Getting a Handle on Security
ECHO’s been getting a lot of questions lately from clients with security concerns. This isn’t surprising, given the high-profile breaches that have forced most of us to think about our relationships with companies we trusted to keep our information safe. As if taking our shoes off before boarding an airplane wasn’t bad enough, the threat landscape nowadays extends well into the information space. A great many of us now have to keep a watchful eye on our credit rating, and virtually all of us have had to change our automatic billing settings when a company we trusted with our credit card let us down. ECHO knows its clients don’t want to be the company that caused that problem.
It’s easy to be beaten by the scope of the task at hand if that task is simply to “do something about security.” Where to even begin? While your industry may have specific guidelines, the National Institute of Standards and Technology (NIST) has guidance that is a great place to start, even if the government doesn’t always get the details right. What it boils down to is largely common sense: identify your risks in regularly scheduled reviews; protect your information’s confidentiality, integrity and availability by keeping backups, encrypting sensitive information and defending your network; and, above all else, have a written policy and train your employees.
Before you run off to read 30 pages of NIST guidelines, diligently fill out the worksheet and start drafting policy, let’s look at some things everyone should be doing that are on that list and that Echo can help with.
#1 – Patch management
This belongs at the top of the list. If your software and hardware are out-of-date, they are susceptible to exploits. Targeted hacking is one thing, and a lot of us like to think that we’re unlikely targets for criminal misdeeds, but most of the damage that wreaks havoc on IT budgets is the result of automated vulnerability scanners that exploit the things they find on your network. You defend against this by making sure you’re not running old versions of software – Windows, OS X, the firewall’s firmware, Office, Java – anything that might touch an email, a website or a flash drive. Echo can automate most of this in moments if you’re struggling with it.
#2 – Antivirus software
Call it what you like – anti-virus, anti-malware, anti-spyware, anti-bad-thing-running-on-my-computer-ware – you need an effective line of defense running on your servers and workstations. It needs to be able to identify known threats, but it also needs to be able to flag suspicious activity when a previously unknown threat gains a foothold. There’s no excuse for not having this, so the question becomes one of manageability and effectiveness. It’s a difficult question to answer given the marketing efforts of the companies competing in this space. Echo has experience in dealing with most of these vendors’ products. We know a lot of it is downright awful and does more harm than good, but we have found notable exceptions to this rule and will generally recommend Bitdefender or Sophos depending on your particular needs, based on ease of deployment, catch rate and low management overhead.
#3 – Backups
Backups come down to the usual task of defining what needs backing up, how often to back it up, and how quickly you’ll need it back. What you use depends on how expensive not having the thing you’re backing up would be – virtually every combination of recovery point objective (how much data you can afford to lose) and recovery time objective (how long you can afford to be down) is attainable at some cost. Echo is experienced in solutions from Veeam and Axcient, the myriad Storagecraft-based solutions, and tools designed to keep off-network mobile devices backed up. This decision always starts with considering the cost of downtime. Talk to us if you’re having trouble deciding what best meets your needs.
#4 – Firewalls
You’d no sooner sit on BART naked than you’d expose a network to the internet without carefully thought-out limitations on what’s allowed in. Firewalls have come a long way in recent years, with the “next-generation” versions capable of identifying the applications running on your network and allowing granular control over what’s allowed. Complicating matters again is the marketing being done in this space. Whether you go Cisco, Palo Alto, Fortinet or Meraki is largely a function of the number of users on your network plus the features and throughput you require. Echo’s experience with these products can make this decision a lot easier.
#5 – Remote access
No matter how good your password policy is (you do have one, don’t you?), people tend to choose passwords that are easily cracked should their computer fall into the wrong hands (but you have encryption on that laptop, right?). This is why we’d like to see all the ways users can reach your network from endpoints you don’t control – like some random web browser on the internet – be subject to multi-factor authentication. If the password falls into the wrong hands, there should be one more thing needed to reach the account, like a rotating code from an authenticator app on a smartphone or a text message sent during login. This is not as difficult to accomplish as it might seem, and if figuring out how to do this seems like a daunting task, we can probably make the deployment of a solution that uses Duo Security or Google Authenticator an easy win for your organization’s security and your peace of mind.
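To make the “rotating code on a smartphone” concrete, here is an added example (not ECHO’s code, and not Duo’s or Google’s) of the time-based one-time password scheme from RFC 6238 that authenticator apps such as Google Authenticator implement. It assumes the server and the app share a secret provisioned as base32 text; the secret used below is the published RFC 6238 test-vector secret, constructed here for demonstration only, and a real deployment generates a random secret per user. The verifier shows the two checks a defender wants in place: a small clock-drift window, and rejection of any code that has already been used so a code captured in transit cannot be replayed.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test-vector secret (ASCII "12345678901234567890"), constructed for this example.
RFC6238_SECRET = b"12345678901234567890"


def decode_base32_secret(encoded: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret; normalise, pad and decode it."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, low digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP is HOTP with the counter set to the number of time steps since the epoch."""
    return hotp(secret, int(at_time) // step, digits, algo)


class TotpVerifier:
    """Server-side check: tolerate a little clock drift and never accept the same code twice."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 window: int = 1, algo=hashlib.sha1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window          # steps of drift accepted on either side of "now"
        self.algo = algo
        self.last_accepted_counter = -1  # highest counter already consumed by a successful login

    def verify(self, code: str, at_time=None) -> bool:
        now = int(time.time()) if at_time is None else int(at_time)
        current = now // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            # Counters at or below the last accepted one are spent: this blocks replay of a
            # captured code within the drift window.
            if candidate <= self.last_accepted_counter:
                continue
            expected = hotp(self.secret, candidate, self.digits, self.algo)
            # Constant-time comparison so timing does not reveal how many digits matched.
            if hmac.compare_digest(expected, code):
                self.last_accepted_counter = candidate
                return True
        return False


if __name__ == "__main__":
    secret = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")  # base32 of the secret above
    code = totp(secret, int(time.time()))
    verifier = TotpVerifier(secret)
    print("current code:", code)
    print("first use accepted:", verifier.verify(code))
    print("replay accepted:", verifier.verify(code))
```

The `window` of one step means a phone whose clock is up to 30 seconds off still logs in; widening it trades convenience for a larger set of codes an attacker could guess, which is why the verifier also tracks the last accepted counter and why a real deployment rate-limits failed attempts.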
Finally, it’s worth mentioning that without some architectural overview that takes security into account, it’s quite possible to deploy well-patched, backed-up systems with up-to-date antivirus software behind next-gen firewalls in ways that are utterly insane and leave the door open to exploitation. A second set of eyes on your network is never a bad idea, and a regularly scheduled vulnerability scan would be a good idea too. Some of our clients have tasked us with securing their networks, while others have had us assess the efforts of others. No one company should do both.
If you’ve been thinking about security lately, you already know you’re not alone. When you’re ready to act on it, we’d love to help.