The cyber security industry has gotten great at boundary defense. “Firewalls, firewalls, firewalls” - that’s all you heard for a long time emanating from the boardroom. Well, the times they have changed. Now there are so many regulatory bodies and frameworks to be in compliance with that it is a struggle to keep every mandate straight. Questions like: “Is your network properly segmented?”, “How often are passwords changed?”, “What is your password complexity?”, “Is anyone checking those firewall logs?” Meanwhile the bad guys are waiting for your cyber defenses to fail, or worse, finding their own way in. The way they are finding their way in is through your most valuable resource: your employees. And what common element do all those employees have? ACCESS. They have access to the valuable data associated with your business practices and your clients. This valuable data can be quickly monetized on the seedy side of the Internet: the Darknet. In this article we will review five of the most critical steps in securing your users and therefore securing your data.
1. Training
There is still no replacement for training. If you do not tell your users what is acceptable, and what is not, how are they going to know? You need to take charge and inform them that IT will do its best to protect them, but they have to take proactive steps to help themselves. Think of it like this: the government, via laws and law enforcement, sets up a framework to protect US citizens. But this framework of protection is futile if you leave the doors to your car unlocked while visiting bad parts of town. Implement a robust training program that includes topics like phishing and acceptable use. Engage with a company that can conduct security awareness training and subsequently test your users to see if they will fall victim to an orchestrated phishing email. Develop a strong acceptable use policy that lays out permitted user behavior on the network and on company-owned assets. Be prepared to enforce the consequences of unacceptable behavior. Training will provide a solid foundation upon which to build your users’ knowledge and defenses.
2. Passwords
Everybody’s nemesis: passwords. You have to implement strong passwords. Period. End of story. They should be at least 10 characters and contain upper case letters, lower case letters, numbers and special characters. No exceptions. My recommendation would be to implement this as a policy. Enforce password changes every 90 days. Why? That is about how long it would take with modern equipment to brute-force the password. If you are able, it is encouraged to implement two-factor authentication for users logging into your company network remotely. A successful example of a two-factor authentication implementation is Google’s Gmail. If you choose to enable two-factor authentication on your Gmail account, you log in as normal with your user ID and password, but before you are granted access you have to enter a code texted to your mobile phone. This is just one example. Be proactive. Ask your IT department about two-factor authentication.
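The policy above can be checked mechanically. The following script is an added example, not part of the original article: it applies the article’s stated rules (at least 10 characters, all four character classes, change every 90 days) to a constructed set of accounts and reports which passwords fail complexity and which accounts are overdue for a change. The account names and dates are constructed sample data.

```python
import re
from datetime import date

# Policy values as stated in the article.
MIN_LENGTH = 10
MAX_AGE_DAYS = 90


def password_meets_policy(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems


def stale_accounts(last_changed: dict[str, date], today: date) -> list[str]:
    """Names of accounts whose password is older than MAX_AGE_DAYS.

    A password changed exactly MAX_AGE_DAYS ago is still within policy;
    the day after that it is overdue.
    """
    return sorted(
        name for name, changed in last_changed.items()
        if (today - changed).days > MAX_AGE_DAYS
    )


# Constructed sample data: user -> date of last password change.
LAST_CHANGED = {
    "jim": date(2016, 1, 2),     # exactly 90 days before AUDIT_DAY: still OK
    "alice": date(2016, 3, 1),   # 31 days old
    "bob": date(2015, 12, 20),   # 103 days old: overdue
}
AUDIT_DAY = date(2016, 4, 1)

if __name__ == "__main__":
    print("weak:", password_meets_policy("password"))
    print("overdue for change:", stale_accounts(LAST_CHANGED, AUDIT_DAY))
```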
3. Controlled Use of Administrative Privileges
Help your users help themselves. Do not allow general users to have administrative privileges on their computers. No one. Ever. No matter who asks, including employees at the highest levels of management. In a properly managed enterprise environment, regular users should not have the ability to install software or change system configurations. Even system administrators should use a separate, dedicated “admin” account for those tasks that require that level of access. After completing “admin” level tasks, the system administrator should log out of that account and back into their regular user account.
There are many dangers associated with allowing your general users administrative access on their local machine. If they visit a “bad guy” website, click on a link in a phishing email, or open an infected file, their machine is now under someone else’s control. It is really that easy. Once that machine is under the bad guy’s control, they will use it as their beachhead to slowly take over and control your network - the same network where you store your sensitive and proprietary data.
4. Controlled Access Based on the Need to Know
“Need to know” sounds very government-y, and it is. This has been the guiding principle of the government’s classification system for decades. In the private enterprise this philosophy has gained traction as companies have realized that every employee has access to everything on the network, especially the file server, i.e. the shared drive. Access to the shared drive should be controlled based on which folders each employee needs. For example, a new employee, Jim, starts in Accounting. Jim’s manager sends an email to IT stating that Jim needs access to the Accounting department’s folders on the shared drive. Jim does not need access to Human Resources, Business Development, Sales, Marketing… You get the idea. Securing the various folders on your file server needs to be implemented via policy. Identifying access for new employees should fall on the shoulders of the employee’s manager. Periodic audits should be conducted to ensure everyone is following the rules. This implementation will protect your enterprise in the off chance someone is able to compromise a user’s account: it limits the level of access an attacker gains and allows your network to recover more quickly in the event of a breach. Bottom line: limit user access to what they need based on their role in the enterprise.
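The periodic audit described above can be automated by comparing each folder’s access list against the role the manager approved. The script below is an added example, not from the original article: the staff directory, the role-to-folder entitlements and the shared-drive ACL snapshot are all constructed sample data, and the “pat” account stands in for a departed employee who is no longer in the staff directory but still appears on a folder’s access list.

```python
# Constructed entitlements: which shared-drive folders each role may see.
# (Sales is assumed here to also work from Marketing material.)
ROLE_FOLDERS = {
    "Accounting": {"Accounting"},
    "Human Resources": {"Human Resources"},
    "Sales": {"Sales", "Marketing"},
}

# Constructed staff directory: user -> manager-approved department.
STAFF = {"jim": "Accounting", "dana": "Human Resources", "raj": "Sales"}

# Constructed snapshot of the shared drive: folder -> users granted access.
# In practice this would be exported from the file server's ACLs.
ACLS = {
    "Accounting": {"jim", "raj", "pat"},
    "Human Resources": {"dana"},
    "Sales": {"raj"},
    "Marketing": {"raj", "jim"},
    "Business Development": {"raj", "dana"},
}


def audit_need_to_know(staff, role_folders, acls):
    """Return {user: sorted list of folders} for every grant not justified by role.

    A user missing from the staff directory (e.g. a departed employee) has no
    role and therefore no entitlements, so every grant they hold is flagged.
    """
    findings = {}
    for folder, users in acls.items():
        for user in users:
            role = staff.get(user)
            allowed = role_folders.get(role, set())
            if folder not in allowed:
                findings.setdefault(user, []).append(folder)
    return {user: sorted(folders) for user, folders in findings.items()}


if __name__ == "__main__":
    for user, folders in sorted(audit_need_to_know(STAFF, ROLE_FOLDERS, ACLS).items()):
        print(f"{user}: excess access to {', '.join(folders)}")
```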
5. Inventory of Authorized and Unauthorized Devices
Do not allow users to connect to your network via any device they want, especially if you have an enterprise wireless network at the office. Your IT staff should not have to worry about the security of every employee’s personal tablet, mobile phone, and non-company laptop. Your IT staff does not know the security status of those devices, and chances are neither do your users. Protect your business from the unknown. Only allow your users to connect to the company network while at work via authorized devices that you control. A list of authorized devices can be easily integrated into your method of enterprise authentication. The fewer vulnerabilities your IT staff has to worry about, the better!
Secure your users. They are your most valuable, and most vulnerable, resource. Now you’re ready! Get out there, fix your users and protect your data!
About the author: Justin Prior is a Director at UnitedLex Cyber Risk Solutions and is responsible for investigating computer breaches and conducting cyber risk assessments. Prior to being employed by UnitedLex, Justin was a Special Agent with the FBI, where he investigated cyber matters for the US Government. Justin also has marked experience with cyber counterintelligence matters, both foreign and domestic.