Training Patching and Security Updates
Access Control Policies
Remote Access Policies
Answer: Gaining Access
Password Policies: Passwords are a critical defensive tool, but bad passwords might not protect anything. Passwords should be long: different organizations recommend different minimum lengths, but most will agree that twelve characters is a decent minimum. Passwords should be unique: if one of your accounts is compromised and you use the same password everywhere, all of your accounts have potentially been compromised. Strong password policies can be a bit inconvenient, but they offer far more in security.
Account Lockout: One of the most common ways that hackers navigate through networks is by using compromised accounts. When suspicious activity is logged on an account, that account can be deactivated, frustrating the hacker’s attempts. It can be inconvenient to the user in the event of a false alarm, but if an account lockout prevents a major breach, it’s worth it.
Anti-Spam: Nobody likes receiving spam, and I’m not talking about the canned meat. Spam isn’t just annoying: spam can contain attachments or links to malware that can infect your device. Anti-spam techniques aim to filter out as much spam as possible. However, anti-spam is not perfect, and can accidentally flag real emails as spam. Some sites or domains are known sources of spam, and can be blocked. The actual content of the emails can also be scanned for suspicious wordage which may indicate that it is spam.
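The two anti-spam checks described above (blocking known spam domains and scanning content for suspicious wording) can be sketched as follows. This is an added example, not code from the original page; the domains, phrases, weights and threshold are constructed assumptions, and the third sample shows a legitimate email being flagged by mistake.

```python
import re

# Constructed, illustrative data: not from the page or any real blocklist.
BLOCKED_DOMAINS = {"bulk-offers.example", "prize-center.example"}
SUSPICIOUS_PHRASES = {  # phrase -> weight (assumed values)
    "verify your account": 3,
    "urgent": 2,
    "click here": 2,
    "free": 1,
}
SPAM_THRESHOLD = 4  # assumed cut-off; lower catches more spam, flags more real mail


def classify(sender, subject, body):
    """Return (verdict, reasons); verdict is 'blocked', 'spam' or 'ham'."""
    domain = sender.rsplit("@", 1)[-1].strip().lower()
    # Check 1: known spam source (the domain itself or any subdomain of it).
    for blocked in BLOCKED_DOMAINS:
        if domain == blocked or domain.endswith("." + blocked):
            return "blocked", ["sender domain " + blocked]
    # Check 2: score suspicious wording, matching whole words only so that
    # "free" does not fire on "freedom".
    text = re.sub(r"\s+", " ", (subject + " " + body).lower())
    hits = [p for p in SUSPICIOUS_PHRASES
            if re.search(r"\b" + re.escape(p) + r"\b", text)]
    score = sum(SUSPICIOUS_PHRASES[p] for p in hits)
    return ("spam" if score >= SPAM_THRESHOLD else "ham"), hits


# Constructed sample messages: (sender, subject, body).
SAMPLES = [
    ("promo@mail.bulk-offers.example", "Hello", "Nothing suspicious here."),
    ("support@unknown-shop.example", "URGENT: verify your account",
     "Click here to keep access."),
    # Legitimate internal notice that still crosses the threshold: a false positive.
    ("it-helpdesk@corp.example", "Urgent: password expiry",
     "Click here to open the self-service portal."),
    ("alice@corp.example", "Lunch", "Free on Thursday?"),
]


def run_samples():
    """Classify every sample and return the list of verdicts."""
    return [classify(*msg)[0] for msg in SAMPLES]


if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg[0], "->", classify(*msg))
```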
Mantraps: A common social engineering technique is piggy-backing: following a user through a security door and going through before the door is closed. Mantraps are the security solution to this: a mantrap is a small space between two security doors which traps the person entering the space until they authenticate their identity. After the person enters the first security door, it will close behind them, trapping them in until they use their key to open the second door. The walls are usually see-through or glass: if someone gets stuck in a mantrap, it’s going to be obvious to everyone around.
Multi-Factor Authentication: Passwords are just one way to verify a user’s identity. Authentication can be broken down into three categories: something you know, something you have, and something you are. Passwords are an example of something you know. Keycards and phones are an example of something you have. Your fingerprints are an example of something you are. By combining different methods of authentication, account security increases exponentially.
Vulnerability Assessments: Vulnerability assessments are all about identifying and understanding the risks in a system. The more important the system, the more important it is to perform a vulnerability assessment. Consider a power plant: consider how many people rely on that power plant’s systems for power. A vulnerability assessment would involve figuring out all the things that could go wrong in that power plant, and all the different consequences that could happen as a result of those risks. Once risks have been identified, quantified, and prioritized, it is time to implement security controls to manage those risks.
User Awareness Training: One of the most common ways that hackers gain access to a system is through mistakes made by uninformed users. Every year, countless employees fall for social engineering techniques, such as phishing emails, and download malware onto their system. By training users to be aware of common pitfalls and tactics used by hackers, the risks of getting owned can be drastically reduced.
Patching and Security Updates: Software needs to be updated, and when it is updated, there are usually update notes included called patch notes. Patch notes often include security updates about the vulnerabilities that were fixed, which can indicate to hackers that the software had a weakness to exploit. Suddenly, the software is a lot more risky for users who have not yet downloaded the new patch. Leaving your software unpatched leaves you open to major security risks. Update and patch software regularly.
Anti-Malware: There are many different types of malware including viruses, worms, trojans, spyware, adware, and more. The ideal anti-malware tool would be able to detect it all, perfectly, without ever generating a false positive or using up too many system resources. Unfortunately, the perfect anti-malware tool doesn’t exist, so we as users have to make do with what we’ve got. Most consumer antivirus uses signature-based detection to identify malware, which won’t work against new malware. Big companies have access to new anti-malware tools which utilize machine learning to identify malware patterns. In this way, never-before-seen malware can be detected and stopped before it does damage. The new cutting-edge machine-learning antivirus software tools are not perfect, but they are constantly improving.
Access Control Policies: It is important for a company to make sure that only authorized users are logging in and using their systems, and that each user has exactly the amount of power on those systems they need to do their jobs. Access control policies might include how user accounts are created, updated, and deleted. For example, if Bob, a system administrator, leaves the company, there should be a company policy that states that his account should be deactivated before the day he officially leaves the company.
Remote Access Policies: These days, more and more employees are telecommuting to work instead of driving down to the office. How do these users access the company network from home? Usually, they use a VPN, a virtual private network, which allows them to access the company network from home as if they were actually there.
However, a VPN raises immediate security questions: who can use the VPN, what users can do through a VPN, and how to prevent hackers from abusing the VPN. Remote access policies are meant to answer all these questions and define how the VPN is to be configured and used.