You Too Can Stink at Information Security!
“Security? We don’t need no stinking security!”
I’ve actually heard a CTO utter words this effect. If you subscribe to a similar mindset, here are five ways you too can stink at information security.
- Train once and never test
Policy says you and your users need to be trained once a year, so once a year is good enough. Oh, and make sure you never test the users either—it’ll only confuse them.
- Use the same password
It just makes life so much easier. Oh, and a good place to store your single password is in your email, or on Post-It notes stuck to your monitor.
- Patching breaks things, so don’t patch
Troubleshooting outages is a pain. If you don’t patch and you don’t look at the device in the corner, then it won’t break.
- The firewall will protect everything on the inside
We have the firewall! The bad guys stay out, so on the inside, we can let everyone get to everything.
- Just say no and lock EVERYTHING down
If we say no to everything, and we restrict everything, then nothing bad will happen.
OK, now it’s out of my system—the above is obviously sarcasm.
But some of you will work in places that subscribe to one or more of the above. I’ve been there. But what can YOU do? Well, it’s 2020, and information security is everyone’s responsibility. One thing I commonly emphasize with our staff is no cybersecurity tool can ever be 100% effective. To even think about approaching 100% efficacy, everyone has to play a role as the human firewall. As IT professionals, our jobs aren’t just to put the nuts and bolt in place to keep the org safe. It’s also our job to educate our staff about the impact information security has on them.
So, let’s flip the above “tips” on their head and talk about what you can do to positively affect the cyber mindsets in your organization.
Train and Test Your Users Often
Use different training methods. Our head of marketing likes to use the phrase “six to eight to resonate.” You’re trying to keep the security mindset at the front of your staff’s consciousness. In addition to frequent CBT trainings, use security incidents as a learning mechanism. One of our most effective awareness campaigns was when we gamified a phishing campaign. The winner got something small like a pair of movie tickets. This voluntary “training” activity got a significant portion of our staff to actively respond. Don’t minimize the positive effect incentives can have on your users.
Lastly, speaking of incentives, make sure you run actual simulated phishing exercises. It’s a safe way to train your users. It’s also an easy way to test the effectiveness of your InfoSec training program and let users know how important data security is to the business.
Practice Good Password Hygiene
Security pros generally agree you should use unique, complex passwords or passphrases for every service you consume. This way, when (not if) an account you’re using is compromised, the account is only busted for a single service, rather than everywhere. If you use passwords across sites, you may be susceptible to credential stuffing campaigns.
Once you get beyond a handful of sites, it’s impossible to expect your users to remember all their passwords. So, what do you do? The easiest and most effective thing to do is introduce a password management solution. Many solutions out there run as a SaaS offering. The best solutions will dramatically impact security, while simplifying operations for your users. It’s a win-win!
One final quick point before moving on: make sure someone in your org is signed up for notifications from haveibeenpwned.com. At the time of this writing, there are over 9 BILLION accounts on HIBP. This valuable free service can be an early warning sign if users in your org have been scooped up in data breaches. Additionally, SolarWinds Identity Monitor can notify you if your monitored domains or email addresses have been exposed in a data leak.
Patch Early and Often
I’m guessing I’m not alone in having worked at places afraid of applying security patches. Let’s just say if you’ve been around IT operations for a while, chances are you have battle scars from patching. Times change, and in my opinion, vendors have gotten much better at QAing their patches. Legacy issues aside, I’ll give you three reasons to patch frequently: Petya, NotPetya, and WannaCry. These three instances of ransomware caused some of the largest computer disruptions in recent memory. They were also completely preventable, as Microsoft released a patch plugging the EternalBlue vulnerability months before attacks were seen in the wild. From a business standpoint, patching makes good fiscal sense. The operational cost related to a virus can be extreme—just ask Maersk, the company projected to lose $300 million dollars from NotPetya. This doesn’t even account for the reputational risk a company can suffer from a data breach, which in many cases can be just as detrimental to the long-term vibrancy of a business.
If you’re breached, you want to limit the bad actors’ ability to pivot their attack from a web server to a system with financials. This technique is demonstrated with a DMZ approach. However, a traditional DMZ may not be enough, resulting in the rise of micro-segmentation over the last few years. The fun added benefit you can get with a micro-segmentation approach is as you’re limiting the attack surface, you can also handle events programmatically, like having the firewall automatically isolate a VM when a piece of malware has been observed on it.
Work With the Business to Understand the “Right” Level of Security
If you’ve read my other blog posts, you know I believe IT organizations should partner with business units. But more than a couple of us have seen InfoSec folks who just want to lock everything down to the point where running the business can be difficult. When this sort of a combative approach is taken, distrust between the units can be sowed, and shadow IT is one of the possible results.
Instead, work with the BUs to understand their needs and craft your InfoSec posture based on that. After all, an R&D team or a Dev org needs different levels of security than credit card processing, which must follow regulatory requirements. This for me was one of the most resonant messages to come out of The Phoenix Project: if you craft the security solution to fit the requirements, the business can better meet their needs, Security can still have an appropriate level of rigor, and better relationships should ensue. Win, win, win.
Security is a balancing act. We all have a role to play in cybersecurity. If you can apply these five simple information security hygiene tips, then you’re on the path towards having a secure organization, and I think we can all agree, that’s something to be thankful for.