Executive Perspective on Improving Your Security Program
August 16, 2017
25 min read
Author: Mike Gentile with Cameron Cosgrove
As security practitioners who have built hundreds of security programs for organizations around the world, the team at CISOSHARE is able to provide a unique perspective on what it takes to design an effective information security program. For this article, we thought it would be helpful to reach outside of our organization and mine the knowledge and experience of a veteran CIO.
As a seasoned Fortune 500 CIO, Cameron Cosgrove has developed a deep expertise in the enterprise computing space. His blog, DIGITALCTO with Cameron Cosgrove, provides valuable insight and advice for those hoping to learn more about technology and information security.
Because of his extensive experience, Cosgrove has a wealth of knowledge for organizations struggling to figure out the most effective way to address information security. Here are his top 10 tips for improving your organization’s security program.
Top 10 Tips For Improving Your Information Security Program
1. Create Backups – and Make Sure They’re Working
Even in a worst-case data breach scenario, backups are a blessing. “If all else fails, you can get your data back,” Cosgrove says. He points to the massive security breach that occurred when attackers targeted Sony in 2014. In that situation, their backup data took years to rebuild and recover. However, they never realized there was an issue until efforts to recover the stolen data were underway. How can you ensure that your backups are in place and functioning when you need them?
First, Cosgrove suggests performing a one-time audit of all PROD applications, files, directories, and folders to ensure they’re actually being backed up. In reality, a large number of files aren’t successfully backed up or fail on a regular basis. Your IT team should use the audit to get all files in a backup job. In some situations, the current backup infrastructure isn’t large enough to handle all of the files. If so, that will need to be addressed as a separate project.
Part of this audit is documentation, and your team should present a monthly report showing all backup fails and completes. Every quarter, the team needs to test the recovery of random files and document this information in a report, as well.
Next, a weekly or (even better) bi-weekly backup of key non-prod data is in order. This includes things such as development libraries, files, and builds. The IT team should have backup files easily accessible for a quick recovery to get the organization up and running should a problem arise. It’s also important, however, that system backups are stored off-site. Cosgrove recommends using tools and storage platforms that enable real-time automated synchronization to an off-site location or cloud service. Finally, it’s a good strategy to put your backup on a separate network. This will reduce traffic and the impact on network performance. It will also protect data from being stolen or erased by an intruder on your main network. While some may balk at the cost of creating this additional backup infrastructure, consider that the cost and disruption of an information security breach is much greater.
2. Validate Accounts
One of the easiest ways for hackers to gain access to your network is to break in via a valid administrator’s account. From there, they can wreak untold amounts of havoc – installing malware and creating new accounts. This is a prime way to exploit a system while remaining undetected for months at a time.
To prevent this from happening, your organization must detect and disable compromised and fraudulent accounts immediately. Here is Cosgrove’s method for doing so:
Every night, export a text file from your HR system of all people who should have access to the network. This includes employees, consultants, contractors, and so on. From your network (Active) directory, export a text file of all accounts that actually do have access. Establish a batch job to compare the two files and look for differences.
Most of the differences you’ll find will be new and terminated employees. If you notice an account that isn’t in your HR system, however, that should raise red flags. Suspend these accounts while you look into them to see if they’re authorized. Such accounts often go undetected for months.
Next, run a daily report to show all new administrative accounts created in the past 24 hours. Double check them to ensure that they’re valid and have the proper authorization – particularly administrator accounts and accounts with elevated privileges.
Finally, run a monthly report to analyze and reconcile all accounts with elevated privileges. Because administrative privileges are used to install and run ransomware and kill programs in your environment, you can never be too careful with these accounts.
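The nightly HR-versus-directory comparison, the 24-hour new-admin report, and the monthly elevated-privilege reconciliation from the three steps above, as one added example (not code from Cosgrove or CISOSHARE). The column layout of the two exports and the sample rows are constructed assumptions; a real batch job would read the exported files instead of string literals.

```python
from datetime import datetime, timedelta

# Constructed sample exports (not real data); the header layout is an assumption.
HR_EXPORT = """\
username,type
alice,employee
bob,contractor
carol,employee
"""
DIRECTORY_EXPORT = """\
username,created,admin
alice,2017-08-01T09:00:00,no
bob,2017-08-10T11:30:00,no
dave,2017-08-15T22:14:00,yes
svc_backup,2017-07-01T00:00:00,yes
"""

def parse_export(text):
    """Turn a comma-separated export with a header row into a list of dicts."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    return [dict(zip(header, line.split(","))) for line in lines[1:]]

def reconcile(hr_text, dir_text, now, known_service_accounts=()):
    """Compare HR against the directory and run the admin-account checks.

    Returns accounts to provision (in HR, not yet in the directory), accounts to
    suspend pending review (in the directory but unknown to HR and not a
    documented service account), admin accounts created in the last 24 hours,
    and every admin account for the monthly reconciliation."""
    hr_users = {row["username"] for row in parse_export(hr_text)}
    directory = parse_export(dir_text)
    dir_users = {row["username"] for row in directory}
    admins = [row for row in directory if row["admin"] == "yes"]
    return {
        "provision": sorted(hr_users - dir_users),
        "suspend_pending_review": sorted(
            dir_users - hr_users - set(known_service_accounts)),
        "new_admins_24h": sorted(
            row["username"] for row in admins
            if now - datetime.fromisoformat(row["created"]) <= timedelta(hours=24)),
        "all_admins": sorted(row["username"] for row in admins),
    }

def example_report():
    """Run the job against the constructed exports as of a fixed 'tonight'."""
    return reconcile(HR_EXPORT, DIRECTORY_EXPORT,
                     datetime(2017, 8, 16, 8, 0, 0), ("svc_backup",))
```

In the sample, `dave` lands in both the suspend list and the new-admin list: an unknown account that also received administrator rights overnight is exactly the case the daily review exists to catch.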
3. Check Server Patching
When servers and desktops aren’t running critical security patches, vulnerabilities turn into breaches. A patch can’t work unless it’s been installed. Because of this, your IT team needs to have a way to check that all servers are included in your monthly patching program. Run a monthly report on all servers and their patch levels to ensure that all critical patches have been applied.
4. Take Spam-Blocking to the Next Level
While spam-blockers are great, Cosgrove says that they’re not enough. A high percentage of malware is introduced by end users clicking on suspicious links.
“For best results,” he says, “take your spam-blocking one step further to block phishing messages that may get through.” He suggests blocking any outbound connection to a destination that isn’t white-listed, has no reputation, or has a bad reputation. If a valid business link gets blocked, a quick call to the service desk can resolve the problem.
5. Ensure Desktop AV Is Up-To-Date
Every attached desktop and laptop should be running an up-to-date AV, but does your organization have a way to monitor and validate that? Your AV and client should support real-time reporting that can validate whether a client machine is up to date. It should also be able to alert when a virus/attack is occurring and automatically disable network access and open a ticket. Network access should also be blocked if a client machine isn’t running the AV with a current signature file.
“Protecting the network from infected rogue machines outweighs the inconvenience of a single end user,” Cosgrove says.
6. Tighten Up Edge Security
All entry points into your network infrastructure need to be secured with firewalls and IPS. As CIO, you must have your team present the current situation and discuss any missing pieces/outdated projects, Cosgrove suggests. Discuss the process for updating products and firmware so that they’re all current. If products get too far behind on versions, it will leave them without the new features and capabilities that protect them from current threats.
7. Utilize an Event Correlation Solution
Because a huge number of events occur on any given infrastructure, it’s important to send logs of events from your network, servers, SAN, etc. through an event correlation solution.
“This allows what looks like small events to be correlated into an alert because, in actuality, it’s a much larger event,” Cosgrove says. Such services are available as cloud-based solutions, but you may also develop an in-house capability by using a trusted vendor or consultant to do so. Event correlation solutions can help you make sense of a deluge of information and know when it’s important to act.
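A minimal illustration of the correlation Cosgrove describes, added here as an example rather than code from the article or any product: a single failed login on a server is routine noise, but several failures from one source followed by a success from that same source within a short window is one larger event worth an alert. The syslog-style line format and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (addresses from documentation ranges, not real hosts).
SAMPLE_LOGS = """\
2017-08-16T02:00:01 fw01 ALLOW src=203.0.113.7 dst=10.0.0.5:22
2017-08-16T02:00:03 srv05 sshd: Failed password for root from 203.0.113.7
2017-08-16T02:00:05 srv05 sshd: Failed password for admin from 203.0.113.7
2017-08-16T02:00:08 srv05 sshd: Failed password for root from 203.0.113.7
2017-08-16T02:00:10 srv05 sshd: Failed password for root from 203.0.113.7
2017-08-16T02:00:12 srv05 sshd: Failed password for root from 203.0.113.7
2017-08-16T02:00:20 srv05 sshd: Accepted password for root from 203.0.113.7
2017-08-16T09:15:00 srv07 sshd: Failed password for alice from 10.0.0.40
2017-08-16T09:15:30 srv07 sshd: Accepted password for alice from 10.0.0.40
"""

# Assumed line shape: "<timestamp> <host> sshd: <Failed|Accepted> password for <user> from <src>"
LINE_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

def correlate(log_text, threshold=5, window=timedelta(minutes=10)):
    """Emit one alert per (host, source) when at least `threshold` failed logins
    inside `window` are followed by a successful login from the same source."""
    failures = defaultdict(list)   # (host, src) -> timestamps of recent failures
    alerts = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue               # firewall and other non-auth lines are skipped here
        ts = datetime.fromisoformat(m.group(1))
        host, outcome, user, src = m.group(2), m.group(3), m.group(4), m.group(5)
        key = (host, src)
        # forget failures that have aged out of the window
        failures[key] = [t for t in failures[key] if ts - t <= window]
        if outcome == "Failed":
            failures[key].append(ts)
        elif len(failures[key]) >= threshold:
            alerts.append({"host": host, "src": src, "user": user,
                           "failures": len(failures[key]), "at": ts})
            failures[key].clear()
    return alerts
```

The single failure-then-success for `alice` on srv07 stays below the threshold and produces nothing, which is the point: the correlator surfaces the pattern, not every individual line.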
8. Use Two-Factor Authentication
When is two-factor authentication necessary? According to Cosgrove, “Two-factor authentication should be put in place for remote access to all resources that would normally only be accessible if you were at a corporate location.” Some examples of this are VPN and VDI. You should also strongly consider two-factor authentication for the local machine and network logins of end users who perform tasks that involve moving money.
You can also have the fund transfer application require a second authorization to prevent criminals from gaining access and initiating unauthorized wire transfers.
9. Take Steps to Avoid Social Engineering Attacks
Because social engineering and email phishing attacks are becoming more common, take precautions to prevent your system administrators from becoming targets. Have them use generic job descriptions on all their social media accounts. For example, instead of being listed as “System Administrator” or “Systems Engineer,” have them use something non-specific such as “Office of Technology Associate” or “Enterprise Services Technician.”
10. Be Serious About Granting Administrator Privileges
“End-user and service accounts should not be running with administrator privileges,” says Cosgrove. “The only accounts with administrator privileges should be trained professional system administrators. Period.”
Being highly selective about granting these privileges can prevent end users from unknowingly installing malware on their machines; give them standard user access instead. It’s a fairly straightforward process to remove administrator privileges from a local user account – and one that can save you major headaches down the road.
Also, keep in mind that service accounts running with administrative rights can pose a threat. Ensure that your team has a secure practice and naming convention for service account management.
Putting together a comprehensive security program doesn’t happen overnight. By following Cosgrove’s tips, however, your organization will be taking the steps necessary to ensure that your program is soon running smoothly and effectively mitigating a whole host of threats.