Backing up critical data is one of the longest-standing but most often overlooked strategies. With a wealth of options to choose from, we have no excuse not to back up our most valuable asset: information. Many media types are available along with cloud options. Enterprises may consider hosted solutions and disaster recovery sites. Planning is essential. Make sure crucial data is included as new systems come online and data stores are moved. Include backups of network devices. Avoid storing corporate data on local computers. Regular testing and annual disaster recovery exercises are obligatory. Remember to back up your personal data.
Multi-factor authentication (MFA) adds another layer of defence that makes the difference between breaches and disaster avoidance. Users may object to the introduced “complexity”, but they must understand its value to their personal and professional lives. Organisations should plan the implementation in a phased approach using a prioritised list of defended assets. Whether using mobile apps, biometrics, or established solutions such as fobs and smart cards, MFA has evolved from being an option to a necessity, especially in our cloud-focused environments. From critical payroll data to personal social media, you must consider using MFA against the present threat landscape.
We often install applications with factory settings but never bother hardening them properly. Default passwords, outdated versions, open ports, and insecure services introduce vulnerabilities to your environment. Begin with an inventory of applications, understand how to secure them, and then move forward with configuration changes to improve your security posture. Use vendor and industry best practices when securing your applications, but remember to thoroughly test the solution and use change management, lest you cause an unintentional denial of service. Patch applications to the current versions and enable logging and alerting. Use the principle of least privilege when granting application access.
Microsoft Office macros represent significant efficiency but also a vulnerability when not managed correctly. The ability to automatically execute tasks and code is a double-edged sword when entire systems may be impacted. Verification and testing of macros is mandatory, underpinned by secure distribution, policy, and digital signatures. Rare is the environment without macros, where disabling them completely becomes an option. Consider macros beyond the Microsoft space. Do not trust any macros that have not been vetted. Revoke the ability of users to modify the macro policy settings. Train staff on macro safety. Restrict macro privileges. Enable auditing and alerting.
Patching operating systems may be more critical than patching applications. While applications may be the action, the operating system enables the action. We all think of the ubiquitous Windows operating systems but should never overlook Linux, Unix, Mac, mobile platforms, and even IoT and network appliances. As with applications, products are released with imperfections, and vendors endeavour by various means to resolve them. WannaCry and Petya are recent examples highlighting the need for a patching strategy. Get informed, get involved, and get protected by making patching part of your regular maintenance. Acquire patches, verify their purpose, test, and deploy.
Administrator accounts have tremendous power. Beyond server and domain administrators, we must consider service accounts, workstation local administrators, and network appliance administrator accounts. It is critical to keep a full, accurate, and current inventory of these accounts and of who has access to them, and to confirm that they match the roles enabled. Auditing and logging are essential. Avoiding generic administrator accounts is crucial. Implementing control over administrator accounts must have management support but can create a political firestorm. Use groups to assign privileges and audit these delegations regularly. Engage change management before making elevated account changes. Used incorrectly or maliciously, administrator accounts can have catastrophic consequences.
Patching applications is often overlooked in the security strategy of organisations. While patching operating systems is a regular task, business-focused applications that are relied on daily end up being forgotten. Productivity software on the desktop, critical payroll and HR applications, and even the system firmware and software on network appliances (physical and virtual) must be updated and patched to the current stable versions as part of your patch management strategy. Replace or remove unsupported systems. Acquire updates from vendors when available and consider underpinning support agreements. Compromise of a vulnerable application can quickly escalate to exploitation of your entire infrastructure.