By Kari Tontarski
There are a ton of ways that you’ve tried to secure your environment. Whether it is through talking through the many risks of poor security practices, to implementing the latest technologies. Somewhere, somehow, something inevitably gets in. So, we’re going to talk about the proactive maintenance approach you can take to your infrastructure to grow your secure footprint, invest wisely with your budget, and meet your long-term goals.
#1 Low Budget
Let’s face it, this is your bottom line. If you can show results when given nothing, there is a good chance you will get your foot in the door, so to speak, to an actual budget. So, let’s start with those low-cost tactics to build up your infrastructure security.
The Human Firewall
There is no better protection against cyber threats than a knowledgeable staff that maintains a hygienic approach to their technological use. To do this, the people you work with must be cognizant of basic security procedures. Not the inner workings of technology itself. These basic practices can be found, well, pretty much anywhere on the internet but if you want an easy to access article, here’s mine from earlier this month that is targeted toward end users.
The best way to invest in your human firewall is to establish a consistent line of communication; for example a SharePoint space, or a generic email address that sends notices. You want to institute a single space for acceptable use policies, common inquiries, notifications, education, and collaboration. Utilizing these communications consistently will help staff members stay up to date and prevent missing out on crucial pieces of information.
Test everyone’s skills. Not just Billy-Jean at reception, but Francois the CFO too. No one is exempt from securing themselves, their coworkers, or company data. You can do this with mock phishing emails, social engineering over a phone call, or using team building exercises to encourage collaboration and team work. Exercises can be done across the company, or even per department. The more you practice, the more creative you’ll get.
Not only will your staff be well educated and empowered, they will know they can rely on each other too. “Hey, Steve. Did you get that email from Bob? The one with the .zip file?” or “Wendy. I can’t get to Facebook. Is there something wrong with the internet?” This method keeps a lot of questions off your plate, so you can focus more on securing the technology, while they secure each other.
Because Knowledge is power! Hackers, attackers, cyber criminals are all using their knowledge, so why shouldn’t the rest of us reciprocate? Regardless of an underlying drive towards seeking out information, staying current on cyber security trends is a necessity in today’s world.
Start on the inside of your environment. Understand the people, how the departments are run. An element of psychology ties into IT. Understanding people is crucial to the development of a safe and efficient environment for your company to operate in. Knowing the particulars of your organization can really help you identify which tools are beneficial, and which will end up being a hindrance on operational efficiency. This also ties right into your Human Firewall, so there is a good chance you’ll have this understanding by the time you’ve made it this far.
If you don’t have one already, develop a maintenance practice for… Everything. End user computing (desktops, laptops, mobile devices), servers, applications, antivirus, network gear (switches, firewalls, wireless access points, routers), and make sure you have valid backups of your network configurations, software configurations (SMTP relay, connection/use methodologies), servers, data (keep your network shares off the C Drive), and document the way your hardware is configured (RAID, JBOD, iLO). If you can implement asset management and maintain it without losing your mind, you are better than the rest of us. If you can’t, dream alongside the rest of us.
Regularly audit permissions to data (mailboxes, distribution groups, network drives, software) and your group policies. Ever implement a GPO to roll out a new configuration and forget to clean up afterwards? Yep. Regular audits will help with that. The better your maintain these configurations and settings, the faster and better your environment will behave and you’ll have improved your understanding of it.
It’s a common misconception that a third-party tool or some fancy technology is required to monitor your environment. It’s not required, although it does make the job easier. However, if you’re on a strict budget it is beneficial to utilize the verbose logging capabilities that your operating systems already provide. Most networking equipment comes with some type of logging or reporting capabilities. As long as you are regularly looking at usage and patterns there is a good chance you’re going to pick up something that is out of place. A good example is kicking off rogue APs from your LAN controller. You don’t need fancy monitoring equipment, just the knowledge of your MAC addresses.
Last Note: ITIL. Read it and use it.
This is where things get complex, time-consuming, and e x p e n s i v e. If you have made it this far… You are freaking awesome!! I suggest you take a vacation before you proceed on the following steps.
Step one: Set a target, or targets
Before you begin to really plan out what you want to buy, or if you want a specific tool for your ‘Adminly duties’, I suggest you take a moment to think about what you’re looking to accomplish. This target should not include hardware upgrades for devices that are end-of-life; if you have devices that have reached their life-time, then replace them. Do not purchase something you can grow into, because you haven’t decided your growth pattern. If you choose the hardware too early in your planning, testing, and deploying you’re going to experience a lot of headache and heartache.
Step two: Identify compliance requirements
If you’re a company or service provider that deals with Personally Identifiable Information (medical, financial, etc) you are subject to industry regulation and government compliance. If you operate outside of your native country, you are subject to the regulation and compliance requirements for that country, and if you operate globally, you are subject to GDPR as well. Knowing these requirements will dictate what solutions you can implement and may minimize a lot of your previous considerations.
Step three: Identify risks
This is where it gets sticky, like dust sticky, so you may as well clean it up before you build on it. There is often a disconnect between the opinions of acceptable risk. Identifying the gaps between what you have identified and what upper management is willing to risk must be determined, and if possible, bridged. That bridge can have a massive impact on your target(s).
Step four: Compilation of Data
Blarg. The most tedious and time-consuming part, because this part also includes your business plan. Your proposition, so to speak. No one in their right mind likes doing this, but it is a necessary evil of business. Kind of like this blog, or blogs in general.
Step five: Benefit Analysis
You’ll have a comprehensive structure of your current position, where you need to be, and where you want to be. Next, divide these into three types of management processes; Risk, integration, and external participation. Once each of these areas is identified- in great detail, I may suggest, you may move forward to utilizing the ITIL Tiering methodology and breaking the risks apart.
Partial: inconsistent and reactive
Informed: consistent and aware
Repeatable: standard and consistent in policy
Adaptive: proactive or predictive threat detection
Try to align these tiers, and any other tiers you determine to correlate to what is starting to look like a plan of action. Don’t be fooled though, we’re just getting started.
Step six: Assessment
This is the fun part. This is where you get to stretch your legs and poke all the things you’ve been wanting to poke for however long it’s taken you to get here. Yes, it will feel good. Then it will feel terrifying. From here you can decide to be defeated or strengthened by the knowledge you’ve claimed by your poking and kicking. I suggest the following areas.
Outdated software, hardware, operating systems, and services because you will need to start here. Eat the sour candy.
Create a testing environment. This is crucial for development of your environment. This is where you can validate antivirus and antimalware tools. This is where you can validate the functionality of your software for users. Next you can validate the flow of network traffic and the efficiency of a firewall.
Penetration test your network. See what is opening and listening. See if you can hide information in your legitimate packet traffic.
Run a vulnerability scan.
Test behaviors of all employees. This includes the executives and even board members if they have access to the company data.
Check how, where, and who can access company data.
Once you have all this information, rate it, identify the impact, and present it with a score. If you have a subscription to Office 365, check out their Secure Score feature. You can use that as part of this assessment too.
Step seven: Action on gaps
With all the information at hand, you’ll see gaps. Some small, some big, some terrifyingly deep and black crevasses with disturbing and unknown creatures of the underworld. Whatever it is, you’re well equipped to handle them, and you can address them methodically, logically, and with some seriously awesome tools.
Step eight: Implementation
Not the end, but the beginning of more learning and oh, please, so much documentation. These documents create training materials, processes, and wider implementation. This is right where the Proof-of-Concept part comes in. If you document your POC well, you’re going to be able to phase your implementations out smoothly and effectively. Seriously, you’ll thank yourself later for writing this $*** down.