10 cost-effective ways to quickly beef up your company security


 Image: Jack Wallen

Company security has never been more critical. Data is being breached on a regular basis, from midsize companies to enterprise giants. But even if you’re a small mom-and-pop shop, you’re not off the hook. All businesses need to keep data security at the front of their minds.

What efforts can you take to step up the security of your company? Will you have to buy expensive equipment? In some cases, yes. But not in every case. There are a number of steps you can take that won’t set you or your company back a half-year’s budget. Here are 10 cost-effective ways you can beef up your company security.

1: Update, update, update

One of the worst things you can do is ignore updates on your servers and desktops. Many of those updates include security patches that close publicly known vulnerabilities in the operating system and the applications running on it, and attackers routinely scan for machines that are still missing them. Although updating takes time (and may mean brief downtime on servers), it must be treated as a crucial step in keeping your company secure. Keep an inventory of what is deployed and check it against vendor advisories, so that nothing is quietly left running an unpatched version.

2: Stay in the know

If you’re in the IT department (which seems likely, if you’re reading this), one of your duties is to keep up with the latest security threats and warnings. If you stay abreast of what’s going on in the world of PC security, you’ll not only be informed of the latest threats but of the newest technology aiming to keep those threats at bay. Be sure to keep tabs on security alerts from the companies that produce products you’ve deployed as well as on general security issues. Read up on the latest security tech and stay open to learning new methods. Take classes, network with other security experts… get connected.

3: Set and enforce password policies

If you have yet to implement password policies, now’s the time. Require long, unique passwords (a password manager makes this practical) and screen new passwords against lists of common or previously breached ones. One correction to the old advice of changing every password every 30 or 60 days: current guidance such as NIST SP 800-63B recommends changing a password when there is evidence it has been compromised rather than on a fixed schedule, because forced rotation tends to produce predictable variations of the old password. The policy should also cover wireless pre-shared keys and any BYOD device that connects to your wireless network; a key that has been handed to many people, or to an employee who has since left, should be rotated. Yes, changing wireless passwords can be a pain. But if you’re serious about all levels of security, this should be considered a must-do.

4: Don’t offer open wireless

Ever. Yes, for some companies offering wireless to the public is a necessity. However, that doesn’t mean the public Wi-Fi must be open and unencrypted. Set a password for the public network, require customers to get it from a receptionist or administrative assistant, and make it policy to change that password weekly. A shared password keeps casual passers-by off the network but offers little protection against other guests, so take it one step further: ensure the public wireless is in no way attached to your business network, whether through a separate VLAN with client isolation or a second internet connection.

5: Get strict on policy breakers

You’ve finally managed to set all your security policies to make your company as safe as possible. If an employee undermines those policies, your company data is no longer safe. Security policies should have zero tolerance for infractions. Anyone who breaks them must suffer the consequences. This might be a hard row to hoe, but once you’ve established the staunch take on the policies—and once your staff understands how serious the issue is—your security will be easier to enforce. Understand, this could mean terminating employees in some cases. But if that’s what is necessary to ensure the security of your data, so be it.

6: Require two-step authentication

It never ceases to amaze me that two-step authentication isn’t the default for everything, everywhere. If your company uses Google’s services, require two-step verification on every account and have staff use the Google Authenticator app (or a hardware security key) rather than codes sent by SMS. Your internal servers should use the same kind of protection; you can add time-based one-time codes to a Linux SSH server through the Google Authenticator PAM module, for example. At every possible point of authentication, two-step should be the default.

7: Use Chromebooks when possible

These inexpensive devices can improve your company’s security in ways you may not have considered. First, if your company uses Google’s services and its two-step verification (see above), you’re already ahead of the curve. With Chromebooks, you also know your users aren’t installing arbitrary third-party software that could wreak havoc on your network: Chrome OS combines verified boot, sandboxed processes and automatic updates with a locked-down application model, which removes a large class of endpoint compromises by design. Yes, some may find them limiting. But considering that most of the work your staff does nowadays is within a browser, a Chromebook may be the ideal choice when security is a priority.

8: Properly vet new hires

Sometimes a security breach doesn’t come from an outside attacker sniffing out data but from an insider, or from the social engineering made possible by a careless or malicious employee. You can never know the complete history and intentions of a new hire, but it is your duty to learn as much about new staff as you reasonably can, and to grant them only the access their role actually needs from day one.

9: Rid yourself of paper documents

Papers can easily find their way into the wrong hands. Unless you employ a powerful document shredder (and use it regularly) you run the risk of data leaking if the wrong person picks up the wrong paper at the wrong time. Set a policy that all company data be retained only in digital form and that data must be stored on company hardware within the company LAN.

10: Employ full disk encryption

If you’re really concerned about the security of your data, use full disk encryption on servers, data drives, desktops and mobile devices, so that a lost laptop or a decommissioned drive does not turn into a breach. Rolling it out may mean your IT staff endures a short period of long nights, but the downtime is well worth the effort. Plan key management before you start: escrow recovery keys somewhere safe, because an encrypted disk whose passphrase has been lost is as gone as a stolen one. In the end, your data will enjoy much-improved security.

Data security is an ever-moving target that you need in your sights at all times. If you’re not willing to make some changes and toe the hard line, your company data could easily be at risk. With a few exceptions, the security “upgrades” on this list should be very simple to put into play.

Other steps

Have you found other affordable security measures to protect your information assets? Share your suggestions with fellow TechRepublic members.

Why the NSA may not need backdoors

 Image: Declan McCullagh/CNET

James Bamford’s 2012 WIRED article The NSA Is Building the Country’s Biggest Spy Center (Watch What You Say) is a fascinating read about the NSA’s monster data center near Bluffdale, Utah and what it might be used for. Here’s an excerpt:

“Breaking into those complex mathematical shells like the AES is one of the key reasons for the construction going on in Bluffdale,” explains Bamford. “That kind of cryptanalysis requires two major ingredients: super-fast computers to conduct brute-force attacks on encrypted messages and a massive number of those messages for the computers to analyze. The more messages from a given target, the more likely it is for the computers to detect telltale patterns, and Bluffdale will be able to hold a great many messages.”

Bamford then suggests the super-fast computers are part of the High Productivity Computing Systems program in Oak Ridge, Tenn. (of Manhattan Project fame), specifically in Building 5300, according to a former senior intelligence official involved in the project whom Bamford interviewed.

The official mentions that security intensified in a big way when the Building 5300 team made a huge breakthrough, adding, “They were thinking that this computing breakthrough was going to give them the ability to crack current public encryption.”

Fast forward to 2015 and more evidence

Over the past several months, US law enforcement agencies have been advocating backdoors be added to encryption software, raising the ire of security pundits everywhere. The pundits fought back until finally the federal government cried “uncle.” The battle may have been won, but is the war really over?

Paul Rosenzweig is skeptical. Rosenzweig, founder of Red Branch Consulting PLLC, a Homeland Security consulting company and a senior adviser to The Chertoff Group, wrote an interesting post on the Lawfare Institute’s website. He mentions the whole issue about backdoors is only relevant if current public-key encryption techniques are indeed uncrackable, as per numerous qualified cryptographic sources.

Rosenzweig then speculates, “What if, in fact, certain implementations of public key encryption techniques are not as robust as we think they are?”

Rosenzweig’s theorizing was prompted by a Freedom to Tinker article by J. Alex Halderman, associate professor of Computer Science and Engineering at the University of Michigan, and Nadia Heninger, assistant professor of Computer and Information Science at the University of Pennsylvania. In the article How is NSA breaking so much crypto?, the two academics make the case that some deployments of the Diffie-Hellman key exchange (used by HTTPS, SSH and VPN systems) can be broken by a well-funded attacker.

This is not just idle conjecture. They, along with 12 coauthors, recently presented their paper Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice (PDF) at the Association for Computing Machinery’s 2015 Conference on Computer and Communications Security. Through hard work and serious number-crunching, as evidenced in the paper, the team of authors determined, “Through a confluence of number theory and bad implementation choices, many real-world users of Diffie-Hellman are likely vulnerable to state-level attackers.”

Halderman and Heninger offer the following details:

“If a client and server are speaking Diffie-Hellman, they first need to agree on a large prime number with a particular form. There seemed to be no reason everyone couldn’t just use the same prime, and, in fact, many applications tend to use standardized or hard-coded primes.

“But there was a very important detail that got lost in translation between the mathematicians and the practitioners: an adversary can perform a single enormous computation to ‘crack’ a particular prime, then easily break any individual connection that uses that prime.”
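The "crack the prime once, then break every connection cheaply" point above is easier to see on a toy group. The following is an added example, not code from Halderman and Heninger or their paper, using the constructed prime 65537 with generator 3. The "enormous computation" is reduced to tabulating every discrete logarithm for that prime, which is trivial here and astronomically expensive for a 1024-bit prime, but the shape of the attack is the same: one-time work per prime, then one table lookup and one exponentiation per eavesdropped handshake.

```python
import secrets
from typing import Dict, Tuple

# Toy group: the Fermat prime 65537 with primitive root 3. Constructed values for
# illustration only; real deployments use 1024-bit and larger primes, and the size
# of the prime is exactly what makes the one-time precomputation so expensive.
P = 65537
G = 3


def dh_keypair(p: int = P, g: int = G) -> Tuple[int, int]:
    """Honest party: random private exponent x and public value g^x mod p."""
    priv = secrets.randbelow(p - 2) + 1          # 1 <= priv <= p-2
    return priv, pow(g, priv, p)


def dh_shared(their_pub: int, my_priv: int, p: int = P) -> int:
    """Honest party: shared secret (g^y)^x mod p."""
    return pow(their_pub, my_priv, p)


def precompute_logs(p: int, g: int) -> Dict[int, int]:
    """The 'single enormous computation' for one prime: tabulate log_g(y) for
    every group element. For this toy prime it is a dictionary with p-1
    entries; for a 1024-bit prime it is the number-field-sieve precomputation
    the paper prices at a few hundred million dollars of hardware."""
    table: Dict[int, int] = {}
    y = 1
    for x in range(p - 1):
        table[y] = x
        y = (y * g) % p
    return table


def break_connection(table: Dict[int, int], pub_a: int, pub_b: int,
                     p: int = P) -> int:
    """Per-connection work once the prime is 'cracked': recover one private
    exponent from the table and finish the exchange as if we were that party.
    Both public values are visible to a purely passive eavesdropper."""
    a = table[pub_a]
    return pow(pub_b, a, p)


def eavesdrop_many(table: Dict[int, int], n_connections: int) -> bool:
    """Simulate n independent handshakes that all reuse the prime P and check
    that the eavesdropper recovers every session key from the wire alone."""
    for _ in range(n_connections):
        a, pub_a = dh_keypair()
        b, pub_b = dh_keypair()
        k_alice = dh_shared(pub_b, a)
        k_bob = dh_shared(pub_a, b)
        k_eve = break_connection(table, pub_a, pub_b)
        if not (k_alice == k_bob == k_eve):
            return False
    return True


if __name__ == "__main__":
    logs = precompute_logs(P, G)    # paid once, reused for every connection
    print("recovered all session keys:", eavesdrop_many(logs, 1000))
```

The defence follows from the same structure: a table built for one prime is useless against a server that uses a different one, and for primes of 2048 bits or more (or for elliptic curve groups) no attacker is believed to be able to build the table at all. Fresh per-connection exponents, the "ephemeral" in DHE, do nothing against this attack, because it is the prime, not the exponent, that is broken.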

Is it worth the NSA’s bother?

The paper’s authors are realistic, saying the computations required would be a technical feat not seen since the Enigma cryptanalysis during World War II. “Even estimating the difficulty is tricky, due to the complexity of the algorithm involved, but our paper gives some conservative estimates,” write Halderman and Heninger. “For the most common strength of Diffie-Hellman (1024 bits), it would cost a few hundred million dollars to build a machine, based on special purpose hardware, that would be able to crack one Diffie-Hellman prime every year.”

As to whether it’s worth it to the NSA, Halderman and Heninger state:

  • Breaking a single, common 1024-bit prime would allow the NSA to passively decrypt connections to two-thirds of VPNs and a quarter of all SSH servers globally.
  • Breaking a second 1024-bit prime would allow passive eavesdropping on connections to nearly 20% of the top million HTTPS websites.

The authors put it more simply: “In other words, a one-time investment in massive computation would make it possible to eavesdrop on trillions of encrypted connections.”

The NSA’s dilemma

In conclusion, Halderman and Heninger argue that the NSA’s dual mission of gathering intelligence and defending US computer systems pulls in opposite directions here, adding, “If our hypothesis is correct, the agency has been vigorously exploiting weak Diffie-Hellman, while taking only small steps to help fix the problem.”

In the agency’s defense, the authors acknowledge that the NSA recommends transitioning to elliptic curve cryptography, which is not known to suffer from this weakness. However, Halderman and Heninger also point out, “The security community is hesitant to take NSA recommendations at face value, following their apparent efforts to backdoor cryptographic standards.”


Security report: Industry and online presence drive your cyberthreat profile

 Image: iStock

What do hackers want to steal from your company, and how will they attempt it? That depends on the kinds of data you have, and how you primarily transact your business: online or face-to-face.

Alert Logic explains in its 2015 Cloud Security Report that cyberattackers are changing their tactics based on industry. An online retailer or financial services firm will more likely face attacks on its external web apps with customer credit card information as the target, whereas an oil company or a manufacturer with minimal online presence can expect to deal with more traditional hacking methods focused on proprietary data.

Also in the report, Alert Logic notes an increase in cyberattacks on cloud environments due to the popularity of public cloud solutions, and recommends two main approaches for protecting your firm’s IT environment, which I discuss below.

Alert Logic provides security solutions for on-premises, cloud, and hybrid infrastructures. The Texas-headquartered firm built up the data for the report from its customer base, analyzing over 800,000 security incidents in 2014, from more than 3,000 organizations around the world.

Cloud vs. on-premise

No surprise here: in 2014, more enterprises migrated their infrastructure to the cloud, and cyberattackers have taken note. Alert Logic reports that hackers view cloud targets as easier prey, and the authors believe that to a certain extent, the hackers are correct.

Some enterprises have the false notion that cloud infrastructure (IaaS) providers fully take care of security concerns — they don’t. Alert Logic recommends the “shared security” model: knowing where IaaS security measures end and where your firm has to place its own defenses.

Cyberattacks on cloud environments grew significantly over the previous year, while the number of attacks against on-premise infrastructure stayed “relatively flat.” The growth figures for 2014 cloud attack methods are:

Alert Logic recommends these two ways to enhance your firm’s cloud security.

  • Know the shared security model: Cloud providers, such as Amazon Web Services (AWS), typically have security controls that include physical, perimeter network and hypervisor layer. IaaS customers need to secure their own applications, data, and network infrastructure that are located in that external cloud environment. Your IT security plan under the shared model has to include technology, information, people, and processes.
  • Understand your threat profile: Your industry, degree of online interactions, the applications you run, and the kinds of data you own will determine the types of attacks that hackers will initiate against your enterprise. Knowing that and your compliance requirements will drive the kinds of security solutions that you need to focus on.

The authors caution that on-premise attacks have not stopped — there is just more effort being put into compromising cloud environments. The “relatively flat” trend comes as no surprise to Alert Logic: hackers have experience penetrating on-premise infrastructures and will keep using what they consider to be effective methods.

And since on-premise environments will not disappear in the near future, Alert Logic issues this warning:

… it is important that organizations continue to invest in their security framework for all of their physical data centers, applications, and mission-critical infrastructure.

The report authors stress that successful attacks on internal, on-premise applications can give hackers the “keys to the kingdom,” i.e., user credentials. With these, “the attacker has unfettered access to an organization’s application and the valuable data it can access,” resulting in information theft over a considerable period of time, and, quite possibly, damage to a company’s reputation.

Divergence by industry

The main takeaway of the report is the “even wider divergence of threats” when Alert Logic reviewed cybersecurity incidents by industry. Alert Logic found that the biggest factors determining attack vectors are a company’s online presence and how it interacts with its customers. In addition, they concluded that the amount of online interaction was an even more significant factor than a firm’s IT environment.

The report’s authors use the example of an e-commerce company compared to a heavy equipment manufacturer. The e-commerce company needs multiple pathways for customer interactions via mobile devices, and also processes numerous customer transactions each day, all of which makes it a target for hackers seeking credit card data.

The equipment manufacturer has fewer online interactions, and its sales are based mainly on formal, in-person meetings. There is little of value for hackers to steal in its customer-facing applications — the real “gold” for cyberattackers is its proprietary data, such as confidential product designs and financial information. Hackers would take the company’s internal data and try to sell it to the manufacturer’s competition.

Alert Logic sums up this industry difference trend by writing that:

Businesses with a large volume of online customer interactions are targets for web application attacks to gain access to customer data. Businesses with few online customer interactions are more likely to be targeted for their proprietary company data, not their customer data.

For more details, download the Alert Logic 2015 Cloud Security Report.
