Securing our online presence: the threats and some solutions.

tedwellstood
Global Intersection
6 min read · Aug 28, 2016

Part Three: Defensive solutions — Policy, Procedure and other pesky documents.

This is probably the area of defence that no-one really cares for; training is fun, technology is exciting, but paperwork, that’s just tedious... Right? Sorry folks, but this is critical: without the correct processes and procedures, getting anything done, at least in a meaningful way, is going to be difficult if not impossible. I’m sure everyone has come across policies, procedures, standards and guidelines, but can you define what they are?

· Policies; these are the guiding principles, values and strategies used to define organisational and personal behaviour. They are high level and independent of any technology. They are mandatory within the organisation and may even be legal requirements.

· Standards; the processes, measures, qualities and specified requirements needed to meet the policies.

· Procedures; the ‘how to’ documents. These specify the particular way of accomplishing tasks. They should be consistent and repetitive steps that accomplish an end result, e.g. server or switch configuration builds.

· Guidelines; although not mandatory, they provide guidance and best practice approaches to specific topics, for instance the interpretation and implementation of policy.

These documents need to be regularly (annually?) reviewed for relevance, and they should have owners assigned who are responsible for their upkeep. Generally, the CIO would be responsible for the IT policies, with junior managers looking after the remainder. Engineers should be accountable for the configuration and system documents for their area. An organisation’s policies should also be pushed to third parties such as vendors and support providers; why would you secure your business when your supplier leaks like a sieve?

Keep an eye on industry best practices and incorporate these standards as appropriate. Use established frameworks such as:

Systems development life cycle (SDLC) — to plan, create, test and deploy software solutions.

Information Technology Service Management (ITSM) — to align the delivery of IT services with the needs of the organisation.

Information Technology Infrastructure Library (ITIL) — a globally recognised set of best practices and standards that support ITSM.

There’s a reason these frameworks exist — [when used properly] they work — make use of them!

Launch a quick search in your favourite web browser and you will find a plethora of examples and templates to guide you through creating your documentation. Remember though, when compiling your policies, you need to write them in a way that can be enforced, and enforced they must be. Consider implementing a zero-tolerance approach at all levels: remove and prosecute violators, then advertise the reason for their removal.

Staff, especially those with privileged access, should be actively and intensely monitored. Have pre- and post-employment checks and credit checks, along with post-employment confidentiality agreements. Make staff security awareness training compulsory and link it to system access — if they don’t attempt or they fail the training, they don’t get access to company systems or information.

You need to define what business data is critical to your organisation. Protect this information in the most secure fashion possible and have a contingency plan should this protection fail. Have comprehensive disaster recovery and business continuity plans and test them annually. Make sure your risk management plan is maintained with actions, mitigations and controls testing. Have asset management lifecycle processes that ensure hardware and software remain within vendor support.

Part Four: Defensive solutions — Technology

This is the area that gets the technical folk salivating. However, I’m not here to promote products or go into any technical detail, but hopefully just make you think. The amount of technology used in defending your network comes down to the risk appetite of your organisation, or the importance of your personal data, and the amount of money you are willing to spend.

For the home user: There are many anti-virus (AV) products available, both free and at a cost. Regardless of which you choose, I would recommend that more than one AV product be used on your devices; they all work slightly differently and update at different times, so more than one will increase your defences.

Firewalls are another product home users should consider. They range from free software applications to physical appliances [choose the unified threat management (UTM) devices, they offer better protection across your network]. UTM appliances do have a price tag attached, but will give you better security across a home network. In both cases, if you’re new to these solutions, install them initially in their default state, then learn how they work and adjust the configuration to improve your defences.

Web filters are another solution; these are able to limit access to particular web sites or genres. These can again be free or at cost and are comparatively easy to use. Whitelists can be set up, meaning only those sites/topics explicitly listed may be visited, or blacklists, where all sites/topics may be visited except those explicitly listed. These are simple ways of protecting your family from accidentally (or otherwise) visiting unsavoury sites.
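To show what the whitelist and blacklist modes described above actually decide on, here is a small added example of a domain-based web filter. It is illustrative code written for this page, not code from the original post or from any filtering product, and the class name `WebFilter`, its `allowlist`/`denylist` modes and the `*.example.com`/`*.test` domains are all constructed for the example. It matches hosts by DNS label rather than by substring, so a listed `example.com` covers `www.example.com` but not `notexample.com` or `example.com.evil.test`, and in whitelist mode it fails closed when a URL has no usable host.

```python
from urllib.parse import urlsplit


class WebFilter:
    """Allowlist/denylist domain filter (hypothetical example, not a real product).

    mode="allowlist": only listed domains (and their subdomains) may be visited.
    mode="denylist":  everything may be visited except listed domains (and subdomains).
    """

    def __init__(self, mode, domains):
        if mode not in ("allowlist", "denylist"):
            raise ValueError("mode must be 'allowlist' or 'denylist'")
        self.mode = mode
        # Normalise the configured domains once so comparisons are exact.
        self.domains = {self._normalise(d) for d in domains}

    @staticmethod
    def _normalise(host):
        # Case-insensitive, and a trailing dot (absolute FQDN) means the same host.
        return host.strip().lower().rstrip(".")

    def _listed(self, host):
        """True if the host itself or any parent domain is in the configured set."""
        labels = self._normalise(host).split(".")
        # Check "a.b.example.com", then "b.example.com", "example.com", "com".
        # Label-wise matching avoids the substring pitfall where "example.com"
        # would wrongly match "notexample.com".
        for i in range(len(labels)):
            if ".".join(labels[i:]) in self.domains:
                return True
        return False

    def allows(self, url):
        """Decide whether a URL may be visited under the configured mode."""
        # Accept bare hostnames as well as full URLs.
        parts = urlsplit(url if "://" in url else "http://" + url)
        # urlsplit().hostname strips userinfo, so "http://example.com@evil.test/"
        # is correctly evaluated against "evil.test", not "example.com".
        host = parts.hostname
        if not host:
            # No host to judge: fail closed in allowlist mode, open in denylist mode.
            return self.mode == "denylist"
        listed = self._listed(host)
        return listed if self.mode == "allowlist" else not listed


if __name__ == "__main__":
    # Constructed sample configuration and requests for demonstration.
    family = WebFilter("allowlist", ["example.com", "Kids.Example.org."])
    for u in ["https://www.example.com/page", "https://notexample.com/",
              "https://example.com.evil.test/", "http://example.com@evil.test/"]:
        print(f"{u:40} -> {'allow' if family.allows(u) else 'block'}")
```

The allowlist is the stricter of the two modes: anything not explicitly listed is blocked, including lookalike domains that merely contain a permitted name. The denylist only catches what you have thought to list, which is why the post recommends it as the easier but weaker option.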

Lastly, do allow those annoying automatic updates to run; they are released for a reason. They patch vulnerabilities in application or operating system security, and fix bugs that cause problems.

For the business user: All of the above still applies. The difference is that the free stuff isn’t going to be up to the task of defending enterprise networks. This is where it can get expensive [and technical, so apologies to the non-techies; your browser will explain in detail should you wish it]. Data encryption, both in transit and in databases, web application firewalls, network and host intrusion detection/prevention, proxies, sandboxes, honey-traps and network segregation are all solutions that need to be considered in your network defences. Patching, as mentioned, exists for a reason, and the number of hacked businesses that had failed to patch in years is not insignificant. AV for organisations should be on both servers and end user devices, again using different engines.

If your organisation needs a solution and it doesn’t exist in the market place, design it yourself, but remember — security starts at the application. Once you’ve developed your own solution be a testing zealot — before you release it. Try to embrace new technology, it is harder to target for the hackers — it’s new to them too.

When you believe your security measures are fully engaged make use of an independent vulnerability and penetration testing organisation to prove (or not) your assumptions. Make this a regular task, every 12 months for instance.

The internet of things (IoT), mobile devices and bring your own device (BYOD) are all areas of technology that are becoming more prevalent; they must be a part of your security design. For all of your devices — Patch, Protect and Segregate (especially IoT). Remove remote administration access to all your systems and have your engineers go to site to make changes — one less thing for the hackers to use against you.

For all network security, employ multiple layers of defence, use different vendors and train your staff. There is a global shortage of security engineers and there will be for the foreseeable future; the hackers know this, so you are going to have to grow your own experts.

Treat the internet as a battleground, the war is raging right now and there are no rules for your adversaries. Assume all your enemies are professional and defend your network accordingly.
