Cybercrime is an unsettlingly fluid and versatile practice. Some threats are incredibly sophisticated and exploit low-level mechanisms. Meltdown, a hardware vulnerability disclosed in 2018, abuses a CPU performance technique (speculative, out-of-order execution) to read memory the attacking process should never be able to see, including kernel memory and, on affected systems, effectively the whole of physical memory. After Meltdown was identified, CPU and operating system vendors worked for months under embargo to release microcode and kernel patches that address the vulnerability.
On the other hand, some threats are far less sophisticated. For example, a phishing attack may prompt users to open an email from a lookalike sender such as "Micrasoft" and follow a link to a fake login page, where they unknowingly divulge their credentials.
Fortunately, threats such as Meltdown are not common occurrences, but IT departments must ensure their security strategy covers all bases. This includes everything from highly engineered attacks to seemingly benign threats such as employees sharing data on unauthorized applications.
Beyond the obvious benefit of fewer incidents, a good security posture also gives organizations the following advantages:
- Enabling business with industries that have higher security requirements
- Avoiding fines and penalties under legislation such as GDPR
- Improving customer confidence, trust and loyalty
- Protecting sensitive customer data and confidential information
When creating a security strategy, we recommend using the People-Process-Technology (PPT) methodology. This article will describe seven essential items based on the Process and Technology elements.
End User Device Security
End-user devices – such as personal computers – are the most easily targeted elements in an IT network. To protect user devices against threats, organizations should consider the following:
- Antivirus: this should be mandatory on end-user work devices, mainly laptops and desktops. Kept up to date, antivirus (or a broader endpoint protection product) detects and neutralizes known threats arriving from external sources.
- Disk encryption: protects data at rest by encrypting entire volumes, so a lost or stolen device does not expose its files. A common example is BitLocker, which can be configured to require a PIN (in addition to the device's TPM) when the device is powered on, before the disk is unlocked and the stored files become accessible.
- Application allowlisting (whitelisting): the enterprise defines which applications are permitted to run on the device; anything not on the list is blocked from executing, regardless of how it arrived on the machine. This is more robust than trying to block every piece of unwanted software individually.
- Virtual Private Network: creates an encrypted tunnel over an untrusted network (such as a residential internet connection). A VPN is the minimum requirement for remote workers to safely reach a corporate network and its resources. An alternative that keeps corporate data off the endpoint altogether is Virtual Desktop Infrastructure (VDI), which delivers virtual workspaces hosted in the data center so that only screen output leaves the corporate environment.
In addition to the end-user devices described above, businesses must consider all IT assets in their organization. Asset management software and processes can help with ensuring security compliance.
- Decommissioning: end-of-life and end-of-support devices must be retired, even if there is a cost associated with the decommissioning process. Assets which no longer receive vendor support will become exposed to threats.
- Patching: modern asset management software is able to detect and highlight hardware, operating system and software vulnerabilities. Comprehensive asset management policies ensure that security patches and firmware updates for servers and network devices are deployed promptly, before the vulnerabilities they fix are exploited.
- Asset lifecycle: creating an asset lifecycle procedure ensures that hardware and software are kept under current vendor support contracts. When an asset is supported by the manufacturer, the asset will benefit from consistent security improvements which protect against new threats and vulnerabilities. Asset lifecycles will also help with forecasting refreshes, so any projects for replacing old assets can be budgeted and planned ahead of time.
Network Security Tools
Network security devices are the first line of defense against attacks arriving over the network. The main security elements for enterprise networks are:
- Firewalls: the bread-and-butter of security infrastructure, firewalls are physical or virtual appliances which filter and block traffic at the network layer. They are placed at boundaries between zones of differing trust, most commonly between the internal network and the internet.
- Content filtering: allows or blocks access to web resources, either by comparing the requested resource against a local database or by querying a cloud database hosted by the content filtering provider. It can be implemented as URL filtering (which decides on the full web address, including the path) or DNS filtering (which decides on the domain name being resolved, before any connection is made). DNS filtering is applied first, so blocking a domain at the DNS layer blocks every URL under that domain and all of its subdomains; URL filtering is needed for finer decisions, such as blocking one section of an otherwise permitted site.
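To make the layering concrete, here is an added example (not from the original article, and not any vendor's product code) of how a DNS filter and a URL filter each decide on the same web request. The blocklists and domain names are constructed for illustration; `.test` is a reserved top-level domain, so nothing here refers to a real site.

```python
"""Added example: how a DNS filter and a URL filter layer on a web request.
Blocklists and domains are constructed; .test is a reserved TLD."""
from urllib.parse import urlsplit

# Constructed policy. DNS entries are domains; URL entries are host + path prefix.
DNS_BLOCKLIST = {"malware-example.test", "gambling-example.test"}
URL_BLOCKLIST = {"https://social-example.test/games"}   # site allowed, one section blocked


def normalize_host(host: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return host.rstrip(".").lower()


def dns_blocked(hostname: str, blocklist=DNS_BLOCKLIST) -> bool:
    """A DNS filter decides on the name being resolved, before any connection,
    so blocking a domain also blocks every name beneath it. Match on label
    boundaries: 'evil-malware-example.test' must NOT match 'malware-example.test',
    which a naive str.endswith() check would get wrong."""
    labels = normalize_host(hostname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def url_blocked(url: str, blocklist=URL_BLOCKLIST) -> bool:
    """A URL filter sees host and path, so it can block one section of a site.
    For HTTPS the path is only visible if the filter terminates TLS; otherwise
    it sees just the hostname (SNI) and degrades to domain-level decisions."""
    req = urlsplit(url)
    host = normalize_host(req.hostname or "")
    path = req.path or "/"
    for entry in blocklist:
        rule = urlsplit(entry)
        rule_path = rule.path.rstrip("/")
        same_host = normalize_host(rule.hostname or "") == host
        if same_host and (path == rule_path or path.startswith(rule_path + "/")):
            return True
    return False


def evaluate(url: str) -> str:
    """Order matters: the DNS decision happens first and cannot be overridden
    by a more specific URL rule for the same domain."""
    hostname = urlsplit(url).hostname or ""
    if dns_blocked(hostname):
        return "blocked:dns"
    if url_blocked(url):
        return "blocked:url"
    return "allowed"


if __name__ == "__main__":
    for u in ("https://cdn.malware-example.test/update.bin",
              "https://evil-malware-example.test/",
              "https://social-example.test/games/slots",
              "https://social-example.test/news"):
        print(f"{u:50} {evaluate(u)}")
```

Two points worth noticing when you run it: the subdomain `cdn.malware-example.test` is blocked purely by the DNS rule for its parent domain, while the lookalike `evil-malware-example.test` is not, because matching is done on label boundaries rather than string suffixes. The URL rule permits `social-example.test` as a whole but blocks the `/games` section, a decision that a DNS filter cannot make at all and that a URL filter can only make for HTTPS traffic if it is inspecting TLS.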
IT Security Operations Center
A Security Operations Center – or SOC – is a specialized, centralized unit which monitors and manages security related information. In a SOC, dedicated staff are monitoring feeds around the clock, responding to and mitigating any threats. Security Operations Centers are critical for any business that stores or processes large amounts of sensitive data.
A SOC is beneficial for businesses which host multiple databases, have several different office locations and require a single point of visibility, share large quantities of sensitive data with other organizations, and/or need to ensure compliance with various regulatory entities.
Security Operations Centers can be built using multiple models:
- In-house Security Operations Center: an internal SOC team is formed of full-time employees and is typically located in a secure building leased or owned by a business. An in-house SOC benefits from a team of experts knowledgeable about the businesses’ infrastructure and processes, as well as easier communication between the SOC and the IT operations teams. However, an in-house SOC is resource-intensive to maintain in terms of staffing, training and tooling. Setting up a SOC also requires considerable initial investment and time to reach maturity. It may also be limited in terms of area(s) of expertise.
- Outsourced Security Operations Center: businesses that do not want to create an in-house SOC can outsource the responsibility to a specialized vendor. Just as with any other outsourced service, the vendor's ability to deliver will directly determine the quality of the service. When working with a reputable vendor, organizations can leverage a highly mature service and integrate it into operations quickly. An external SOC also has better access to threat intelligence and can draw upon its experience with other customers. On the other hand, outsourcing a SOC means that company data will be stored and processed externally, which carries its own risk, and the vendor's analysts will not have the same familiarity with your company's infrastructure as an in-house expert.
- Virtual Security Operations Center (VSOC): an abstracted version of a SOC, a Virtual SOC can be used as an extension of an in-house security team. A VSOC is typically how IT security vendors deliver managed security services such as managed firewall, security information and event management (SIEM), or vulnerability management. A Virtual SOC is a good option to complement an existing in-house security team with additional services and expertise. Xamin offers this type of partnership and services with the highest industry rating for security and downtime.
Vendor and Partner Security Reviews
When using a third-party provider, a business inherits all the risks associated with their supplier’s product or service. This means that to achieve a comprehensive security strategy, organizations need to scrutinize their vendors’ and partners’ security posture. Here are a few elements which must be taken into consideration:
- Onshore and offshore resources: while offshoring resources may help reduce costs, there are security implications with sending data and allowing access to personnel located in a different country.
- Certifications: vendors with a mature security program typically hold an independent attestation or certification. The common IT industry standards are SOC 2 (an attestation report issued by an independent auditor) and ISO 27001 (a certification issued by an accredited certification body).
- Security testing: assurance through testing can be obtained in two ways: conducting security testing (for example a penetration test) on the product directly, or requesting from the vendor a recent test report or attestation letter issued by a reputable independent third party.
User Permissions and Authentication
One of the fundamental methods of ensuring security is granting access to the right data for the right people. While a simple username and password may be acceptable for low-risk applications that hold little personal data, we recommend additional controls:
- Multi-factor authentication (MFA): adds an extra protection barrier by requiring more than one independent factor to prove identity. The three categories of factor are:
- Something you know: the good old-fashioned password
- Something you have: an item which only the authorized person has access to, such as an ID card, a hardware token, or more commonly nowadays, a smartphone.
- Something you are: biometric data that belongs to the authorized person, the most accessible being the fingerprint or face scan available on most smartphones and laptops today.
By combining a password with a factor from either of the other two categories, it becomes significantly harder for a cybercriminal who has only stolen the password to access the account; they would also need the user's device or biometric.
- Risk-based authentication: a system which takes into account deviations from the end user's normal login behavior. If the system detects a deviation, such as an unfamiliar IP address or an unusual login time, it raises the risk score associated with the attempt and requires an additional factor before granting access. This is the same technique banks use to flag credit card fraud.
- Centralized user permission platform: enables a specialized team to grant and revoke user access to tools based on needs and policies. This method is especially useful in the case of employee onboarding and offboarding, to ensure when employees leave or change roles their access to applications and data is revoked.
- Single sign-on (SSO): enables users to log into multiple applications with a single set of credentials. The user authenticates once to a central identity provider, which then issues a signed token or assertion (for example via SAML or OpenID Connect) that the connected applications trust, so the user is not asked to retype credentials and the password itself is never sent to those applications. This encourages the use of one strong password and reduces the opportunities for eavesdropping or keylogging. It also concentrates risk in the identity provider account, which is why SSO should always be paired with MFA.
File Sharing Policies
As almost every organization deals with the management and sharing of files and information, file sharing policies can include the following:
- Sensitivity labels: a great security feature in Microsoft 365 is the ability to assign a sensitivity label to any supported document or email. These can help you prevent files from being accessed by people outside your organization and select people inside the organization.
- File encryption: encryption ensures that even if a document is leaked to external people, it will not be readable without the key. Some file sharing applications provide built-in encryption, so that files are only accessible to company employees. When sharing confidential documentation with external users, protecting the document through per-user permissions or a password shared over a separate channel is strongly recommended.
- Disabling USB drive ports: this reduces the risk of offline copying and sharing of files.
- Disabling file transfer on applications with third party access: The unfortunate term ‘Zoombombing’ was coined as unwanted users accessed video conferences. For platforms which allow third parties to join a call via a web link – including Skype – file sharing should be disabled. If a confidential file is added on a videoconference bridge, everyone, including potentially unauthorized third parties can freely download the file.
- Preventing the use of unauthorized communication apps: employees may take the path of least resistance when communicating inside their team, which in many cases resorts to communications apps such as WhatsApp. We discuss more about how to discourage this in the next section on Shadow IT.
Preventing Shadow IT
Shadow IT is the practice where business managers purchase IT products – such as collaboration or data analysis tools – without going through the approved provisioning process. This usually happens because these buyers need an additional tool quickly and do not have the time or resources to build a business case.
Shadow IT has multiple security risks associated with it. Without internal security assurance for the purchased tool, the software provider may not have good security accreditations and practices, and the tool will become a vulnerability. User access will not be controlled by IT, but rather by the purchasing team who will create new accounts. These accounts can be shared or leaked which can result in major data breaches. The unapproved tool can also process sensitive data which should not be shared on unsecured channels.
To discourage Shadow IT, the IT department should conduct regular audits (for example of expense reports and network traffic) to identify unsanctioned tools. We also recommend creating an IT provisioning process that is transparent, simple and quick, so that the approved route is the path of least resistance.
While these steps serve as a good baseline for businesses looking to create a security strategy, this can only be achieved with participation across all business functions and buy-in from all levels of the organization. We welcome the opportunity to speak with you about a security assessment, as well as additional ways to safeguard your organization, employees and customers.
Founded in 1999, Xamin offers industry leading managed IT services to financial institutions as well as other highly regulated and reputation-sensitive industries. The organization provides a suite of technology solutions including infrastructure, security, cloud, data protection and professional services. Xamin specializes in transforming IT to a revenue driving capability for an organization rather than a cost and compliance challenge. Its consultative, "white glove" approach ensures its services meet the needs of the customer and auditors. Xamin undergoes an annual SOC 2 Type II examination of its controls as a service organization. Xamin is a subsidiary of Mowery & Schoenfeld, a comprehensive accounting and advisory firm.