

A new ransomware virus variously named Nyetya, Petrwrap and GoldenEye has been spreading globally over the last 24 hours.


This virus is distinct from WannaCry and other initially suspected variants, it has some unique new features which makes it harder to detect and defend against, clearly showing that today’s malware landscape is evolving apace. This rapidly changing threat landscape has a number of factors including; leaked tools from government agencies, more advanced security controls that require advanced malware (the cat and mouse game) or just because attackers are more determined and more capable.

This and other recent virus attacks serves to reinforce the need for a defence in-depth approach to security with comprehensive controls at all levels of an organizations IT infrastructure.

Some figures have been released about the actual financial damage caused by the virus

It cost the TNT division of parcel delivery company FedEx over $300m, losses are continuing and the company has not yet fully restored its systems. At one stage they had to resort to WhatsApp for internal communication because email systems were not useable.

Shipping company Maersk has announced damage around the $300m mark also.

Reckitt Benckiser the company behind household brand names such as Dettol and Durex have also taken a massive hit announcing potential attributable losses at a minimum of $140m. This figure is due to be updated when they announce results in October.

More details about these costs and impact on the businesses can be found in the BBC article below.

View the article

With such eye-watering figures from just a few selected companies who have been transparent enough to share the information, you really wonder the full scale of damage that this and other cyber attacks have caused.

Speak to one of our Experts?

We help businesses of all shapes and sizes in protecting their vital IT assets. For a consultation with our team as to how we can help protect you from a cyber breach, simply get in touch for a free, no-obligation conversation. Alternatively, our free downloadable guide offers more insight into avoiding (and surviving) a cyber-attack.

5 Top Tips to Secure Your Business from Cyber Attacks

Security is a topic that can cover many volumes so treat the list below as just snapshot quick-fire summary. Nothing will substitute doing the hard work necessary to put together a comprehensive security policy and operational procedures to underpin it.

  1. Have a security strategy with executive level backing

It is a fundamental requirement for executives to define what the valuable assets hence what needs to be secured above everything else. The strategy will then underpin the protection of these assets via policies, procedures and governance.

  1. Design your systems with security at the core

Security has traditionally been tagged on business systems as an afterthought. As security threats are pervasive so must security mitigation. Hence security design needs to be incorporated into all elements of a business; clients, networks, services, applications and people. Some basic design techniques are listed below.

  • Segment your network into logical system based zones so you can segregate critical systems and apply network security controls to them.
  • Protect your Internet Edge but also internal traffic (east-west), cover the most used vectors of attack (email, web).
  • Pay special attention to wireless connectivity – use strong authentication based on individual credentials or personal certificates, strong encryption (AES) and proper guest/BYOD access.
  • Plan carefully home and remote users access – they should have equal security controls as users on the office network.
  • Have a central point for system monitoring (SIEM) that is integrated within your environment and provides a single point that holds all relevant logs and events for your systems.
  • Design for secure management and physical access to your IT assets.
  1. Protect your endpoints/servers

Once endpoints are compromised they can be used to propagate threats throughout the business. It is therefore critical to constantly protect endpoints and isolate that quickly if they become compromised. Endpoint protection tips include;

  • Create and maintain and policy for patching and updates – keep up to date with patches and security updates
  • Create a maintain a hardware and software repository – know what you have in your network
  • Limit user rights to do changes to endpoint
  • Access to sensitive information should be done in a secure manner and data encrypted in transit and at rest.
  • Use endpoint protection mechanism (Anti-Virus, Anti-Spyware, Software Firewalls, which support centralized management and can be integrated with your network security controls and monitoring tools
  • Regularly do backup of important data in a safe manner (encrypt and secure data in rest in motion) – mitigates the effects of ransomware attacks
  1. Train your personnel

Security is as good as its weakest link which often times are people working in the business.

Users should be made aware of the importance of security measures in place, what threats are out there and triggers that should raise their suspicion – simple things like:

  • unsolicited emails with strange hidden links – aka think before you click
  • file attachment with general but well-sounding names

Users should be given Social Engineering training and be aware of the techniques used. The training and education of personnel should be an ongoing process not a one-time thing

  1. Test, test and test!

The only way to really know your security level is to regularly test it!

Security tests should cover all parts of your environment and should be performed on procedures/processes, network equipment, endpoint systems and personnel. The range of test should include;

  • Formal security audits that would look at procedures and if they are being followed/enforced
  • Automated vulnerability assessments – usually performed every 2-3 months and done internally
  • Penetration tests – external annual security tests that usually give the most accurate information for the company’s security posture and effectiveness of all security measures deployed
  • Social engineering tests on personnel – attempts to get employees to discard sensitive information to none-authorized people either via phone or in person or to get physical access to company restricted areas

Speak to one of our Experts?

We help businesses of all shapes and sizes in protecting their vital IT assets. For a consultation with our team as to how we can help protect you from a cyber breach, simply get in touch for a free, no-obligation conversation. Alternatively, our free downloadable guide offers more insight into avoiding (and surviving) a cyber-attack.