Layered Security - IT Security Best Practices

IT security breaches cost the American economy billions of dollars a year, and it's not just large enterprises that are affected. Thousands of small and medium-sized businesses are victimized by cyber-criminals every day. According to FBI Director James Comey, "There are two kinds of companies in the United States. There are those who have been hacked...and those who don't know they've been hacked."

Today's cyber-criminals use a variety of methods to launch their attacks, including malicious software ("malware") such as spyware, ransomware and logic bombs, distributed denial of service (DDoS) attacks, and data leakage. The best way to defend against these attacks is to implement a "Layered Security Strategy" (also called defense in depth). A layered security strategy uses multiple, independent security components to protect your network, data, and users at several levels, so that when one control fails or is bypassed, another one is still standing behind it.

When a company is hacked it can suffer huge monetary losses, but the more severe damage is the blow to its reputation and credibility. Any organization can improve its security posture by taking a number of common-sense steps to secure its network and data. Think you need to break the bank to become secure? You don't. Many of the steps you can take are inexpensive, and some are free. Sometimes it's just a matter of taking full advantage of what you already have in place. For example, if you have a domain controller with Active Directory, you can implement an organization-wide password policy, force the screen to lock after a period of inactivity, restrict user rights and privileges on your network, enable two-factor authentication for remote access, and deploy network antivirus and internet content filtering through the same management tools.
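The following PowerShell script is an added example, not code from the original article, showing how to audit what an existing Active Directory domain already enforces before buying anything new. It uses the RSAT ActiveDirectory module to compare the default domain password policy with a baseline, list fine-grained password policies that can override it, enumerate privileged group membership, and flag enabled accounts whose passwords never expire. The baseline numbers and the choice of groups are assumptions for illustration; adjust them to your own policy.

```powershell
# Added example, not part of the original article. Requires the RSAT
# ActiveDirectory module on a domain-joined machine; run as a user with read
# access to the domain. The baseline values below are assumptions to adjust.
Import-Module ActiveDirectory

$Baseline = @{
    MinPasswordLength  = 8      # assumed floor; longer passphrases are better
    MaxPasswordAgeDays = 90
    LockoutThreshold   = 10     # failed attempts before lockout
    LockoutDurationMin = 15
}

$findings = New-Object System.Collections.Generic.List[string]
$policy   = Get-ADDefaultDomainPasswordPolicy

if ($policy.MinPasswordLength -lt $Baseline.MinPasswordLength) {
    $findings.Add("Minimum password length is $($policy.MinPasswordLength); baseline is $($Baseline.MinPasswordLength)")
}
if (-not $policy.ComplexityEnabled) {
    $findings.Add('Password complexity is disabled')
}
# A MaxPasswordAge of 0 means passwords never expire.
$maxAge = $policy.MaxPasswordAge.TotalDays
if ($maxAge -eq 0 -or $maxAge -gt $Baseline.MaxPasswordAgeDays) {
    $findings.Add("Maximum password age is $maxAge days; baseline is $($Baseline.MaxPasswordAgeDays)")
}
# A LockoutThreshold of 0 means accounts are never locked out.
if ($policy.LockoutThreshold -eq 0 -or $policy.LockoutThreshold -gt $Baseline.LockoutThreshold) {
    $findings.Add("Lockout threshold is $($policy.LockoutThreshold); baseline is $($Baseline.LockoutThreshold)")
}
if ($policy.LockoutDuration.TotalMinutes -lt $Baseline.LockoutDurationMin) {
    $findings.Add("Lockout duration is $($policy.LockoutDuration.TotalMinutes) minutes; baseline is $($Baseline.LockoutDurationMin)")
}

Write-Host "== Default domain password policy findings ($($findings.Count)) =="
$findings | ForEach-Object { Write-Host " - $_" }

# Fine-grained password policies override the default for the groups they
# apply to, so a weaker one here silently undoes the domain-wide setting.
Write-Host "`n== Fine-grained password policies =="
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, AppliesTo |
    Format-Table -AutoSize

# Everyone in these groups holds rights that should not be used for daily
# work; review each member against the "no admin rights for daily use" rule.
Write-Host "`n== Privileged group membership =="
'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators' | ForEach-Object {
    $groupName = $_
    Get-ADGroupMember -Identity $groupName -Recursive -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Group'; e = { $groupName } }, SamAccountName, objectClass
} | Format-Table -AutoSize

# Enabled accounts whose passwords never expire are exempt from the policy
# above; these are usually service accounts and need separate handling.
Write-Host "`n== Enabled accounts with PasswordNeverExpires =="
Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } -Properties PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet |
    Format-Table -AutoSize
```

Run it once to get a picture, then again after each policy change; the findings list should be empty and the privileged group output should fit on one screen. The PasswordNeverExpires list is the starting point for the service-account lockdown described later on this page.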

Below is a general list of IT security best practices every business should follow:

Remove Administrative Rights – nobody should have them for daily computer use (including system administrators, who should do email and browsing from a separate, non-privileged account and elevate only when a task requires it).

Lock down Service Accounts – restrict where and how they can log on (deny interactive and RDP logon), give each administrator a unique privileged login rather than a shared one, and change every default password.

Principle of Least Privilege – users should have access only to the minimum resources they need to perform their job: the fewest files, the fewest websites, the fewest rights.

Password Policy – apply it domain-wide using Group Policy: a minimum length of at least 8 characters (longer passphrases are better), complexity, a maximum age of 90 days, and account lockout after a small number of failed attempts. Note that current NIST guidance (SP 800-63B) favors screening new passwords against lists of breached passwords over forced periodic expiry; if you keep an expiry rule, pair it with multifactor authentication.

Patch Management – use WSUS, SCCM or an alternative solution to make sure all software, operating systems and third-party applications alike, is patched and up to date. There must be no gaps on externally facing systems; verify this with a scan rather than assuming it.

Computer Lockout after Inactivity – enforce a screen lock after a period of inactivity via Group Policy on all PCs and servers.

Windows Firewall – enabled on all PCs via Group Policy, with port and service exceptions added only through Group Policy so that local changes are overridden at the next policy refresh.

Services Baseline – stop or remove unnecessary services; every running service is attack surface. Document the approved set for each server role so that drift can be spotted.

Security Awareness Training – the biggest vulnerability in most systems is the users. Hold regular training to expose them to best practices and teach them how to recognize risks.

White Hat Social Engineering – test the effectiveness of your users' security awareness. Send authorized "white hat" phishing emails to see which users need more restrictions or more training.

Software Restriction Policies – limit what software can run on computers using local or Group Policy.

AppLocker – better than Software Restriction Policies. Rather than just blocking "known bad" software, it can first be run in audit mode to record what actually runs and then be set to allow only "known good" software based on publisher (digital signature), path or file hash. Built into Windows Server 2012 R2; the desktops to be locked down need Windows 7 Enterprise or Ultimate, Windows 8 Enterprise, or the Enterprise/Education editions of Windows 10 and 11.

EMET – Enhanced Mitigation Experience Toolkit – applies exploit mitigations (DEP, ASLR, SEHOP and others) to applications that were not built with them, making poorly written apps harder to exploit. EMET has since reached end of life; its mitigations live on as Exploit Protection (Windows Defender Exploit Guard) in Windows 10 and later.

Hardware Firewall – configured with "deny all" default rules, with ports opened only as needed, inbound and outbound. Your firewall should also be able to inspect encrypted (TLS) traffic coming into your network from the internet, which means terminating or intercepting TLS at the perimeter and managing the certificates that requires.

Network Antivirus / Anti-Malware – signature-based antivirus catches only a fraction of threats (10%-40% by some estimates), but it is still a mandatory first level of defense; it just must never be the only one.

AntiSpam/AntiVirus Email Filter – email is still the most popular way to deliver threats. A good email filter can eliminate 95%+ of phishing and virus-laden messages before they reach users; make sure it checks SPF, DKIM and DMARC on inbound mail as well.

Internet Content Filter – a must for every internet-connected PC in your organization. It is about more than blocking Facebook or YouTube: the real value of content filtering is preventing users from reaching known malicious websites that look legitimate but are the attacker's gateway into your network (phishing pages, drive-by downloads, malware command-and-control).

Multifactor Authentication – a must for all remote access (VPN, remote desktop, webmail); where it is not available, at least restrict access to a VPN or to known source IP addresses. Stolen remote-login credentials are useless on their own if multifactor authentication is in place; the Target breach, which began with a vendor's stolen remote-access credentials, could have been prevented by it.

Internal and External Vulnerability Scans – run them quarterly (at least annually) to confirm there are no open windows to the outside, and rescan after any significant change to the network.
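To make the AppLocker item above concrete, here is an added PowerShell example (not code from the original article) that follows the audit-then-allow sequence: inventory the software already installed, build publisher rules from it (with hash rules as the fallback for unsigned files), deploy the policy in audit mode, review what would have been blocked, test a single file, and only then switch to enforcement. The inventory directories, the output path, the download path tested and the "Everyone" principal are assumptions to adjust.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# on a Windows edition that enforces AppLocker. Inventory directories, the
# output path and the "Everyone" principal are assumptions; adjust them.
Import-Module AppLocker

$PolicyPath = 'C:\Policies\AppLocker-Baseline.xml'   # assumed location
New-Item -ItemType Directory -Path (Split-Path $PolicyPath) -Force | Out-Null

# AppLocker does nothing unless the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 1. Inventory what is already installed: executables, scripts and installers
#    under the standard locations become the "known good" set. Recursing
#    C:\Windows takes a while; run it once, not on every logon.
$inventory = foreach ($dir in 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)') {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
}

# 2. Build rules that allow by Publisher (digital signature) where possible;
#    unsigned files fall back to a Hash rule, which breaks on every update and
#    is therefore a list worth shortening. -Optimize merges overlapping rules.
[xml]$policyXml = New-AppLockerPolicy -FileInformation $inventory `
    -RuleType Publisher, Hash -User Everyone -RuleNamePrefix 'Baseline' -Optimize -Xml

function Set-EnforcementMode([xml]$Policy, [string]$Mode) {
    # Mode is 'AuditOnly' or 'Enabled'; every rule collection gets the same mode.
    foreach ($collection in $Policy.AppLockerPolicy.RuleCollection) {
        $collection.EnforcementMode = $Mode
    }
}

# 3. Deploy in audit mode first: nothing is blocked, but every execution the
#    policy would have stopped is logged.
Set-EnforcementMode -Policy $policyXml -Mode 'AuditOnly'
$policyXml.Save($PolicyPath)
Set-AppLockerPolicy -XmlPolicy $PolicyPath

# 4. After running in audit mode for a while, review what would have been
#    blocked (event 8003 for EXE/DLL, 8006 for MSI/Script). Legitimate software
#    found here gets a rule; anything else is confirmation the policy works.
$audit = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -ErrorAction SilentlyContinue
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8006 } -ErrorAction SilentlyContinue
)
$audit | Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# 5. Check a specific file against the policy before enforcing, for example a
#    download (assumed path); the output says whether it would be allowed.
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path "$env:USERPROFILE\Downloads\setup.exe" -User Everyone

# 6. When the audit log is clean, switch to enforcement. For a fleet, import the
#    same XML into a GPO instead of applying it locally.
Set-EnforcementMode -Policy $policyXml -Mode 'Enabled'
$policyXml.Save($PolicyPath)
Set-AppLockerPolicy -XmlPolicy $PolicyPath
```

Two design points: the policy deliberately has no "Administrators may run anything" rule, in keeping with the advice above that nobody uses admin rights for daily work; and DLL rules are left out because they multiply the rule count and need their own audit cycle. Keep the audit-mode period long enough to cover monthly and quarterly jobs, or the first enforcement day will block them.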
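Three of the items above (Windows Firewall, the services baseline and the inactivity lock) can be applied on a single machine with the PowerShell below. This is an added example, not code from the original article: it turns the firewall on for every profile with inbound denied by default, adds one narrow exception, lists every inbound allow rule for review, disables services the machine does not need and records a baseline of running services to detect drift, and sets the machine inactivity limit. The jump-host address, the service list, the baseline file path and the 15-minute timeout are assumptions to adapt; for a fleet, put the same settings in a GPO so that local changes are overridden at the next policy refresh.

```powershell
# Added example, not from the original article. Run elevated on the machine
# being hardened. Addresses, service names, paths and timeouts are assumptions.

# --- Windows Firewall: on everywhere, inbound denied by default, blocks logged
#     so a missing exception shows up in the log instead of as a mystery.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Exceptions are explicit and narrow: protocol, port, source and profile.
$JumpHost = '10.0.10.5'   # assumed management host allowed to reach RDP
if (-not (Get-NetFirewallRule -DisplayName 'Baseline: RDP from jump host' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'Baseline: RDP from jump host' -Direction Inbound `
        -Protocol TCP -LocalPort 3389 -RemoteAddress $JumpHost -Profile Domain -Action Allow | Out-Null
}

# Review every enabled inbound allow rule with its port; anything you cannot
# explain is an exception that should not exist.
Write-Host '== Enabled inbound allow rules =='
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Profile   = $_.Profile
        Protocol  = $port.Protocol
        LocalPort = ($port.LocalPort -join ',')
    }
} | Format-Table -AutoSize

# --- Services baseline: disable what this role does not need (assumed list;
#     derive yours from what the machine actually does), then snapshot what is
#     running so later runs can flag anything new.
$UnneededServices = 'RemoteRegistry', 'SSDPSRV', 'upnphost', 'Fax'
foreach ($name in $UnneededServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { continue }
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force }
    Set-Service -Name $name -StartupType Disabled
}

$BaselineFile = 'C:\Policies\services-baseline.txt'   # assumed location
New-Item -ItemType Directory -Path (Split-Path $BaselineFile) -Force | Out-Null
$running = (Get-Service | Where-Object Status -eq 'Running').Name | Sort-Object
if (-not (Test-Path $BaselineFile)) {
    # First run: the approved set is whatever is left running after the cleanup.
    $running | Set-Content $BaselineFile
    Write-Host "Services baseline written with $($running.Count) services"
} else {
    $approved = Get-Content $BaselineFile
    Compare-Object -ReferenceObject $approved -DifferenceObject $running |
        Where-Object SideIndicator -eq '=>' |
        ForEach-Object { Write-Warning "Service running but not in baseline: $($_.InputObject)" }
}

# --- Inactivity lock: the "Interactive logon: Machine inactivity limit"
#     security option, which locks the session after the given number of
#     seconds regardless of the user's screen-saver settings.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $PolicyKey -Name 'InactivityTimeoutSecs' -Value 900 -Type DWord   # 15 minutes assumed
```

Run the script once to establish the baseline, then on a schedule: the only output on a healthy machine is the rule table, and any warning about an unlisted running service is either a change that needs to be approved and added to the baseline file or something that should not be there.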

Ryan Cody

