SC Infographic: How to be secure
Protecting a modern business is not easy. Our guide shows that even the best technology and tactics have limitations.
STAFF AND VISITORS
Iris scanning is performed at reception. All visitors wear RFID wristbands while in the building, which enable security to monitor their position at all times. They are automatically wiped on leaving the perimeter. All staff and contractors are given permanent ID dog tags. The cards also can be loaded with cash to purchase food and goods onsite.
A chief risk officer (CRO) reports directly to the board. Having someone responsible for overall risk assessment is commendable, but there can be a loophole between the facilities management and IT teams regarding building management systems (BMS), which are now being migrated on to IP networks, providing hackers with a backdoor to your systems and the ability to take control of the BMS itself. The CRO needs to address such gaps in security policy. A company-wide staff security training and awareness programme should be instigated by the CRO.
Barriers of any description are effective as they signal your commitment to security. However, this can have the effect of forcing an attacker to find other ways in. The next safest/easiest attack vector becomes the web-enabled attack. When your physical security is demonstrably improved, you run the risk of being subject to more attention from hackers.
Conducting e-commerce properly requires a secure server and communications channels. As with VPNs, SSL can be used to achieve this. It is essentially encryption at the transport layer and can be difficult, if not impossible, to crack. An attacker is unlikely to take on the "SSL challenge" but will gladly search out other routes.
Growing legislation and punitive industry-led initiatives such as PCI mean that all data and records must be perfectly in order when the auditors arrive. Secure storage and database systems have become paramount.
WEB CONTENT SECURITY SOFTWARE
Web filtering protects against threats such as spyware and phishing. It can also reduce the likelihood of breaching compliance frameworks, so P2P services and blogs can be blacklisted. The most obvious benefit is that employees can't access time-wasting sites or bandwidth-hungry services.
ID/ACCESS SECURITY MANAGEMENT
ID/access security management enables single sign-on. Any solution that amalgamates account directories, permissions, audit and administration is going to deliver ROI and win points with employees. Just make sure they don't leave those passwords lying around on post-it notes.
Gold dust to hackers, but protection can be provided in multiple ways: for the data, for queries and syntax. However, a database password can eventually be hacked and administration credentials used to access all other databases.
Firewalls can only perform to the commands they are given. These rule sets define how they handle information, and therefore how effective they are. Generally, too much access is given to a particular system, and the biggest problem tends to be default rules not being changed after install.
Wireless-enabled cafes can allow a hacker to place a Trojan horse to log on to the corporate network and then extract data over the air, or even over the wire, to the attacker's device.
VIRTUAL PRIVATE NETWORKS
The number one issue with VPNs is configuration. For example, SSL is only as strong as its cryptography, and some browsers and VPNs still support weaker ciphers. Adaptive profiles are a great way to address the balance between VPN security and functionality.
An ethically debatable overview of your employees or surveillance of sensitive areas such as server rooms. But hacked IP webcams enabling early alerts to intruders can also be used to orchestrate a social engineering attack or determine your security routines.
Darren has left his laptop in his car, which is then broken into. Laptop theft remains a significant issue, but provided the drive and all data is encrypted you should be safe.
- Technical advice and support for this feature was provided by Ken Munro of SecureTest.