10 Basic Information Security Practices
Here’s a few basic information security practices you can use to reduce an organization’s risk of a data breach.
These include recent recommendations from the US Community Emergency Response Teams (CERT)’s security measures (PDF) to protect the Water Information Sharing and Analysis Center (WaterISAC), as well as data security guidelines released in July by the Federal Trade Commision (FTC) to protect consumers’ privacy and data.
1. Start With Security - Limit Scope
Factor security into every department of your business, including human resources, sales, accounting IT, etc. Start by limiting scope and securely disposing of personal information that your company doesn’t need to operate. For example, storing data after an online transaction is completed is unnecessary and leaves you at greater risk of losing sensitive customer data.
2. Train Employees on Security
General information security awareness programs for employees should include basic training on social engineering, which can convince users to unknowingly hand over sensitive information, like passwords, to criminals.
Training your users on how to spot a phishing email that appears to be sent from a trusted source or how to spot a spoofed website that has a slightly altered domain name can reduce your organization’s risk of a data breach.
3. Inventory Devices and Eliminate Exposure to External Networks
Any industry has certain devices that contain sensitive information that shouldn’t be connected to and exposed to external networks. Start by making a list of your hardware, software, data, apps, etc. that contain or may provide access to sensitive data, then determine which should be isolated.
For example, the manufacturing and critical infrastructure sector has industrial control systems that are used to control equipment and machines that shouldn’t ever be connected to the Internet, even through another network, as they can be compromised by a malicious hacker.
4. Encrypt Sensitive Data
The FTC recommends encrypting sensitive stored data and in-transit data using methods like TLS/SSL (Transport Layer Security/Secure Sockets Layer) encryption, data-at-rest encryption or an iterative cryptographic hash.
Mapping your encryption strategy to ensure data is secured at all stages, as it’s sent to servers and locations, can help your organization close security gaps. Ensure proper encryption configuration, since improper configuration can make apps vulnerable to attacks.
5. Use Secure Remote Access Methods
It should be standard for users to access networks remotely via a Virtual Private Network (VPN) that allows users to securely send and receive data over the Internet. But further securing VPN logins with two-factor authentication should also be standard, as credentials are easily stolen or guessed.
Two-factor authentication requires another method to verify your identity, after using a password. Using a mobile authenticator app, a user can securely log into their VPN by approving a push notification.
Devices that connect to networks remotely via VPN must also be updated to the latest software versions in order to reduce the risk of vulnerabilities and malware that can be introduced to corporate networks. Endpoint security solutions with device insight, analysis and remediation can identify outdated devices and help administrators quickly update them.
6. Strong, Non-Default Passwords…Plus 2FA
It should go without saying but isn’t always the case, especially in large organizations with many moving parts and different account owners - use unique, strong passwords for each account, and always change the default password on any login. Password managers can help you generate new passwords every login, or remember them for you.
Establish and enforce password change policies (number and type of characters, number of days to change them, stricter policies for admins, etc.). Malicious hackers use brute force attacks that attempt millions of character combinations to guess your password, often cracking weak ones in a matter of minutes.
And of course, using two-factor authentication in conjunction with a strong, unique password is essential for complete access security. Enable a solution that allows you to set a lockout and fraud policy, which locks a user out after too many unsuccessful login attempts and notifies admins of fraud, guarding against potential brute force attacks.
7. Enact the Principle of Least Privilege
Role-based access control limits the amount of permissions or access to certain network resources and data based on job function. The idea of least privilege is that a user only has the bare minimum needed to complete their job. This can reduce risks associated with stolen passwords, as a malicious hacker has a smaller chance of getting access to everything.
For example, contractors do not need access to systems that contain credit cardholder data in order to log their hours for billing. Separate and limit access to either account.
Limiting access can be easier with the ability to set custom security policies and controls, such as those that block login attempts from certain IP addresses, locations, anonymous networks and more.
8. Implement Network Segmentation
By classifying sensitive data and related IT assets/systems, and then restricting access to these systems, you can achieve network segmentation. The principle is, the compromise of one system shouldn’t easily lead the compromise of another, protecting against lateral movement if a malicious hacker should gain entry.
Separating different systems can work for security solutions too. For example, a more secure authentication setup should involve one primary authentication method sent over one channel (username and password sent over Internet), and a secondary authentication method/channel (push notification sent over mobile authenticator app).
If a remote attacker taps into your Internet connection, then they can easily steal your password, and your second form of authentication - if delivered over the same channel. Learn more about out-of-band authentication.
9. Keep System Logs
Logging the activity of systems can help security auditors and investigators find the source of any issues. Monitoring network traffic allows organizations to pinpoint any anomalous behavior, even that of authorized users, to identify a potential compromise of a user’s account.
Many compliance regulations, including the Payment Card Industry Data Security Standards (PCI DSS) list logging as a requirement with standard 10.7 mandating that companies retain an audit trail history for at least a year, with the minimum of three months immediately available for analysis.
10. Update Software to Avoid Vulnerability Exposure
Get a patch management system in place and maintain awareness of new vulnerabilities, which can quite literally pop up nearly every day. Adobe Flash releases notifications very often, sometimes even off-schedule from the typical Patch Tuesday to address critical vulnerabilities being exploited in the wild.
It can be difficult to do so on a timely basis, especially for the growing number of unmanaged devices that IT encounters from their user base as BYOD (Bring Your Own Device) becomes the norm in many workplaces.
Investing in an endpoint security solution that not only detects outdated software running on user-owned devices, but also notifies them to update can save administrators time by enabling users to quickly remediate their own vulnerable devices.
There are many, many other best practices, like implementing an incident response/disaster recovery/business continuity plan, backing up your data to an offsite location, ensuring physical security with appropriate monitoring, surveillance and access controls, etc. But starting with the 10 basics above can go a long way in reducing your risk of a data breach.