It's OK to be paranoid about every last detail when it comes to security.
Tighten that cybersecurity belt
When you set up your network's security plan, quite
often you have the big picture covered, but sometimes there are those
minute details that get shelved or forgotten. Here are a few items IT
security officers should make sure they have covered.
Your own people are an APT (advanced persistent threat)
The weakest link in the security
chain is always the end user. There is always someone who believes they
know better or that a policy doesn't apply to them. To the extent that
compliance with security policies can be automatically enforced, even for
the professionals, it should be.
Have a clear escalation plan when trouble is suspected
A major retailer had warnings there
was trouble with a point of sale system, but the timing of the alerts
coincided with critical shopping periods. The staff that were concerned
did not have the authority to take the systems offline and investigate,
nor could they locate anyone with the authority. Subsequently, a
disaster ensued. The problem could have been contained had someone acted
when they first suspected trouble. Be sure your staff knows who has the
authority to make the hard call at the first sign of trouble, or give
them the authority to do so themselves.
Consider building additional fail-safes into your processes
The military is famous for
redundancy when something irreversible is about to be set in motion. Two
officers are required to activate a missile launch. If one officer
isn’t certain, that officer does not enter their launch codes. Consider
adding dual authentication to any updates being made to a critical
system. A second “officer” must also authenticate and click on the
install button.
Be cautious and control what can be downloaded
Do not allow employees to install their own software. This can be accomplished by limiting admin rights on laptops, desktops, and servers. There are plenty of commercial products out there that do this very well and still allow the machine to run properly in a work environment. Don't be influenced by the company size or number of employees. The effort you spend helping manage company owned and connected devices is smaller than a breach recovery or the impact of a network infection.
Document and keep track of where any open source is used
Everyone thinks of a white list, but
also have a proper request and vetting process for newly requested
software products or applications to be installed. Track the open source
components. Many software pieces are partially or fully based on open
source code. If you don’t know where those components are, you won’t be
able to assess your risk if a vulnerability is discovered later.
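As an added illustration of the point above (this is example code, not part of the InfoWorld article), a minimal component inventory cross-referenced against a published advisory, so that the moment a vulnerability is announced you can list which systems run an affected version. All component names, versions, system names and the advisory identifier are constructed placeholders.

```python
# Added example: inventory of open source components per system, matched
# against an advisory's affected version range. All values are constructed.
from dataclasses import dataclass

def parse_version(v: str) -> tuple:
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically.
    A plain string compare would wrongly rank '1.10.0' below '1.3.0'."""
    return tuple(int(part) for part in v.split("."))

@dataclass(frozen=True)
class Component:
    name: str
    version: str
    system: str       # where it is deployed (hostname or application)

@dataclass(frozen=True)
class Advisory:
    component: str
    introduced: str   # first affected version (inclusive)
    fixed_in: str     # first version containing the fix (exclusive)
    advisory_id: str  # placeholder id, not a real CVE

# Constructed inventory: the record the article says you must keep.
INVENTORY = [
    Component("libfoo", "1.2.3", "pos-terminal-01"),
    Component("libfoo", "1.2.10", "pos-terminal-02"),
    Component("libfoo", "1.10.0", "web-frontend"),
    Component("barlib", "2.0.1", "web-frontend"),
]

# Constructed advisory standing in for a vendor or NVD feed entry.
ADVISORIES = [Advisory("libfoo", "1.0.0", "1.3.0", "ADV-EXAMPLE-0001")]

def is_affected(component: Component, advisory: Advisory) -> bool:
    """Affected when the name matches and introduced <= version < fixed_in."""
    if component.name != advisory.component:
        return False
    v = parse_version(component.version)
    return parse_version(advisory.introduced) <= v < parse_version(advisory.fixed_in)

def exposed_systems(inventory, advisories) -> dict:
    """Map each advisory id to the sorted list of systems running an affected version."""
    result = {}
    for adv in advisories:
        hits = sorted({c.system for c in inventory if is_affected(c, adv)})
        if hits:
            result[adv.advisory_id] = hits
    return result

if __name__ == "__main__":
    for adv_id, systems in exposed_systems(INVENTORY, ADVISORIES).items():
        print(adv_id, "->", ", ".join(systems))
```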
Control how company equipment is used, even when it goes home
A corporation must control the Web
browsing capabilities of its users inside and outside the premises when
using company property. Web filters may not be popular with employees,
but many compromised sites seem innocent enough. The only way to protect
your network is to be strict about Web browsing, no exceptions. If
someone wants to view the latest Internet fail they can do it on their
own machine.
Lock down browsers on take-home computers
Perhaps 90 percent of enterprises
have Web filters on their corporate networks. Far fewer have client side
Web filtering to restrict computer use when a laptop or tablet travels
home and is connected to a private network. It’s not popular with
employees, but it is your equipment.
Source: http://www.infoworld.com