 

5 Security Best Practices Every IT Pro Needs To Know


What must IT pros know in order to maintain security without diminishing end users' productivity? Here are five InfoSec best practices businesses should implement today.

Many small to midsize businesses have IT departments that double as the information security staff. But security is often at loggerheads with IT: the job of IT is to make sure users can reach their systems and data and stay productive, while security's job is to reduce risk, even when that makes work more cumbersome.

This apparent conflict of interests is exacerbated by the fact that IT staff is generally rewarded and compensated on how well IT works, and how little downtime there is, rather than how secure the corporate resources are, or how well IT is able to mitigate data breaches.

For SMBs without dedicated InfoSec employees, the question becomes: what basic components should the IT staff know in order to secure their systems without impacting how users work? Here are five crucial InfoSec rules all network and help desk staff should know, even if security is not in their primary job description.

Maintaining Proactive Security

While many of a company's security controls can be automated, the most serious vulnerability cannot be patched or hardwired: it is the end user. The 2011 breach at security vendor RSA began when an employee retrieved a phishing email that the mail filter had already routed into the junk folder and opened its attachment.

Social engineering of employees is perhaps one of the most difficult problems for a company to overcome, but also one of the most important for the IT team to understand. Companies need to set up policies and procedures to address potential social engineering contacts and encourage employees to follow the procedures.

Let's take a look at these five lessons that are most critical for the IT staff to know:

  1. Use the log files that your applications and network devices already create to identify potential issues.
  2. Phishing, a form of social engineering, is an extremely popular attack vector. Teach your users to recognize a phishing attempt and not to open email attachments unless the attachment is expected and its sender can be verified. If a user is unsure about an attachment, the corporate policy for verifying it with IT should be followed rather than guessing.
  3. Tell your users that if they get a phone call from someone claiming to be a fellow employee who asks questions that seem inappropriate or unusual, they should confirm the caller's identity and authorization before divulging any information.
  4. Require every person going through a security door to present his or her own ID. Do not hold doors open for strangers or allow others to tailgate through a door you have badged open.
  5. Teach your users to never put a thumb drive or other storage device into a corporate computer if the user does not know where the drive originated. A popular ploy of attackers is to give away infected thumb drives or "drop" them in parking lots of target companies. If in doubt about the safety of a thumb drive or other storage device, employees should ask the IT staff to scan it first for potential malware before inserting it into any computer.

Understanding Log Files

Most networked devices in a company generate log files of network or device activity. Unfortunately, many companies have neither the trained staff nor the time to scrutinize these logs for anomalous activity. Yet these files are generally the first thing forensic investigators ask for after a data breach, because they often hold the only record of how the breach unfolded.

Even SMBs without dedicated security teams should monitor log files from firewalls, operating system event logs and other devices. While not every company needs to invest in an enterprise-class Security Information and Event Management (SIEM) system, there are many low-cost alternatives that can perform the rudimentary tasks, identifying potential breaches based on reading log files.

The key to understanding log files is to identify what doesn't belong. Most log files will contain volumes of duplicate and mundane information. In order to identify what does not belong, it is essential to identify what constitutes a baseline -- the day-in and day-out log entries that show normal, acceptable activity so that anomalies will stand out.

If a network log, for example, shows that Joe from accounting authenticated from an IP address in China at 2 a.m., while the same logs show him working from the Chicago office the previous afternoon, that anomaly could indicate that Joe's credentials have been compromised. It is a signal to verify, not proof: a VPN, a cloud proxy or a business trip can produce the same pattern, so the baseline has to include where and when each user normally connects.

Similarly, if the logs show a database server sending data off the network through a port it does not normally use, or to a destination it has never talked to before, that too can signal a potential breach.
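The two scenarios above, impossible travel on an account and unusual egress from a server, are both baseline-and-deviation checks, so a small script can do the rudimentary SIEM work the article describes. The example below is an added illustration, not code from the original article or from any product it mentions. The log formats, the log lines themselves, the business-hours window, the 24-hour travel window and the 10x byte threshold are all constructed assumptions for the demonstration; the baseline for each user or host is built from the events that precede the one being judged.

```python
"""Baseline-and-anomaly checks over constructed authentication and flow logs.

Added example (not from the article). Assumed, hypothetical line formats:
  auth: "<ISO timestamp> user=<name> src=<ip> country=<CC> result=<ok|fail>"
  flow: "<ISO timestamp> host=<name> dst=<ip> dport=<port> bytes=<n>"
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample data: Joe works from Chicago by day, then one night
# an "ok" login arrives from a foreign address.
AUTH_LOG = """\
2024-03-04T09:02:11 user=joe src=10.1.4.22 country=US result=ok
2024-03-04T13:15:40 user=joe src=10.1.4.22 country=US result=ok
2024-03-05T08:58:03 user=joe src=10.1.4.22 country=US result=ok
2024-03-05T14:30:19 user=joe src=10.1.4.22 country=US result=ok
2024-03-06T02:07:55 user=joe src=203.0.113.45 country=CN result=ok
"""

# Constructed sample data: db01 normally serves SQL to two internal app
# servers, then pushes a large volume to an outside host on a new port.
FLOW_LOG = """\
2024-03-04T10:00:00 host=db01 dst=10.1.2.10 dport=1433 bytes=48213
2024-03-04T11:00:00 host=db01 dst=10.1.2.11 dport=1433 bytes=39555
2024-03-05T10:00:00 host=db01 dst=10.1.2.10 dport=1433 bytes=50102
2024-03-06T03:12:44 host=db01 dst=198.51.100.9 dport=8443 bytes=734000000
"""


def parse(line):
    """Turn 'ts k=v k=v ...' into a dict; the timestamp becomes a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def auth_anomalies(log, business_hours=(7, 19), travel_window_h=24):
    """Flag off-hours logins, never-before-seen countries and country
    changes faster than travel_window_h. Baseline = prior successful logins."""
    seen_countries = defaultdict(set)   # user -> countries seen in baseline
    last_ok = {}                        # user -> most recent successful login
    findings = []
    for line in log.splitlines():
        ev = parse(line)
        user, reasons = ev["user"], []
        hour = ev["ts"].hour
        if not business_hours[0] <= hour < business_hours[1]:
            reasons.append(f"off-hours login at {hour:02d}:00")
        if seen_countries[user] and ev["country"] not in seen_countries[user]:
            reasons.append(f"new country {ev['country']} "
                           f"(baseline {sorted(seen_countries[user])})")
        prev = last_ok.get(user)
        if prev and prev["country"] != ev["country"]:
            gap_h = (ev["ts"] - prev["ts"]).total_seconds() / 3600
            if gap_h < travel_window_h:
                reasons.append(f"{prev['country']}->{ev['country']} "
                               f"within {gap_h:.1f}h (impossible travel)")
        if reasons:
            findings.append((ev["ts"].isoformat(), user, ev["src"], reasons))
        if ev["result"] == "ok":        # only successes extend the baseline
            seen_countries[user].add(ev["country"])
            last_ok[user] = ev
    return findings


def flow_anomalies(log, internal=ipaddress.ip_network("10.0.0.0/8"),
                   volume_factor=10):
    """Flag new destination ports, external destinations and transfers more
    than volume_factor times the largest transfer seen so far for that host."""
    seen_ports = defaultdict(set)       # host -> destination ports in baseline
    max_bytes = {}                      # host -> largest transfer in baseline
    findings = []
    for line in log.splitlines():
        ev = parse(line)
        host, port, nbytes = ev["host"], int(ev["dport"]), int(ev["bytes"])
        reasons = []
        if seen_ports[host] and port not in seen_ports[host]:
            reasons.append(f"new destination port {port} "
                           f"(baseline {sorted(seen_ports[host])})")
        if ipaddress.ip_address(ev["dst"]) not in internal:
            reasons.append(f"external destination {ev['dst']}")
        if host in max_bytes and nbytes > volume_factor * max_bytes[host]:
            reasons.append(f"{nbytes} bytes vs baseline max {max_bytes[host]}")
        if reasons:
            findings.append((ev["ts"].isoformat(), host, reasons))
        seen_ports[host].add(port)
        max_bytes[host] = max(max_bytes.get(host, 0), nbytes)
    return findings


if __name__ == "__main__":
    for f in auth_anomalies(AUTH_LOG) + flow_anomalies(FLOW_LOG):
        print(f)
```

On the sample data the script raises exactly two findings: the 2 a.m. login from a new country that follows a Chicago login by under twelve hours, and the db01 transfer to an outside host on a port it has never used, hundreds of times larger than anything in its baseline. The first few days of real logs will generate noise while the baseline fills in; the point is that each rule compares an event against what that specific user or host did before, not against a fixed list of "bad" values.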

Defending Against Social Engineering

Phishing and spear phishing are two of the most popular ways to deliver malware because the messages can be easily disguised as legitimate email. It was, in fact, a spear-phishing email that started the massive 2011 breach at security vendor RSA. These attacks play on the recipient's expectation that the email in their inbox is genuine.

Employees need to be aware of company policies against opening messages and attachments that are unexpected or not from people they know. Keep in mind that a spear-phishing message will often carry a familiar sender name, so a recognizable name in the From line is not verification on its own. Companies should create policies and procedures for employees to work with the IT team to verify and authenticate questionable emails.

Social engineering is a serious problem in companies, and it is not limited to email. Telephone spear phishing (often called vishing) is a common way for an outsider to call an employee and simply ask for credentials. Employees should not answer company-confidential questions over the phone for anyone they have not authenticated as an employee with the right to know the information.

For example, if an employee gets a call from a person identifying himself as someone from the "help desk" or "support" who asks about a user's password, or whether another employee is at their desk, company policy should require the person receiving the call to first confirm that the request really comes from someone in the company with a need to know. Policies will vary by company, but at a minimum the recipient should hang up and call back on a published internal number, or confirm with their supervisor or an IT supervisor that the request is authorized.


Physical Security

Too often companies are breached because an attacker gains physical access to sensitive data without being challenged or authenticated. Even SMBs have confidential data that should be secured by more than a locked office door. At minimum, critical servers should be protected by two different factors: something the person has or is, such as a physical token or a biometric scan, plus something the person knows, such as a password or PIN (personal identification number).

Card keys or proximity (NFC) badges can be used for outside doors, and company policy should require that no employee let another person into the building without that person using their own badge.

But physical security is more than just keeping bad guys physically out of the office; it also means keeping what they carry out of the network. IT departments should have rules about what kinds of thumb drives employees are permitted to plug into their systems. While new thumb drives still in their retail packaging are generally safe from malware, storage devices that employees pick up at a trade show or find lying on the ground in the parking lot may well be infected.

Because so many thumb drives are used daily, it can be problematic for IT to test every drive users bring in. One approach is to set up a scanning station (often called a "sheep dip") in a common area: a PC on its own network segment, firewalled from any critical systems, and configured with high-quality antivirus, anti-malware and other security software so the device can be checked for malicious content before it touches a production machine. Note that a file scan only examines stored data; a device that presents itself to the computer as a keyboard rather than as storage will not be caught by antivirus, which is one more reason unknown devices should not be plugged into anything important.

Some risk managers consider any USB-connected device with data on it an unacceptable network risk and require that users who want to connect such a device first perform a complete format of the media. Corporate risk requirements will dictate how strict the controls on non-corporate USB storage are, but that decision should be part of every company's risk plan.
