Easy Steps to Help Maintain IT Security
Cyber-security breaches are all over the news these days. The enemy is creative, sophisticated, and apparently operating with relative impunity. The typical business has a lot of exposure, via each email account, computer, mobile phone, and Internet connection. What is the typical business to do in response to all these threats?
- Keep software up-to-date
Software has to be updated regularly to patch bugs that make it vulnerable to hacking and malware. Fortunately, many software products now update automatically, but that doesn’t mean IT staff can forget about updates entirely.
Sometimes updates fail, due to a glitch or an incorrect setting. IT staff should periodically verify that updates appear to be taking place on each PC, and intervene if there is an issue.
There are other situations that require automatic updates to be disabled, especially on some servers where downtime needs to be carefully coordinated. If that is the case, IT staff should schedule regular review and planning of required updates. Without prompting on a set schedule, updates are likely to take a back seat to other matters. Meanwhile, servers can go months between updates, exposing the business to unnecessary risk.
Finally, when software reaches the end of its lifecycle, vendors typically stop releasing security updates. If IT staff are unaware that support for a product is discontinued, they may assume updates are proceeding even though they are not. IT staff, therefore, need to itemize each software product and version, so that discontinued products may be replaced prior to becoming a liability.
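The three checks described above (failed automatic updates, overdue manual reviews, and products past end of support) can be run against a simple software inventory. The following Python sketch is an added example, not part of the original article; the hosts, product names, dates, and the 45-day and 180-day thresholds are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Install:
    host: str
    product: str
    version: str
    last_update: date               # last successful update seen on this host
    auto_update: bool               # False where updates are coordinated manually
    end_of_support: Optional[date]  # vendor's published end-of-support date, if known

# Constructed sample inventory: every name, version and date here is made up.
INVENTORY = [
    Install("pc-01", "ExampleOffice", "16.0", date(2024, 5, 28), True, date(2026, 10, 1)),
    Install("pc-02", "ExampleOffice", "16.0", date(2024, 2, 3), True, date(2026, 10, 1)),
    Install("srv-01", "ExampleDB", "11.2", date(2023, 11, 20), False, date(2025, 1, 31)),
    Install("srv-02", "ExampleOS", "6.1", date(2024, 5, 30), True, date(2024, 1, 14)),
]

def audit(inventory, today, max_age_days=45, eol_warning_days=180):
    """Return (host, product, finding) tuples for installs needing attention.

    max_age_days and eol_warning_days are assumed thresholds; set them to
    match your own review schedule.
    """
    findings = []
    for item in inventory:
        if item.end_of_support is not None:
            days_left = (item.end_of_support - today).days
            if days_left < 0:
                findings.append((item.host, item.product, "unsupported: replace"))
                continue  # update recency is moot once the vendor stops patching
            if days_left <= eol_warning_days:
                findings.append((item.host, item.product,
                                 "support ends soon: plan replacement"))
        if (today - item.last_update).days > max_age_days:
            reason = ("automatic update failing" if item.auto_update
                      else "manual review overdue")
            findings.append((item.host, item.product, reason))
    return findings

if __name__ == "__main__":
    for finding in audit(INVENTORY, date(2024, 6, 1)):
        print(*finding, sep=" | ")
```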
- Use “restricted” user accounts
It is a very common mistake to have users log in to their PCs with an administrative-level account. This is frequently done out of convenience — so that users are fully empowered to manage all aspects of their computer without the need to ask (or log in as) an administrator. That convenience comes at a steep cost to computer security, however. Even though the user needs administrative privileges less than 1% of the time, those privileges are there 100% of the time… including during activities that are at high risk of exposure to malware (such as browsing the web or opening email).
In the event that malware does execute on the computer, it is usually far less damaging if contained within a single “restricted” user account rather than having free rein under an administrative account. Under the restricted account, it is denied access to the most critical settings, and it cannot simply overwrite operating system files with its own. In short, it can hijack the one account but usually not the entire machine.
Today’s operating systems make it easier for users to cope with restricted accounts. Some of the restrictions have been loosened for common (and fairly harmless) settings such as power management and certain printer settings. To further empower users without empowering the bad guys, it is also possible to set up a “local administrator” account that the user has access to. Users can then be trained to authenticate using the local administrator account when they need to make a change.
- Always maintain high-quality Anti-Virus
Businesses should always maintain a high-quality anti-virus solution on each of their computers and phones. Furthermore, they should never let the subscription lapse. Luckily, there are a lot of high-quality, low-cost options. For businesses, we recommend making sure the anti-virus solution features centralized management. Centralized solutions help save money on deployment by remotely removing the previous antivirus solution and installing themselves automatically. The remote administrative utility also helps keep track of your machines and ensure that they are all getting virus definition updates.
- Change your passwords regularly
Human beings are the weak link when it comes to password-based authentication. We want a password that is simple to remember, and isn’t hard to type. Unfortunately, that means passwords are frequently re-used in many different places, and can be simple for the bad guys to guess or “crack”.
The solution is to develop better password hygiene, enterprise-wide:
- Enforce “strong” passwords (require passwords to have a minimum number of characters, uppercase and lowercase, a number, and a non-alpha-numeric character (ex: #, %, !)).
- Require users to change their password every month or two.
- Educate users not to re-use passwords between applications and web sites.
- Secure your file shares
While having a file share is very common for today’s businesses, it isn’t nearly as common for shared folders to be thoughtfully secured. For example, many shared files are simply open to any user of the network — with little thought for who should be able to read or write, or which users don’t need access at all.
Even if you trust the user, and they are entitled to access the files (such as the owner of the company), it isn’t necessarily wise to grant the user permissions that they do not need. Much like the rationale for using restricted user accounts above, when data (or a feature) is exposed without reason, it is accessible not just by the user, but by malware or a malevolent user that gains access to the user’s account. Therefore, it is far safer to grant file/folder access on the basis of need. Furthermore, the question is not just whether the user needs access, but whether they need to write as well.
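Granting access on the basis of need can be checked by comparing what each share actually grants with what each group has been agreed to need. The Python sketch below is an added example, not part of the original article; the share names, groups, grants, and the documented-needs table are constructed for illustration.

```python
# Constructed sample data: share names, groups and grants are made up.
# Permissions as exported from the file server: (share, principal, rights granted)
ACL = [
    ("Accounting", "Everyone", "write"),
    ("Accounting", "Owner", "write"),
    ("HR", "HR-Staff", "write"),
    ("HR", "Managers", "write"),
    ("Sales", "Sales-Team", "write"),
    ("Sales", "Warehouse", "read"),
]

# What each group actually needs, as agreed with the business (assumed table).
NEEDS = {
    ("Accounting", "Bookkeepers"): "write",
    ("Accounting", "Owner"): "read",
    ("HR", "HR-Staff"): "write",
    ("HR", "Managers"): "read",
    ("Sales", "Sales-Team"): "write",
}

# Principals that effectively mean "any user of the network".
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}
LEVEL = {"none": 0, "read": 1, "write": 2}

def audit_shares(acl, needs):
    """Return (share, principal, finding) for every grant broader than the need."""
    findings = []
    for share, principal, granted in acl:
        needed = needs.get((share, principal), "none")
        if principal in BROAD_PRINCIPALS:
            findings.append((share, principal,
                             "open to all users: replace with named groups"))
        elif needed == "none":
            findings.append((share, principal, "no documented need: remove"))
        elif LEVEL[granted] > LEVEL[needed]:
            # Trusted and entitled, but write access is more than is needed.
            findings.append((share, principal,
                             f"has {granted}, needs {needed}: reduce"))
    return findings

if __name__ == "__main__":
    for finding in audit_shares(ACL, NEEDS):
        print(*finding, sep=" | ")
```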
- Maintain a strong firewall router
A good firewall is a must-have for an Internet connection, but it isn’t enough to “set it and forget it.” Researchers have exposed glaring security vulnerabilities in many routers from well-known brands (like this recent story in PC World). In addition to using a strong password (never leave the default password), routers periodically need to have their firmware upgraded. Eventually — particularly if you think your model might be subject to a security vulnerability — routers need to be upgraded to a new model.
To help be sure that the firewall does not have an incorrect setting, it is a good idea to verify that your common service ports are secured. You can use an online tool for free, such as Gibson Research Corporation’s ShieldsUP.
Finally, access to the router’s administrative portal should be restricted to secure means only. In other words, administration should be via HTTPS or SSH connections, even if those connections only happen from “inside” your network.
- Maintain a firewall on each PC and Server
Having a good firewall at the “front door” is essential, but what about threats that come from within your local network? There could be malware running on a PC or phone, or a malevolent user trying to prod around your systems for vulnerabilities.
Strong network security has many layers, including firewalls on each of your PCs and servers. Of course, inside your network you start to relax things a bit — for example, opening a port on your server so that other PCs can access a service. If something doesn’t need to be exposed, though, it should be protected by a firewall running locally on the PC/server.
This is especially important for devices such as laptops that leave your network and join untrusted wifi networks. Public wifi networks (think coffee shops, airports, etc.) in particular are plagued by threats that could latch onto your unsecured devices while they visit. These threats could access file shares mistakenly left open, or exploit security vulnerabilities in the operating system to plant malware on your device.
- Secure your WiFi
It is quite common for businesses to share their WiFi password with customers, vendors, and/or employees so that they can connect with their own phones and computers. In some cases, this is practically unavoidable — especially with respect to visiting customers.
Business operators need to consider, though, the security implications of having “untrusted” devices on their network:
- Each untrusted device brings a new threat of malware infection
- Confidential files may be inadvertently exposed to snooping
- The network could be “choked down” by unnecessary activity
One option to increase security is to set up a separate WiFi access point just for “guests” that does not have direct access to the local network. This way, the threats are partitioned to their own network. Furthermore, the WiFi password can then be changed more frequently, because it is no longer necessary to update the password on all of the company-owned devices (because they connect using a separate WiFi network).
Speaking of the newly-secured WiFi that is dedicated to company-owned devices, it is best that only a few, trusted individuals know the WiFi password and are the “gatekeeper” whenever a device needs to be added to the network. Carefully guarding the WiFi password is obviously good for security (for one thing, it reduces potential for ex-employees to access the network from outside, before IT staff change the WiFi password).
Another great option for securing your WiFi network is to require that all PCs and phones first have an antivirus solution in place before adding them to the network.
Finally, just like other network appliances, wireless access points need to periodically have their firmware updated. Many will do this automatically if you configure them to do so, and this is clearly superior to relying on IT staff to manually update them. These devices also periodically need to be upgraded, as they get behind not just on technology, but also on security once they are no longer updated by the vendor.
- Secure devices that don’t have antivirus
The so-called “Internet of Things” refers to the movement to connect almost anything to the Internet: thermostats, appliances, vehicles, surveillance cameras, printers, streaming devices, phones… practically anything. Those devices usually don’t have a firewall or antivirus protection.
In addition to using a strong administrative password for these devices (never the default password), the firmware on these devices should be periodically upgraded if the device does not do so automatically.
It is also possible to help secure these devices using a product like Bitdefender Box. Bitdefender Box, in short, is an inexpensive network appliance that monitors your network and devices for vulnerabilities and signs of infection.
- Eliminate software that you don’t use
It isn’t always obvious that unused software can be a liability, but it absolutely can be. Take, for example, common products such as Java and Flash. Each product is frequently installed on PCs under the reasoning of “why not — it is free, and a lot of folks use it.”
Unfortunately, that reasoning does not promote the best possible security. Java and Flash can both be engaged when visiting web sites. Under ideal circumstances, they are not supposed to execute malicious code, but they can and do have vulnerabilities that are exploited by evil-doers. Even if the software is up-to-date, so-called “Zero-Day” threats exist where the vulnerability is as yet unknown to the vendor or the world community.
The practical way to minimize this threat is to remove unnecessary software. Flash is great for playing music and videos, but is that really necessary for each PC? Java is needed to access some web sites, but those sites tell you if that is the case — and those sites are not as numerous as some might expect.
Removing unnecessary software — whatever the product may be — reduces exposure to threats. As an added bonus, it can help your PCs and servers run faster, too.
- Have a good backup plan
There are times when you can do everything else right, and fate still gets the best of your data. That’s why it is important to develop an effective backup strategy, and continually monitor that the backup is functioning properly.
One of the biggest challenges to getting a good backup is simply not knowing what files need to be protected. That is why it is critical not just to work with an IT specialist, but one who really knows your systems in great detail.
You can start by itemizing each of the applications that you depend on. It may be easy to remember your accounting database, but perhaps there are other — less obvious — databases (that might be dedicated to running your HR functionality, a tool room, or your sales contacts). For each application, identify where, precisely, the data is stored, and then identify how — and how often — you will back it up. For some critical databases, it may be worth backing up the “log file” really frequently to help restore transactions right down to the moment disaster strikes.
Also be sure that at least one of your backup methods makes it “off site” on a regular basis. Some disasters don’t always spare your backup media (think break-ins, fires, and tornados). Whether you carry your backup media home with you or upload your files “to the cloud”, it doesn’t matter so long as the files are safely stored somewhere else.