Keeping your data safe doesn’t always have to be complicated or expensive! The following are some basic tips that can help immediately improve your security posture with minimum effort, all based on the Center for Internet Security (CIS) Controls (https://www.cisecurity.org/controls). These controls are a great resource for anyone interested in establishing a security baseline or learning about areas of improvement for their organization.
Tip 1: Take Care of Your Hardware
- When traveling with your notebook computer or other mobile devices used to access sensitive information, keep them in your sight or on your person.
- If you must leave your devices in the car, lock them out of sight in the trunk rather than leaving them on a seat or on the floor.
- Remember to inform your administrative team about equipment exchanges so they can keep track of which systems staff members have been issued or have returned.
Tip 2: Manage Your Software
- Only download legitimate software from reputable sources; compare hashes if available to ensure that your download is correct and uncorrupted.
- Keep track of independent applications you install on your systems and ensure they are kept up-to-date, or remove them if they are no longer needed.
- Be careful when accepting terms and conditions, particularly if accepting them on behalf of your company; ensure that you read and understand the license and any constraints or obligations.
- Do not install software explicitly for personal use on your work computer or phone; use personal devices instead.
Tip 3: When it Comes to Vulnerabilities, Be Proactive
Here at A.J. Boggs & Company, it’s the job of the 911.net Security Operations Center (SOC) to identify and address vulnerabilities. The SOC continually runs vulnerability scans on company systems to identify and fix common security-related issues, often by changing configurations or applying patches. We use automated patch management systems to identify when systems are not up-to-date and to ensure that needed patches are applied. We also have tools that help protect against viruses and other malware, and still others that help manage workstation configuration. All of these tools work together to help us discover when something is wrong and how to fix it.
Tip 4: With Elevated Access, Be a Control Freak
Try to administer systems using the ‘Principle of Least Privilege,’ i.e. the concept that elevated access should only be granted when necessary to carry out a specific job role or task. If you have an administrative account in any system or environment, it is your responsibility to exercise extra caution when performing your duties. If an attacker can exploit an account with administrative privileges, the damage can be far worse than exploiting a normal user account, as administrative accounts often offer more opportunities to successfully pivot into other systems and applications.
- Use multifactor authentication and encrypted channels for all administrative account access whenever possible.
- Limit access to scripting tools (such as Microsoft PowerShell and Python) to only those users who need them.
- Implement auditing and logging on systems and applications so that there are records of when an account is added, removed, or accessed.
- Ensure a process is in place to examine system or application logs to monitor for unsuccessful login attempts on an administrative account.
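As an added illustration of the last two bullets (example code, not from the original post or from A.J. Boggs & Company), the following Python script scans constructed sshd-style log lines for repeated failed logins against a constructed set of administrative accounts and raises an alert when a threshold is crossed inside a short window. The log format, account names, threshold and window are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in sshd/syslog style; not taken from the page.
SAMPLE_LOG = """\
Mar 03 09:12:01 host1 sshd[2201]: Failed password for admin from 203.0.113.7 port 50122 ssh2
Mar 03 09:12:04 host1 sshd[2201]: Failed password for admin from 203.0.113.7 port 50123 ssh2
Mar 03 09:12:09 host1 sshd[2201]: Failed password for admin from 203.0.113.7 port 50125 ssh2
Mar 03 09:12:15 host1 sshd[2201]: Failed password for invalid user test from 203.0.113.7 port 50127 ssh2
Mar 03 09:13:40 host1 sshd[2210]: Accepted publickey for jsmith from 198.51.100.4 port 40110 ssh2
Mar 03 10:01:22 host1 sshd[2301]: Failed password for root from 192.0.2.9 port 61010 ssh2
Mar 03 11:30:00 host1 sshd[2402]: Failed password for jsmith from 198.51.100.4 port 40222 ssh2
"""

# Constructed set of privileged account names (hypothetical; replace with yours).
ADMIN_ACCOUNTS = {"admin", "root"}

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def parse_failures(log_text, year=2024):
    """Yield (timestamp, user, source_ip) for every failed-login line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["src"]

def admin_failure_alerts(log_text, admins=ADMIN_ACCOUNTS, threshold=3,
                         window=timedelta(minutes=5)):
    """Alert on admin accounts with >= threshold failures inside one window."""
    failures = defaultdict(list)
    for ts, user, src in parse_failures(log_text):
        if user in admins:  # only privileged accounts are of interest here
            failures[user].append((ts, src))
    alerts = []
    for user, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            burst = [e for e in events[i:] if e[0] - start <= window]
            if len(burst) >= threshold:
                alerts.append({"user": user, "count": len(burst),
                               "first_seen": start,
                               "sources": sorted({s for _, s in burst})})
                break  # one alert per account per run is enough here
    return alerts
```

Running `admin_failure_alerts(SAMPLE_LOG)` flags only the `admin` account (three failures within a few seconds); the single `root` failure and the non-administrative accounts stay below the threshold.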
Tip 5: Lock Down Your Devices
In terms of personal devices, particularly mobile devices, take the time to apply secure configuration practices such as the ones listed below.
- Never use a device with the default password; change ALL default passwords, preferably using longer passphrases (15+ characters).
- Ensure that your Operating System (OS) is kept up-to-date, and apply updates as soon as possible following manufacturer release.
- Disable services when they are unnecessary, particularly services that allow connections to your device (Wi-Fi, Bluetooth, AirDrop/file-sharing, etc.).
- Don’t install and use applications if you don’t understand their permissions and data settings, and try to allow only the lowest access necessary.
- For mobile devices, use a device management program, such as “Find My iPhone” or “Find My Device,” to ensure that your data can be protected and erased if the device is lost or stolen.