Here are my top-10 tips to keep your business secure.
1. Reduce the number of external connections: Trim the number of discrete external connections to a departmental network by using the consolidated Internet gateways provided. Users will benefit from the protection of higher-level cyber defences deployed at the enterprise level, which monitor for, and can respond to, unauthorized entry, data exfiltration or other malicious activity.
2. Patch operating systems (OSs) and applications: Implement a timely patch maintenance policy for OSs and third-party applications to reduce departmental exposure to threats that could exploit known vulnerabilities. Use supported, up-to-date versions of applications that have been tested and approved by your IT department, ideally via an automatic patch management system.
3. Enforce the management of administrative privileges: Minimize the number of users with administrative privileges and revalidate the need for privileged accounts on a regular, frequent basis. Use two-factor authentication for accessing sensitive applications or for remote network access. Perform administrative functions on a dedicated workstation that does not have Internet or open e-mail access.
4. Harden operating systems (OSs): Prevent compromise of assets and infrastructures connected to the Internet by disabling all non-essential ports and services and removing unnecessary accounts. Enterprise-level auditing and anti-virus solutions are both key elements of any secure configuration. Ensure the appropriate network architecture choices and security procedures are in place.
5. Segment and separate information: Information stores and protection needs should be categorized, based on sensitivity or privacy requirements. Zone networks by segmenting infrastructure services into logical groupings with similar communication security policies and information protection requirements. This approach is used to control and restrict access and data communication flows.
6. Provide tailored awareness and training: IT security awareness programs and activities focused on user behaviour should be reviewed and maintained frequently and made accessible to all users with access to departmental systems. The human element will continue to provide an element of exposure. Management involvement in information protection decisions is essential in choosing appropriate security controls.
7. Manage devices at the enterprise level: Use Government of Canada-furnished equipment within a device management framework and provide control over configuration change management. If a bring-your-own-device scheme is considered for a network with low expectations of confidentiality and integrity, a strict control policy must still be implemented as one element of the risk mitigation strategy.
8. Apply protection at the host level: Deploy a Host-based Intrusion Prevention System (HIPS) solution to protect systems against both known and unknown malicious activity. HIPS can also take active measures by stopping an application or closing ports in the event of an intrusion. Monitoring HIPS alerts and logging information will provide early indications of intrusions.
9. Isolate web-facing applications: Use virtualization to create an environment where web-facing applications can run in isolation. Internet browsers and e-mail clients are examples of applications that are susceptible to malware. Any malware that infects the virtualized environment cannot get out of the sandbox; therefore, the malware cannot infect the host or enterprise.
10. Implement application whitelisting: Explicitly identify authorized applications and application components and deny all others by default to reduce the risk of executing zero-day malware. Application whitelisting technologies can control which applications are permitted to be installed or executed on a host. Application whitelisting policies should be defined and deployed across the organization using group policy management.
To learn more about what MNP’s Technology Solutions can do for you, contact Danny Timmins at 905.607.9777 ext. 230 or firstname.lastname@example.org