Here is a sneak-peek and what is likely my most important blog for the upcoming New Year. This is just a partial teaser....
Irvine, CA - I was recently asked by a roundtable of CEOs to advise them on network security. They had a lot of questions and a lot of misinformation. I was surprised as this was a group of technology company CEOs and what I quickly found out is that they did not know much more than my non-tech company CEO clients. From that discussion they asked me to come back and present to them a short list of actions they should take in 2016 to better secure their systems. Initially I wanted to present them with a list of 10 things they should focus upon. For anyone that knows, it is easy to create a list of 100 things that should be done to secure a system. However, I decided in order to make the list actionable and not overwhelming I needed to focus on the 10 things I have seen in the past year or two that have caused the most real-life grief for our new and existing clients. I wanted to keep the list to 10 items, but I had to fudge a bit and expand to 12 core items. Then I added three bonus items for those who are over-achievers and another three for those in regulated businesses like healthcare, financial services and Sarbanes-Oxley.
This list is not complete nor absolute. It is a list I have created largely in order of my perceived importance based upon the real-life hacks, breaches and other maladies related to failures of network security to keep the bad guys out. You will need to assess the requirements that are appropriate for your firm. If you are looking for a good place to start, I offer up my suggestions below.
1. You need to do a vulnerability assessment or security assessment. It is impossible for you to know what actions you should take to properly secure your systems without first doing an assessment. Assessments are common practice at many firms, yet completely ignored at others. It is fairly easy for you to order a vulnerability assessment and the best part is that it takes very little time and participation from you and your IT staff. The cost for this service ranges from a few thousand dollars for a very small firm to several tens-of-thousands or even hundreds of thousands of dollars for larger enterprises. These should be done at least once per year just like your financial audit.
2. Patching for Software Security Updates is perhaps one of the most overlooked and under-rated security measures you can implement to better secure your systems. I maintain that good software patching measures are in some ways more important than your firewall. A firewall is a formidable device that once it gets set-up has a number of ports opened up so that your firm can transact business. That is where it gets weak. Through these legitimately opened ports attackers will send nasty payloads that compromise your system, often without you knowing. Imagine a hardened castle all buttoned up, but the draw bridge must be opened in order to conduct commerce. Through that legitimately opened bridge come the sneak attacks, the scammers, crooks, mischievous and spies that you can’t readily see. Your team can and should be doing your patching on servers and PCs monthly (or sooner for emergency releases) and other devices like routers, switches and firewalls at regular intervals. Your staff should be able to provide reports that show you the status of your patching practice. Alternatively you can contract for this as a service for about $35 per month per server and around $12-15 per month per PC, laptop.
3. E-mail spam/malware filtering with Link reputation checking are some of the most vital steps you can take to block malware and social engineering before it ever reaches your users. This is also a strong backstop to the user training you should be doing. Spam filtering of e-mail has many positive attributes. It significantly reduces the amount of e-mail coming in that can clog your network bandwidth and tie up your e-mail server. Most spam filtering services also block malware, viruses and other bad stuff before it reaches your users. The service will block e-mails that are designed to socially engineer (fool your users) into clicking on links or revealing information they should not reveal. The recent scourge of highly destructive ransomware is most often coming in through e-mail. Some spam filters will have reputation-checkers to validate whether a link is suspicious and/or known to be dangerous. User training is good, but not foolproof. Spam filtering is not fool proof either, but together they are very effective. For clients that do both, we see very few network compromises. Good spam filtering services that have scanning and blocking of malware and reputation checking for links typically costs only a few dollars per month per user and it is also very easy to implement.
