As cyberattacks increase and become more dangerous by the day, every company must have a solid cybersecurity game plan in place, then follow it closely. The game plan needs to be structured, with an extremely well-thought-out policy, process, and procedure to cover each of the following areas:
A: Standardization. Employee PCs are the preferred way hackers breach a company, so let’s start there. An example of a company policy standard is that all employee hard drives must be encrypted, without exception. Another is that no USB drives may be inserted into a company device. Controls may also be set through the use of a standard hard drive image. This basically means each company PC, broken down by department, must contain a hard drive configuration identical to every other hard drive for that department. Salespeople all receive a laptop tailored for sales personnel, HR employees get the HR configuration, and accounting employees are assigned one just for accounting. This is true for every department in the company. If five departmental PCs were lined up next to each other, when they boot up for the first time, you shouldn’t be able to tell one from another. The version of the operating system, and applications, will start off as a duplicate for each person in the department, and the images will be frequently updated. A company can allow their employees the ability to move their icons around, or change the default background and screen saver supplied by the operating system creators, but not much more than that. I’ve seen many PCs become infected due to free screen savers that employees downloaded from the internet.
B: Employee Training. Cybersecurity training is so important; an uninformed employee may accidentally mess up, because we’re all only human. Most employees dread online training because they find it boring, or feel it takes too much time away from their normal work. A company should really dig into multiple training products before they buy one, as some can be engaging for the employee, as well as informative.
C: Deskside Support and the Help Desk. For small companies, both of these groups can be combined into one unit, though large companies might outsource them. Deskside support refers to the team who puts together and configures the PCs for company employees, preferably from the standard image I mentioned. Deskside support personnel also transfer data from an employee’s laptop to a new one when the old one fails, or becomes obsolete. Employees call the help desk when they have a specific problem with their system, such as a hard drive failure, corrupted memory, application issues, or if the system mysteriously won’t boot up. The help desk will work with employees remotely to diagnose the issue, and fix it if they can. The purpose of deskside support and the help desk is to help employees solve their problem as quickly as possible. In relation to cybersecurity breaches, these groups are the first line of defense when an employee reports something strange is happening with their system, and they’re the ones best able to recognize if PC security has been compromised.
D: Physical Security. How does a company keep hackers, social engineers, and just plain thieves from gaining entry to their facilities? Many use a badge system, or one based on biometrics. These systems were costly at one time, but prices have come down to where they’re affordable for most companies. Social engineers will definitely try to work around them — one method they employ is sneaking in behind an employee with legitimate access to the facility, using a technique called tailgating. A company should place cameras at all entrances and exits, as well as throughout their facility, to record these areas 24/7. Site security is a topic that must be emphasized during employee cybersecurity training.
E: Physical Locks for Laptops. A $20 lock is the best way for an employee to physically secure their laptop to prevent it from being stolen. A 2017 Kensington study reported that 24 percent of laptop thefts occurred at the office, while 27 percent were taken from transportation vehicles, especially cars. Employees must put their laptop inside the car trunk if they can’t take it with them, or secure it to the desk when they’re in the office if there’s no lockable cabinet. Laptops are a choice item to steal, and will disappear in the blink of an eye.
F: Limit Employee Permissions. Passwords annoy employees, but they slow down hackers quite well. Restrict employees’ abilities to change passwords to something weak that someone could easily guess. A hacker must put in extra work to crack each password level before they can reach the operating system, and applications. Time is a crucial factor when a company laptop falls into their hands.
G: Force Software Updates at Login. To gain access to the corporate network, employee PC software must be current. If employees are given the choice to do an available update, they’ll generally put it off. The VPN client, operating system, and antivirus software should be updated to the most current version before a PC can access the corporate network, to detect, block, and remove security vulnerabilities.
H: Remove Employees’ Ability to Install Apps. The reasons for this are many, and all of them are good for the company’s bottom line. If allowed, employees could install free software from the internet, and bring hackers straight into the environment. Need I say more? Much of the free software on the internet is put there by hackers as a trap, so don’t allow employees to needlessly let them into your environment.
I: Hardware Standardization. Smart companies buy their PCs and servers from one manufacturer. That’s wonderful; personally, I take it two steps further: whether I’m buying 50 servers, or 100 PCs at a time, I order the identical model, then say I want them to come from the same batch off the assembly line, with consecutive serial numbers. Why? Because even if hardware is the same exact model, the parts inside of it may be different. Like a car maker, hardware manufacturers have multiple vendors, and buy the most economical part available at the time. Requesting consecutive serial numbers is a good way to avoid that.
J: Backups. Company servers must be backed up every day. When a hacker gains access to a server and erases a data volume before they’re discovered, that’s a major issue. If daily backups aren’t done, a company loses valuable info they must painfully recreate, and it’s no longer an issue — it’s a nightmare.
K: Server Standards. It’s not realistic to build identical server images, unless they’re performing the same function. With that being said, policies that define server standards must be in place. Before a server is put into production, it must go through a rigorous examination during what I call the Start of Service (SOS) phase. When a server is finally put into production, it means the server is solid, all the applications have been thoroughly tested, and it’s ready for use by employees or customers from that point forward.
L: Endpoint Management, Patches and Updates. This is absolutely critical, as exploiting security exposures is one way hackers will breach your network. An internal endpoint manager is great for any company, because it can deliver updates to thousands of PCs at the same time. This is different from an external update, like the one that delivered malware to 18,000 customers of SolarWinds, one of the most infamous cyberattacks in history. Patching a server with 1,000 users on it is in a completely different category. It’s obvious a major server can’t be updated as easily as a PC. A software update problem — one that brings down an important server — will take a big financial chunk out of a company’s bottom line.
M: Maintenance Windows. Servers may only be patched or updated during a specified window of time, called the maintenance window. This is usually four to six consecutive hours in a month, typically on the weekends, as specified in a Service Level Agreement, or SLA. The maintenance window doesn’t count as downtime, but websites should always stay online, because they use multiple servers. Security patches take precedence over the maintenance window, and are applied as soon as they’re available, even when it’s outside of the hours agreed upon in the SLA.
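The scheduling rule in section M, as an added example that is not part of the original article: ordinary server changes wait for the SLA maintenance window, while security patches may go ahead at once. The specific window (a four-hour slot every Saturday from 02:00) is a constructed assumption standing in for whatever a real SLA specifies.

```python
# Added example: decide whether a change may be applied now under a maintenance-window SLA.
# The window definition below is a constructed assumption, not taken from the article.
from datetime import datetime, timedelta

# Hypothetical SLA: a four-hour window every Saturday starting 02:00 local time.
WINDOW_WEEKDAY = 5          # Monday=0 ... Saturday=5
WINDOW_START_HOUR = 2
WINDOW_LENGTH = timedelta(hours=4)

def next_window_start(now):
    """Return the start of the current or next maintenance window at or after `now`."""
    days_ahead = (WINDOW_WEEKDAY - now.weekday()) % 7
    start = now.replace(hour=WINDOW_START_HOUR, minute=0, second=0, microsecond=0)
    start += timedelta(days=days_ahead)
    if start + WINDOW_LENGTH <= now:    # this week's window has already closed
        start += timedelta(days=7)
    return start

def in_window(now):
    """True when `now` falls inside the maintenance window."""
    start = next_window_start(now)
    return start <= now < start + WINDOW_LENGTH

def may_apply(change_type, now):
    """Return (allowed_now, earliest_time). Security patches bypass the window entirely."""
    if change_type == "security_patch":
        return True, now
    if in_window(now):
        return True, now
    return False, next_window_start(now)

def decide(change_type, when_text):
    """Convenience wrapper using ISO 8601 timestamps, e.g. for a change-request tool."""
    allowed, earliest = may_apply(change_type, datetime.fromisoformat(when_text))
    return allowed, earliest.isoformat(timespec="minutes")

if __name__ == "__main__":
    for change in ("os_upgrade", "security_patch"):
        print(change, decide(change, "2024-03-06T10:00"))
```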
N: Change Control. A Change Control Request, or CCR, is a detailed breakdown of the work to be done on a server, network, phone system, or any IT move, add, or change — similar to getting a repair estimate for your car. A mechanic lists what they need to fix, but once they start, they may find other problems to correct, and the estimate is revised. A CCR for a server is similar, and every change is requested or approved, progress is tracked, and after the work is successfully done, the request is closed. Then it becomes a read-only record, and is archived for future reference. CCRs are extremely important for evidence following a data breach, and cybersecurity forensics teams will study them closely.
O: Problem Management Records. Different from a CCR, Problem Management Records allow the cybersecurity team to make their own judgement calls on the spot, and then get manager approval later. This is invaluable in emergency situations, such as when security patches need to be applied quickly to prevent vulnerabilities from being exploited by hackers, or in cases of hardware failure.
P: Network Architecture. What can be more important than a network architecture designed to optimize cybersecurity defense, and minimize data breaches? For company networks, it’s the equivalent of designing castle walls to keep out invaders. A small- to medium-size business usually can’t justify the cost of a full-time architect, and will hire an established firm to work with their network team. Great network architecture will result in a smooth running and very solidly protected corporate network.
Q: Network Penetration Testing. Also known as pen testing, this is the scanning of a company’s network to test the strength of its security and determine whether the network can be penetrated. Scans are run against the network, searching for security vulnerabilities, such as ports that can be exploited by hackers and are open by default when they should be closed. I recommend companies hire an external third party to run the tests, due to their objectivity, expertise, and specialized tools.
R: Network Firewalls and Intrusion Detection Systems. Ten years ago, hardware like this was very pricey, but the costs have dropped tremendously. Routers and firewalls are a must-have, but in my mind, so are multiple types of intrusion detection systems. A network intrusion detection system (NIDS) will monitor the data traffic on your network and report any suspicious behavior. A host-based intrusion detection system (HIDS) will monitor the hosts — like PCs and servers on your network — for changes that conflict with the company cybersecurity policy, as well as other suspicious activity. An intrusion detection and prevention system (IDPS) is the next level up, as it can do more than just monitor the network.
S: Network Engineers. When hiring one, a company must vet them well. You can have the best network design, awesome hardware, and great monitoring software tools, but without a team of solid network engineers, your company will still be vulnerable to cyberattacks and data breaches. When it comes down to crunch time, network engineers work hand in hand with the cybersecurity team to squash critical threats.
T: Redundant Hardware. If a hacker gets on your network and damages a server OS file system, or tries to erase a storage device, sometimes the only way to stop them is to momentarily take the server down, identify and kick the hackers off the network, and bring the redundant device online. The OS file system on a redundant server will be set to read only, and files can’t be manipulated as they can be on the primary server.
U: Failover Hardware. Unlike redundant hardware, there is no time delay between replication of a primary storage device and its failover; this is done by design. For major online retailers like Amazon, each minute of downtime can cost a million dollars or more. Failover hardware is a must-have for cases when hardware dies, because the failover device will take over immediately, and business will go on as usual. It takes deep pockets to have a primary device, redundant hardware, and a failover, but for an online retail company whose websites must be available 100 percent of the time, this is the way they’ll need to go.
V: Proper Server Security Classification. This is huge — when a server is incorrectly classified at a lower security level than it should be, that gives hackers a better chance to break into the network or take down your website. Hackers love to go after internet-exposed servers, like sites used for selling products to customers. If a website server is accidentally given a lower security classification, such as that for a server used internally to test old software products, that’s a no-no. Company policy should require that website servers be updated immediately once an emergency security patch is released, while more time is given for a test server because it’s behind so many layers of protection. I’ve inherited servers incorrectly given a lower security classification, and it can be very hard to bring them up to speed without disruption.
W: Obsolete Operating Systems and Contained Environments. Sometimes a software company must continue to support their apps running on an old operating system that’s no longer supported by the OS maker. OS makers will no longer provide operating system security patches for these obsolete systems. As a workaround, a company can put any server running on an obsolete operating system into a contained environment, where it’s boxed in behind so many layers of network protection that only a very restricted group of employees can access it. As new security patches will never be released for the obsolete operating systems, this is the best a company can do in most circumstances.
X: Implementation. After a server has been built, tested, and put into production, implementation of the cybersecurity policies laid out by the company must continue to be strictly followed. On paper, a company can have the best policies in the world, but they need to be closely adhered to for them to be effective. Only by ensuring that the cybersecurity team knows the company policy for each task they perform, and then continues to stick to them without deviation, will security vulnerabilities be closed to cyberattacks.
Y: Compliance and Device Checkups. What’s a device checkup? Think of it as the equivalent of an annual checkup with your doctor, where they run tests against your prior baselines. A device checkup is similar, and will give a complete picture of a server’s current compliance posture in comparison to previous cybersecurity results for IP scanning, patch updates, server administrator, root account management, backups, antivirus, and other areas of interest. This will be true for each company server exposed to the internet, or any internal server that contains confidential employee information, valuable customer info, or intellectual property. Device checkups for production servers are assembled every quarter, and stored in a secure online repository for at least two years. A company with strong cybersecurity policies in place, and a team who correctly implements them, will amass a large amount of good compliance data about their servers. Each server will have its own data collection in the repository, and when it’s examined, it will reveal if they’re compliant. If not, a close investigation will also reveal when, where, why, and how deviations occurred. This is critically important, not only to understand the compliance status for each server, but it will also lead into another crucial phase in the cybersecurity lifecycle of a server: internal auditing.
Z: Internal Auditing. How can a company know if their servers have been kept compliant without regular internal audits? If a server is picked for an internal audit, the cybersecurity team must defend how well they’ve managed the server, as measured against the company’s policies. From the time a server is built, through when it’s put into production, and as it develops into a server that may service thousands of users, data about the server was tracked, collected, and stored in a repository. We know that once per quarter, the cybersecurity team compiles the data into a device checkup. Auditors will request device checkups for the servers they’ve picked for audit, and the cybersecurity team must present them in a timely fashion, as well as any updates since the last device checkup was completed. With the evidence in hand, auditors will closely examine the compliance history of the server. The purpose of the audit is to reveal whether or not the cybersecurity team has followed company policy to the letter, for every variable that would expose the server to a data breach. When it comes to internal audits, failure is not an option; for each data point a server fails on, that’s an exposure hackers could exploit if they were able to penetrate the network and attack the server. As the stakes are so high, an audit can spiral into an emotional, adversarial relationship, one that pits the auditors against the cybersecurity team. This should be avoided at all costs.
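The device checkup from section Y and the audit walk-through from section Z, as an added example that is not the article's own tooling: each quarterly snapshot of a server is checked against policy, and the history is walked so an auditor can see where a deviation occurred and in which quarter it first appeared. The policy values and the three snapshots are constructed sample data for one hypothetical internet-facing web server.

```python
# Added example: quarterly device checkup and compliance-history audit.
# POLICY and SNAPSHOTS are constructed sample data, not values from the article.

POLICY = {
    "allowed_ports": {22, 443},               # baseline for a web server exposed to the internet
    "approved_admins": {"root", "ops-admin"}, # section Y: server administrator / root accounts
    "max_backup_age_days": 1,                 # section J: servers are backed up every day
    "max_av_signature_age_days": 7,
    "required_patch_level": "2023-06",        # hypothetical patch baseline, YYYY-MM
}

# Constructed checkup snapshots for one server, one per quarter.
SNAPSHOTS = [
    {"quarter": "2023Q1", "open_ports": {22, 443}, "admins": {"root", "ops-admin"},
     "backup_age_days": 0, "av_signature_age_days": 2, "patch_level": "2023-06"},
    {"quarter": "2023Q2", "open_ports": {22, 443}, "admins": {"root", "ops-admin"},
     "backup_age_days": 1, "av_signature_age_days": 3, "patch_level": "2023-06"},
    {"quarter": "2023Q3", "open_ports": {22, 443, 23},
     "admins": {"root", "ops-admin", "tmp-vendor"},
     "backup_age_days": 9, "av_signature_age_days": 1, "patch_level": "2023-06"},
]

def checkup(snapshot, policy=POLICY):
    """Return a dict of field -> description for every policy violation in one snapshot."""
    findings = {}
    extra_ports = snapshot["open_ports"] - policy["allowed_ports"]
    if extra_ports:
        findings["open_ports"] = f"unexpected open ports {sorted(extra_ports)}"
    extra_admins = snapshot["admins"] - policy["approved_admins"]
    if extra_admins:
        findings["admins"] = f"unapproved admin accounts {sorted(extra_admins)}"
    if snapshot["backup_age_days"] > policy["max_backup_age_days"]:
        findings["backups"] = f"last backup {snapshot['backup_age_days']} days old"
    if snapshot["av_signature_age_days"] > policy["max_av_signature_age_days"]:
        findings["antivirus"] = f"signatures {snapshot['av_signature_age_days']} days old"
    if snapshot["patch_level"] < policy["required_patch_level"]:   # YYYY-MM sorts lexically
        findings["patches"] = f"patch level {snapshot['patch_level']} below {policy['required_patch_level']}"
    return findings

def audit_history(snapshots, policy=POLICY):
    """Walk the quarterly record; map each deviating field to the quarter it first appeared."""
    first_seen = {}
    for snap in sorted(snapshots, key=lambda s: s["quarter"]):
        for field, detail in checkup(snap, policy).items():
            first_seen.setdefault(field, (snap["quarter"], detail))
    return first_seen

if __name__ == "__main__":
    for field, (quarter, detail) in audit_history(SNAPSHOTS).items():
        print(f"{field}: {detail} (first seen {quarter})")
```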
About the Author
Johnny Young (aka JohnE Upgrade) is a 35-year veteran of the cybersecurity industry. He shares his expertise in a video streaming subscription series called “Cyber D,” a repository of education on cybersecurity at the corporate level.