Networks need regular cleaning just like your home, car or garage. Why? The answer is simple: poor security hygiene leads to data breaches. If you don't regularly review your network, weaknesses and vulnerabilities stack up. As spring cleaning season arrives, now is as good a time as any for IT administrators and security professionals to catch up on yearly security maintenance.
Here are several tasks that should be completed once a year to refresh and revitalize any organization’s security posture:
1. Review third-party access and policies
Network admins and IT staff should have a formal process for reviewing and removing the access and credentials they have issued to contractors and third parties, but a few of these always seem to slip through the cracks.
At least once per year, review which contractors and third-party services have access to your network or VPN, remove any that are no longer needed, and make sure the ones that remain are locked down to exactly what they require. For example, if you set up a temporary account giving a consultant privileged access but forgot to remove it when their contract ended, you are leaving a standing weakness in your organization's security. Apply the principle of least privilege wherever possible: grant only the access the engagement actually needs, and give every third-party account an expiry date so that removal does not depend on someone remembering.
This also applies to firewall policies. Many administrators add temporary policies for legitimate reasons and then forget to remove them. For instance, if a contractor needs to transfer files regularly with colleagues at their headquarters, IT might spin up a temporary FTP server and add a firewall policy allowing the contractor to reach it from outside. A month later, the administrator has forgotten about both the FTP server and the policy. Six months later, the forgotten server, still exposed to the Internet and unpatched, is vulnerable to several newly published exploits (and, being FTP, has been carrying credentials in cleartext the whole time).
The good news is that many firewalls and UTMs keep a hit counter and a last-used timestamp for each policy, so you can see which rules match traffic regularly and which have not matched anything in weeks or months. Those counters let administrators quickly identify and purge outdated policies: a rule with no hits is a candidate for removal, and a rule with hits but no identifiable business owner is a candidate for investigation.
2. Take inventory of network upgrades
As your network grows, your technical security controls need to grow with it. Once a year, look at how the network has changed and assess whether your current security hardware and software are still adequate. As employees bring in more IoT devices such as fitness trackers, and as connected lightbulbs and IoT sensors make their way into the office, they add endpoints that cannot run a security agent and so must be covered by network-side controls instead.
As network speeds increase, firewall appliances need enough processing capacity to handle the larger traffic volume while still running all of their security scans. A five-year-old UTM is unlikely to inspect the amount of HTTPS traffic on today's networks (decrypting TLS for inspection costs far more than scanning cleartext) without slowing the network down or skipping security services. Make sure your network isn't outgrowing its security controls.
3. Test a new phishing baseline
Just about every company should be conducting regular phishing awareness training for all employees. Once a year, run a company-wide simulated phishing test to establish a baseline: what fraction of employees recognize the message, how many click the link or submit credentials, and how many report it. This tells you whether the training is paying off and where to focus in the coming year.
Also, consider ways you can augment or improve your phishing training program. Does it teach employees how to identify the latest spear-phishing threats? Will they be able to identify a fake bank login page if they see one? Does your training tool give immediate feedback when users click a malicious link? Keep your employees well-trained and they will be your greatest security asset.
4. Catch up on irregular patching
Infosec and IT professionals should already have a regular monthly patch cycle for ordinary desktops and servers, but every network has a few problematic servers or devices that do not get patched regularly. Perhaps these are legacy servers running old operating systems for a custom application, or a collection of Internet of Things (IoT) devices that are not updated automatically. Whatever the case, take inventory of them once per year. Check the firmware on every hardware device against the vendor's current release and bring it up to date, and make a plan to replace any dangerously old servers still hanging around (until they are replaced, isolate them on their own network segment so a compromise cannot spread).
Remember that vulnerability and patch management software does not always know about your IoT devices, which make up a larger and larger share of many businesses' endpoints. Yearly or twice-yearly check-ins are a good way to ensure these devices are not forgotten.
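The inventory check described above is easy to get wrong by hand, mostly because firmware versions do not compare as strings ("1.0.9" sorts after "1.0.10"). The script below is an added example written for this article, not vendor code: it reads a constructed device inventory, compares each firmware version numerically against a table of current vendor releases (which you would compile from release notes before the review), and triages every device as outdated, end-of-life, unknown or current. The CSV columns, model names and the release table are all assumptions.

```python
"""Yearly review of devices that fall outside the monthly patch cycle.

Added example for this article, not vendor code.  The inventory format, the
'latest firmware' table and every row are constructed assumptions."""
import csv
import io
import re
from datetime import date

# Fixed review date so the sample results are reproducible.
REVIEW_DATE = date(2018, 3, 12)

# Constructed inventory of devices your patch-management tool does not cover.
INVENTORY_CSV = """device,vendor_model,firmware,last_updated
ap-lobby,acme-ap200,2.4.1,2016-08-10
cam-dock1,acme-cam10,1.0.9,2017-01-15
cam-dock2,acme-cam10,1.0.10,2018-02-03
legacy-db,legacy-os,4.2,2013-05-01
printer-3f,acme-mfp,7.1,2017-11-20
"""

# Constructed table of current vendor releases; None marks end-of-life.
LATEST = {
    "acme-ap200": "2.5.0",
    "acme-cam10": "1.0.10",
    "legacy-os": None,
}


def version_key(text):
    """Turn '1.0.10' into (1, 0, 10) so releases compare numerically.
    Comparing the raw strings gets this wrong: '1.0.9' > '1.0.10' as text."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def review_inventory(csv_text, latest, today):
    """Return (device, status, detail) triples.  Status is one of
    'outdated' (firmware behind the vendor's current release),
    'end-of-life' (no more vendor updates: plan replacement),
    'unknown' (model missing from the table: verify support) or 'current'."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        device, model, fw = row["device"], row["vendor_model"], row["firmware"]
        age = (today - date.fromisoformat(row["last_updated"])).days
        if model not in latest:
            results.append((device, "unknown", f"{model} not in vendor table; verify support status"))
        elif latest[model] is None:
            results.append((device, "end-of-life", f"{age} days since last change; plan replacement"))
        elif version_key(fw) < version_key(latest[model]):
            results.append((device, "outdated", f"{fw} -> {latest[model]}, last updated {age} days ago"))
        else:
            results.append((device, "current", f"{fw} is the latest release"))
    return results


if __name__ == "__main__":
    for device, status, detail in review_inventory(INVENTORY_CSV, LATEST, REVIEW_DATE):
        print(f"{device:12} {status:12} {detail}")
```

The "last updated" age is carried into the detail string so that, among several outdated devices, the ones nobody has touched for years rise to the top of the replacement list. Anything reported as unknown means the inventory has a device the review table does not, which is itself a finding: either the device was never recorded or its vendor was never checked.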
5. Change passwords and consider MFA solutions
Strong passwords (long, random strings that are unique to each account) do not need to be changed on a schedule, though any credential you suspect has been exposed should be changed immediately. Setting aside time each year to review and update your organization's password practices is still an excellent idea.
This year, encourage employees to use password managers and multi-factor authentication. Password managers make it easy to generate and change unique passwords, and some can change a password automatically on sites that support it. Also, if your organization does not have a company-wide multi-factor authentication solution in place, consider investing in one.
The number of data breaches caused by stolen or weak passwords continues to grow, and adding MFA is one of the most effective ways to reduce that risk. Many newer cloud-based MFA services are significantly more affordable than the hardware key fobs of the past and are now viable options for mid-market and small companies.
Use that newfound energy you get from these longer days and better weather to do some security spring cleaning. If you follow these five best practices, your organization’s security posture will be in much better shape for the rest of the year!
Author: Marc Laliberte, Sr. Security Researcher, WatchGuard