Clean up your act with basic security hygiene.
According to the Ann Barron-DiCamillo, Director of the Department of Homeland Security’s Computer Emergency Readiness Team, 85% of recent breaches could have been prevented by following three easy steps:
- Reduce admin/access privileges
- Whitelist applications
- Up-to-date system software patching
- (I would add a fourth to this list: Secure your remote access technology.)
Now while I can’t say for myself that these data security best practices will make you hack-resistant, these four items are some great steps to basic security hygiene that many organizations have problems implementing.
Let’s discuss these data security best practices so you can understand why they’re important, and how to correctly implement them in your organization.
SEE ALSO: Top 5 Security Vulnerabilities Every Business Should Know
#1: Reduce administrative privilegesSecurity always starts with control. And it’s hard to have control when many people at your organization have administrative privileges. When I say administrative privileges, I mean the highest level of permission granted to a computer, system, environment, network, or server user. In short, admins have more privileges than normal users.
Administrative privileges allow the user to (among other things)
- Turn on and off their anti-virus scanning
- Add new users
- Turn on/off event logging
- Download and install new programs
- Gain access to OS or system software
- Pretty much do anything they want…
So what’s the problem with allowing users more rights?
When an attacker enters a network, one of the first things he does is try to escalate his user privileges. Typically, attackers can more easily extract sensitive information from a system, and move through a network easier if they have administrative privileges.
See how this could have the potential to be destructive? Poorly managed administrative privileges make privilege escalation easier. Reducing privileges among staff helps prevent your system from being broken, and broken-into…intentionally or unintentionally.
If you reduce the number of people who have admin rights, you reduce your risk.
Good rules of thumb for assigning privileges
- Only trusted people at your organization should have administrative privileges, such as IT administrators.
- Limit highly privileged accounts to only log on to secure systems. That way it reduces the chance of exposing credentials to higher risk computers. In other words, don’t use the same admin login credentials for critical servers and office workstations.
- When logged in as an administrator, don’t use your email account. Limit your access to the Internet to known trusted sites. This reduces the risk of accidental malware installation, phishing attacks , etc.
- The best way to give the right people the right permissions is through role-based access. In a nutshell, it means users are only allowed the bare minimum access that their job requires. That way they don’t have access to anything they don’t need.
#2: Whitelist applicationsAnother good way of controlling the security of your data is by determining exactly which applications you want running on systems for various roles.
Whitelisting, also called trust listing, is when an organization only allows the applications on the whitelist to be downloaded/used and prevents the download/use of any other application. In contrast, blacklisting specifically outlines the applications you want to avoid, then allows everything else in.
Whitelisting vs. blacklisting
In the security world, people have strong opinions about whitelisting and blacklisting. I believe both have their place, however you should understand that whitelisting almost always requires more thought than blacklisting. You really have to think exactly which software/devices/etc. you want in your network and if they deserve your trust.
Remember, whitelisting isn’t a cure-all.
If set up correctly with security in mind, whitelisting prevents employees from accidentally opening software that isn’t approved, and can even prevent malware downloads. Remember, employees are your weakest link. If employees utilize whatever applications they feel like, they could put you at risk. Control what applications they use with whitelisting.
#3: Software patchingOur third aspect of control we need to discuss is software patching. Application developers will never be perfect. They will regularly release updates to patch security holes. Security is the #1 reason to update.
Why? Once a hacker knows he can get through a security hole, he passes that knowledge on to the hacker community who then exploits it.
Where should you install updates?
- Operating systems
- Application software
- Internet browsers
- POS terminals
- Other critical software
Be vigilant about consistently updating the software associated with your website. Keep in mind, some software and browsers can become so outdated, the creators stop supporting it (e.g. January 12, 2016, Microsoft stopped providing technical support and security updates for older versions of Internet Explorer.) In cases like these, the best option is to update to the latest browser.
Because hackers have an unlimited amount of time to find vulnerabilities, they can and do find and exploit vulnerabilities. That’s why it’s important to update your systems and applications to reduce the likelihood of exploitable vulnerabilities.
SEE ALSO: Security Patches in Your Business: Complying with PCI Requirement 6.1
Don’t forget about other critical software installations like credit card payment applications. In order to maintain Payment Card Industry PA DSS compliance, your payment applications must be properly configured and have the latest updates and patches. This same principle relates to POS terminals as well.
All of these systems and applications have notification lists and some have forums you can participate in to receive notifications on security updates. Talk to your vendors about how often they release updates and try to get on a notification list. You should never have to search for these updates; you should always be notified when they are available.
Published updates often contain essential security enhancements that will correct vulnerabilities in existing versions.
Just like computers, mobile devices must be patched often to eliminate software or hardware vulnerabilities found after initial release.
The more systems, computers, and apps your company has, the more places a cybercriminal can find a weakness. Vulnerability scanning is a great way to help indicate when software patches have yet to be updated in your system. It is arguably the easiest way to discover holes in business systems that cybercriminals would exploit, gain access to, and compromise an organization.
Data security best practices bonus: Remote access securityRemote access makes doing business extremely convenient…but it also increases your risk if not configured correctly. Exploitation of improperly configured remote management tools is the plan of attack most frequently used by hackers.
If not properly secured, remote access puts organizations at a severe security disadvantage by allowing attackers to bypass the firewall and most other system security measures and remotely gain access to the POS or other systems in the payment environment.
Learn more about remote access insecurities in my previous blog post.
Make it so…Now that you understand some of the best data security best practices that increase organizational security, go implement them! If any of these tips seem overwhelming, make a plan to implement or check that they are correctly implemented by the end of the year. If you simply don’t know how, contact your IT vendor, or speak with one of our data security consultants.
Updated on March 9, 2016
Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.