Most high-profile cyberattacks of recent years could have been prevented if companies and government agencies had followed basic security practices. Even the advice handed out by the federal government isn’t followed by its own agencies, as the breach at the Office of Personnel Management (OPM) earlier this year made clear: 1.1 million fingerprints and 1.8 million Social Security records, along with applicants’ usernames and passwords, were stolen.
While the Cybersecurity Information Sharing Act (CISA) may not prove to be completely worthless, it falls far short of being able to prevent attacks like the one carried out against OPM, as many security experts have pointed out.
The key concern here is the ‘information sharing’ itself: the bill lets private companies share user data with the Department of Homeland Security (DHS) with few obstacles, in return for protection from Freedom of Information Act requests and from regulatory fines related to the data they share.
Following basic security best practices
So if CISA is unlikely to make a significant difference to the nation’s cybersecurity posture, what is? I set out some basic server security tips here on the Netwrix blog: Basic Rules of Windows Server Security. As stated there, monitoring and auditing crucial security settings, and looking for unusual activity, are important for detecting potential security breaches.
Don’t forget end-user devices
We tend to invest a lot in securing data and servers, the valuable assets of our organizations, and rightly so. But they form part of a wider network that includes often vulnerable end-user devices, whether desktop PCs, smartphones or notebooks, and an attacker who compromises one of those is already inside the perimeter.
Don’t rely on antivirus alone to secure users’ devices. Although AV still has a role to play, definition-based (signature-based) antimalware is becoming less and less effective against today’s more sophisticated threats. Application control, where only approved applications are allowed to run, and least privilege, where administrative rights are removed from end users, are key to stopping an attacker from pivoting from a compromised end-user system to your servers: without local admin rights, malware cannot disable the endpoint’s defenses or harvest the cached credentials it needs to move laterally.
End-to-end encryption of sensitive customer data, and of any other information that could help an attacker gain access to systems, is undoubtedly important. The UK government’s call to outlaw encryption has understandably worried security experts, and would likely have devastating effects on the digital economy because business could no longer be done securely. I’m certain these plans will be reconsidered, and encryption should remain part of your security game plan.
Getting started with security best practices
If you’re looking for a general guide on how to secure your IT systems, the SANS 20 Critical Security Controls is a good place to start. The document was written by the SANS Institute, the UK Centre for the Protection of the National Infrastructure (CPNI), McAfee and other private and public bodies, and provides a great starting point for securing servers and end-user devices.
The recommendations include a control for ‘maintenance, monitoring, and analysis of security audit logs’, which a third-party auditing solution can help you realize. Collecting the logs is only half of that control; the other half is running detection logic over them so that a burst of failed logons or an unexpected change to a privileged group is noticed while it still matters.
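As an added example of the ‘looking for unusual activity’ and ‘analysis of security audit logs’ points above (this is not code from the original post or from Netwrix), the script below runs two simple detections over Windows Security events: a sliding-window count of failed logons (event 4625) per source address, flagged as urgent when a successful logon (4624) from the same source follows, and a report of every addition to a privileged group (events 4728 and 4732) that notes whether the actor is on an approved list. The event records are constructed to look like fields exported from the Security log; the hostnames, user names, addresses, approved-admin list and thresholds are assumptions.

```python
"""Detection logic over Windows Security audit events (added example).

Not code from the original post or from Netwrix. The event records below are
constructed to resemble fields exported from the Security event log. The event
IDs are the documented Windows ones (4625 failed logon, 4624 successful logon,
4732 member added to a local group, 4728 member added to a global group);
hostnames, users, addresses and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}
APPROVED_ADMINS = {"admin.jane"}        # assumption: accounts allowed to change privileged groups
FAILURE_THRESHOLD = 5                   # assumption: tune per environment
FAILURE_WINDOW = timedelta(minutes=5)

# Constructed sample events: one morning on a file server (FS01) and a DC (DC01).
SAMPLE_EVENTS = [
    {"time": "2015-07-01T09:00:01", "id": 4625, "host": "FS01", "user": "jsmith", "src": "10.0.0.5"},
    {"time": "2015-07-01T09:00:10", "id": 4625, "host": "FS01", "user": "jsmith", "src": "10.0.0.5"},
    {"time": "2015-07-01T09:00:20", "id": 4625, "host": "FS01", "user": "jsmith", "src": "10.0.0.5"},
    {"time": "2015-07-01T09:00:30", "id": 4625, "host": "FS01", "user": "jsmith", "src": "10.0.0.5"},
    {"time": "2015-07-01T09:00:40", "id": 4625, "host": "FS01", "user": "jsmith", "src": "10.0.0.5"},
    {"time": "2015-07-01T09:00:50", "id": 4625, "host": "FS01", "user": "jsmith", "src": "10.0.0.5"},
    {"time": "2015-07-01T09:01:05", "id": 4624, "host": "FS01", "user": "jsmith", "src": "10.0.0.5"},
    {"time": "2015-07-01T09:30:00", "id": 4625, "host": "FS01", "user": "mlee", "src": "10.0.0.9"},
    {"time": "2015-07-01T09:30:20", "id": 4624, "host": "FS01", "user": "mlee", "src": "10.0.0.9"},
    {"time": "2015-07-01T10:15:00", "id": 4732, "host": "FS01", "subject": "svc_backup",
     "member": "tmpadmin", "group": "Administrators"},
    {"time": "2015-07-01T11:00:00", "id": 4728, "host": "DC01", "subject": "admin.jane",
     "member": "jdoe", "group": "Sales"},
    {"time": "2015-07-01T11:05:00", "id": 4732, "host": "FS01", "subject": "admin.jane",
     "member": "bob", "group": "Administrators"},
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def detect_brute_force(events, threshold=FAILURE_THRESHOLD, window=FAILURE_WINDOW):
    """Flag sources with >= threshold failed logons (4625) inside a sliding window.

    A successful logon (4624) from the same source within one window of the last
    failure is recorded as success_after: a password-guessing run that ended in
    a valid logon needs a response, not just a ticket.
    """
    events = sorted(events, key=lambda e: parse_time(e["time"]))
    recent = defaultdict(list)   # src -> failure times still inside the window
    alerts = {}                  # src -> alert record (one per source)
    for event in events:
        src = event.get("src")
        when = parse_time(event["time"])
        if event["id"] == 4625:
            window_failures = recent[src]
            window_failures.append(when)
            while when - window_failures[0] > window:   # drop failures that aged out
                window_failures.pop(0)
            if src in alerts:
                # keep counting failures after the alert fired (total since the burst began)
                alerts[src]["failures"] += 1
                alerts[src]["last"] = when
            elif len(window_failures) >= threshold:
                alerts[src] = {"src": src, "user": event["user"], "host": event["host"],
                               "failures": len(window_failures), "first": window_failures[0],
                               "last": when, "success_after": False}
        elif event["id"] == 4624 and src in alerts:
            if alerts[src]["last"] <= when <= alerts[src]["last"] + window:
                alerts[src]["success_after"] = True
    return list(alerts.values())


def detect_privileged_group_changes(events, approved=APPROVED_ADMINS, groups=PRIVILEGED_GROUPS):
    """Report every addition to a privileged group (4728/4732), oldest first.

    Changes made by an account outside the approved set are the ones to chase;
    approved changes are still returned so they can be reconciled against tickets.
    """
    findings = []
    for event in sorted(events, key=lambda e: parse_time(e["time"])):
        if event["id"] in (4728, 4732) and event["group"] in groups:
            findings.append({"time": event["time"], "host": event["host"], "group": event["group"],
                             "member": event["member"], "actor": event["subject"],
                             "approved_actor": event["subject"] in approved})
    return findings


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_EVENTS):
        print("Brute force from {src} against {user}@{host}: {failures} failures, "
              "success_after={success_after}".format(**alert))
    for finding in detect_privileged_group_changes(SAMPLE_EVENTS):
        print("{member} added to {group} on {host} by {actor} "
              "(approved_actor={approved_actor})".format(**finding))
```

On the sample data the single failed logon from 10.0.0.9 never reaches the threshold and produces nothing, the six failures from 10.0.0.5 followed by a success produce one urgent alert, and both additions to Administrators are reported, with only the one made by svc_backup marked as coming from an unapproved actor. In production the same two functions would be fed from an event export or a log collector rather than from the inline list; the thresholds and the approved list are the parts you would expect to tune.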