11 Tips IT Managers Need To Stop Breaches

Few fears keep pro techies awake at night more than breaches. We’ve heard the stories. Entire IT departments removed after either a breach or ransomware attack. IT Managers and Directors sued or indicted. Even a strong employee contract can’t protect you in some states. How can you protect yourself and your systems from breaches?

The first step is knowing which data to protect. Obviously, you must protect confidential corporate data and personally identifiable information (PII). What about your video surveillance or key card access networks? Or data on connected networks, like the CEO’s home computers? Would she want to find the contents of her iPad search history online? Read our Dark Web article.

Realize that when a threat actor gains access, they are searching for useful data, not simply to drop in ransomware. They want to know how much insurance will pay, private activities of owners, executives, and top employees, and any corporate or personal secrets. They are looking for leverage to guarantee payment.

Most Advance Persistent Threats are active over six months before a ransomware event. Those who have suffered through them know the only secure way forward is a scorched earth approach. Delete everything, reinstall every device, and change all IP addresses, names, and passwords. A lack of proper remediation always leads to secondary and tertiary attacks since attackers never lose access from the system. Later attacks may not include a ransom.

The goal then is to prevent the initial foothold, or see it when it happens, remove it, and remediate. I know you’re short on time, so I made this one short and to the point. Here are 11 security enhancements that will prevent nearly all breaches – in under 5 minutes!

1. Everywhere You Want To Be – Congratulations! You fought budget constraints and user complaints to implement multi-factor authentication (MFA) on all logins in the office and remote. SalesForce, internal servers, and Office365 also require MFA, but it’s not a magic shield. What about those devices that do not support MFA? Segment those devices to limit access if breached.
   
   
2. Device Lockdown – Do you have a device with terabytes of local drive space, physical connection to the same network as your workstations and servers, and unimpeded access everywhere? No? What about your printers? Out of the box, printers are accessible from anything within their WiFi and Near-Field reach
   • Lock them down to a restricted firewalled VLAN that only speaks to a print server
   • Permit only servers to communicate with them; no more direct printing
   • Use a certificate-based authentication between device and server or Identity Access System
   • Disable USB and direct physical ports
   • This goes for your IoT, SCADA, and legacy equipment also
   • And please, please, PLEASE, update their firmware regularly
     
     
3. Password Policy
   • Require at least twelve (12) characters
   • Forced to change every three (3) months
   • Cannot reuse last twelve (12) old passwords
   • Must use uppercase, lowercase, numbers, and special characters
   • Force lockout after three (3) failed attempts
   • Limit login times and geographic locations
   • Require MFA for all system logins
   • Force admins and contractors to do the same
   • NO EXCEPTIONS, especially for management
   • Never give a service account more privilege than it needs
     
     
4. Block Untimely Access – Why is that user logging into SalesForce at 3AM? Good question! This one gets pushback from management but never from users. Disable access for users to log into the system or particular services outside their normal operating hours. Some people work all hours, but most do not. This also forces users to get the most accomplished during the time they have. Shift workers are easy to limit. IT support, not so much.
   
   
5. Who Really Needs Access? – All user accounts should have limited access. Separate admin accounts with administrator privileges, but only use them when needed for temporary, escalated access. Every administrator login should create a ticket that is logged and verified!
   
   
6. Maintain A Schedule – Most admins shouldn’t have login access outside of their work schedule, either. Most breaches come from those with inside access. Job rotation, forced vacations, and regular system checks should be required of all admins. Oh, and everyone in IT should have a background and credit check completed annually. It keeps honest people honest and dishonest people out.
   
   
7. Local Storage Is Passe – Don’t you pay for Cloud services? Use them! Sure, there are times when you must swap files with outside vendors, but sending emails with attachments over insecure, unencrypted links is not good! Let’s go further. Why do desktops and laptops need functional USB ports? Hasn’t technology advanced beyond those deficiencies? And no files on mobile devices! How many “databases” have been lost or stolen by sheer negligence? Too many and not yours!
   
   
8. Certify This! – Consider an outside certification for your systems, like CMMC Level 1 (read about the guidelines here). It gives your team something to work toward and forces you to think like an attacker. Better yet, bring in a vetted outside security specialist to perform Penetration Testing. Check their references and credentials, but be willing to listen to an expert. Do you do your own taxes? You shouldn’t. Would you also represent yourself in court? Didn’t think so.
   
   
9. Update Regularly – I know it’s a struggle, but dedicate people to the task or rotate it quarterly. Make a list. Get on the manufacturers’ update emails. Microsoft has been known to push out an update a day! It’s the only way to avoid exploits. Don’t forget your printers and IoT devices!
   
   
10. Don’t Touch That! – Breaches rarely come from a faulty firewall. It’s usually something someone clicked on they shouldn’t have. Train users as often as they will allow. Don’t wait for HR to tell you. If something new comes along, tell everyone to watch out for it.
    
    
11. Monitor, monitor, monitor – Building a whitelist of acceptable external sites and blocking everything else will ensure users aren’t sticking their browsers where they don’t belong. And it might just alert you to an Advanced Persistent Threat trying to call home. So many new technologies and services exist to help with this, if you can afford them.