Information Security Best Practices

100% security is unrealistic at any cost. However, there are certain things you must do, and other things which are easy enough that you might as well do, which together will cover you against the most common threats.

If you're a small or medium organisation, have a limited budget and don't consider yourself a target, then you'll probably be fine if you just take care of items 1 - 4. If you want or need a higher degree of security then you should consider undertaking all the suggestions in this article. This is just the tip of the iceberg, however, and if you think you might become a specific target there are many more attack vectors and corresponding defence tactics that could be researched and applied.

Nobody is ever entirely secure. It's just a question of how hard you can make it for attackers and whether you have the capability to even notice if you're being attacked or compromised. 

1. Backups, backups, backups

You're only as safe as your last backup. Good backups are your last line of defence. With good backups you can always recover from a disaster even if it's inconvenient and somewhat expensive. Without good backups, you could be history. 

Backups protect against two different types of circumstance. One is a data loss that you notice quickly; the other is the same but it takes you longer to notice. In this second case, if you don't have a backup from before the problem occurred, you will be learning an expensive lesson. Good backups allow you to restore to any point in the past, going back at least 6 months and possibly 2 or more years. Having anything other than good backups leaves you very exposed to the whims of fate.

It can be too easy to think you have good backups when in fact you don't. It can be disappointing to discover this mistake when it's too late.

Know where your backups are. Know who is responsible for them and get that person to show you the backups. Don't assume that someone else is taking care of it. You might like to test your backups occasionally to ensure they are what you think they are.
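The test the previous paragraph recommends can be automated. The script below is an added example, not something from the article: it assumes a hypothetical layout in which a backup directory holds dated archives plus a MANIFEST.sha256 file in sha256sum format, verifies every listed archive, and then judges freshness and retention using only the archives that actually verified, since a corrupt or missing backup cannot be restored. The sample backup directory it builds is constructed on the fly, with one archive deliberately tampered with and one missing.

```python
"""Check that a backup set is really there, intact, fresh and deep enough.

Added example, not from the article. It assumes a hypothetical layout: a
backup directory holding dated archives plus a MANIFEST.sha256 file in
'sha256sum' format ("<hex digest>  <file name>" per line).
"""
import hashlib
import os
import re
import tempfile
from datetime import date

DATE_RE = re.compile(r"(\d{4})-(\d{2})-(\d{2})")


def sha256_of(path):
    """Stream a file through SHA-256 so large archives don't need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_manifest(backup_dir):
    """Return [(file name, status)] with status 'ok', 'corrupt' or 'missing'."""
    results = []
    with open(os.path.join(backup_dir, "MANIFEST.sha256")) as fh:
        for line in fh:
            if not line.strip():
                continue
            expected, name = line.split(None, 1)
            name = name.strip().lstrip("*")  # sha256sum marks binary files with '*'
            path = os.path.join(backup_dir, name)
            if not os.path.exists(path):
                results.append((name, "missing"))
            elif sha256_of(path) != expected:
                results.append((name, "corrupt"))
            else:
                results.append((name, "ok"))
    return results


def coverage_report(good_names, today, max_age_days=1, retention_days=180):
    """Judge freshness and retention using only archives that verified 'ok'.

    'today' is an ISO date string. Archives that failed verification are
    not passed in, because a backup you cannot restore does not count.
    """
    now = date.fromisoformat(today)
    dates = []
    for name in good_names:
        match = DATE_RE.search(name)
        if match:
            dates.append(date(*map(int, match.groups())))
    if not dates:
        return {"fresh": False, "retention_ok": False, "newest": None, "oldest": None}
    newest, oldest = max(dates), min(dates)
    return {
        "fresh": (now - newest).days <= max_age_days,
        "retention_ok": (now - oldest).days >= retention_days,
        "newest": newest.isoformat(),
        "oldest": oldest.isoformat(),
    }


def build_sample_backup_dir():
    """Construct a throwaway backup directory: one good, one tampered, one missing archive."""
    backup_dir = tempfile.mkdtemp()
    contents = {
        "db-2015-03-01.tar.gz": b"old full backup",
        "db-2015-09-29.tar.gz": b"yesterday's backup",
    }
    lines = []
    for name, data in contents.items():
        with open(os.path.join(backup_dir, name), "wb") as fh:
            fh.write(data)
        lines.append(f"{hashlib.sha256(data).hexdigest()}  {name}")
    # Corrupt the old archive after its hash was recorded.
    with open(os.path.join(backup_dir, "db-2015-03-01.tar.gz"), "ab") as fh:
        fh.write(b"\x00")
    # The manifest also lists an archive that was never written.
    lines.append(f"{'0' * 64}  db-2015-06-15.tar.gz")
    with open(os.path.join(backup_dir, "MANIFEST.sha256"), "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return backup_dir


if __name__ == "__main__":
    sample = build_sample_backup_dir()
    results = verify_manifest(sample)
    for name, status in results:
        print(f"{status:8} {name}")
    good = [name for name, status in results if status == "ok"]
    print(coverage_report(good, today="2015-09-30"))
```

Run against the constructed directory, the report comes back fresh (yesterday's archive verified) but with retention not met: the only archive old enough to cover the six-month window is the corrupt one, which is exactly the "you thought you had backups" situation the article warns about.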

2. Software updates

The single biggest source of security compromises is unpatched software vulnerabilities.

For example, a security vulnerability gets found and fixed in some software on your computers. You don't update, so you're still running the old version which has the vulnerability. There are automated programs scouring the internet for unpatched computers like yours, and they aren't friendly.

You should understand what software you're running, where you're running it and who is responsible for any security updates.

3. Protect your DNS registrar account

Most users of the internet know roughly what DNS is. What most have not considered is how critical DNS is to the security of their digital infrastructure.

If someone takes control of your DNS registrar account they gain significant control of your systems; they can read and change your emails, modify or replace your website, steal your passwords or domain names and all sorts of other nightmare scenarios. They can literally change the fabric of your digital reality. So, your DNS registration account is probably the most important digital asset that you own apart from ... the email account you used to create your DNS registrar account. If someone compromises that email account they can use it to request a new password from your domain registrar and voila, they now own your DNS and you are probably none the wiser.

Consider keeping a separate "high sensitivity" email account that you only use for your DNS registrar account and maybe a few other highly sensitive accounts. Only access that account from trusted devices (i.e. ones that you own and have taken specific care to keep trustworthy). This will be inconvenient; you might want to share your DNS registration account with your web developer, for example. That's fine, but understand the risk you're taking and make sure you have absolute trust in anyone who has access to your DNS.

One recent vulnerability that really scares me is something called StageFright. An attacker sends you a malicious text message and if your phone is vulnerable, that gives them total control of the phone. You won't ever see the text message, so you'll have no idea that your phone is now owned by someone else. From your phone, they have access to your gmail account, and if you used that gmail address with your DNS registrar, they can request a new password for your domain registrar and from there take control of your entire online infrastructure.

I think DNS registrars are missing a trick. They should have multi-user control panels that allow the domain owner to delegate control over the DNS to a 3rd party without giving them overall control of the account. That's an argument for another day.
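Whether you would even notice a registrar account takeover comes down to watching the records themselves. The following is an added example, not from the article: a small monitor that compares a saved baseline of a domain's NS, MX and A records against the current answers and rates any drift, treating a change of name servers as critical because whoever controls those answers for the whole zone. The domain, the baseline and the "current" answers are constructed sample data; the optional live lookup shells out to dig +short, which must be installed.

```python
"""Detect unexpected changes to a domain's critical DNS records.

Added example, not part of the article. The baseline and the sample
answers below are constructed; live_lookup() needs 'dig' on the PATH.
"""
import subprocess

# Constructed baseline: the records the domain owner knows to be correct.
BASELINE = {
    "NS": {"ns1.registrar-dns.example.", "ns2.registrar-dns.example."},
    "MX": {"10 mail.example.com."},
    "A": {"203.0.113.10"},
}


def parse_dig_short(output):
    """Turn the text of 'dig +short' into a set of answers, ignoring blank lines."""
    return {line.strip() for line in output.splitlines() if line.strip()}


def live_lookup(domain, rtype):
    """Query the current answers for one record type (requires 'dig')."""
    completed = subprocess.run(["dig", "+short", rtype, domain],
                               capture_output=True, text=True, check=True)
    return parse_dig_short(completed.stdout)


def diff_records(baseline, observed):
    """Return {rtype: {'added': set, 'removed': set}} for every type that drifted."""
    drift = {}
    for rtype, expected in baseline.items():
        seen = observed.get(rtype, set())
        added, removed = seen - expected, expected - seen
        if added or removed:
            drift[rtype] = {"added": added, "removed": removed}
    return drift


def severity(drift):
    """NS drift means someone else now answers for the whole zone; MX drift moves mail."""
    if "NS" in drift:
        return "critical"
    if "MX" in drift:
        return "high"
    return "medium" if drift else "none"


# Constructed 'dig +short' output: name servers changed, mail and web unchanged.
SAMPLE_OUTPUT = {
    "NS": "ns1.unknown-dns.example.\nns2.unknown-dns.example.\n",
    "MX": "10 mail.example.com.\n",
    "A": "203.0.113.10\n",
}


def check_sample():
    """Run the comparison over the constructed answers instead of a live query."""
    observed = {rtype: parse_dig_short(text) for rtype, text in SAMPLE_OUTPUT.items()}
    drift = diff_records(BASELINE, observed)
    return severity(drift), drift


def check_live(domain):
    """Run the same comparison against real answers for 'domain'."""
    observed = {rtype: live_lookup(domain, rtype) for rtype in BASELINE}
    drift = diff_records(BASELINE, observed)
    return severity(drift), drift


if __name__ == "__main__":
    level, drift = check_sample()
    print("severity:", level)
    for rtype, change in drift.items():
        print(rtype, "added:", sorted(change["added"]), "removed:", sorted(change["removed"]))
```

Scheduled from cron with the baseline kept somewhere other than the registrar account itself, this gives you the "capability to notice" that the introduction says most organisations lack; in the sample run the changed name servers are reported as critical while the unchanged A and MX records are not mentioned.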

4. Publish an employee security policy 

Having an explicit, published security policy can help correctly set employees' expectations and the consequences if they fall short. Complying with a security policy should be easy and not doing so should be considered Gross Misconduct. Anyone who is not able to comply with a security policy is a danger to themselves and others and shouldn't be allowed anywhere near your business or network.

A security policy should cover creating strong passwords, having a password strategy, not revealing or sharing passwords, not installing potentially dangerous software (this should probably be enforced by network security permissions), locking computers away when away from desks, use of business computers at home and vice-versa etc.

5. Never send passwords via email

Whenever you send an email it passes through numerous computers on its journey across the internet. Unless your email is encrypted, which it almost certainly isn't, it would be trivial for any of those computers to scan for keywords like "password", extract the password and save it for later review. Anyone running such a computer could easily harvest thousands of passwords which could be sold or used for nefarious purposes. The person running the computer concerned may or may not be the legitimate owner of that computer.

Experience tells me you'd have to be pretty unlucky to have your password compromised in this way, but it can happen and people in the know take suitable precautions to eliminate the possibility.

Worse though, when you send a password via email, that password is then available in someone else's mailbox, likely forever, just sitting there waiting to be discovered. Your security now relies on their email or computer never being hacked and nobody ever discovering your password.

Worse still, by sending a password via email you signal very clearly to anyone who is paying attention that you don't take your security seriously, that you are complacent and probably naive. You also give everyone around you permission not to take security seriously either. Don't do it.

If anyone does send you a password via email consider it to be compromised and change it immediately (though worst case it might be too late). If the person sending the password is someone you trust with matters of security, re-evaluate your relationship with that person.
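The same keyword scan the article describes in the hands of a hostile relay can be run by you, on outbound mail, before a password ever leaves the building. The filter below is an added example and not from the article: a simple outbound content check of the kind a mail gateway could apply, with an illustrative pattern, a short stop-list to avoid flagging "your password is expired" style notices, and three constructed messages to run it over. The secret is masked in the alert so the filter itself does not become another place the password is stored.

```python
"""Flag outgoing mail that appears to contain a password in clear text.

Added example, not from the article. The pattern, stop-list and the sample
messages are constructed and illustrative.
"""
import re
from email import message_from_string

# "password is hunter2", "Password: hunter2", "pwd=hunter2". The \b after "is"
# stops "password issue" from matching.
PASSWORD_RE = re.compile(
    r"\b(?P<label>password|passwd|pwd|passcode)\s*(?P<sep>is\b|:|=)\s*(?P<secret>\S+)",
    re.IGNORECASE,
)

# Words that follow "password is" in ordinary sentences rather than credentials.
STOPWORDS = {"the", "a", "an", "not", "now", "your", "reset", "changed",
             "expired", "required", "incorrect", "wrong", "too"}


def credential_hits(text):
    """Return one masked description per suspected credential in 'text'."""
    hits = []
    for match in PASSWORD_RE.finditer(text):
        secret = match.group("secret").rstrip(".,;:!")
        if not secret or secret.lower() in STOPWORDS:
            continue
        hits.append(f"{match.group('label')} {match.group('sep')} {'*' * len(secret)}")
    return hits


def scan_message(raw):
    """Return ('block', hits) or ('allow', []) for one raw RFC 822 message."""
    msg = message_from_string(raw)
    parts = msg.walk() if msg.is_multipart() else [msg]
    text = ""
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                text += payload.decode(part.get_content_charset() or "utf-8", "replace") + "\n"
    hits = credential_hits(f"{msg.get('Subject', '')}\n{text}")
    return ("block", hits) if hits else ("allow", hits)


# Constructed sample messages.
SAMPLE_MESSAGES = {
    "shared_creds": (
        "From: alice@example.com\nTo: bob@example.com\nSubject: CMS login\n\n"
        "Hi Bob, the username is editor and the password is Tr0ub4dor&3 - please don't share.\n"
    ),
    "reset_notice": (
        "From: it@example.com\nTo: all@example.com\nSubject: Password policy\n\n"
        "Reminder: your password is expired after 90 days; the portal will prompt you.\n"
    ),
    "benign": (
        "From: carol@example.com\nTo: dave@example.com\nSubject: Lunch\n\n"
        "The issue with the printer is fixed. Lunch at 12?\n"
    ),
}


if __name__ == "__main__":
    for name, raw in SAMPLE_MESSAGES.items():
        verdict, hits = scan_message(raw)
        print(f"{name:13} {verdict:5} {hits}")
```

A filter like this will never catch every phrasing, which is why the article's advice is to stop the practice rather than rely on tooling; its value is in making the policy visible at the moment someone is about to break it.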

6. Encrypt authenticated traffic

Any service or website where you log in is "authenticated" and should use end-to-end encryption, e.g. HTTPS, SSL or SSH.

If you don't use encryption (i.e. HTTPS) it's possible that other people on the internet will be able to read or even modify your network traffic. Amongst other things, an attacker could do something called session stealing, where they steal an authentication token from your network stream and use it to make their own requests using your authentication.

One particular danger area for unencrypted data is wifi. All users of a given wifi network in a coffee shop or corporate office are able to read all the others' unencrypted traffic. This means that people with the right tools can read any unencrypted emails or take control of any unencrypted applications that you're using. Everyone can see what you're looking at, if they know how. If you're updating the corporate content management system over wifi, anyone around you could take control of your session and make changes using your identity.

Fortunately, these days almost every social media site and webmail provider forces HTTPS everywhere. Corporate sites tend to lag behind because it has been a pain and an expense to implement encryption. Let's Encrypt launches in Q4 2015 and will make encryption free and convenient. There's never been a better time to start encrypting.
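Session stealing works because the authentication token travels, or is stored, somewhere an observer can reach it. A quick way to check whether a login page of your own leaves that door open is to look at the response it sends. The audit below is an added example, not from the article: it takes a URL and the response headers, and flags a login served over plain HTTP, a TLS site with no Strict-Transport-Security header, and any session cookie set without the Secure or HttpOnly attributes. The three responses it is run over are constructed, with a typical lagging corporate intranet beside the hardened version.

```python
"""Audit a login response for the conditions that make session stealing easy.

Added example, not from the article. The sample responses below are
constructed; the header and cookie attribute names are standard HTTP.
"""


def audit_response(url, headers):
    """Return a list of findings for one response; an empty list means nothing flagged.

    'headers' is a list of (name, value) pairs, because Set-Cookie may repeat.
    """
    findings = []
    lowered = [(name.lower(), value) for name, value in headers]
    over_tls = url.lower().startswith("https://")

    if not over_tls:
        findings.append("login served over plain HTTP: credentials and cookies readable on the wire")
    elif not any(name == "strict-transport-security" for name, _ in lowered):
        findings.append("no Strict-Transport-Security: a later plain-HTTP request can be downgraded")

    for name, value in lowered:
        if name != "set-cookie":
            continue
        cookie = value.split("=", 1)[0].strip()
        attrs = {attr.strip().lower() for attr in value.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie} lacks Secure: it will also be sent over HTTP")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie} lacks HttpOnly: readable by script in the page")
    return findings


# Constructed responses from a hypothetical intranet CMS login page.
PLAIN_HTTP = ("http://intranet.example.com/login", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "PHPSESSID=abc123; Path=/"),
])
TLS_NO_HSTS = ("https://intranet.example.com/login", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "PHPSESSID=abc123; Path=/; HttpOnly"),
])
HARDENED = ("https://intranet.example.com/login", [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
])


if __name__ == "__main__":
    for label, (url, headers) in [("plain HTTP", PLAIN_HTTP),
                                  ("TLS, no HSTS", TLS_NO_HSTS),
                                  ("hardened", HARDENED)]:
        print(label)
        for finding in audit_response(url, headers) or ["  no findings"]:
            print(" -", finding)
```

Feeding it the headers from a real response (for instance as captured by your browser's developer tools) works the same way; the point is that "we have a certificate" is not the same as "the session token cannot leak", and the cookie attributes and HSTS header are what close the remaining gaps.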

7. Secure your Wifi 

Firstly, make sure you're using WPA2 encryption preferably with AES enabled. If you're using WEP or even no encryption at all, your network is wide open.

If your router supports WPS, make sure it is disabled, as WPS is a massive security vulnerability.
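The three checks in this section (WPA2 rather than WEP or open, AES rather than TKIP, WPS off) can be written down as a linter for an access point's configuration. The script below is an added example, not from the article: it parses a hostapd-style key=value file and reports each weakness, using hostapd's real option names (wpa, wpa_pairwise, rsn_pairwise, wep_key*, wps_state). The three configurations it checks are constructed samples: a weak one, a WEP one, and the corrected one beside them.

```python
"""Lint a hostapd-style wifi configuration for the weaknesses in this section.

Added example, not from the article. Option names follow hostapd.conf;
the sample configurations are constructed.
"""


def parse_config(text):
    """Parse key=value lines, ignoring blanks and '#' comments."""
    config = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        config[key.strip()] = value.strip()
    return config


def lint_wifi(config):
    """Return a list of findings; an empty list means the settings match this section's advice."""
    findings = []
    if any(key.startswith("wep_key") for key in config):
        findings.append("WEP keys configured: WEP is broken, remove wep_key* and use WPA2")
    else:
        wpa = config.get("wpa", "0")
        if wpa == "0":
            findings.append("wpa=0 or unset: the network is open")
        elif wpa == "1":
            findings.append("wpa=1: WPA (version 1) only, set wpa=2 for WPA2")
        elif wpa == "3":
            findings.append("wpa=3: WPA1 still accepted alongside WPA2, set wpa=2")

    # hostapd uses rsn_pairwise for WPA2 and falls back to wpa_pairwise.
    pairwise = config.get("rsn_pairwise") or config.get("wpa_pairwise", "")
    if "TKIP" in pairwise.upper():
        findings.append("TKIP cipher allowed: set rsn_pairwise=CCMP so only AES is used")

    # wps_state: 0 disabled, 1 not configured, 2 configured.
    if config.get("wps_state", "0") != "0":
        findings.append("wps_state is not 0: WPS is enabled, set wps_state=0")
    return findings


# Constructed configurations.
WEAK_CONF = """\
interface=wlan0
ssid=OfficeNet
wpa=1
wpa_pairwise=TKIP
wpa_passphrase=correct horse battery staple
wps_state=2
"""

WEP_CONF = """\
interface=wlan0
ssid=OldNet
wep_default_key=0
wep_key0=0123456789
"""

HARDENED_CONF = """\
interface=wlan0
ssid=OfficeNet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct horse battery staple
wps_state=0
"""


if __name__ == "__main__":
    for label, text in [("weak", WEAK_CONF), ("wep", WEP_CONF), ("hardened", HARDENED_CONF)]:
        print(label)
        for finding in lint_wifi(parse_config(text)) or ["  no findings"]:
            print(" -", finding)
```

Consumer routers expose the same choices through their web interface under different names; the linter is a checklist in executable form, and the hardened sample is what those settings should look like once the checklist passes.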

8. Create a guest network

When you give someone access to your wifi you also give them other privileges that you may not realise. They can read any other traffic on your wifi. They can also scan all the other devices on your network for vulnerabilities, which could let them take control of any vulnerable computers. All this would be automated, so the person you trusted doesn't have to do anything themselves, just have a malicious program running on their device.

Importantly, it's not about whether you trust the person or not. It's about whether you trust the security of their device, something you really don't know much about and likely neither do they. Worse than that, since once they have the password they can access your network indefinitely, you are trusting that their device will remain uncompromised forever. They don't even have to come back; they could be walking or even driving past your network, their device recognises the network and connects to it, and the newly installed malicious program does its thing. Actually, a proper network scan takes time, so you'd be unlucky if someone driving past were to compromise your network, but the example highlights the extent of the problem.

Modern wifi routers make it very easy to keep 2 separate networks that don't and can't talk to each other. One for trusted devices and one for guests.

9. Implement an Intrusion Prevention System

Intrusion Prevention Systems (IPS) monitor your network for suspicious traffic and automatically take measures to block and report malicious devices. There are other categories of software such as Intrusion Detection Systems (IDS), Unified Threat Management (UTM) and Security Information and Event Management (SIEM) which do something similar. These types of systems provide various capabilities for monitoring and responding to threats to your network security.

Of all the suggestions in this article, implementing an IPS is going to be one of the more difficult and expensive undertakings. Probably still beyond most small businesses at this stage.

There is one particular Intrusion Prevention System called "fail2ban" that is very commonly installed on web servers. If you have managed hosting, which most people do, then quite likely your web server is being protected by fail2ban. This software detects any suspicious requests from the internet and silently blocks potentially malicious computers from accessing your server for a period of time, making attacking the server that much harder.
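To make concrete what "detects suspicious requests and silently blocks the source for a period of time" means, here is an added example, not the article's and not fail2ban's own code: a minimal jail in the same spirit, driven by the three settings fail2ban itself uses (maxretry failures within findtime seconds triggers a ban lasting bantime seconds). It is run over a handful of constructed sshd log lines; the year for the syslog timestamps is assumed to be 2015 because syslog omits it, and real fail2ban would act on the ban by inserting a firewall rule, which this example only records as an event.

```python
"""A minimal fail2ban-style jail over sshd log lines.

Added example, not from the article and not fail2ban's code. The log lines
are constructed and the syslog year is assumed to be 2015.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_ts(stamp, year=2015):
    """Syslog timestamps carry no year, so one is assumed."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


class Jail:
    """Ban a source after 'maxretry' failures within 'findtime' seconds, for 'bantime' seconds."""

    def __init__(self, maxretry=5, findtime=600, bantime=3600):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned = {}                    # ip -> time the ban expires
        self.events = []                    # ("ban" | "unban", ip, time)

    def _expire_bans(self, now):
        for ip, until in list(self.banned.items()):
            if now >= until:
                del self.banned[ip]
                self.events.append(("unban", ip, now))

    def observe(self, line):
        """Return None (not a failure), 'fail', 'ban' or 'already-banned' for one log line."""
        match = FAILED_RE.match(line)
        if not match:
            return None
        now, ip = parse_ts(match.group("ts")), match.group("ip")
        self._expire_bans(now)
        if ip in self.banned:
            return "already-banned"  # a real jail has already dropped this traffic
        recent = self.failures[ip]
        recent.append(now)
        while recent and (now - recent[0]).total_seconds() > self.findtime:
            recent.popleft()  # only failures inside the findtime window count
        if len(recent) >= self.maxretry:
            self.banned[ip] = now + timedelta(seconds=self.bantime)
            self.events.append(("ban", ip, now))
            recent.clear()
            return "ban"
        return "fail"


# Constructed sshd log excerpt: a burst from one address, a stray typo from another.
SAMPLE_LOG = [
    "Sep 29 10:00:01 web sshd[4011]: Failed password for invalid user admin from 198.51.100.7 port 52314 ssh2",
    "Sep 29 10:00:03 web sshd[4011]: Failed password for invalid user admin from 198.51.100.7 port 52314 ssh2",
    "Sep 29 10:00:05 web sshd[4013]: Failed password for root from 198.51.100.7 port 52318 ssh2",
    "Sep 29 10:00:20 web sshd[4015]: Failed password for alice from 203.0.113.5 port 40112 ssh2",
    "Sep 29 10:00:20 web sshd[4016]: Accepted password for alice from 203.0.113.5 port 40114 ssh2",
    "Sep 29 10:00:21 web sshd[4017]: Failed password for invalid user test from 198.51.100.7 port 52320 ssh2",
    "Sep 29 10:00:24 web sshd[4018]: Failed password for root from 198.51.100.7 port 52322 ssh2",
    "Sep 29 10:00:30 web sshd[4019]: Failed password for root from 198.51.100.7 port 52324 ssh2",
    "Sep 29 10:40:00 web sshd[4101]: Failed password for alice from 203.0.113.5 port 40200 ssh2",
    "Sep 29 12:30:00 web sshd[4300]: Failed password for root from 198.51.100.7 port 53000 ssh2",
]


def run_sample():
    """Feed the constructed log through a jail and return it with the per-line verdicts."""
    jail = Jail()
    verdicts = [jail.observe(line) for line in SAMPLE_LOG]
    return jail, verdicts


if __name__ == "__main__":
    jail, verdicts = run_sample()
    for line, verdict in zip(SAMPLE_LOG, verdicts):
        print(f"{str(verdict):15} {line[:60]}")
    for event in jail.events:
        print(event)
```

The fifth failure from 198.51.100.7 within the window triggers the ban, the sixth is simply dropped, the one legitimate user's two mistyped passwords forty minutes apart never accumulate, and the ban lapses after an hour so a source that was merely compromised for a while is not locked out forever. The same sliding-window logic is what makes "silently blocks ... for a period of time" both effective against automated guessing and tolerant of ordinary mistakes.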

10. Take care with BYOD and BYOA (Bring Your Own Device / Application)

If you're going to allow your employees to bring their own software into your network, i.e. by allowing BYOD (Bring Your Own Device) or by not preventing users from installing their own software on business devices, then an Intrusion Prevention System and/or SIEM is arguably an essential precaution. The more employees you have, the greater the chance of a rogue application causing problems on your network or even compromising its security.

BYOD is possibly the most risky thing any organisation ever does in terms of its information security. It also highlights the dilemma that security professionals face, because whilst dangerous, it's also convenient. Your sales team are almost certainly going to want to be able to connect their smartphones to your CRM system, for example, and it's unlikely they are able to ensure their own information security.

If you allow BYOD then you at least need a sophisticated, and actively managed Intrusion Prevention System that analyses your network traffic to identify and block any compromised or malicious devices.

11. Review your physical security

Any computer in an area accessible to untrusted people is a potential point of attack. Even a stray cable running through a public area could be turned against you in insidious ways. 

Computers should be locked whenever the owner is away from their desk. It's possible to own (i.e. take control of) an unlocked computer in less than 5 seconds. It's as easy as typing a URL or inserting a USB drive or DVD.

Any computer that is going to be left unattended in a non-secure space should be significantly further hardened against attack. It should have a BIOS password set, there should be no access to USB sockets or DVD drives, and the computer case itself should include physical security that prevents any access to the internals. Even then, I would take an extremely paranoid stance regarding the level of trust you give such a computer: assume it will be compromised sooner or later and design your security procedures around that.
