Friday, May 14, 2021

Ordering off the Security Menu

In a column that ran earlier this month, I took a look at ‘defense in depth’ for small business — well, actually, for all businesses. In this follow-up article, I’ll lay out a basic list, or menu, of security technologies and processes that business and technical folks should consider.

I call it a menu because it’s a list that you can pick and choose from. Some technologies and processes may apply to your business, while others may not. Let this serve as a guide and choose from it based on risk factors and needs.

  • Documentation — This is often a dirty word to IT and small business. The fact is that documentation is needed to ensure continuity. Even if you are a one-person IT shop, can you remember all of your firewall and Internet router settings after one year? Documentation is invaluable for disaster recovery, as well as for training new people and communicating with teams.

  • Formally Assign Duties — If there are security tasks to be performed, make sure you identify who will do each task and write out a schedule to follow. Unassigned tasks are apt to be skipped or done in a haphazard manner. Consider creating checklists for people to date and sign when tasks have been completed.

  • Change Management — The owner of an accounting practice was telling me he always has issues with his accounting software after the vendor applies updates. To compensate for such issues, at a minimum, be sure that you have full system backups of the application and database before ever applying a patch. Ideally, have a small test system where you can install the patch first and go through a series of tests so you can validate the outcomes to make sure the new functionality performs as planned, and that existing functions did not break.

  • User IDs and Passwords — Small businesses frequently skip user IDs and passwords at the operating system and application/database layers out of a mixture of trust and a desire for simplicity and expediency. This absence of access controls creates a serious security hole. First of all, once someone gains access to one of these systems, they have full control. Secondly, with unique user IDs and passwords for each user, you’ll have a log to fall back on to find out who may need training in the event of errors or to determine when a mistake was made.

  • Password Rules — Bear in mind some simple rules about passwords.
    — Make them at least eight characters long and a mix of letters, numbers and symbols;
    — Have them expire every 60 days in case someone steals both a user ID and a password;
    — Have the system set to lock an account after three or five failed attempts at getting the password right. Investigate why an account is locked versus simply resetting it;
    — Don’t allow people to write their user ID or password on a note and stick it to their monitor or under their keyboard…;
    — Remove/disable default accounts such as “administrator” or “guest”. If you can’t, then at least change the password to something more secure;
    — On a daily or weekly basis, check the logs of access attempts to look for abnormal behavior.

  • Limit Rights — A cardinal rule of security is to give users as few rights as possible to do their jobs. This means that a person in accounts receivable only gets what he/she needs to perform that job. This helps keep people from getting into parts of the system where they don’t belong.

  • System Logs — Be sure to log access and important transactions, and make sure someone reviews the logs on a daily or weekly basis. This helps safeguard against errors, as well as security breaches. Logging data without review is pointless.

  • Monitoring & Alerting — Determine how automatic systems can be set up to monitor the network and servers, and generate alerts about suspicious activity. Alerts are often simple to set up and worth their weight in gold.
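The log review that the Password Rules, System Logs and Monitoring & Alerting items call for, as an added example that is not part of the original column: it reads constructed access-log lines (the line format, the threshold of five failures and the ten-minute window are assumptions) and reports lockouts to investigate, a success that follows a failure burst, and use of default accounts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from a real system); the format is an assumption.
SAMPLE_LOG = """\
2021-05-13T08:01:12 login FAILED user=jsmith src=10.0.0.15
2021-05-13T08:01:40 login FAILED user=jsmith src=10.0.0.15
2021-05-13T08:02:05 login OK user=jsmith src=10.0.0.15
2021-05-13T08:30:00 login OK user=akhan src=10.0.0.22
2021-05-13T22:10:01 login FAILED user=administrator src=203.0.113.9
2021-05-13T22:10:03 login FAILED user=administrator src=203.0.113.9
2021-05-13T22:10:05 login FAILED user=administrator src=203.0.113.9
2021-05-13T22:10:07 login FAILED user=administrator src=203.0.113.9
2021-05-13T22:10:09 login FAILED user=administrator src=203.0.113.9
2021-05-13T22:10:30 login OK user=administrator src=203.0.113.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) login (?P<result>OK|FAILED) user=(?P<user>\S+) src=(?P<src>\S+)$")
DEFAULT_ACCOUNTS = {"administrator", "guest"}   # accounts the column says to remove or disable

def parse_log(text):
    """Return (timestamp, result, user, src) tuples in time order; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return sorted(events)

def review_log(text, threshold=5, window=timedelta(minutes=10)):
    """Findings for the log review, each as (user, src, time): lockouts (the failure that
    reached the threshold; find out why before resetting), success_after_burst (a success
    right after a burst, the shape of a guessed or stolen password rather than a typo) and
    default_account_use (successful logins to accounts that should not exist)."""
    findings = {"lockouts": [], "success_after_burst": [], "default_account_use": []}
    recent = defaultdict(list)   # user -> failure timestamps still inside the window
    for ts, result, user, src in parse_log(text):
        fails = [t for t in recent[user] if ts - t <= window]
        if result == "FAILED":
            fails.append(ts)
            if len(fails) == threshold:
                findings["lockouts"].append((user, src, ts.isoformat()))
        else:
            if len(fails) >= threshold:
                findings["success_after_burst"].append((user, src, ts.isoformat()))
            if user in DEFAULT_ACCOUNTS:
                findings["default_account_use"].append((user, src, ts.isoformat()))
        recent[user] = fails
    return findings
```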

  • Physical Access — Limit physical access to servers, wiring closets, and system backups. If someone can pick up tapes, or even entire servers, and walk away, you’ve totally lost control. Setting up a keycard and keycode for access would be ideal, because both would create access logs. Tell employees not to let strangers wander around in critical areas.

  • Firewalls — Any organization with access to the public Internet needs a firewall. There are tons of models with a mile-long list of features. The question isn’t whether you need one or not. The question is more along the lines of which one. That is partially determined by the amount of traffic you get and the features you may want. In terms of any firewall, there are some important caveats to bear in mind, though. A firewall that isn’t monitored and maintained with updates can create a false sense of security. An organization that invests in a firewall also needs to determine how IT will review the logs and keep the system current. This may be a prime activity to outsource in part or entirely.

  • Detection & Prevention — An Intrusion Detection System (IDS) is a passive monitoring system that generates alerts based on suspicious activity either at the network or host device level. An Intrusion Prevention System (IPS) is reactive in that it can automatically shut off network ports or take other measures to counter perceived attacks. Now, to be done right, these systems are often high maintenance. If an organization puts one in and never reviews and updates the unit, they are again creating a false sense of security. Make the time, or outsource the work, to do it right.

  • Anti-Virus & Anti-Malware — This is one category that all businesses need on their desktops, notebooks, and servers, especially email and file servers. The traditional anti-virus systems are rapidly evolving to deal with threats, such as viruses, Trojans, spam, and spyware. Key attributes to look for include automatic signature updates, system reports, and a report of virus activity on all workstations.

  • System Backups — Having reliable backups is a failsafe in the event that data is destroyed or corrupted. But sometimes a few key processes are missing from the backup plan. Review backups and job logs to ensure the backups were successful. And there must be routine restoration tests to make sure data is backed up with integrity. There are many cases where people backed their systems up daily only to find out, when the data was needed most, that the tapes were actually corrupt. In addition, store copies remotely.
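An added example, not from the original column, of the two processes the item above says are often missing: a backup job that records a hash manifest, and a restoration test that extracts into scratch space and compares every file against that manifest, including the case where the archive turns out to be corrupt. The directory layout, file names and contents are constructed.

```python
import hashlib, os, pathlib, tarfile, tempfile, zlib

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def make_backup(src_dir, archive_path):
    """Archive src_dir; return {relative path: sha256} recorded at backup time."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _, files in os.walk(src_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    return manifest

def verify_restore(archive_path, manifest):
    """Restore into scratch space and compare every file with the manifest; [] means OK."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        # The 'data' filter (Python 3.12+, backported to later 3.8-3.11 releases) refuses
        # absolute paths and traversal, so a tampered archive cannot write outside scratch.
        opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                tar.extractall(scratch, **opts)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return [f"archive unreadable: {exc}"]
        for rel, digest in manifest.items():
            restored = os.path.join(scratch, rel)
            if not (os.path.isfile(restored) and sha256_file(restored) == digest):
                problems.append(f"missing or altered after restore: {rel}")
    return problems

def demo():
    """Constructed data: back it up, test-restore it, then corrupt the archive and retest."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "ledger")
        pathlib.Path(src, "2021").mkdir(parents=True)
        pathlib.Path(src, "2021", "ar.csv").write_bytes(b"invoice,amount\n1001,250.00\n")
        pathlib.Path(src, "customers.db").write_bytes(os.urandom(4096))
        archive = os.path.join(work, "ledger.tar.gz")
        manifest = make_backup(src, archive)
        good = verify_restore(archive, manifest)                # expected: []
        os.truncate(archive, os.path.getsize(archive) // 2)    # the "corrupt tape" case
        bad = verify_restore(archive, manifest)                 # expected: non-empty
    return len(manifest), good, bad
```

The job log for a real run is the returned list: an empty list is the only result that counts as a successful backup.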

  • Encryption — The strength of the encryption routine, the quality of the password and the rate at which keys change all affect how secure the data is.

  • Patches — For a variety of reasons, some patches work and others can cause systems to outright fail and never boot again. IT needs to formulate a process for dealing with patches — how to best find out about them, research and testing, deployment, and how to roll back or remove the patch if it fails. Patch management should be part of an overall change management process.

  • Power — While not hacker-related per se, risks relating to reliable power should be taken into account. In case of a relatively minor power outage, many firms have invested in UPSes, but with a battery life of only three to five years, they need to be checked periodically. And those systems should be tested with real-world loads to make sure they keep the systems up long enough for an orderly shutdown to happen.

  • Other Issues — Your risk assessment may turn up other threats. In areas prone to flooding, there may be a need for sensors that trigger an alarm when water is detected, and shelving to lift equipment well above the average flood level. Resources listed at the bottom of the page can provide a wealth of information on other threats and means to reduce their risk to the organization. Every organization has different risks. Make sure you know what yours are.
