Blue teaming is hard! (image credit: Geoff Pryor)
First tip on that list is accepting that you cannot prevent all hacks. An attacker with enough time, motivation, and resources will eventually succeed; attackers of that kind are commonly known as Advanced Persistent Threats (APTs). The advice on how to deal with APTs can fill many books and is beyond the scope of this blog post.
Second tip is to build a regular patching process, usually weekly. All software has vulnerabilities, and it is essential that every piece of software your company uses is kept on a supported version with current security patches applied. The weekly cycle is the baseline; a fix for an actively exploited bug should go out when it lands, not at the next scheduled window.
Third tip is to educate everyone in your company on basic threats like phishing emails, plugging in unfamiliar USB drives, and installing unapproved software (assuming they have install rights to begin with). Specialized education should be given to developers in your organization to make sure they are writing secure code and testing it before it goes into production.
Fourth tip is to scan all of your assets for vulnerabilities, weekly if possible, and send automated reports to the system owners responsible for addressing those vulnerabilities. Ideally you will have regular contact with these system owners and can review the reports together to validate they have a process in place for addressing the high severity vulnerabilities and understand the risk level they present to the organization. It is useful to keep track of trending vulnerability data to help monitor which teams are on top of their patching, and who needs to pick up the slack.
Fifth tip is to segment your network as much as possible to prevent lateral movement. If someone does click a phishing email and their system is compromised, your network should limit what that compromised system can reach, so that it cannot get to more sensitive systems such as the databases that were leaked in some of the previously mentioned breaches. A workstation rarely needs to talk to a database server directly: it should only be able to reach the application tier, and only the application tier should be able to reach the database.
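As an added illustration (this is not code from the original post), here is a small Python check of the "what can a compromised workstation reach?" question that segmentation is meant to answer. The zone names, CIDRs, ports and rule format are assumptions made for the example; a default-deny, first-match policy is evaluated for a workstation against a flat network and against a segmented one.

```python
"""Compare a flat and a segmented policy for lateral-movement exposure.

Added example, not from the original post. Zones, addresses, ports and the
rule format are constructed assumptions; real firewalls differ in syntax but
the first-match, default-deny evaluation is the same idea.
"""
import ipaddress

# Constructed network zones (CIDRs are assumptions).
ZONES = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "app": ipaddress.ip_network("10.20.0.0/24"),
    "db": ipaddress.ip_network("10.30.0.0/24"),
}

# A rule is (source zone, destination zone, destination port or "any", action).
# Rules are evaluated top to bottom, first match wins, unmatched traffic is denied.
FLAT_POLICY = [
    ("workstations", "any", "any", "allow"),   # the typical flat network
]

SEGMENTED_POLICY = [
    ("workstations", "app", 443, "allow"),     # users reach the web tier only
    ("app", "db", 5432, "allow"),              # only app servers talk to the database
    ("any", "any", "any", "deny"),             # explicit default deny
]


def zone_of(ip):
    """Return the zone name containing ip, or None if it is in no known zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_allowed(policy, src_ip, dst_ip, dst_port):
    """First-match evaluation of policy for one flow; default deny."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule_src, rule_dst, rule_port, action in policy:
        if (rule_src in (src, "any") and rule_dst in (dst, "any")
                and rule_port in (dst_port, "any")):
            return action == "allow"
    return False


def reachable_from(policy, src_ip, targets):
    """Subset of (dst_ip, dst_port) pairs a host at src_ip can reach under policy."""
    return [(ip, port) for ip, port in targets
            if is_allowed(policy, src_ip, ip, port)]


if __name__ == "__main__":
    # Constructed: a phished workstation and the interesting targets on the network.
    workstation = "10.10.4.21"
    targets = [("10.20.0.5", 443), ("10.30.0.7", 5432), ("10.30.0.7", 22)]
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{name}: compromised workstation can reach "
              f"{reachable_from(policy, workstation, targets)}")
```

Run the same check from the application tier's addresses as well: under the segmented policy the app servers reach the database on its service port and nothing else, which is exactly the path an attacker is forced to take, and therefore the path to monitor.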
Sixth tip is to consider adopting a bug bounty program, and/or hire third-party penetration testers to test your defenses. Learn from the issues they find and adapt your environment to become more secure. Reward your bug bounty hackers well and word will spread that you value their efforts; before long you'll have a small army of whitehat hackers competing to find and report issues. It's better to pay a whitehat $10,000 for reporting an SQL injection vulnerability in a sensitive database than to have a blackhat find and exploit it so you end up on another breach list. Related to this, have a reliable contact method for reporting security issues, usually a security@ email address that goes to your InfoSec team, and make sure someone actually triages what arrives there.
Seventh tip is to have a reliable inventory of assets on your network, and a regularly updated contacts list for those assets and for all business units. I can't tell you how many times I've found a vulnerability in an asset on the network, but I can't easily identify who's responsible for that system.
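The fourth and seventh tips fit together: scan results are only useful if they can be routed to someone. As an added example (not code from the original post), here is a small Python pipeline that joins a scanner export to an asset inventory, groups findings by owning team, flags findings past a per-severity SLA, and produces the per-team counts you would store weekly for trending. The CSV columns, the team names, the SLA days and the sample findings are all constructed assumptions for illustration.

```python
"""Route scan findings to the teams that own the affected assets.

Added example, not code from the original post. The inventory and scanner
export below are constructed sample data; the column names, the SLA days
and the team names are assumptions made for illustration.
"""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed asset inventory (what a CMDB export might look like).
INVENTORY_CSV = """hostname,owner_team,contact
web-01,platform,platform@example.com
web-02,platform,platform@example.com
db-01,data,data@example.com
"""

# Constructed scanner export; first_seen is the date the finding first appeared.
FINDINGS_CSV = """hostname,plugin,severity,first_seen
web-01,Outdated OpenSSL,High,2019-05-01
web-01,Directory listing enabled,Low,2019-05-20
web-02,Outdated OpenSSL,High,2019-05-01
db-01,Default credentials,Critical,2019-05-25
legacy-fs,SMBv1 enabled,High,2019-04-10
"""

# Assumed remediation SLA in days per severity (a policy choice, not from the post).
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}


def load_inventory(text):
    """hostname -> inventory row."""
    return {row["hostname"]: row for row in csv.DictReader(io.StringIO(text))}


def load_findings(text):
    return list(csv.DictReader(io.StringIO(text)))


def route_findings(findings, inventory, today):
    """Group findings by owning team. Hosts missing from the inventory land in
    an UNOWNED bucket so the inventory gap itself becomes a ticket. Each finding
    is annotated with its age and whether it is past the SLA for its severity."""
    reports = defaultdict(list)
    for f in findings:
        owner = inventory.get(f["hostname"], {}).get("owner_team", "UNOWNED")
        age = (today - date.fromisoformat(f["first_seen"])).days
        reports[owner].append({**f, "age_days": age,
                               "overdue": age > SLA_DAYS[f["severity"]]})
    return dict(reports)


def summarize(reports):
    """Per-team open and overdue counts; store these weekly to see the trend."""
    return {team: {"open": len(items),
                   "overdue": sum(1 for i in items if i["overdue"])}
            for team, items in reports.items()}


def build_report(today=date(2019, 6, 10)):
    """Run the whole pipeline on the constructed data for a fixed 'today'."""
    inventory = load_inventory(INVENTORY_CSV)
    reports = route_findings(load_findings(FINDINGS_CSV), inventory, today)
    return reports, summarize(reports)


if __name__ == "__main__":
    reports, summary = build_report()
    for team in sorted(reports):
        print(f"== {team}: {summary[team]['open']} open, "
              f"{summary[team]['overdue']} past SLA")
        for item in reports[team]:
            flag = "OVERDUE" if item["overdue"] else "ok"
            print(f"  [{item['severity']}] {item['hostname']}: "
                  f"{item['plugin']} ({item['age_days']}d, {flag})")
```

In the constructed data the host legacy-fs has a high-severity finding but no inventory entry, so it ends up in the UNOWNED bucket; that bucket is the list of systems nobody will patch until an owner is found, and it is worth reviewing before the per-team reports.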
I'd consider this a short list of low-hanging fruit, and not at all comprehensive. Security is hard, but usually you just have to make some effort to not be so easy to hack that any low-skilled attacker can compromise you in minutes. I hope this list helps someone out there, and if you have questions feel free to reach out to me on Twitter.
Great checklist and good advice for any IT executive.