Ordering off the Security Menu

Download the authoritative guide: Cloud Computing 2019: Using the Cloud for Competitive Advantage

Share it on Twitter  
Share it on Facebook  
Share it on Google+
Share it on Linked in  
In a column that ran earlier this month, I took a look at 'defense in depth' for small business -- well, actually, for all businesses. In this follow-up article, I'll lay out a basic list, or menu, of security technologies and processes that business and technical folks should consider.

I call it a menu because it's a list that you can pick and choose from. Some technologies and processes may apply to your business, while others may not. Let this serve as a guide and choose from it based on risk factors and needs.

  • Documentation -- This is often a dirty word to IT and small business. The fact is that documentation is needed to ensure continuity. Even if you are a one-person IT shop, can you remember all of your firewall and Internet router settings after one year? Documentation is invaluable for disaster recovery, as well as for training new people and communicating with teams.

  • Formally Assign Duties -- If there are security tasks to be performed, make sure you identify who will do each task and write out a schedule to follow. Unassigned tasks are apt to be skipped or done in a haphazard manner. Consider creating checklists for people to date and sign when tasks have been completed.

  • Change Management -- The owner of an accounting practice was telling me he always has issues with his accounting software after the vendor applies updates. To compensate for such issues, at a minimum, be sure that you have full system backups of the application and database before ever applying a patch. Ideally, have a small test system where you can install the patch first and go through a series of tests so you can validate the outcomes to make sure the new functionality performs as planned, and that existing functions did not break.

  • User IDs and Passwords -- Small businesses frequently skip user IDs and passwords at the operating system and application/database layers out of a mixture of trust, and a desire for simplicity and expediency. This absence of access controls creates a serious security hole. First of all, once someone gains access to one of these systems, they have full control. Secondly, with unique user IDs and passwords for each user, you'll have a log to fall back on to find out who may need training in the event of errors or to determine when a mistake was made.

  • Password Rules -- Bear in mind some simple rules about passwords.
    -- Make them at least eight characters long and a mix of letters, numbers and symbols;
    -- Have them expire every 60 days in case someone steals both a user ID and a password;
    -- Have the system set to lock an account after three or five failed attempts at getting the password right. Investigate why an account is locked versus simply resetting it;
    -- Don't allow people to write their user ID or password on a note and stick it to their monitor or under their keyboard...;
    -- Remove/disable default accounts such as ''administrator'' or ''guest''. If you can't, then at least change the password to something more secure;
    -- On a daily or weekly basis, check the logs of access attempts to look for abnormal behavior;

  • Limit Rights -- A cardinal rule of security is to give users as few rights as possible to do their jobs. This means that a person in accounts receivable only gets what he/she needs to perform that job. This helps keep people from getting into parts of the system where they don't belong.

  • System Logs -- Be sure to log access and important transactions, and make sure someone reviews the logs on a daily or weekly basis. This helps safeguard against errors, as well as security breaches. Logging data without review is pointless.

  • Monitoring & Alerting -- Determine how automatic systems can be set up to monitor the network and servers, and generate alerts about suspicious activity. Alerts are often simple to set up and worth their weight in gold.

  • Physical Access -- Limit physical access to servers, wiring closets, and system backups. If someone can pick up tapes, or even entire servers, and walk away, you've totally lost control. Setting up a keycard and keycode for access would be idea, because both would create access logs. Tell employees not to let strangers wander around in critical areas.

  • Firewalls -- Any organization with access to the public Internet needs a firewall. There are tons of models with a mile-long list of features. The question isn't whether you need one or not. The question is more along the lines of which one. That is partially determined by the amount of traffic you get and the features you may want. In terms of any firewall, there are some important caveats to bear in mind, though. A firewall that isn't monitored and maintained with updates can create a false sense of security. An organization that invests in a firewall also needs to determine how IT will review the logs and keep the system current. This may be a prime activity to outsource in part or entirely.

  • Detection & Prevention -- An Intrusion Detection System (IDS) is a passive monitoring system that generates alerts based on suspicious activity either at the network or host device level. An Intrusion Prevention System (IPS) is reactive in that it can automatically shut off network ports or take other measures to counter perceived attacks. Now, to be done right, these systems are often high maintenance. If an organization puts one in and never reviews and updates the unit, they are again creating a false sense of security. Make the time, or outsource the work, to do it right.

  • Anti-Virus & Anti-Malware -- This is one category that all businesses need on their desktops, notebooks, and servers, especially email and file servers. The traditional anti-virus systems are rapidly evolving to deal with threats, such as viruses, Trojans, spam, and spyware. Key attributes to look for include automatic signature updates, system reports, and a report of virus activity on all workstations.

  • System Backups -- Having reliable backups are a failsafe in the event that data is destroyed or corrupted. But sometimes a few key processes are missing from the backup plan. Review backups and job logs to ensure the backups were successful. And there must be routine restoration tests to make sure data is backed up with integrity. There are many cases where people backed their systems up daily only to find out, when the data was needed most, that the tapes were actually corrupt. In addition, store copies remotely.

  • Encryption -- The strength of the encryption routine, the quality of the password and the rate at which keys change all affect how secure the data is.

  • Patches -- For a variety of reasons, some patches work and others can cause systems to outright fail and never boot again. IT needs to formulate a process for dealing with patches -- how to best find out about them, research and testing, deployment, and how to rollback or remove the patch if it fails. Patch management should be part of an overall change management process.

  • Power -- While not hacker-related per se, risks relating to reliable power should be taken into account. In case of a relatively minor power outage, many firms have invested in UPSes, but with a battery life of only three to five years, they need to be checked periodically. And those systems should be tested with real world loads to make sure they keep the systems up long enough for an orderly shut down to happen.

  • Other Issues -- Your risk assessment may turn up other threats. In areas prone to flooding, there may be a need for sensors that trigger an alarm when water is detected, and shelving to lift equipment well above the average flood level. Resources listed at the bottom of the page can provide a wealth of resources on other threats and means to reduce their risk to the organization. Every organization has different risks. Make sure you know what yours are.

    Submit a Comment

    Loading Comments...