“Dear Mr/Ms Hacker, our offices are now closed. Our business hours are Monday through Friday from 8:00 to 18:00. Please hold your hacking attempts till then, as our IT staff is currently enjoying well-earned free time.”
Unfortunately, it does not work like that. We live in an increasingly hostile digital world. This is unsurprising, as the number of connected systems and companies grows and the amount of (valuable) data increases at an incredible rate. Software and infrastructure have never evolved faster and competition has never been more intense. It would be incorrect to state that this introduces new pitfalls (they have always been there), but they sure have gotten a lot bigger.
The introduction already highlights two very clear challenges:
- The hostile part of the internet grows as fast as regular business keeps digitizing. This introduces both technical and practical challenges for your business and for your IT strategy.
- Attacks are becoming increasingly advanced and automated. Appropriate countermeasures are not put in place at the same speed as your attack surface grows.
Having those measures put in place is, however, more easily said than done. In the end it all comes down to finances, as an unlimited budget would also allow unprecedented security efforts, but let's not go into that. There are, however, a lot of affordable quick wins in terms of security, some of which live exclusively in your employees' heads.
1. Security policies, or how to clarify and formalize
Always start by taking a step backwards. You’re with your nose right on the problem; too close means it’s just one big blur. Critically examine all aspects of your IT landscape:
- how IT services are drafted, approved and implemented,
- how they are maintained and updated,
- the way employees use IT resources,
- how rights are assigned and, even more important, revoked.
Without expensive tools, you can make a major leap in security by just making sure you are in control. Know what you’re doing, how you’re doing it and why. Introducing formal roles, even within a small IT team, can make a huge difference. This does not mean it has to be or become a bureaucracy; keep it agile and appropriate for your needs. Make sure your employees also know how to handle the resources at their disposal by providing the right security framework.
The majority of your employees are not IT people. Their ability to assess the impact of actions related to IT resources is not at the same level as that of your technical crew. Guide them, help them, train them. This matters all the more as IT services grow beyond your company's physical perimeter: cloud computing, remote / home office, bring your own device, … Make sure expanding your horizon does not lead to lifting your security boundaries.
This can start quite simply with periodic awareness sessions. Also instruct your IT staff to watch for undesired behavior and to give tips, tricks and friendly advice every time they come into contact with a user (e.g. when solving an incident ticket or a change request the user has logged).
Make sure your security measures are up to standard with legislation. The GDPR (General Data Protection Regulation), for example, requires you to take “sufficient measures to ensure the safety of data that contains personal information” (this includes any data in which individuals are not directly named but which can nevertheless be used to identify them in any way). There is, however, no definition of “sufficient”. It’s up to you to reflect on the data set that you administer and to define proper measures.
4. Basic protective measures
Of course not everything is free or low budget. Everybody uses a frontend firewall today and has endpoint protection on clients and servers. No need to go deeply technical into that, I believe?
But some companies think having a technical solution in place is sufficient, while it is certainly not. It all comes back to the policies and framework discussion: make sure you do not only use technology but leverage it into an actual IT service by wrapping technology with processes, procedures, awareness and pure common sense.
- do you have monitoring to see what’s actually happening on your edge devices? What about cloud services, are they in the same scope as your internal IT assets?
- do you conduct reviews of your configuration to scan for obsolete settings and known issues?
- do you have a process in place that evaluates changes to security measures? A seemingly standard change could have more repercussions than expected.
- do you actively check the update status and known issues (including vulnerabilities and the corresponding patches)?
- can you keep control over shadow IT?
5. Basic recovery measures
Backups. Not a new topic and certainly not a sexy one. Again, everybody has them but not everybody knows that their business needs might actually not be covered at all.
Common mistakes are:
- missing offsite replication: one small fire or infrastructure theft and both the original system and backup are gone. Automating the offsite replication often has a lower TCO than seemingly cheaper manual moves of backup media.
- missing restore tests: if you’ve never tried a restore, are you sure you will be able to when it’s actually needed?
- dependency on tools that are old, require a lot of maintenance, or fail often.
- wrong choice of backup media. Not all media are suitable for every situation.
When outsourcing to a service provider or cloud platform, check up on the proper measures by requesting (basic) insight into those platforms. Or just make the proper choices when designing public cloud solutions.
6. Advanced recovery measures
Before going into security measures again, let’s continue on recovery options.
Disaster recovery is a term that is often used in a completely wrong way. Many IT administrators believe they have a disaster recovery environment while they actually do not. Backups can be an underlying mechanism to build actual disaster recoverability, but even offsite backups are in no way a disaster recovery plan. For disaster recovery you need to take a lot more into scope.
It all starts with the business requirements. What is the impact of downtime on your business (financial, practical, reputation, …) and is your disaster recovery plan in line with your business requirements?
- how fast does your business expect you to be back online? This is measured in the recovery time objective or RTO.
- how much data can your business afford to lose? This is measured in the recovery point objective or RPO.
- which systems are business critical and need priority in the recovery procedures for quicker startup?
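The backup mistakes listed earlier (missing offsite copies, never-tested restores) and the RPO discussed here can be turned into a simple, repeatable audit. The following is an added example, not code from the original post; the backup records, the RPO values per criticality class and the 90-day restore-test window are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class BackupJob:
    system: str
    critical: bool                      # business-critical systems get a tighter RPO
    last_success: datetime              # timestamp of the newest successful backup
    offsite_copy: bool                  # is an offsite replica of that backup present?
    last_restore_test: Optional[datetime]  # None means a restore was never tried


def check_backups(jobs: List[BackupJob], now: datetime,
                  rpo_by_criticality: Dict[bool, timedelta],
                  restore_test_max_age: timedelta) -> Dict[str, List[str]]:
    """Return system -> list of findings; an empty list means the job is compliant."""
    findings: Dict[str, List[str]] = {}
    for job in jobs:
        issues = []
        # RPO: the age of the newest good backup is the data you would lose right now
        if now - job.last_success > rpo_by_criticality[job.critical]:
            issues.append("RPO exceeded")
        # a backup on the same site as the original does not survive fire or theft
        if not job.offsite_copy:
            issues.append("no offsite copy")
        # a backup you have never restored is an untested assumption
        if job.last_restore_test is None or now - job.last_restore_test > restore_test_max_age:
            issues.append("restore untested")
        findings[job.system] = issues
    return findings


# Constructed sample data (assumption): three systems audited on a fixed date
NOW = datetime(2024, 5, 6, 9, 0)
JOBS = [
    BackupJob("erp-db", True, NOW - timedelta(hours=3), True, NOW - timedelta(days=20)),
    BackupJob("fileserver", False, NOW - timedelta(hours=12), False, None),
    BackupJob("mail", True, NOW - timedelta(minutes=30), True, NOW - timedelta(days=10)),
]
RPO = {True: timedelta(hours=1), False: timedelta(hours=24)}  # assumed business requirement


def audit() -> Dict[str, List[str]]:
    return check_backups(JOBS, NOW, RPO, restore_test_max_age=timedelta(days=90))


if __name__ == "__main__":
    for system, issues in audit().items():
        print(f"{system}: {', '.join(issues) if issues else 'OK'}")
```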
Next you have to look into your disaster recovery environment itself. After having determined the business needs, are you sure of the following?
- do you have the technical capability to bring your environment online at an alternate site, including internet breakouts, MPLS connections to your office locations, site-to-site VPN connections, private VPN access, etc.
- do you have the technical capability to bring your environment online with the same technology stack? In other words, if you have specific appliances or capabilities at the primary site, do you have the same capabilities at the DR site?
- do you have sufficient capacity to bring (at least the most critical) systems online at the secondary site, or do you have the means to upgrade the DR site in a timely fashion (e.g. contractual agreements with suppliers)?
- do you have the proper availability of IT staff or contractual agreements with service providers to execute your disaster recovery plan (or DRP)?
This is where a lot of dramatic stories originate: when actually required, the disaster recovery simply does not work as intended. Testing your DRP should therefore be a non-optional part of your plan.
Again, don’t forget that you also have to take responsibility for cloud solutions. Do not bury your head in the sand by assuming that all of this will be in place there.
7. Advanced protective measures
Last but not least, the sky is the limit when looking at more advanced monitoring. As these are less general than the above topics, going into details requires actual business requirement insight.
- Next generation firewalling: intelligent firewalling, a step up from the standard IP/port/protocol rule based firewalling.
- WAF or web application firewalling: a form of firewalling with deep insight into the expected application behavior. It can, for example, filter certain attack vectors like SQL injection, cross-site scripting, … or block certain patterns in the data content, e.g. to filter credit card numbers so they can’t be transmitted across the edge of your environment.
- DDoS protection (against distributed denial of service attacks): scrubbing, volumetric attack protection, session-based attack protection, …
- IDS or intrusion detection systems: monitoring traffic flows and checking for abnormal behaviour.
- IPS or intrusion prevention systems: an extension of IDS that also takes automated action, blocking abnormal traffic flows.
- SIEM or security information and event management: toolsets for aggregating network and security information, able to combine information from different systems for further analysis and alerting.
- NOC or network operations center: around the clock monitoring and acting on events, alerts and incidents.
- SOC or security operations center: the same, but for security events, alerts and incidents.
Today’s digital playground is filled with pitfalls and risks. Making sure your IT services are protected with measures appropriate to the type of data and in line with your business requirements is a major task.
Make it a continual improvement process though. Don’t start with everything at once and in maximal depth but gradually improve your overall service in an agile way.