4. Network Security Policy is where we start getting into some of the more complex and costly measures to implement. Some aspects of network security policy are rather easy and essentially free to implement. Other aspects are difficult, costly, take a lot of time to implement and can require some fine tuning in order to get them working right. Below is a list of some of the more common things I recommend based upon my view of the tragic results that likely ensue if they are ignored. The first step is to establish your network security policy. That usually requires hiring a consultant who is knowledgeable in this area to help you create one appropriate for your firm. This will generally start at a few thousand dollars or more depending upon your needs and the size of your firm. Complex policy work can run into six figures in large enterprises. If you want to short cut that and get crib notes on what you can do right away, look to my recommendations below:
a. Least Privilege/No Admin rights – what the heck is that? At far too many firms I see all the users on the network having the same access rights to everything that the network administrators have. What that means is that if one of your user’s accounts get compromised by a hacker, that hacker has access to your entire system just like your network administrator. The hacker can do anything he or she wants to do at that point and you are powerless. Damage will be swift and immense if that is what the hacker wants.
b. Password Changes - Password refresh and complexity is perhaps the easiest and lowest cost thing you can do to implement better network security policy. It can be easily enforced through system rules so that it does not even take any management oversight. You should be forcing your users to change their password at least every 90 days, you should enforce a minimum standard for complexity such as 8 characters and include at least one number and special character. Lastly don’t let them reuse a password for at least 10 password change cycles.
c. Lock Your Keyboards - Locking computers is another free policy to implement, but it does require a culture shift within the company. What locking the computer means is that when a user leaves his or her computer they lock the machine so that a password must be reentered before anyone can use the machine again. This keeps outsiders visiting your firm or employees not authorized to access certain information from jumping onto an unattended machine and doing things they should not. Rules can be implemented that if a PC is not used within a certain period of time that the system locks automatically. This can be a failsafe, but it is a weak failsafe compared to establishing a culture where users lock their keyboards by pressing CRTL-ALT-DEL and Return when they walk away from their PC. At Alvaka, if someone forgets to do that there is almost always a companywide e-mail that goes out from that user’s PC saying “Hey, I am buying pizza today for everyone” or “Bring your car by at lunch. I am doing car washes today.” That is universally known within the company that someone did not lock their keyboard. It is part of our culture that in a friendly jesting way embarrasses the user to make sure they lock their keyboard next time they walk away. I suggest you adopt something similar.
d. Background Checks - I suggest you background check your employees, especially those in IT who hold the keys to the kingdom. At Alvaka Networks everyone has background checks for criminal history, drug testing and even driving record and credit history. If you fail to do this you are hiring the people rejected by other firms. Here is my case in point. About 12 years ago we used a recruiting firm to hire two new engineers. The recruiting company represented that they did background checks. When asked by our HR department whether we should do a background check I almost said “No” but then decided we should do one anyway to be consistent with all our other hires. Two days later I answered a call. All I heard was, “WILLIAM, HE IS STILL ON PAROLE!” I said, “Who is this?” as I did not even recognize the excited caller. It was our detective who does the background checks. One of the guys we hired who was already on the job for two days and doing amazing work was a criminal still on parole for stealing from his previous employer. I just could not imagine someone as technically talented as this individual could be a criminal. I don’t correlate amazing technical work and criminality for some reason, and this guy did amazing work. But in fact he is a criminal. He was immediately suspended from work and then terminated as a candidate as we can’t have someone like that work for Alvaka Networks and our clients. I figure he is working for one of our competitors or an end-user company and likely ripping them off. Don’t be his next victim. Background checks can be performed for about $100 per employee per check. That is inexpensive for the peace-of-mind provided.
e. File Type Blocking – You can use Group Policy and filtering to restrict certain file types associated with malware from entering the network. Files ending in .zip are a prime example. If you don’t have spam filtering and mail scanning this becomes especially important. This sort of change to your network can run from as little as a few hundred dollars to a few thousand depending upon size and complexity of your set-up.
f. Separation of duties – Make sure you have separation of duties in who can do certain functions when managing your network, acting as the keeper of password managers, encryption keys, etc. Too much power consolidated within one person is a recipe for disaster. I can point to engagements we have been pulled into where one person held all the keys to the kingdom and millions of dollars were embezzled. Again, this sort of change to your network can run from as little as a few hundred dollars to a few thousand depending upon size and complexity of your system.