By Philip Alexander, CEO, Data Privacy Network
CISSP, ISSMP, CHFI, MCSE, MCT
Large companies have scores of data security professionals working for them: a staff dedicated to managing the data security program. Small to medium sized companies have similar data security needs. The challenge, of course, is that they are not in a position to employ scores of dedicated personnel to manage their security program. They need to make the most of the resources they do have to ensure an appropriate data security posture.
Areas of Opportunity
Most companies can achieve a much stronger security posture by focusing on the following areas:
- Proper use of assets (hardware and software) that you already have
- Proper training for support engineers
- Increase security awareness for employees and management
Let’s look at these areas one at a time.
Proper use of assets (hardware/software)
You have firewalls; are they properly configured? Properly written firewall rules should be as granular as possible, allowing only the access that is required while blocking everything else. Firewall rules that are overly broad provide unnecessary access and put your network at risk. The last rule in any firewall should always be Deny All: whatever is not expressly approved is denied.
Another tip is to block streaming audio and video, which at a technical level means blocking UDP. Streaming audio and video consume a lot of network bandwidth. By blocking UDP, your business-critical applications will work faster, because they are no longer competing for bandwidth with streaming music and videos.
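The following is an added example, not code from the article or from Data Privacy Network, showing the default-deny approach above on the Windows Defender Firewall of a workstation, with a handful of granular allow rules and a check for rules that are too broad. The addresses, subnet and rule names are assumed values for a hypothetical small office; run it from an elevated prompt, and try it on one test machine before rolling it out.

```powershell
# Added example (not from the article): a default-deny Windows Defender Firewall
# profile with a few granular allow rules. Addresses and ports are assumed
# placeholders for a hypothetical small office; run from an elevated prompt.

$DnsServers = '10.0.0.10', '10.0.0.11'   # assumed internal resolvers / domain controllers
$FileServer = '10.0.0.20'                # assumed file server
$MgmtSubnet = '10.0.1.0/24'              # assumed IT support subnet

function Set-DefaultDenyProfile {
    # "Deny All" as the last rule: anything no explicit rule allows is dropped,
    # in both directions, on every profile.
    Set-NetFirewallProfile -Profile Domain, Private, Public `
        -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block
}

function Add-GranularAllowRules {
    # Each rule names a protocol, a port and, where possible, a remote address.
    # DNS and NTP also run over UDP, so they are allowed explicitly; otherwise a
    # blanket UDP block would break name resolution and time sync.
    New-NetFirewallRule -DisplayName 'Allow DNS to internal resolvers' -Direction Outbound `
        -Protocol UDP -RemotePort 53 -RemoteAddress $DnsServers -Action Allow
    New-NetFirewallRule -DisplayName 'Allow NTP to domain controllers' -Direction Outbound `
        -Protocol UDP -RemotePort 123 -RemoteAddress $DnsServers -Action Allow
    New-NetFirewallRule -DisplayName 'Allow web browsing' -Direction Outbound `
        -Protocol TCP -RemotePort 80, 443 -Action Allow
    New-NetFirewallRule -DisplayName 'Allow SMB to file server' -Direction Outbound `
        -Protocol TCP -RemotePort 445 -RemoteAddress $FileServer -Action Allow
    New-NetFirewallRule -DisplayName 'Allow RDP from IT support only' -Direction Inbound `
        -Protocol TCP -LocalPort 3389 -RemoteAddress $MgmtSubnet -Action Allow
    # Streaming audio/video over UDP matches none of the above, so the
    # default outbound Block drops it without a dedicated rule.
}

function Get-OverlyBroadRules {
    # The check: enabled Allow rules with "Any" remote address and "Any" ports
    # are the "gaping holes" worth reviewing.
    Get-NetFirewallRule -Enabled True -Action Allow | ForEach-Object {
        $rule = $_
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        if ($addr.RemoteAddress -eq 'Any' -and $port.RemotePort -eq 'Any' -and $port.LocalPort -eq 'Any') {
            [pscustomobject]@{
                Name      = $rule.DisplayName
                Direction = $rule.Direction
                Protocol  = $port.Protocol
            }
        }
    }
}

Set-DefaultDenyProfile
Add-GranularAllowRules
Get-OverlyBroadRules | Format-Table -AutoSize
```

The audit at the end will also list Windows' own built-in rules; that list is the starting point for the review the article recommends, since each entry is a rule that lets traffic through regardless of address or port.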
The vast majority of networks use Microsoft Windows, and thus also use Microsoft’s Active Directory. I strongly recommend making your end-user accounts domain accounts, as opposed to giving users local accounts on their workstations. This allows your support staff to manage numerous aspects of user accounts at a centralized (domain) level: password complexity, account lockout after failed login attempts, password re-use and more, rather than logging in to each employee workstation one at a time. It provides consistency and is a great time saver.
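As an added example (not code from the article or its author), here is how the domain-level settings just mentioned are set and verified with the ActiveDirectory PowerShell module on a domain controller. The thresholds are assumed values, not a recommendation from the article; substitute your own policy.

```powershell
# Added example (not from the article): set and verify the domain-wide password
# and lockout policy, then list accounts that bypass it. Thresholds are assumed.
Import-Module ActiveDirectory

$Domain = (Get-ADDomain).DNSRoot

function Set-DomainAccountPolicy {
    $policy = @{
        Identity                    = $Domain
        ComplexityEnabled           = $true
        MinPasswordLength           = 14
        PasswordHistoryCount        = 24                          # no re-use of the last 24
        MinPasswordAge              = (New-TimeSpan -Days 1)      # stops cycling through history
        MaxPasswordAge              = (New-TimeSpan -Days 365)
        LockoutThreshold            = 10                          # failed logins before lockout
        LockoutDuration             = (New-TimeSpan -Minutes 30)
        LockoutObservationWindow    = (New-TimeSpan -Minutes 30)  # must not exceed LockoutDuration
        ReversibleEncryptionEnabled = $false
    }
    Set-ADDefaultDomainPasswordPolicy @policy
}

function Test-DomainAccountPolicy {
    # Read the effective policy back and flag anything below the assumed bar.
    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    [pscustomobject]@{
        ComplexityOn      = $p.ComplexityEnabled
        MinLengthOk       = $p.MinPasswordLength -ge 14
        HistoryOk         = $p.PasswordHistoryCount -ge 24
        LockoutConfigured = $p.LockoutThreshold -gt 0
    }
}

function Get-PolicyExceptions {
    # Enabled users exempt from expiry, or flagged "password not required",
    # sidestep the domain policy and deserve a second look.
    Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordNeverExpires, PasswordNotRequired |
        Where-Object { $_.PasswordNeverExpires -or $_.PasswordNotRequired } |
        Select-Object SamAccountName, PasswordNeverExpires, PasswordNotRequired
}

Set-DomainAccountPolicy
Test-DomainAccountPolicy
Get-PolicyExceptions | Format-Table -AutoSize
```

Because the policy lives on the domain, every workstation that joins it inherits these settings; the same change on local accounts would have to be repeated machine by machine.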
Least Privileged Access
While on the topic of user accounts, the concept of least privileged access is a cornerstone of effective data security. End users do not need administrator rights to their workstations. In fact, there are several benefits to giving end users only ‘regular’ user rights to their workstations.
Their workstations will be more resistant to viruses and malware, since most malware requires an administrator account to be fully effective, or perhaps ‘destructive’ would be a better term.
By not having administrator rights, your end users won’t be able to install unapproved applications on their workstations. You don’t want your support staff wasting their time trying to fix issues caused by unapproved applications installed on work computers.
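Least privilege tends to erode one exception at a time, so the check below is an added example (not code from the article or its author) that audits the local Administrators group across a list of workstations and reports members outside an approved list. The computer names, domain name and approved groups are assumed values; PowerShell remoting is assumed to be enabled, and Get-LocalGroupMember requires Windows 10 / Server 2016 or later.

```powershell
# Added example (not from the article): find, and optionally remove, members of
# the local Administrators group that are not on an approved list.
# Workstation names, domain and approved groups are assumed values.

$Workstations = 'WS01', 'WS02', 'WS03'
$Approved = @(
    'CONTOSO\Domain Admins',       # assumed domain; adjust to yours
    'CONTOSO\Workstation Admins'   # assumed support-staff group
)

function Get-UnapprovedLocalAdmins {
    param([string[]]$ComputerName, [string[]]$ApprovedMembers)

    # Get-LocalGroupMember runs on each workstation via PowerShell remoting.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators'
    } | ForEach-Object {
        $member = $_
        # The built-in local Administrator account shows as <COMPUTER>\Administrator.
        $isBuiltIn = $member.Name -eq "$($member.PSComputerName)\Administrator"
        if (-not $isBuiltIn -and $member.Name -notin $ApprovedMembers) {
            [pscustomobject]@{
                Computer = $member.PSComputerName
                Member   = $member.Name
                Source   = $member.PrincipalSource   # Local or ActiveDirectory
            }
        }
    }
}

function Remove-UnapprovedLocalAdmins {
    param([psobject[]]$Findings, [switch]$Commit)
    foreach ($f in $Findings) {
        Invoke-Command -ComputerName $f.Computer -ScriptBlock {
            param($Member, $Commit)
            # Without -Commit this runs with -WhatIf and only reports what it would do.
            Remove-LocalGroupMember -Group 'Administrators' -Member $Member -WhatIf:(-not $Commit)
        } -ArgumentList $f.Member, $Commit.IsPresent
    }
}

$findings = Get-UnapprovedLocalAdmins -ComputerName $Workstations -ApprovedMembers $Approved
$findings | Format-Table -AutoSize
Remove-UnapprovedLocalAdmins -Findings $findings   # add -Commit to apply the removals
```

On a domain, the Restricted Groups setting in Group Policy can enforce the approved membership so it cannot drift; the script is the spot check that tells you whether it has.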
Data Loss Prevention
If you don’t want your employees copying sensitive data to thumb drives, you can simply block it; it has been a configuration setting native to the Windows operating system for several years now. Your employees will still be able to charge their smart phones from the USB port, but won’t be able to copy data to or from a thumb drive.
Note that none of the above suggestions entail purchasing additional equipment or software. By properly using assets you already have, your network will be more secure, more responsive, and easier for your engineers to maintain. Done properly, data security can be elegant.
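The native Windows setting referred to above is the "Removable Storage Access" group of policies. As an added example (not code from the article or its author), the script below writes the registry values that back the "Removable Disks: Deny read/write/execute access" policies on a single workstation and then verifies them; thumb drives are the Removable Disks class, while a phone attached as a media (WPD/MTP) device is a different class and keeps charging. Run it elevated; in a domain, set the same policy once in a GPO instead.

```powershell
# Added example (not from the article): block reading from and writing to
# removable disks (thumb drives) on a workstation through the registry values
# behind the Group Policy "Removable Storage Access" settings. Run elevated.

# Policy key for the "Removable Disks" device class.
$RemovableDisks = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Disable-RemovableDiskAccess {
    # Equivalent of Computer Configuration > Administrative Templates > System >
    # Removable Storage Access > "Removable Disks: Deny read / write / execute access".
    New-Item -Path $RemovableDisks -Force | Out-Null
    Set-ItemProperty -Path $RemovableDisks -Name Deny_Read    -Value 1 -Type DWord
    Set-ItemProperty -Path $RemovableDisks -Name Deny_Write   -Value 1 -Type DWord
    Set-ItemProperty -Path $RemovableDisks -Name Deny_Execute -Value 1 -Type DWord
    # Blunter alternative: disable the USB mass-storage driver outright with
    #   Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR -Name Start -Value 4
    # which stops every USB disk, approved or not, from being mounted at all.
}

function Test-RemovableDiskAccess {
    # Returns $true only when all three deny flags are present and set.
    if (-not (Test-Path $RemovableDisks)) { return $false }
    $p = Get-ItemProperty -Path $RemovableDisks
    ($p.Deny_Read -eq 1) -and ($p.Deny_Write -eq 1) -and ($p.Deny_Execute -eq 1)
}

Disable-RemovableDiskAccess
if (Test-RemovableDiskAccess) {
    'Removable disk access is blocked on this machine.'
} else {
    'Policy values missing; check that the prompt is elevated.'
}
```

Test-RemovableDiskAccess is the piece worth keeping around: run it from a login script or your monitoring tool and any workstation where the values have been removed shows up as a finding rather than a surprise.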
Proper training for support engineers
In the data security profession there is a term, C-I-A, which in this context stands for Confidentiality, Integrity, Availability: is your data available when needed (availability), is it accurate (integrity), and can it only be accessed by those with a legitimate business need (confidentiality)?
An unfortunate truth is that most engineering classes focus primarily on availability. So, if an engineer wants to make sure customers can access an application that’s behind a firewall, they can simply write a rule that opens a huge gaping hole in it. So while the application is available to the customer, the entire network is at risk because the firewall is no longer functioning as a firewall.
Part of any effective security program needs to include proper training for your engineers. There are a lot of excellent training courses available. What is most appropriate for your company may well depend on the specific technologies you’re using. With that said, CISSP training by (ISC)2 provides an excellent overview of many different facets of data security.
Increase security awareness for employees and management
In order to have an effective data security program, there needs to be executive support; data security cannot come only from the bottom up. Make the protection of your sensitive data part of your business culture. If protecting your electronic assets is only the security guy’s job, you’re looking for trouble. Whether it’s your client list, your business plan, your personnel files, or credit card data from electronic payments, protecting sensitive data means protecting your company. That is everybody’s job.
About Philip Alexander:
Hackers, thieves and predators; you’ve been forewarned. Philip Alexander might appear to be a mild-mannered professional and father, but inside burns the heart of a data security ninja.
CEO, consultant, author, speaker, entrepreneur and husband & father, Philip Alexander’s passion for securing proprietary data first ignited during his 6-year stint in the U.S. Army. The culture he absorbed protecting classified data stuck – and later he transferred those skills across the private and public sectors. Spanning two decades, he honed his craft, serving in the financial and wireless technology industries and also at the Arizona Department of Transportation.
Distilling his expertise and passion, Philip launched Data Privacy Network to empower business owners, entrepreneurs and non-profits to protect intellectual property and sensitive data. Since technology never remains static, neither does Philip. He adapts to emerging trends by logging continuous hours of training and certification, including: CISSP (Certified Information Systems Security Professional); ISSMP (Information Systems Security Management Professional); CHFI (Certified Hacking Forensic Investigator); MCSE (Microsoft Certified Systems Engineer); and MCT (Microsoft Certified Trainer).
On a mission to raise awareness about the perils of unsecured data and the dangers of online predators, Philip has authored three books and numerous articles on the topics. He writes a popular blog, and expresses his zeal as the nation’s data security evangelist, speaking to business and parenting groups. He’s enjoyed guest spots on Good Morning Arizona’s T.V. broadcast, and on radio show host Steven Pomeraz’s On the Money, which appears on NPR. Visit http://www.dataprivacynetwork.com/ to learn more.