There once was a time when up to date anti-virus, a properly configured firewall, and verified restorable backups were considered best practices in terms of protecting your business-critical data. Times have changed a lot, and if this is all you are doing to secure and protect your data and your IT infrastructure then your organization is at extreme risk.
The things you must be doing now to protect yourself in today’s new normal, in no particular order are:
- Gateway/Endpoint Integrated Protection – Separate firewall and anti-virus solutions are no longer adequate. Best practices today employ firewall and anti-virus solutions that work together synergistically and not only prevent, but respond to and mitigate attacks in the most intelligent and automatic way possible.
- Multi-Platform Backups – Single media backup solutions are highly vulnerable to encryption attacks and media failure. Current best practices around data backups fall under the 3-2-1 model which dictates at least 3 copies of the data exist, on 2 different media types, with at least 1 copy being stored off-site and fully disconnected from the network. All backups should be tested regularly to ensure they can be restored.
- Dark Web Monitoring – The typical malicious actor is in an environment on average 190 days before they are detected. In July, 2020 a live auction website discovered that over 3 million of their customer records were being sold on the dark web as a result of a breach they were otherwise unaware of. Without dark web monitoring this breach would have continued to go undiscovered, so enough said on that.
- Mobile Device Security – Cell phones, tablets and notebook computers represent unique security risks that are most often poorly controlled. Cell phones should be encrypted and controlled with remote locking and wiping features deployed. Tablets and notebooks should have local disk encryption. Wireless networks should be monitored for unrecognized devices.
- Multi-Factor Authentication – We see every day that passwords alone are totally inadequate as a mechanism for securing access to critical information. Best practices today require not only a password that is known by the user, but some sort of call-back mechanism that depends on a token that is possessed. MFA should be considered mandatory and for network access and all applications where it is supported.Vulnerability Scanning – Regular external penetration tests and internal vulnerability scanning are the only ways to see what the hackers see. These should be done at least annually with discovered vulnerabilities remediated by IT support.
- Risk Assessment – Not just for compliance anymore, NIST based risk assessments that evaluate IT policies and procedures and compare them against industry best practices will elevate an organization’s IT maturity level and insure basic operational standards are being met. These should be done by all organizations at least annually.
- User Training – The vast majority of data breaches occur as a direct result of an action taken by a user. So much so, that other avenues of payload delivery like worms and automated scripting are seldom used today. Users are the greatest risk to an organization’s data. Regular user training that incorporates simulated email phishing attacks should be required and will dramatically lower any organizations risk profile.
- Email Filtering – Most breaches today happen when a malicious payload in an email is activated. Many of these payloads are file-less, meaning nothing gets written to disk and all malicious code executes in memory, bypassing normal anti-virus operations. All incoming email should be scanned and filtered for malware before entering the environment.
- Secure DNS – DNS (or Domain Name System) is the telephone book for the internet where every request for a domain name like “GOOGLE.COM”, is translated to the IP numbers the computers themselves use to talk to each other. DNS redirection attacks exploit this service to send your users to malicious websites without their knowledge. Secure DNS services ensure that your users are not being redirected to known bad locations.
- Automated Updates – Security holes are constantly being found and fixed, with application and system vendors constantly releasing a stream of fixes and patches that must be applied for a system to be secure from known vulnerabilities. Every single system is a point of failure if security patches and updates are not current, requiring automated solutions to guarantee updates are applied in a timely manner.
- Cyber Insurance – Every entity should carry cyber insurance to protect them from the financial impact of a data breach. Individual policies can vary widely regarding what is and what is not covered. For example, some companies have refused claims if the insured failed a cybersecurity health check. Other claims have been denied after ransomware attacks due to extortion exclusions written into the policy. Review all cyber insurance policies carefully with legal counsel to be aware of potential shortfalls or gaps in coverage.
- Active Event Monitoring – All of the components of your IT environment generate a tremendous amount of log data. This data can be ingested and analyzed to spot malicious activity both inside and outside of the environment, but doing so requires a 24×7 Security Operations Center (SOC) team that constantly monitors and analyzes this mountain of data, triages events and communicates any findings with your local IT support team for remediation. The bad guys are working hard 24×7 to find ways to attack you, requiring 24×7 solutions to defend against them.
This list is the entry point to creating a secure IT environment in the new normal. Anything less than this full list leaves you highly vulnerable to the advanced tactics and sophistication in use by attackers today. Verify with your IT support that these things are being done or you may find yourself the next business in the newspaper for all the wrong reasons.