Ten Tips: Best Practices in Information Security
Security gaps can hurt your business's most valuable asset, its information, but small changes in attitude and modest investments can minimize the risks.
The maxim holds: companies need extreme security measures to combat extreme threats. With that in mind, here are 10 best practices that can protect your company against a significant share of digital security threats.
Corporate security consumes a huge amount of time, money and human resources. Security software vendors therefore publish annual reports, such as Symantec's "Internet Security Threat Report", which highlight current threats and trends as well as ways to prevent and remediate attacks.
From these reports I have selected the 10 best practices that address the major categories of security breach they identify, leaving out those that are obvious and those that do not work in practice. The list focuses on corporate security, although some items apply equally to home or personal settings. They are:
- Data encryption: Data stored on internal and, above all, external disks, system files, and any remote access to or exchange of information with the company must be encrypted. Encryption is essential for protecting sensitive data and helps prevent data loss when equipment is stolen or lost. Remember: information is the company's most valuable asset, and encryption today is cheaper and more commonplace than you might think. One caveat: encryption at rest protects against loss of the device, not against a logged-in user or malware running on a machine that already holds the key, so key management matters as much as the cipher.
- Use TLS certificates on all your sites: Terminate TLS on devices such as routers or load balancers rather than on the web servers themselves, as is still traditionally done in much of the market. Always obtain certificates from trusted certificate authorities. Note that if you terminate TLS at the load balancer, the hop from the load balancer to the web server is cleartext unless you re-encrypt it.
- Implement DLP (Data Loss Prevention) and auditing: Use data loss prevention and file auditing to monitor, alert on, identify and block data flows inside and outside your network. Some security suites already include this feature natively; the challenge is breaking the paradigm, or even the resistance, around its use.
- Implement a strict policy for removable media: Restrict or limit the use of USB drives, external hard disks, USB flash drives, external DVD recorders and any other recordable media. These devices facilitate security breaches in both directions, from the inside out and from the outside in. According to the Ponemon Institute study "Job at Risk = Data at Risk", which surveyed 945 people who had left their companies in the previous 12 months, the rate of information theft among employees who were dismissed or asked to leave was 69%, and 67% of respondents said they had used confidential information from their former companies to re-enter the job market.
- Secure your sites against MITM [1] (man-in-the-middle) attacks and malware infections: Use TLS (SSL) everywhere; scan your site daily for malware; set the security flags (Secure, HttpOnly) on all session cookies; use Extended Validation certificates.
- Use spam filters on e-mail servers: Use spam filters such as SpamAssassin to keep unwanted e-mail out of users' inboxes rather than relying on junk folders. Prevention also depends on education, so teach your users how to recognize unwanted or suspicious messages, even when they appear to come from a trusted source, through corporate communication campaigns and/or internal webinars.
- Use a complete endpoint solution: Vendors recommend a multi-layered product to prevent malware infections on users' equipment. Today, antivirus software alone is no longer synonymous with protection; a personal firewall and host intrusion detection are also needed for what I would call a minimally secure suite.
- Security through both software and hardware: Use firewalls, antivirus servers, intrusion detection devices, honeypots [2] and continuous monitoring to track DoS (Denial of Service) attacks, virus signatures, unauthorized intrusions, port scans and other attacks and attempts to breach corporate security.
- Keep security patches up to date: Some antivirus programs update automatically every day. Make sure your security software and hardware carry the latest anti-malware signatures and patches, and apply the same discipline to operating systems and applications, which are what attackers actually exploit. If for some reason you have to disable automatic updates, run a system check regularly and have at least a minimal remediation plan for the worst case.
- Educate your users: As stated above, security depends on education, so user awareness is certainly the most important "free software/hardware" solution. An informed user behaves more responsibly and puts company data at less risk, whatever their level in the organization.
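The data-encryption item above says disks and exchanged files must be encrypted but does not show what "encrypted" should mean in practice. The following Go program is an added example, not code from the original article: it encrypts a record with AES-256-GCM (authenticated encryption), stores the nonce alongside the ciphertext, binds a file label to the ciphertext as associated data, and shows that a single flipped bit makes decryption fail outright instead of returning corrupted data. The key here is generated at random for the demonstration; in a real deployment it would come from a KMS, HSM or a passphrase run through a KDF. The sample record is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh random 256-bit key. Assumption for this example
// only: real keys live in a KMS/HSM, never in source or next to the data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM. A random 12-byte nonce is
// prepended to the output so only one blob has to be stored; associated
// (e.g. a file name) is authenticated but not encrypted, so the blob cannot
// be silently moved to a different file.
func Encrypt(key, plaintext, associated []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to nonce: result is nonce||ciphertext||tag.
	return gcm.Seal(nonce, nonce, plaintext, associated), nil
}

// Decrypt reverses Encrypt. Any change to nonce, ciphertext, tag or the
// associated data makes Open fail, and nothing is returned in that case.
func Decrypt(key, blob, associated []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, associated)
	if err != nil {
		return nil, errors.New("decryption failed: wrong key or data tampered with")
	}
	return pt, nil
}

func main() {
	key, _ := NewKey()
	// Constructed sample record standing in for a file on a laptop disk.
	record := []byte("customer=acme;iban=DE00 0000 0000 0000 0000 00")
	label := []byte("crm-export.csv") // bound to the ciphertext as associated data
	blob, _ := Encrypt(key, record, label)
	fmt.Printf("stored %d bytes (nonce+ciphertext+tag)\n", len(blob))

	back, err := Decrypt(key, blob, label)
	fmt.Printf("decrypt ok: %v %q\n", err == nil, back)

	blob[len(blob)-1] ^= 0x01 // flip one bit of the tag
	_, err = Decrypt(key, blob, label)
	fmt.Println("tampered blob rejected:", err)
}
```

GCM is used rather than a bare block mode because it authenticates as well as encrypts: without the tag, a stolen disk could be modified and the modification would go unnoticed on decryption.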
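The item on securing sites against man-in-the-middle attacks says to "set security flags for all session cookies" without naming them. This Go program is an added example, not the article's own code: it places a framework-default session cookie next to a hardened one and includes the check a practitioner would run against a login response. The handler names, cookie value and URL are made up for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// WeakSessionHandler emits the kind of cookie many frameworks produce by
// default. It is sent over plain HTTP (readable by a man-in-the-middle on
// the cafe Wi-Fi), readable by page scripts (exfiltrable via XSS) and
// attached to cross-site requests.
func WeakSessionHandler(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, &http.Cookie{Name: "session", Value: "abc123", Path: "/"})
	fmt.Fprintln(w, "logged in")
}

// HardenedSessionHandler sets the protective attributes: Secure keeps the
// cookie off cleartext connections, HttpOnly hides it from document.cookie,
// SameSite=Strict stops browsers attaching it to requests started by other
// sites, and the __Host- prefix makes browsers refuse the cookie unless it
// is Secure, has Path=/ and no Domain, so a subdomain cannot overwrite it.
func HardenedSessionHandler(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, &http.Cookie{
		Name:     "__Host-session",
		Value:    "abc123",
		Path:     "/",
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteStrictMode,
		MaxAge:   3600, // bounded lifetime instead of "remember me forever"
	})
	fmt.Fprintln(w, "logged in")
}

// CookieFlags drives a handler with an in-memory request and reports the
// Set-Cookie header plus whether it carries the three protective attributes.
// The same check can run in CI or against a captured response from a site.
func CookieFlags(h http.HandlerFunc) (header string, secure, httpOnly, sameSite bool) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "https://example.test/login", nil)
	h(rec, req)
	header = rec.Header().Get("Set-Cookie")
	lower := strings.ToLower(header)
	secure = strings.Contains(lower, "; secure")
	httpOnly = strings.Contains(lower, "; httponly")
	sameSite = strings.Contains(lower, "; samesite=strict") || strings.Contains(lower, "; samesite=lax")
	return header, secure, httpOnly, sameSite
}

func main() {
	handlers := map[string]http.HandlerFunc{
		"weak":     WeakSessionHandler,
		"hardened": HardenedSessionHandler,
	}
	for name, h := range handlers {
		hdr, s, ho, ss := CookieFlags(h)
		fmt.Printf("%-8s %s\n         Secure=%v HttpOnly=%v SameSite=%v\n", name, hdr, s, ho, ss)
	}
}
```

The flags complement TLS rather than replace it: Secure only stops the browser from sending the cookie over HTTP, so the site still has to redirect HTTP to HTTPS (and ideally send HSTS) or the first request leaks anyway.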
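The software-and-hardware item above calls for monitoring that tracks port scans, but it does not say what a port scan looks like in the data you actually have. This Go program is an added example rather than anything from the article: it runs a simple detector over constructed firewall drop lines (the `timestamp DROP src=... dst=... dport=...` format is invented for the example) and flags any source that touches at least `minPorts` distinct destination ports within a sliding time window. The sample includes a fast scanner, a host legitimately retrying one port, and a slow scanner that only shows up when the window is widened, which is the tuning trade-off a detection engineer has to make.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// sampleLog is a constructed set of firewall drop records in a made-up
// format. 10.0.0.7 probes many ports in a few seconds, 10.0.0.9 retries a
// single port, and 10.0.0.12 probes one port per minute (a slow scan).
const sampleLog = `2014-06-16T10:00:00Z DROP src=10.0.0.7 dst=192.168.1.10 dport=21
2014-06-16T10:00:00Z DROP src=10.0.0.7 dst=192.168.1.10 dport=22
2014-06-16T10:00:01Z DROP src=10.0.0.7 dst=192.168.1.10 dport=23
2014-06-16T10:00:01Z DROP src=10.0.0.9 dst=192.168.1.10 dport=443
2014-06-16T10:00:01Z DROP src=10.0.0.7 dst=192.168.1.10 dport=25
2014-06-16T10:00:02Z DROP src=10.0.0.7 dst=192.168.1.10 dport=80
2014-06-16T10:00:02Z DROP src=10.0.0.9 dst=192.168.1.10 dport=443
2014-06-16T10:00:03Z DROP src=10.0.0.7 dst=192.168.1.10 dport=110
2014-06-16T10:00:03Z DROP src=10.0.0.7 dst=192.168.1.10 dport=143
2014-06-16T10:00:04Z DROP src=10.0.0.9 dst=192.168.1.10 dport=443
2014-06-16T10:00:09Z DROP src=10.0.0.7 dst=192.168.1.10 dport=3389
2014-06-16T10:00:30Z DROP src=10.0.0.12 dst=192.168.1.10 dport=22
2014-06-16T10:01:30Z DROP src=10.0.0.12 dst=192.168.1.10 dport=23
2014-06-16T10:02:30Z DROP src=10.0.0.12 dst=192.168.1.10 dport=80
2014-06-16T10:03:30Z DROP src=10.0.0.12 dst=192.168.1.10 dport=443
2014-06-16T10:04:30Z DROP src=10.0.0.12 dst=192.168.1.10 dport=8080
not a log line at all`

type event struct {
	ts    time.Time
	src   string
	dport int
}

// parseLine extracts one event; malformed lines are reported as not ok and
// skipped rather than aborting the whole run.
func parseLine(line string) (event, bool) {
	f := strings.Fields(line)
	if len(f) != 5 || f[1] != "DROP" {
		return event{}, false
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return event{}, false
	}
	port, err := strconv.Atoi(strings.TrimPrefix(f[4], "dport="))
	if err != nil {
		return event{}, false
	}
	return event{ts: ts, src: strings.TrimPrefix(f[2], "src="), dport: port}, true
}

// DetectScans returns, sorted, every source IP that hit at least minPorts
// distinct destination ports within any window-long span of its own events.
func DetectScans(log string, window time.Duration, minPorts int) []string {
	bySrc := map[string][]event{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		if ev, ok := parseLine(sc.Text()); ok {
			bySrc[ev.src] = append(bySrc[ev.src], ev)
		}
	}
	var flagged []string
	for src, evs := range bySrc {
		sort.Slice(evs, func(i, j int) bool { return evs[i].ts.Before(evs[j].ts) })
		for i := range evs {
			ports := map[int]struct{}{}
			for j := i; j < len(evs) && evs[j].ts.Sub(evs[i].ts) <= window; j++ {
				ports[evs[j].dport] = struct{}{}
			}
			if len(ports) >= minPorts {
				flagged = append(flagged, src)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

func main() {
	fmt.Println("10s window, 5 ports:", DetectScans(sampleLog, 10*time.Second, 5))
	fmt.Println("5m window, 5 ports: ", DetectScans(sampleLog, 5*time.Minute, 5))
}
```

The window and threshold are the whole tuning problem: a 10-second window catches the noisy scanner but misses the host probing one port a minute, while a 5-minute window catches both at the cost of more false positives from busy legitimate clients. Real deployments usually run several window sizes side by side.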
It is worth mentioning that I am not leaving out physical security, which we can agree is one of the measures considered obvious. There are other "obvious" measures that I hope are clear to everyone, such as tracking which software is in use, regression-testing software on your operating system, using VPNs, using strong passwords, and so on.
Companies cannot afford to neglect security or to gamble with it. Security is expensive, and not having it is even more expensive.
According to the newspaper Valor on 6/16/14: "A study by Bain & Company revealed that daily hacking attacks on companies have increased by 30% in the last year, to 247,400 per day. On average, companies take 210 days to find out they have been hacked and another 24 days to fully solve the problem. Compared with 2011, there was a 22% increase in the time companies spend detecting intrusions and remedying their effects."
Perhaps your company is one of the few that can absorb the blow and pay for these setbacks, but many certainly cannot. Security therefore remains the best policy, and vigilance is paramount. Be aware of this and encourage your users to be aware of it too.
Aluisio Andrade is Operations and Services Director at Nap IT
E-mail: [email protected]
[1] Man-in-the-middle: You get your coffee, connect to the establishment's Wi-Fi network and get to work. You have probably done it a hundred times before, right?
Nothing seems out of the ordinary, but know that someone may be watching you. They are monitoring your web activity and recording your bank credentials, home address, personal e-mail and contacts, and you will not suspect a thing until it is too late.
Today's thieves no longer need to steal your wallet or purse as you enter the subway; instead they use an arsenal of cyberattack methods to quietly appropriate your information. While you drink your coffee and catch up on your e-mail and social networks, an attacker intercepts the communication between your computer and the cafe's Wi-Fi router and reaches the personal information on your smartphone or laptop.
This method is known as an MITM or "man-in-the-middle" attack, and it is just one of many weapons cybercriminals use to steal from you; after all, you will not even notice until your first card bill arrives. Encrypting the connection end to end (TLS) is what denies the attacker on the router path anything useful to read.
[2] Honeypots: A tool that simulates vulnerabilities in a system and gathers information about the attacker. It is a kind of trap for intruders; however, it offers no protection of its own beyond exposing the attacker's activity, so it complements rather than replaces firewalls and intrusion detection.