The news is filled with data breaches of large retailers such as Target and Neiman Marcus. Unfortunately, smaller companies are also targets for attacks, pardon the pun. Verizon’s 2013 Data Breach Investigations Report found that attackers did not discriminate based on business location, size or industry. These stories also tell us that just complying with PCI (the Payment Card Industry standard) is not enough.
The traditional way to protect computer networks has been to create a strong perimeter by setting up firewalls at the edge as a traffic cop on what is allowed in and out. We recommend that you look at your areas of risk and protect from the inside out. I’m going to talk about some quick best practices and how they could have prevented or reduced the effect of these breaches.
- Use two-factor authentication wherever possible, especially for remote access. For example, a smartphone application that provides one-time passwords each minute. Not only the HVAC contractor, but all remote users should have had a two-factor system in place. PCI states that a two-factor system should be in place to access the payment network. In this case the HVAC vendor was not connecting to the payment network… which leads us to the next point.
- Separate your important-stuff network from your really-important-stuff network. If you have systems that process payments and store Personally Identifiable Information, separate them from your main network, and keep contractor systems off of your main network as well.
- Along those lines, only allow access to systems and data when it’s needed. Don’t give privileges to users or networks that shouldn’t have access. Your R&D people don’t need access to the Payroll server.
- Keep your systems and software up to date. Vulnerabilities and bugs can lead to holes that hackers can get in through.
- Put in effective email filters and educate your employees. A good email filter will go a long way but none are perfect. Educate your employees on making good decisions regarding opening emails that they get. The old adage was that you don’t open email from strangers. However, your friends and colleagues are sending stuff unknowingly too. Phishing – the act of using a fake email or website to get you to give up your information – is the number one way that external threat actors are collecting password credentials and gaining access.
- Whitelist your applications wherever possible. It’s like having a bouncer at your party: if you aren’t on the list, you don’t get to go inside. This isn’t always possible in dynamic organizations and is difficult/costly to maintain, but it probably provides the most protection. If you have systems that are fairly static, like Point of Sale terminals, whitelisting would go a long way to prevent the bad stuff from taking hold.
- Create an IT security policy, disseminate it to your employees, follow it, and test it. Creating a policy gives you props when you are talking to a compliance auditor, but on its own it doesn’t do you any good protecting against an attacker. Social engineering (including email phishing and even by phone) is a common vector of attack used by malicious users. Give employees kudos or rewards for thwarting an attempt.
- Monitor all of the above using automation where possible and ensure that you or your IT team is effectively alerted when bad stuff happens.
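To show what "monitor all of the above using automation" can look like in practice, here is an added example (not from the original post) that turns four of the points above into automated alerts: remote logins without a second factor, traffic from the contractor or corporate segment reaching the payment segment, a process on a Point of Sale host that is not on the application whitelist, and a burst of failed logins. The log format, the zone address ranges, the whitelist hashes and the thresholds are all assumptions made for illustration, and the sample log lines are constructed.

```python
"""Added example: a small log monitor that raises alerts for the practices
described in the post.  Log format, zones, hashes and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed network segments.  Addresses are RFC 1918 ranges chosen for the example.
ZONES = {
    "contractor": ipaddress.ip_network("10.50.0.0/16"),
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "payment": ipaddress.ip_network("10.200.0.0/24"),
}
# Segmentation rule: these zones must never reach the payment segment.
ISOLATED_FROM_PAYMENT = {"contractor", "corporate"}

# Application whitelist for POS hosts.  Values are constructed placeholders,
# not real SHA-256 digests; in practice they would be hashes of approved binaries.
POS_ALLOWLIST = {"hash-pos-app-v3", "hash-pos-printer-driver"}

FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=5)


def zone_of(ip):
    """Map an IP address to the zone it belongs to, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse(line):
    """Parse the assumed format: '<ISO timestamp> <event> key=value ...'."""
    ts, event, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "event": event}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def monitor(lines):
    """Return a list of (alert_kind, message) tuples for the given log lines."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of recent failed logins
    for rec in map(parse, lines):
        event = rec["event"]
        if event == "vpn_login" and rec.get("mfa") != "ok":
            alerts.append(("NO_MFA", f"remote login by {rec['user']} from {rec['src']} without a second factor"))
        elif event == "fw_allow":
            src, dst = zone_of(rec["src"]), zone_of(rec["dst"])
            if dst == "payment" and src in ISOLATED_FROM_PAYMENT:
                alerts.append(("SEGMENTATION", f"{src} host {rec['src']} reached payment host {rec['dst']}"))
        elif event == "process_start" and zone_of(rec["host"]) == "payment":
            if rec["hash"] not in POS_ALLOWLIST:
                alerts.append(("UNLISTED_APP", f"{rec['exe']} ran on POS host {rec['host']} but is not whitelisted"))
        elif event == "login_failed":
            history = failures[rec["user"]]
            history.append(rec["ts"])
            # Keep only failures inside the sliding window.
            history[:] = [t for t in history if rec["ts"] - t <= FAILED_LOGIN_WINDOW]
            if len(history) == FAILED_LOGIN_THRESHOLD:
                alerts.append(("BRUTE_FORCE", f"{FAILED_LOGIN_THRESHOLD} failed logins for {rec['user']} within {FAILED_LOGIN_WINDOW}"))
    return alerts


# Constructed sample log lines for the example.
SAMPLE_LOG = [
    "2014-02-10T09:00:00 vpn_login user=hvac-vendor src=203.0.113.7 mfa=none",
    "2014-02-10T09:00:05 vpn_login user=jsmith src=198.51.100.4 mfa=ok",
    "2014-02-10T09:01:00 fw_allow src=10.50.3.9 dst=10.200.0.15 port=445",
    "2014-02-10T09:01:10 fw_allow src=10.200.0.20 dst=10.200.0.15 port=445",
    "2014-02-10T09:01:30 process_start host=10.200.0.15 exe=pos.exe hash=hash-pos-app-v3",
    "2014-02-10T09:01:40 process_start host=10.200.0.15 exe=update.tmp hash=hash-unknown-binary",
    "2014-02-10T09:02:00 login_failed user=admin src=10.10.5.5",
    "2014-02-10T09:02:10 login_failed user=admin src=10.10.5.5",
    "2014-02-10T09:02:20 login_failed user=admin src=10.10.5.5",
    "2014-02-10T09:02:30 login_failed user=admin src=10.10.5.5",
    "2014-02-10T09:02:40 login_failed user=admin src=10.10.5.5",
    "2014-02-10T09:10:00 login_failed user=bob src=10.10.5.6",
]

if __name__ == "__main__":
    for kind, message in monitor(SAMPLE_LOG):
        print(f"[{kind}] {message}")
```

Each alert corresponds to a control in the list: the VPN login without a second factor, the contractor host reaching the payment segment, the unlisted binary on the POS terminal, and the failed-login burst. The same payment-to-payment traffic, the MFA-protected login and a single failed login from bob produce nothing, which is the point of alerting on policy violations rather than on every event.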