21 Security advices I gave to a mid-sized firm
Many years ago, a mid-sized firm asked me for advice on how they could improve their IT security posture after they had encountered something unexpected. The challenge was that they had no in-house IT security expertise and no one dedicated to managing IT security. At the time, they were also starting to test the waters in AWS, which added new areas to protect.
Considering where they were at the time, I collected my thoughts and gave them some high-level suggestions based on my past experience and observations in the IT security industry. This high-level advice was not meant to be a detailed guidebook telling them what to do step by step, but to be educational and to shed light on the direction and the various areas they could explore, investigate, prioritize and implement. This would help them gradually improve their security posture in line with their own business priorities and limited IT security budget.
Here I recount the advice I provided, in the hope that it can serve as a reference for other organizations in a similar situation.
An experienced information security lead can help you improve your information security programs and security posture. With a clearly defined information security role and clearly assigned accountability, responsibility and authority, the information security lead will be able to set up security programs, provide guidance and advice, prioritize security improvements, review projects and new initiatives, safeguard your data and information systems, and give your executive team visibility into the current security state.
Information security frameworks such as ISO 27001/27002 and NIST 800-53 provide comprehensive guidance and best practices for information security programs.
Typical information security functions include Security Governance, Threat Risk Assessment/Management and Security Operations. Security Governance defines security strategy, creates security policies/procedures/standards, and oversees the security programs of the company.
Threat Risk Assessment and Risk Management helps the company assess and manage potential threats and risks associated with business activities.
Security Operations deals with day-to-day security tasks such as vulnerability management, incident handling, threat monitoring and alerting, identity and access management, etc.
Starting with those three basic security functions, the information security lead can help improve your overall security posture.
To ensure projects and initiatives have proper security controls and are following security best practices, they should be reviewed by the information security lead. Deficiencies and risks identified by the information security lead need to be well understood and remediated or mitigated. If the identified risks can’t be completely remediated, your management needs to be aware of it and make an informed decision based on the residual risk level and business needs.
The information security lead should be involved and informed at every stage of project development, so that they can ensure proper security controls are in place and insecure design or implementation is rectified at a very early stage, avoiding much bigger costs later on. Project teams can also proactively seek advice and guidance from the information security lead as projects move along.
One of the most important assets you need to protect is the data. Having a clear data classification standard defined can help everyone understand the type of data they are dealing with and what security controls are required based on the classification of the data. This will also make it easier for the information security lead to determine whether proper and sufficient security controls are put in place to protect the data or not.
Properly evaluating a potential vendor’s security posture goes a long way if your data or systems are accessed, processed, or managed by the vendor. Based on that assessment, you can decide what kind of services the vendor can provide without compromising your security interests.
Third-party environments should be carefully segregated from your own. This not only prevents a third party from impacting your environment, but also clearly defines the security boundary and the responsibility boundary between the third party and you.
Identity and Access Management is the foundation of secure access to your systems. Proper procedures and processes should be set up to onboard users to, and remove them from, your systems. When granting permissions, carefully review what is requested and apply the “least privilege” principle. User permissions should be reviewed, updated or revoked when a user changes job duties or leaves the company.
If possible, consider allowing your users to access cloud services only from your corporate public IP addresses. This significantly reduces the attack surface. Also consider enforcing multi-factor authentication wherever possible to further protect the accounts.
Consider setting up a log management system. Logs from critical systems should be incorporated into your log management system where they can be aggregated and monitored. Proper monitoring procedures, anomaly detection rules and alerting should be established to help you detect, investigate and react to security events of interest. Your staff should be assigned to investigate and react on the alerts and detected anomalies.
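As an added example (not from the original post) of the kind of detection rule the two preceding pieces of advice call for, the following Python reviews CloudTrail-style console login records and flags logins from outside the corporate IP range or without MFA. The corporate range and the log records are constructed for the example, and the field layout of the records is an assumption.

```python
import ipaddress

# Constructed corporate egress range (RFC 5737 documentation addresses, not a real network).
CORP_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]
# Constructed CloudTrail-style records, trimmed to the fields the checks use.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "userIdentity": {"userName": "alice"},
     "sourceIPAddress": "203.0.113.17", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"userName": "bob"},
     "sourceIPAddress": "203.0.113.42", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"userName": "carol"},
     "sourceIPAddress": "192.0.2.99", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"userName": "dave"},
     "sourceIPAddress": "192.0.2.7", "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "ListBuckets", "userIdentity": {"userName": "alice"},
     "sourceIPAddress": "203.0.113.17"},
]

def from_corporate_ip(addr: str) -> bool:
    """True if addr falls inside one of the corporate egress ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # e.g. "AWS Internal": not a client address, so not corporate
        return False
    return any(ip in net for net in CORP_EGRESS)

def login_findings(event: dict) -> list:
    """Rule names one ConsoleLogin event violates (empty list if clean or not a login)."""
    if event.get("eventName") != "ConsoleLogin":
        return []
    findings = []
    if not from_corporate_ip(event.get("sourceIPAddress", "")):
        findings.append("login_outside_corporate_ip")
    success = event.get("responseElements", {}).get("ConsoleLogin") == "Success"
    mfa = event.get("additionalEventData", {}).get("MFAUsed") == "Yes"
    if success and not mfa:  # only a successful login without MFA is the alert here
        findings.append("login_without_mfa")
    return findings

def review(events: list) -> dict:
    """Map each user with findings to the sorted, de-duplicated rules they tripped."""
    alerts = {}
    for ev in events:
        for rule in login_findings(ev):
            user = ev.get("userIdentity", {}).get("userName", "<unknown>")
            alerts.setdefault(user, set()).add(rule)
    return {user: sorted(rules) for user, rules in alerts.items()}
```

Running `review(SAMPLE_EVENTS)` reports bob (no MFA), carol and dave (outside the corporate range); alice's login and her non-login API call produce no alert.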
Network access control lists, next-generation firewalls, intrusion detection/prevention systems, web application firewalls, anti-malware protection, etc. should be carefully designed and placed. Systems should be properly hardened and patched.
Place proper access controls around the data that you need to protect. Encrypt the data both at rest and in transit where appropriate.
Establish an incident response and handling plan. What do you do when an incident happens? Who do you call? How do you isolate the compromised system? How do you investigate? How do you clean up and recover? Who do you report to? Do you need to bring in external help? Do you have their contact details?
Periodically test incident response and handling by simulating a security incident and verify its correctness and effectiveness.
Whether in a traditional data center or in the cloud, every server reachable from the public Internet is constantly scanned by malicious entities looking for vulnerabilities to exploit. It is therefore very important to establish a vulnerability scanning and management program. Once a vulnerability is reported by your scanner, it should be fixed quickly to avoid exploitation by attackers.
When you start to deploy custom applications for access from the public Internet, consider taking small steps. For example, make a small, less important application accessible from the Internet first, and use it to build up your security skills and test the effectiveness of your security controls and operations. Once those controls and operations are mature enough and you have full confidence in the effectiveness of the security controls and patterns deployed, you can gradually introduce more services into this public space.
If you plan to allow employees to access your web applications directly from anywhere on the Internet, rather than forcing them to connect through the corporate VPN, evaluate this carefully. Securing an Internet-reachable application requires much more effort than an internal-only one. This is not to say that nothing should be accessible from the public Internet; it is to suggest a risk-based approach that weighs the potential costs and rewards before deciding which applications should be reachable from the public Internet. For those applications where it makes absolute sense, take proper steps to ensure they are properly designed, tested, protected, hardened, monitored and segregated (firewalled off) from your systems that are not accessible from the public Internet. It is easier to protect 5 applications than 20. Similarly, it is easier to secure and control 5 entry points than 10. The fewer, the better.
Developing a secure web application is not an easy task. It requires knowledge, experience and diligence. Consider providing training to software developers on secure software development methodologies and techniques. One popular resource that most enterprises leverage is the Open Web Application Security Project (OWASP, https://www.owasp.org/index.php/Main_Page ).
Consider using security tools to scan future web applications before they are deployed. There are two commonly used types of software security scanning tools in the market: Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST).
SAST scans the application’s source code and generates a report of findings. DAST scans a running application instance and likewise generates a report of findings. Your development team can work with the information security lead to review the findings and develop fixes or a mitigation plan accordingly.
Consider having a well-established, reputable third party perform penetration tests on new applications, and on applications that have gone through major changes, if those applications are accessible from the public Internet. Your information security lead and development team should work with the penetration testers to review and understand the findings, develop a plan and remediate the issues in priority order. You should also confirm with the vendor that their penetration tests include both automated and manual testing, and cover web application security as well.
Consider having your Internet facing applications go through an annual penetration testing exercise, and subscribe to periodic online security scanning services offered by many security providers.
Consider setting up a security testing/auditing program to periodically verify the effectiveness of your security programs and security controls. This ensures that the security programs and security controls are continuously executed, measured and improved.