(Post 6 of the 12-week Information Security Management blog series)
So far in this series, I have written about risk, trending threats to small business, and how employing cybersecurity can be beneficial to your organization’s ability to withstand disaster. If you have been following along, I recommend that business managers and owners take an interest in understanding what threatens their business and having a plan to address those threats. The ways in which threats are addressed are called countermeasures or controls. These are the mitigating actions taken to reduce the likelihood a vulnerability will be exploited or to minimize the damage caused by an incident.
Many controls should be carefully considered with respect to the actual vulnerabilities one’s organization has. Their cost should be weighed against the potential loss that they serve to protect against before being implemented. Some controls, though, should be implemented without delay. These are the controls I call the basics because they apply to every organization, large or small. They apply to every industry and every network configuration, even if an organization only has a single computer. The basics equally apply to individuals’ personal computers and home networks. These controls are the essential minimum best practices and countermeasures that I believe every computer on this planet should have implemented to provide a minimum level of protection.
Technological Countermeasures
- Anti-malware software – Anti-malware, or antivirus, software is readily available for free or at a minimal cost. PC Magazine recently published an article listing and comparing the most popular choices. The most expensive listed in this article is less than $40. If you use a Microsoft Windows computer, you already have fairly good protection built in with Windows Defender. Anti-malware software, if kept up to date, provides constant protection against malware, such as viruses, Trojan horses, and worms that can wreak havoc on your systems. The companies who publish these applications put a great deal of work into finding malicious applications and publish new malware definitions regularly. To be best protected, virus definitions should be updated multiple times per week.
- Software firewall – Like anti-malware software, software firewalls serve to protect the local system they run on. Firewalls work by blocking traffic into and out of a network based on the type of traffic and what port it is traveling on. This type of firewall can keep malware that has found its way onto your network from spreading or even sending your sensitive information outside of your network. If you have a Microsoft Windows machine, again, you already have Windows Firewall. If you would like an alternative, Tech Radar lists several good options that can be had for free.
- Network firewall – I’m not referring to the famously expensive Cisco, Sophos, or Palo Alto Networks firewall appliances, though if you can afford them, they provide superior protection. Instead, I am referring to what is likely built into your small office / home office (SOHO) router provided by your internet service provider. SOHO routers these days normally have firewall functionality built in. Because it resides on your router, it is able to provide a first line of defense for your entire network. These firewalls cannot inspect encrypted traffic over an authorized port and they cannot distinguish malicious traffic from legitimate traffic, but they can universally block all traffic on a given port and protocol. For example, if you use Telnet (or even know what it is), there is no reason that outside traffic should be able to Telnet into your network. A SOHO router’s firewall can be configured to block all port 23 traffic at the firewall itself, allowing you to use Telnet inside your network (I recommend you don’t, though) and disallowing any Telnet traffic from outside your network.
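The three technological countermeasures above can be checked, and the Telnet block applied, from a single script on a Windows machine. The following is an added example, not code from the original post; it applies the port-based block the post describes for a SOHO router to the host's own Windows Firewall instead, and assumes Windows 10/11 or Server 2016+ with the Defender and NetSecurity modules present, run from an elevated session. The rule name and the two-day staleness threshold are my own choices.

```powershell
# Added example (not from the original post). Assumes Windows 10/11 or
# Server 2016+ with the Defender and NetSecurity modules, run elevated.
#Requires -RunAsAdministrator

# --- Anti-malware: is Defender on, and how old are its definitions? ---
$status       = Get-MpComputerStatus
$signatureAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
[PSCustomObject]@{
    AntivirusEnabled   = $status.AntivirusEnabled
    RealTimeProtection = $status.RealTimeProtectionEnabled
    SignatureAgeDays   = [math]::Round($signatureAge.TotalDays, 1)
}
# The post recommends updating definitions several times a week;
# treat anything older than two days (my threshold) as stale and refresh it.
if ($signatureAge.TotalDays -gt 2) {
    Update-MpSignature
}

# --- Software firewall: is it enabled on every profile (Domain/Private/Public)? ---
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# --- Port-based block, as the post describes for Telnet (TCP/23) ---
# Idempotent: only create the rule if it does not already exist.
$ruleName = 'Block inbound Telnet (TCP 23)'   # rule name is my choice
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol TCP -LocalPort 23 `
        -Action Block -Profile Any -Enabled True | Out-Null
}

# Confirm the rule really filters on protocol TCP, local port 23.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort
```

Run it once after setup and again whenever the network changes; the first two sections only report, and the third only acts when the rule is missing, so it is safe to re-run on a schedule.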
Best Practices
- Require authentication – Each individual in your organization, or even in your household, should have their own separate user account. User accounts should require authentication, at a minimum, with a user ID and password. These two items, together, are used to uniquely authenticate an individual user. Authentication provides nonrepudiation (the assurance that a person cannot deny having performed an action). It keeps people solely accountable for their actions while using a computer and releases others from liability. It should go without saying that in order for nonrepudiation to exist, account credentials should not be shared.
- Least privileged user – This is a principle that states that no user shall have more permissions or access than what is essential to the performance of their duties and responsibilities. Employing the least privileged user principle means that user and administrative accounts should be separated, even to the point where administrators have two accounts: one for their non-administrative duties, and one solely for performing administrative tasks. Even home users can benefit from maintaining an account for daily use that does not have administrative rights. How is this beneficial? I’ll offer two reasons: 1) administrative tasks should only be performed by someone qualified and authorized to perform them. You do not want someone who doesn’t know what they are doing to be poking around, installing unauthorized software, and changing settings that may harm your systems. 2) Malware most easily assumes the rights of the user account it runs under. If the user’s account has limited rights, so does most malware. This effectively limits the damage some forms of malware can do.
- Passwords – There has been long-standing advice that one should change their passwords often. The National Institute of Standards and Technology (NIST), the very organization that defines the U.S. government’s best practices, now disagrees with that practice. Their Special Publication 800-63-3 states that credentials should only be changed when there is a valid reason, such as when there was an attempt to access an account or when a breach is suspected. Frequent changes to passwords lead to people choosing insecure passwords that are easier to remember. Passwords should be at least eight characters long, include a combination of special characters, numbers, and both uppercase and lowercase letters, and should not be commonly found in a dictionary.
- Patch Management – Larger organizations with sizable IT budgets might use patch management solutions like Microsoft SCCM or Symantec Patch Management Solution, but small organizations on a tight budget or individuals might not be able to justify the cost of the software and technical expertise required to run them. Patch management is still critical though. The very reason patches exist is often because a vulnerability was found in software and the publisher has corrected it by releasing a patch. If these patches are not applied, your computers remain vulnerable to being exploited. An organization with a small number of computers can simply run the built-in system update that is part of the operating system on each computer and regularly look for updates to the software the organization uses and then manually apply them as soon as possible. Try not to hold onto old versions of software for too long because developers eventually stop updating old products to focus on maintaining their new products.
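The "Require authentication", "Least privileged user" and "Passwords" items above can be put into practice together on a Windows machine: one standard account for daily use, a separate account that alone holds administrative rights, and the post's own password rules enforced before either account is created. The following is an added example, not code from the original post; it assumes Windows 10/11 with the Microsoft.PowerShell.LocalAccounts module and an elevated session. The account names, the function names and the short word list are my own placeholders, and the word list stands in for the large dictionary a real check would use.

```powershell
# Added example (not from the original post). Assumes Windows 10/11 with the
# LocalAccounts module, run elevated. Names and the word list are placeholders.
#Requires -RunAsAdministrator

# Small constructed list of words that must never be a password. A real check
# would use a large dictionary or breached-password list instead.
$CommonWords = @('password', 'welcome', 'letmein', 'qwerty', 'monkey')

function Test-PasswordPolicy {
    # Returns $true only if the password meets the rules stated in the post:
    # at least 8 characters; upper, lower, digit and special character; and
    # not simply a dictionary word dressed up with digits or punctuation.
    param([Parameter(Mandatory)][string]$Password)
    if ($Password.Length -lt 8)              { return $false }
    if ($Password -cnotmatch '[A-Z]')        { return $false }   # -cnotmatch is case-sensitive
    if ($Password -cnotmatch '[a-z]')        { return $false }
    if ($Password -notmatch '\d')            { return $false }
    if ($Password -notmatch '[^A-Za-z0-9]')  { return $false }
    # Strip everything but letters so "Password1!" still fails the dictionary test.
    $core = ($Password -replace '[^A-Za-z]', '').ToLowerInvariant()
    if ($CommonWords -contains $core)        { return $false }
    return $true
}

function New-SeparatedAccounts {
    # Creates one standard account for daily use and one admin-only account,
    # the separation described under "Least privileged user".
    param(
        [string]$DailyUser = 'alice',        # placeholder name
        [string]$AdminUser = 'alice-admin'   # placeholder name
    )
    foreach ($name in @($DailyUser, $AdminUser)) {
        $secure = Read-Host -Prompt "Password for $name" -AsSecureString
        # Briefly unwrap the SecureString only to run the policy check.
        $plain  = [System.Net.NetworkCredential]::new('', $secure).Password
        if (-not (Test-PasswordPolicy $plain)) {
            throw "Password for $name does not meet the policy; nothing created."
        }
        # Per the NIST guidance quoted in the post, no forced periodic rotation.
        New-LocalUser -Name $name -Password $secure -PasswordNeverExpires | Out-Null
        Add-LocalGroupMember -Group 'Users' -Member $name
    }
    # Only the admin account is placed in Administrators.
    Add-LocalGroupMember -Group 'Administrators' -Member $AdminUser
}

function Get-AdminReport {
    # Who currently holds administrative rights on this machine? Review this
    # list periodically; daily-use accounts should not appear in it.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, PrincipalSource
}

# Usage (uncomment to run):
# New-SeparatedAccounts -DailyUser 'bob' -AdminUser 'bob-admin'
# Get-AdminReport
```

The policy check deliberately runs on the letters alone, so a common word padded with a digit and a punctuation mark is still rejected; that is the failure mode the post's last sentence is aimed at. Everything else about the password, including the SecureString handed to New-LocalUser, is left to the operating system.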
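For the "Patch Management" item, a small organization that cannot justify SCCM or a commercial patch product can still get a per-machine report of what is pending from the operating system's own Windows Update Agent. The following is an added example, not code from the original post; it assumes a Windows 10/11 machine that can reach Windows Update and, for third-party software, the winget client. The function name and the 30-day threshold are my own choices.

```powershell
# Added example (not from the original post). Assumes Windows 10/11 with
# Windows Update reachable; winget is optional. Threshold is my choice.

function Get-PatchStatus {
    # Days since the most recent installed hotfix, plus the updates that
    # Windows Update reports as not yet installed on this machine.
    $lastHotfix = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    $daysSince = if ($lastHotfix) { ((Get-Date) - $lastHotfix.InstalledOn).Days } else { $null }

    # The Windows Update Agent COM API: built into the OS, no extra software.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    $pending  = @($result.Updates | ForEach-Object { $_.Title })

    [PSCustomObject]@{
        Computer          = $env:COMPUTERNAME
        LastHotfixDaysAgo = $daysSince
        PendingCount      = $pending.Count
        PendingTitles     = $pending
        # Flag the machine if anything is pending or no hotfix in 30 days (my threshold).
        NeedsAttention    = ($pending.Count -gt 0) -or ($daysSince -gt 30)
    }
}

$status = Get-PatchStatus
$status | Format-List

# Third-party software, the other half of the post's advice: winget lists
# the installed applications with newer versions available.
if (Get-Command winget -ErrorAction SilentlyContinue) {
    winget upgrade            # report only
    # winget upgrade --all    # apply, once the list has been reviewed
}
```

Running this on each computer and keeping the NeedsAttention output somewhere visible is the manual, no-cost version of the process the post describes; the pending-update titles tell you exactly what the built-in system update will apply when you run it.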
This all may seem like a lot, but really it is just the tip of the iceberg if you want to be secure. These seven countermeasures can go a great distance in protecting your valuable IT assets if they are made a part of your everyday business practices. It only takes a few moments to create a new account with limited access or to update virus definitions and look for software patches. Firewalls can be left relatively alone once they have been configured if there are not frequent changes to your network. Just a little thought into creating a password can mean the difference between an account that is easy to breach and one that is not worth many attackers’ time to crack. All these controls can be implemented in an organization or household with the resources already present and, in most cases, without having to spend a single cent.