Use This One Simple Trick to Improve Your Organization’s IT Security Posture
Posted March 25, 2016 by Jeremy Wanamaker
Caution and Proper Use are Key
Ask anyone working in IT what the top concerns in the field are, and it’s likely most people will name IT security near the top of the list. The increasing frequency of news-making data breaches at high-profile corporations, combined with new types of attacks on businesses of every size, has forced security to the forefront of our thinking. CryptoLocker and other ransomware variants are so lucrative for cyber criminals that new variants are popping up daily. The anti-virus vendors can’t keep up.
Historically, those working in the IT department have purchased increasingly sophisticated firewalls and security software to mitigate the threat posed by malicious software. While technological solutions are an important aspect of an organization’s security posture, security researchers have realized that the most effective tool against hackers is proper user behavior.
What if I told you that there is one simple rule that, if followed, would prevent over 90% of data breaches and hacks at small and mid-market organizations?
Here it is:
Do not open any link or attachment received in email unless you were expecting to receive it.
By following this rule, combined with safe web-surfing habits, I personally ran a PC for years without an anti-virus program installed, and never once had a virus infection. I’m not advocating that we go without anti-virus software. Rather, I am making the point that anti-virus software should be secondary to caution and proper use.
Now, in our business, we are fortunate enough not to have a sample size of virus infections that is large enough to be statistically significant. However, in every case I reviewed of virus infections where the root cause was known (i.e. the user fessed up to what they did), the virus made its way onto the network because a user clicked an email link or attachment they were not expecting. In some cases, users clicked links in emails that had been flagged as spam. Based on a review of the virus infections we’ve seen, I would estimate that greater than 90% of them were the result of a user clicking on a malicious link or attachment in an email.
For those wondering how email containing malicious links or attachments made it through to our customers, I’ll mention that we use best-of-breed anti-spam software from Google, Microsoft, and Reflexion. No spam filter is perfect, and users are far too willing to cede responsibility because they believe the technology will protect them.
We’ve identified the simple rule that will help prevent a large percentage of virus infections. It must now be communicated to the user base, and repeated on a regular basis. Through repetition from management, following this rule will become second nature.
The first step is to send company-wide emails from HR or Executive Management with the rule. This should be done on a monthly basis initially, and then repeated once per quarter after three months. It should also be brought up at company-wide meetings, so it becomes as well understood as, “show up on time,” or “don’t steal office supplies.”
Additional User Guidelines
While the rule given above will have a large impact on improving a company’s security posture, there are additional guidelines that we recommend. They are as follows:
Company-owned computers are for business use only. They may not be used for personal use including gaming, social media (unless job related), or shopping. They may not be used by anyone except company employees.
Do not connect a personal computer to a business network. IT departments can put safeguards in place to prevent this from happening, but a simple policy against it is sufficient to protect many small businesses.
Do not use thumb drives for both business and personal use. I personally don’t find thumb drives useful anymore, but I recognize that they have their place. If you must use a thumb drive, label it, secure it, and do not mix personal and business files on a single thumb drive.
The recommendations given so far are all user-based, and do not involve technology. If they are properly implemented and followed, they will significantly reduce an organization’s vulnerability to cyber criminals. However, technological solutions do have their place. We recommend proper configuration of wireless networks. We also recommend that all businesses of any size run anti-virus/anti-malware, Cryptoprevent, and a firewall with content filtering. For businesses that are high-risk or want a bit more visibility into their network, we also recommend a SIEM.
Do not give your corporate Wi-Fi network password to anyone outside your organization. You have no idea how well their systems are protected against malware. Also, make sure your guest Wi-Fi network cannot access your corporate Wi-Fi network. This sounds obvious, but we’ve seen guest Wi-Fi networks that had direct access to the corporate network because they were not properly configured.
RADIUS Authentication of Corporate Wi-Fi
RADIUS is an authentication protocol that lets your wireless access points check each Wi-Fi login against Microsoft Active Directory (or another directory service) using the user’s own username and password. That way, when someone leaves the organization and their account is disabled, they lose access to the Wi-Fi network at the same time. If you have a WPA/WPA2 pre-shared key that has not been changed in years, your former employees still have access. Lock it down with RADIUS.
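To make the per-user model concrete, here is an added example (not from the original post, and not any vendor’s code) that runs a RADIUS Access-Request and reply in memory, with the access point on one side and the server on the other. It follows RFC 2865: the client hides the User-Password with the shared secret and a random Request Authenticator, the server recovers it, checks a constructed stand-in for the directory (the DIRECTORY dictionary, the account names and the shared secret are all assumptions), and signs its reply with the Response Authenticator. Real WPA2-Enterprise deployments carry EAP (typically PEAP or EAP-TLS) inside RADIUS rather than the plain password attribute shown here; the point of the example is the account check and the revocation it gives you.

```python
import hashlib
import hmac
import os
import struct

# Constructed stand-in for the directory service (assumption: a real RADIUS
# server such as NPS looks the account up in Active Directory instead).
DIRECTORY = {
    "alice": {"password": "correct horse battery", "enabled": True},
    "bob":   {"password": "hunter2", "enabled": False},   # bob left; account disabled
}

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                 # RFC 2865 attribute types


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad the password to a multiple of 16 bytes, then XOR
    each block with MD5(secret + previous ciphertext block); the first block is
    keyed with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password, run by the server that knows the shared secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    # Each attribute is Type (1 byte), Length (1 byte, includes this header), Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, attrs_bytes, request_auth, secret):
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def client_access_request(user, password, secret, ident=1):
    """Access point (RADIUS client) side: fresh Request Authenticator, hidden
    password, Access-Request packet."""
    request_auth = os.urandom(16)
    attrs = [(ATTR_USER_NAME, user.encode()),
             (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_handle(packet, secret):
    """RADIUS server side: recover the password, check the account, and sign the
    reply with the Response Authenticator."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = decode_attrs(packet[20:length])
    user = attrs[ATTR_USER_NAME].decode()
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    entry = DIRECTORY.get(user)
    # A disabled account is rejected even with the right password: this is the
    # revocation the post describes, which a static WPA2 pre-shared key cannot give.
    ok = (entry is not None and entry["enabled"]
          and hmac.compare_digest(entry["password"].encode(), password))
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply_code, ident, b"", request_auth, secret)
    return build_packet(reply_code, ident, auth, [])


def client_verify(response, request_auth, secret):
    """The access point checks that the reply really came from its RADIUS server
    before granting or denying the station."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, response[20:length], request_auth, secret)
    if not hmac.compare_digest(response[4:20], expected):
        raise ValueError("Response Authenticator mismatch: reply not from our RADIUS server")
    return code == ACCESS_ACCEPT


def wifi_login(user, password, secret=b"constructed-shared-secret"):
    """Full exchange in memory: Access-Request from the AP, reply from the server."""
    request, request_auth = client_access_request(user, password, secret)
    reply = server_handle(request, secret)
    return client_verify(reply, request_auth, secret)
```

Calling wifi_login("alice", "correct horse battery") returns True, while wifi_login("bob", "hunter2") returns False even though the password is right, because bob’s account is disabled. Rotating the shared secret on the server alone makes the client raise on the mismatched Response Authenticator, which is the check that stops a rogue device on the LAN from answering in the server’s place.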
Anti-virus and anti-malware
Anti-virus software is still relevant and important. It should not be the sole line of defense against cyber criminals, but it should be used, especially since it can be purchased inexpensively. It’s important that business anti-virus be standardized, monitored, and updated a minimum of once per day.
CNS installs a copy of Webroot Anti-Virus on every system we support.
Cryptoprevent is a program written to stop ransomware by preventing programs from running from the directories where ordinary users are able to both save files and launch them. It can cause problems for some legitimate applications, so it’s a good idea to test it before deploying it company-wide. Cryptoprevent has saved us countless hours of ransomware recovery time.
CNS installs a copy of Cryptoprevent on every system we support.
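The "test it before deploying it" advice above is easier to follow with a dry run. The following is an added example, written for this post and not Cryptoprevent’s own code, of a path-based execution policy of the kind described: block rules for user-writable directories, an exception list, and an audit mode that reports what would be blocked over recorded process launches. The profile paths in ENV, the ExampleVendor updater and the SAMPLE_LAUNCHES list are all constructed. Paths are canonicalized before matching so a launch path written with ".." cannot slip past a rule.

```python
import fnmatch
import ntpath

# Constructed profile layout standing in for the real environment variables
# (assumption: a deployed tool resolves these per user at evaluation time).
ENV = {
    "%USERPROFILE%": r"C:\Users\alice",
    "%APPDATA%": r"C:\Users\alice\AppData\Roaming",
    "%LOCALAPPDATA%": r"C:\Users\alice\AppData\Local",
    "%TEMP%": r"C:\Users\alice\AppData\Local\Temp",
}

# Block: anything launched from a directory an ordinary user can write to.
BLOCK_RULES = [r"%APPDATA%\*", r"%LOCALAPPDATA%\*", r"%TEMP%\*", r"%USERPROFILE%\Downloads\*"]
# Exceptions found during the test phase (constructed vendor updater that
# insists on living under the user profile).
ALLOW_RULES = [r"%LOCALAPPDATA%\ExampleVendor\update.exe"]


def expand(rule):
    """Substitute the environment placeholders and fold case."""
    for name, value in ENV.items():
        rule = rule.replace(name, value)
    return rule.lower()


def canonical(path):
    # Resolve ".." and "." and fold case so a traversal path cannot dodge a rule.
    return ntpath.normpath(path).lower()


def matches(path, rules):
    # fnmatch's "*" also matches backslashes, so "dir\*" covers subdirectories.
    return any(fnmatch.fnmatchcase(path, expand(r)) for r in rules)


def decide(path):
    """Exceptions win over block rules; anything unmatched runs as before."""
    p = canonical(path)
    if matches(p, ALLOW_RULES):
        return "allow"
    if matches(p, BLOCK_RULES):
        return "block"
    return "allow"


def audit(launches):
    """Dry run over recorded process launches: report what the policy would block
    so legitimate applications can be given exceptions before enforcement."""
    return {"would_block": [p for p in launches if decide(p) == "block"],
            "allowed": [p for p in launches if decide(p) == "allow"]}


# Constructed launch records of the kind an endpoint log would contain.
SAMPLE_LAUNCHES = [
    r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
    r"C:\Users\alice\Desktop\..\AppData\Local\Temp\dropper.exe",
    r"C:\Users\alice\AppData\Local\ExampleVendor\update.exe",
    r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
    r"C:\Users\alice\Downloads\setup.exe",
]

if __name__ == "__main__":
    report = audit(SAMPLE_LAUNCHES)
    for p in report["would_block"]:
        print("WOULD BLOCK", p)
```

Run the audit against a week of real launch records before turning enforcement on; every entry in would_block that turns out to be a legitimate application becomes a line in ALLOW_RULES, and the remaining entries are exactly the behaviour the policy exists to stop.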
Firewall with content filtering
A firewall with content filtering is another must-have to properly secure a business network. Besides blocking obvious categories such as known malware, pornography, and gambling, you can also block time wasters including social media, gaming, and shopping. For even more control, buy a firewall that can integrate with Active Directory, so that marketing can access Facebook but the rest of the company cannot.
For full visibility into your network, you need a Security Information and Event Management (SIEM) system. SIEM systems collect logs from all the devices on your network and analyze them, looking for malicious behavior. A good SIEM will cross-correlate events from different devices, and alert when suspicious log events are observed. Without a SIEM, network administrators may have no idea that hackers have infiltrated the network.
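As an added illustration of the cross-correlation described above (example code written for this post, not any SIEM product’s rule language), here is a small correlation rule run over constructed log lines from three devices: a mail gateway, an endpoint agent and a firewall. The rule ties the attack path the post keeps coming back to into one alert: an attachment delivered to a user, the mail client on that user’s workstation launching a program from a user-writable directory, and an outbound connection from that host shortly after. The log format, the host and user names and the 203.0.113.5 destination (a documentation address) are all constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed log lines (not real logs): timestamp, source device, then key=value
# fields. Backslashes are doubled only because this is a Python string literal.
SAMPLE_LOGS = """\
2016-03-25T09:01:02 mailgw to=alice attachment=invoice.zip verdict=delivered
2016-03-25T09:03:10 endpoint host=WS-ALICE user=alice parent=OUTLOOK.EXE process=invoice.exe dir=C:\\Users\\alice\\AppData\\Local\\Temp
2016-03-25T09:03:45 firewall src=WS-ALICE dst=203.0.113.5 dport=443 action=allow
2016-03-25T09:30:00 mailgw to=carol attachment=report.pdf verdict=delivered
2016-03-25T09:31:00 endpoint host=WS-CAROL user=carol parent=EXPLORER.EXE process=acrobat.exe dir=C:\\Adobe\\Acrobat
2016-03-25T11:00:00 endpoint host=WS-DAVE user=dave parent=OUTLOOK.EXE process=calc.exe dir=C:\\Windows\\System32
"""

MAIL_CLIENTS = {"OUTLOOK.EXE", "THUNDERBIRD.EXE"}
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp", "\\downloads")

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """One log line -> dict with ts, source, and every key=value field."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, source, rest = m.groups()
    event = {"ts": datetime.fromisoformat(ts), "source": source}
    event.update(KV_RE.findall(rest))
    return event


def parse_logs(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def is_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def correlate(events, window=timedelta(minutes=10)):
    """Cross-device rule: a mail client spawning a program from a user-writable
    directory, tied back to a delivered attachment for the same user and forward
    to an outbound connection from the same host, all within `window`."""
    alerts = []
    for ev in events:
        if ev["source"] != "endpoint":
            continue
        if ev.get("parent", "").upper() not in MAIL_CLIENTS or not is_user_writable(ev.get("dir", "")):
            continue
        before = [m for m in events
                  if m["source"] == "mailgw" and m.get("to") == ev.get("user")
                  and m.get("verdict") == "delivered"
                  and timedelta(0) <= ev["ts"] - m["ts"] <= window]
        after = [f for f in events
                 if f["source"] == "firewall" and f.get("src") == ev.get("host")
                 and f.get("action") == "allow"
                 and timedelta(0) <= f["ts"] - ev["ts"] <= window]
        severity = "medium"              # the endpoint event on its own
        if before:
            severity = "high"            # plus the matching mail delivery
            if after:
                severity = "critical"    # plus a follow-on outbound connection
        alerts.append({
            "severity": severity,
            "user": ev.get("user"),
            "host": ev.get("host"),
            "process": ev.get("process"),
            "attachment": before[0]["attachment"] if before else None,
            "destination": after[0]["dst"] if after else None,
            "evidence": [ev] + before + after,
        })
    return alerts


if __name__ == "__main__":
    for a in correlate(parse_logs(SAMPLE_LOGS)):
        print(a["severity"].upper(), a["user"], a["host"], a["process"],
              a["attachment"], a["destination"])
```

On the sample lines this produces a single critical alert for alice: the PDF opened by carol from Explorer and the program dave launched from System32 match none of the stages, which is the filtering a correlation rule gives you over three separate per-device alerts. Each alert carries the raw evidence events, because the first thing an analyst will want after the page is the three log lines that triggered it.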
Cybercriminals are becoming more sophisticated in their attacks every day. As more of our lives and data move to the cloud, we can only expect to see their level of sophistication increase. While it’s still important to have proper technological safeguards in place, proper user behavior and compliance are the most critical safeguards against data breach. Make sure your users are aware that they are being targeted, and know how to avoid becoming a victim.