IT Defense in Depth Part II

Last week, we started talking about the different layers of physical security necessary to fully defend your data and business integrity. If you missed that post, I encourage you to go take a look first.  

Today we will look at the human layer and at network defenses. The human layer refers to the activities that your employees perform. 95% of security incidents involve human error. Ashley Schwartau of The Security Awareness Company says the two biggest mistakes a company can make are "assuming their employees know internal security policies" and "assuming their employees care enough to follow policy".

Here are some ways hackers exploit human foibles:

  1. Guessing or brute-forcing passwords (Anyone still using Password1!?!?!)
  2. Tricking employees into opening compromised emails or visiting compromised websites
  3. Tricking employees into divulging sensitive information (phishing/spear-phishing)

For the human layer, you need to: 

  1. Enforce mandatory password changes every 30 to 60 days, and especially after an employee leaves (voluntarily or otherwise)
  2. Train your employees on best practices every 6 months
  3. Provide incentives for security-conscious behavior
  4. Distribute sensitive information on a need-to-know basis (stop sharing passwords!)
  5. Require two or more individuals to sign off on any transfers of funds
  6. Watch for suspicious behavior

The network layer refers to software attacks delivered online. This is by far the most common attack vector, affecting 61% of businesses last year. There are many types of malware: some will spy on you, some will siphon off funds, some will lock away your files. However, they are all transmitted in the same way:

  1. Spam emails or compromised sites
  2. "Drive-by" downloads, etc.

To protect against malware:

  1. Don't use business devices on an unsecured network.
  2. Don't allow foreign devices to access your Wi-Fi network.
  3. Have a totally segregated/isolated 'guest' Wi-Fi network if you MUST provide some access to 3rd parties
  4. Use firewalls to protect your network
  5. Make sure your Wi-Fi networks are encrypted using at least WPA2
  6. Change your Wi-Fi network passwords on at least an annual basis
  7. Use antivirus software and keep it updated. Although it is not the be-all and end-all of security, it will protect you from the most common viruses and help you notice irregularities
  8. Keep Windows, Java, OS X, and any other operating systems/runtimes updated
  9. Use programs that detect suspicious software behavior

The mobile layer refers to the mobile devices used by you and your employees. Security consciousness for mobile devices often lags behind consciousness about security on other platforms, which is why there are 11.6 million infected devices at any given moment. Yes, that means your iPhone or shiny new Galaxy S8 Edge could have a form of malware on it.

There are several common vectors for compromising mobile devices:

  1. Traditional malware (drive-by downloads from web pages, etc.)
  2. Malicious apps (either from the App Store, the Google Play store, or unknown sources)
  3. Network threats

To protect your mobile devices you can: 

  1. Use secure passwords/PINs (PINs should be 6+ digits)
  2. Use encryption
  3. Use reputable security apps
  4. Enable remote wipe options.

If your business uses an Exchange server, either hosted via O365 or on-prem, a form of remote wipe is available to your sysadmin. This enables them to wipe the company-specific information from the device (i.e., email, Microsoft MyCompany portal, etc.). Take note, though: some phones interpret the remote wipe command from Exchange as a trigger for a full device wipe, which could leave an employee who brought their own device (BYOD) angry that you wiped their family vacation photos. It's really best to provide a company device, if possible.
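As an added example (not part of the original post), here is how an Exchange admin would issue the two kinds of wipe from PowerShell, assuming an Exchange Online or Exchange 2016 or later session where Clear-MobileDevice supports the AccountOnly switch; the mailbox, device name and notification address are placeholders.

```powershell
# Added example, not from the original post. Assumes an Exchange Online or
# Exchange 2016+ remote PowerShell session with Get-MobileDevice,
# Clear-MobileDevice and Get-MobileDeviceStatistics available.
$Mailbox = 'jim.smith@example.com'   # placeholder: mailbox of the departing employee
$NotifyIT = 'it@example.com'         # placeholder: where wipe notifications go

# 1. List every phone/tablet that has synced this mailbox over ActiveSync, with
#    its type and OS, so a company-issued phone can be told apart from a BYOD one.
Get-MobileDevice -Mailbox $Mailbox |
    Select-Object FriendlyName, DeviceType, DeviceOS, DeviceId, Identity, FirstSyncTime

# 2. Pick the device to wipe. The name below is a placeholder taken from step 1.
$DeviceId = (Get-MobileDevice -Mailbox $Mailbox |
    Where-Object { $_.FriendlyName -eq 'Jims iPhone' }).Identity

# 3a. Personal (BYOD) device: an account-only wipe removes just the Exchange
#     data (mail, contacts, calendar) and leaves photos and personal apps alone.
#     Only devices that support account-only wipe will honour it; older clients
#     may still treat any wipe command as a full reset, as the post warns.
Clear-MobileDevice -Identity $DeviceId -AccountOnly `
    -NotificationEmailAddresses $NotifyIT -Confirm:$true

# 3b. Company-owned device (or BYOD with the owner's consent): a full remote
#     wipe factory-resets the whole phone. Left commented out so it is never
#     run by accident; this is the command that deletes the vacation photos.
# Clear-MobileDevice -Identity $DeviceId -NotificationEmailAddresses $NotifyIT

# 4. Verify the wipe was requested, sent and acknowledged by the device.
Get-MobileDeviceStatistics -Identity $DeviceId |
    Select-Object DeviceFriendlyName, DeviceWipeRequestTime, DeviceWipeSentTime,
                  DeviceWipeAckTime, LastSyncAttemptTime
```

The wipe is only delivered the next time the device syncs, so a DeviceWipeAckTime that stays empty usually means the phone has not connected since the request (or its account was already removed).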

Just as each line of defense would have been useless without an HQ to move forces to where they were needed most, an IT defense-in-depth policy needs a single person able to monitor each layer for suspicious activity and respond accordingly. That is often an overworked sysadmin, or Jim from accounting who had a BS in CS before he got his CPA. If your designated IT person is overworked, or you don't have an IT person in house, let's see if ROI Technology Inc. might be able to lighten the load and get your network secure.

Like & follow ROI Technology Inc. on social media for contests, free e-guides, and more!