The old saying that security is only as strong as your weakest link could not be more true today. Bad actors are targeting every element of the organization--from AC outlets to staff members--so it's imperative that all hands are on deck when it comes to security. Of course, security is complex, requiring expert, strategic, methodical, continuous thinking about what could go wrong and how to ensure that it doesn't. No documentation can address every security issue and task, but a security to-do list can go a long way toward locking things down and developing awareness across the staff. Following is a start: 20 things companies can do to help lock things down.
1. Log out. It seems simple, but many users don't realize that you are logged in until you are logged out. Every window and tab in your browser can watch you until you log out. Leaving a session open is asking for a session hijack.
2. Beware random flash drives. Always physically recycle them. Don’t be a scout and attempt to find the owner or juicy details. Some flash drives are malicious. Don’t find out the hard way.
3. Stay informed. The security landscape is constantly changing, and it can be overwhelming to try and keep on top of the latest security trends and products. But ignoring security news is failing to fully protect your organization.
4. Watch what you wear. A 100% polyester shirt and no anti-static protection can cost you big. Synthetic blends, wool and cold dry days can mix to make you a ball of electricity, looking to leap into an unsuspecting piece of hardware.
5. Enforce long, complex passwords. Everyone likes easy-to-remember passwords and SSIDs, but access points need the longest permissible password possible.
6. Read your logs. Your logs are only as useful as the time you take to look at them. Many coders spent a lot of time ensuring that all pertinent data goes into a log when something has gone awry. It’s your duty to look at the logs. There are fabulous log organizers available that are easy to configure and cover most bases, but they are effective only if someone looks at them.
7. Sniff your own wires. Wireshark is easy to use. Several known exploits/KEs use internal packet sniffers to search for relationships, hosts, unsecured logons, password tables copied from hosts, and worse. Go ahead, sniff your organization's wires. Look for the incredible, and you may find it.
8. Trust no one. Can you recognize everyone you see? Are they wearing appropriate badges? Penetration testers take great pride in walking into an organization, maybe disguised in a FedEx uniform. They plug in, and your data goes out.
9. Check the paper trail. Are users tossing documents that should be shredded? Is the shredder working and being emptied? Is it being used?
10. Patch. Period. Unpatched firmware is called: the malware mushroom pond. The hardware asset doesn't matter; virtually all of them have firmware, and that firmware--given the recent processor attacks--must be updated.
11. Update the authorized username list. Especially in today's gig economy, people come and people go. It's imperative that the authorized username list is updated on a continuous basis.
12. See something? Say something. Teach end users that if they see something (like, say, a charger plugged into a wall outlet with an Ethernet cable attached) they need to say something.
13. Ixnay mobile WiFi hotspots. No, you cannot use a mobile WiFi hotspot on your phone while on premises.
14. No double-dipping. Only one person through the door per swipe.
15. Leverage CASB. Cloud access security brokerage manages ugly, long passwords, permits multifactor authentication (MFA) and generally leaves a nice forensic trail of actions when in the cloud.
16. Crack down on MFA keys. Make sure that end users understand that under no circumstances is it OK to leave MFA keys in obvious places (such as desk drawers) to keep them handy. To ensure that it's not happening, conduct random audits and confiscate and systems left with a key in a USB port.
17. Check the seal. Most vendors send sealed boxes to their clientele. Multiple tape jobs aren’t often seen, unless it’s a repair job. There are a number of hardware attacks that require having physical possession of the hardware device. Are people trained to spot what should be new hardware with multiple layers of tape or shoddy boxing? Pilfering and infiltration might be a reasonable suspicion.
18. Avoid (or get a handle on) cloud sprawl. As companies put more and more workloads into the cloud--some that IT knows about and some that it doesn't--it gets increasingly difficult to manage access, compliance and protection.
19. Properly dispose of hardware. Where is obsolete hardware being sent, and are drives and other recoverable assets leaving with them? Hard drive disposal is important, but so is disposal of backup drives, flash drives, and even SIM cards and SD-cards. Often, shredding contractors handle this. Have you ever watched them destroy your drives? All of them? Physically? To tiny unrecognizable bits? Do this randomly. The same goes for swipe cards and other authentication devices.
20. Don't leave backup to chance. How many backups have you randomly checked recently to ensure they can be correctly restored in the event of fire, theft, corruption, hack/rack/ransom? Do you have a test platform you can use to assess reliability and resiliency?
Feel free to post, circulate and make this security to-do list your own.