All IT Heads today are faced with a dilemma. On the one hand, budget pressure is forcing them to find ways of doing more with less. On the other, the demands of IT Security and the need for updated Cyber security solutions mean new software, new appliances and new staff.
Most would jump at the chance of implementing simple low-cost measures that would improve security.
The place to start is to admit that most IT Security problems start between the keyboard and the back of the seat facing the monitor. While war stories about external hacks, DDoS attacks and sneaky attempts to subvert the firewall and cyber security solutions are the most popular, users are the most common cause of security breaches.
That is where to start with simple IT Security counter-measures, cheap and easy ones at that.
Users frequently feel that security is there just to be an annoyance. They must understand why there are Cyber security solutions in place. Make it company policy to explain the security environment to new starts when they join, and frequently reinforce the message through company‑wide email alerts.
Typical reinforcement messages relate to phishing. Users must understand that an email apparently from a buddy asking them to click on a picture of a cute kitten is probably malware. The wisdom to be driven home is never, never, never, click on a suspicious link in an email, even if it looks like it comes from a reputable source.
Part of the education programme is to make sure that passwords aren’t written on a post-it and stuck onto the desk monitor. A text file on the desktop called “Passwords” is also a big giveaway.
Equipment and software configuration
Set up desktops so that users don’t have administrator rights and cannot change system settings or download and install software. Block access to and downloads from music and video Internet sites. Obviously, sites with questionable content should be blocked. Set up your anti-malware systems to automatically scan flash drives and CDs/DVDs as they are loaded.
Force use of a password-enabled screensaver that kicks in automatically after a set period to stop an unauthorised user tailgating onto someone’s system.
This may be difficult in these days of Bring Your Own Device, but authentication can be used to block malware at the gates.
One other thing is often overlooked: revoke users’ access rights the instant they resign, especially if they have been fired. Disgruntled ex-users with access to company information can cause all sorts of damage. A second thing is to revoke users’ existing access rights when they change job function and reallocate them according to their new post. Finally, make sure that ex-employees are removed from all distribution lists, company and personal. Ex-employees have been known to continue to receive confidential correspondence after leaving a company just because they stayed on a mailing list.
A good practice is to have a regular review of user access rights to check that they are still valid.
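One way to automate the review described above, as an added example that is not part of the original article: it cross-checks HR status against enabled accounts, group memberships and distribution lists. The record layout, user names, group names and role-to-group mapping are constructed assumptions.

```python
"""Access-rights review: flag leavers with live accounts, stale group
memberships after a job change, and ex-employees left on mailing lists."""

# Constructed sample data (assumption: exported from HR, the directory and the mail system).
HR = {
    "alice": {"status": "active", "role": "finance"},
    "bob": {"status": "left", "role": "sales"},
    "carol": {"status": "active", "role": "sales"},  # moved from finance to sales
}
ACCOUNTS = {
    "alice": {"enabled": True, "groups": {"finance-share"}},
    "bob": {"enabled": True, "groups": {"sales-crm"}},
    "carol": {"enabled": True, "groups": {"sales-crm", "finance-share"}},
    "dave": {"enabled": True, "groups": {"it-admin"}},  # no HR record at all
}
DIST_LISTS = {
    "board-minutes": {"alice", "bob"},
    "sales-all": {"carol"},
}
ROLE_GROUPS = {"finance": {"finance-share"}, "sales": {"sales-crm"}}


def review_access(hr, accounts, dist_lists, role_groups):
    """Return a sorted list of (user, finding) tuples for follow-up."""
    findings = []
    for user, acct in accounts.items():
        person = hr.get(user)
        employed = person is not None and person["status"] == "active"
        if not employed:
            if acct["enabled"]:
                reason = "no HR record" if person is None else "has left"
                findings.append((user, f"account still enabled ({reason})"))
            continue
        # Job change: anything outside the current role's groups is left over.
        allowed = role_groups.get(person["role"], set())
        for group in sorted(acct["groups"] - allowed):
            findings.append((user, f"group '{group}' not needed for role '{person['role']}'"))
    for name, members in dist_lists.items():
        for user in sorted(members):
            person = hr.get(user)
            if person is None or person["status"] != "active":
                findings.append((user, f"still on distribution list '{name}'"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in review_access(HR, ACCOUNTS, DIST_LISTS, ROLE_GROUPS):
        print(f"{user}: {finding}")
```

Run on a schedule against fresh exports, the output gives the reviewer a short list of accounts to disable, memberships to remove and list entries to clean up.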
A key issue is strict application of your password policy. Far too often users choose easily remembered passwords – “qwerty123” or “password”. Many passwords are their car index number, birthday or the name of the family pet. You need strong and frequently changed passwords.
Most authentication systems allow for forced password expiry and password creation rules. Make sure that the expiry option is switched on, and that the creation rules force a minimum length of at least eight characters, and a mixture of upper and lower case letters, numbers and special characters.
On a related point, check your systems software. It has been known, and again far too often, for the default systems administrator accounts and default passwords to be still active. Change the account names of privileged accounts. As far as is known, no automated hacking attacks have been carried out using anything other than the default account names. Apply your password policy to privileged accounts.
Some gurus even suggest getting rid of all the privileged accounts like domain admin that have unrestricted access to entire or partial systems functions.
Other techniques include disabling Internet access on servers that don’t need it.
Honeypots and Traps
Another often disparaged but useful technique is to set up a trap for hackers, often called a honeypot. A piece of kit that does nothing of any business value is set up to be attacked and monitored. When an attempt is made to hack it, this creates an immediate alert and the attack can be investigated and thwarted very quickly.
On a more technical point, lots of successful hack attacks using automated malware come through services continuing to operate through standard ports. Change them.
You can also change standard directories. For example, install Windows to C:\W10, not C:\Windows.
All the tricks shown above will greatly increase security, and at a very low cost.