Businesses are often criticized for not having strict policies for information security. However, this criticism is not inaccurate. Important information security practices are often overlooked despite all the major hacks discovered in recent years. It is unfortunate that preventive measures are often adopted only after a crippling incident.
It is not only the hacks that threaten businesses throughout the world. Self-propagating malware is perhaps an even greater threat. The release of Eternalblue and Doublepulsar exploits from the NSA hacking toolset led to the worldwide Wannacry malware attack that took down several businesses. With an online presence becoming a necessity for even small businesses, malware creators have even greater incentives to launch attacks. As a result, businesses need to look into tightening their security policies before it is too late. With that in mind, let’s examine some important policies that businesses need to take into consideration in this regard.
Access control policy
Access control management is one of the most important policies that every business should implement. Knowing who should have access to what comes under this policy. This becomes even more important because the ‘human element’ is often from where the breaches occur. Social engineering is one of the biggest menaces businesses face today. Role-based access control is often employed in enterprises where various roles are required to have access to only the functionality that is relevant to their job.
Another important policy is single sign-on (SSO), which enables an employee to access all of their accounts (even third-party accounts) using only one username and password or key pair. This enables the system administrator to not expose direct credentials to systems and makes it possible to rotate passwords and keys periodically without depending upon the employees to do it themselves. Third-party authentication via SSO ensures that the credentials stay within the premises of the business. SSO is usually implemented using LDAP, but other authentication schemes like OAuth and OpenID Connect are also gaining ground.
Two-factor authentication policy
Illegal account access can almost be mitigated if all accounts are secured with two-factor authentication. It is important to note that SMS (text messaging) has been shown to be insecure in many cases. TOTP and HOTP are better alternatives for OTP-based two-factor authentication systems. Several applications that implement these schemes are available in the market. Another way to enable two-factor authentication is by using physical key cards like Yubikey, which can be programmed to enable various authentication schemes. Even internal email-based two-factor authentication is much better than not having any at all.
Periodic backups policy
Wannacry encrypted all the data on infected machines and deleted the key. Some security researchers managed to reconstruct the deleted key from memory, but this solution only works on older versions of Windows and even then not very often. For the ones who created periodic backups of their data, it was merely an inconvenience. But for others, it meant saying goodbye to that data forever. This is why automated, redundant, and periodic backups of all important documents and databases are a must. It is fairly easy to create backups to cheap cloud storage like Amazon S3.
Periodic security audit policy
For large businesses, it is advisable to have an in-house team that works only on security audits of all the systems. For smaller businesses, there are external auditors available for hire.
On-premises installation policy
Various external systems provide licenses for on-premises installation of their products. Enterprises are often particularly interested in this kind of arrangement because they don’t want their data to leave their territory. On-premises installations are not suitable for all businesses, especially the ones that operate on a small scale, because of the overhead of maintenance involved. It should only be considered when the system has critical information.
Automated updates policy
Microsoft released a security patch a few days before Wannacry started spreading. Those who applied that patch were not affected by the malware. Automated updates are an important step in that regard. It does not mean that the sysadmin needs to install all the available updates, just that they can install any updates on all the systems at once without having to manually configure anything. Tools like Puppet and Chef have provisions for rolling out such automated updates.
Incident reports policy
Incident reports come to the rescue in disaster management. Each business should make detailed policies about writing incident reports so that employees know how to handle a particular situation if it arises ever again. Over the course of time, a valuable repository of information builds up.
Bug bounty program policy
Bug bounty programs are a win-win for everyone. They allow a business to use the expertise of outsiders to point out flaws in their applications and also give an incentive to security researchers to hunt bugs. Several companies run bug bounty programs that include monetary prizes. Each business should have a bug bounty program policy and a responsible disclosure guideline for security researchers. This has been made even easier by platforms like Hackerone that bring both sides together.
Neglecting information security today is akin to keeping your data out in the open. If you are not actively protecting it, someone will somehow get access to it. It is safe to assume that businesses are under attack from malicious actors at all times today. It is up to them how they mitigate these attacks.