If you’re an infosec professional, you probably know a ton of security tips and best practices: use a firewall, update antivirus, patch regularly, adhere to the least privilege principle, don’t click unsolicited attachments, and so on. Chances are, you have already implemented most, if not all, of those important best practices.
However, in my experience there is another, smaller subset of InfoSec tips and practices that offer great security benefits, but which few people actually apply in real life. So here are my top five rarely-implemented security practices that I think you should reconsider:
1. Egress filter on your firewall. Everyone understands the primary purpose of firewalls. We use them to prevent external actors from accessing internal resources. In short, we tend to block all incoming traffic, unless it’s specifically to some asset we want to allow the public to access, like a Web or mail server.
However, you can also use your firewall to control your internal users’ access to the outside world, which is what we call egress filtering. Unfortunately, many of the organizations I’ve visited don’t egress filter. They allow their internal users full access to the Internet, regardless of the port, protocols, or applications with which the users connect. To egress filter, you start by blocking all external access by default. Then you slowly add policies to allow the specific types of external communication to which you want users to have access, such as DNS, the Web, Skype, FTP, etc.
Egress filtering realizes the benefits of the least privilege principle. There is no reason your users should have access to things that aren’t specifically necessary for your organization to do business. More importantly, egress filtering can limit what attackers can do if they are able to gain access to one of your computers. Malware and Trojans often communicate on non-standard ports and attackers can use protocols like TFTP, SSH, or telnet—which your users may not need—to grab more malicious files. If you are egress filtering, you will block these communications, making it a bit more difficult for attackers to get out.
So if egress filtering is so useful, why don’t people do it? My simple guess is because it’s difficult at first. When you start egress filtering, you will surely get a handful of helpdesk calls. Even if you do a good job of creating policies for what you think your users need, you’ll probably miss some network communications and applications you didn’t know your employees used. While it may seem like a temporary hurdle for you to discover and add these additional policies, it actually gives you the opportunity to make a business decision on whether or not that communication is necessary.
2. Encrypt sensitive email. This one seems like such a no-brainer, and yet so many organizations send sensitive emails — some containing confidential documents — over the Internet without encryption.
I’m sure everyone in the InfoSec industry understands SMTP traffic is completely clear text, unless you take specific measures to encrypt it. There are a number of functional and good cryptography standards or products that allow us to encrypt email, such as S/MIME, TLS, Pretty Good Privacy (PGP) and many proprietary options.
So what’s the problem? It’s two-fold. First, until the industry as a whole agrees on one standard, email encryption will never be widespread. Second, it needs to be easy to use. Personally, I think it comes down to the “it’s hard” problem again. PGP has been around for ages, and works well if you know how to use it, but few people do. However, with the NSA and other government bodies snooping on our communications, and easier Web-based email encryption options popping up on the market, more organizations may start taking email encryption seriously.
While we’re talking about good email encryption practices that no one follows, here is an extra one for you. If you use PGP, validate the public key fingerprint manually, before accepting it. Just because John Smith sends you a public key that seems to match his email address, doesn’t mean it’s the key he actually generated. Unless you call him or contact him through some back channel to validate the proper fingerprint to match that key, you don’t really know it’s him.
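To show why the fingerprint check matters, here is an added example (not from the original post) that computes an OpenPGP v4 fingerprint from the key material of a public key packet, per RFC 4880 section 12.2, and compares it against the fingerprint you confirmed over a back channel. The key values and creation time are constructed toy numbers, not a real key; the point is that the fingerprint depends only on the key material, never on the name or email in the user ID, so a substituted key with a matching “John Smith” identity still fails the comparison.

```python
import hashlib
import hmac
import struct


def mpi(value):
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    bitlen = value.bit_length()
    return struct.pack(">H", bitlen) + value.to_bytes((bitlen + 7) // 8, "big")


def v4_fingerprint(created, n, e):
    """SHA-1 over 0x99, 2-byte body length, and the v4 RSA public key packet body."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)  # 0x01 = RSA
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def normalize(fp):
    """Drop the spaces or colons people add when reading a fingerprint aloud."""
    return "".join(ch for ch in fp if ch.isalnum()).upper()


def fingerprint_matches(received_key_fp, out_of_band_fp):
    """True only if the received key's fingerprint equals the one confirmed by phone/in person."""
    return hmac.compare_digest(normalize(received_key_fp), normalize(out_of_band_fp))


# Constructed sample keys (toy-sized numbers, not real RSA keys).
# Both would carry the same user ID "John Smith <john@example.com>"; it plays no part here.
GENUINE_KEY = dict(created=1400000000, n=0xC3A5C85C97CB3127B43F0C7C5E0D3F71, e=65537)
SUBSTITUTE_KEY = dict(created=1400000000, n=0xD1F8E2B93A77C4E0915B6A0F2CD3E8A9, e=65537)

# What John reads to you over the phone: the genuine fingerprint, grouped in blocks of four.
fp = v4_fingerprint(**GENUINE_KEY)
PHONE_FINGERPRINT = " ".join(fp[i:i + 4] for i in range(0, 40, 4))


def check_received_key(key):
    """Decision you make before importing a key someone emailed you."""
    return fingerprint_matches(v4_fingerprint(**key), PHONE_FINGERPRINT)
```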
3. Use a different password everywhere. Security professionals like me have been giving this advice very regularly lately, but I still believe only a fraction of normal users actually implement it. You should have a different password for every web site or organization you log in to.
The logic for this advice is simple. One day, an attacker will get one of your passwords, either through sniffing, key logging, or a breach on some organization, as we’ve seen happen so often recently. If you use the same password everywhere, then that one password leak gives the attacker access to every resource you visit. If you use a different password everywhere, the attacker can only use that password for one thing.
In this case, I understand why average users don’t follow this tip. It’s just not humanly possible to do it well, without some sort of automated help. It’s already difficult for humans to make up and remember strong passwords that are ideally long, complex and somewhat random. So to then ask them to remember tens if not hundreds of strong passwords is not going to happen if they have to rely on their memory alone.
The good news is, they don’t have to rely on their memory. Over the past few years, password vaults have become readily available and are quite effective. They make it very easy for you to use different, long and totally random passwords at every site you visit. They even make it easy for those passwords to get used across multiple platforms and devices. So this tip is really twofold. That is, it’s time for users to start using different passwords everywhere and setting up a password vault is the best way to make this a reality.
4. Segment your internal network by role. Our networks tend to have a hard crunchy shell, but a soft and gooey center. We use perimeter devices to block out the outside world, but do little to restrict internal users or groups from accessing each other. This needs to change!
All modern network-security appliances allow you to segment internal networks from one another and monitor traffic going from one user to another. If you take the time to segment your internal network by department or employee role, you can then write policy that prevents certain internal users from accessing certain internal resources. For instance, if Target did more to segment their POS devices from other internal users or servers, attackers may not have been able to use the partner portal as a foothold to infect the POS devices. Forrester Research calls this the Zero Trust model and more organizations should adopt it.
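Tips 1 and 4 are really the same policy idea applied at two boundaries: deny everything by default, then allow only the specific flows the business needs. The following added example (mine, not the author’s, and not any vendor’s rule syntax) models that as a default-deny policy with role-based zones and runs a handful of constructed flow records through it. The zone addressing, the allowed protocols and the sample flows are all assumptions made up for the illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed internal zones, segmented by role (addresses are made up for the example).
ZONES = {
    "users": ipaddress.ip_network("10.10.0.0/16"),    # employee workstations
    "pos": ipaddress.ip_network("10.20.0.0/24"),      # point-of-sale devices
    "servers": ipaddress.ip_network("10.30.0.0/24"),  # back-end servers
}

Rule = namedtuple("Rule", "src dst proto ports")

# Allow list only; anything that matches no rule is dropped (default deny).
ALLOW = [
    Rule("users", "internet", "udp", {53}),        # DNS
    Rule("users", "internet", "tcp", {80, 443}),   # the Web
    Rule("users", "internet", "tcp", {21}),        # FTP
    Rule("servers", "pos", "tcp", {443}),          # only the POS back-end may reach POS devices
]


def zone_of(ip):
    """Map an address to its role zone; anything outside the internal ranges is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def decide(src_ip, dst_ip, proto, dport):
    """Return 'allow' if some rule permits the flow, otherwise 'deny' (the default)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r in ALLOW:
        if (r.src, r.dst, r.proto) == (src, dst, proto) and dport in r.ports:
            return "allow"
    return "deny"


# Constructed sample flows as (src, dst, proto, dport); TFTP/SSH/telnet egress and a
# workstation reaching into the POS segment should all fall through to the default deny.
SAMPLE_FLOWS = [
    ("10.10.4.7", "203.0.113.10", "udp", 53),
    ("10.10.4.7", "203.0.113.10", "tcp", 443),
    ("10.10.4.7", "203.0.113.10", "udp", 69),   # TFTP
    ("10.10.4.7", "203.0.113.10", "tcp", 22),   # SSH
    ("10.10.4.7", "203.0.113.10", "tcp", 23),   # telnet
    ("10.10.4.7", "10.20.0.15", "tcp", 443),    # workstation -> POS device
    ("10.30.0.5", "10.20.0.15", "tcp", 443),    # back-end server -> POS device
]


def evaluate(flows=SAMPLE_FLOWS):
    """Pair each flow with the policy decision, e.g. for review or for feeding a log."""
    return [(flow, decide(*flow)) for flow in flows]
```

Running `evaluate()` shows that only the DNS, HTTPS and server-to-POS flows are allowed; every other sample flow is denied without needing an explicit block rule.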
5. Patch your hardware. I’m sure all administrators today realize software patching is a critical aspect of your information security policy (even if some still don’t patch everything as regularly as we think they should). However, despite the industry’s software patching adoption, I still see many organizations not patching their hardware nearly enough.
Today, we live in the Internet of Things (IoT). Whether it’s a printer, router, IP telephone, webcam, or game console, we have many devices in our organizations that don’t look like computers, but really are. These stealthy computers run embedded software, except we call it “firmware.” Firmware suffers from programmatic security vulnerabilities just like any other software. So you need to patch it.
Unfortunately, these devices are easy to forget, because they don’t look like traditional computers, or they are very important production devices (like routers), where uptime is critical. In those cases, many IT folks adopt the attitude of, “If it ain’t broke, don’t fix it.” The problem is, attackers are seeing the value in the IoT and are starting to target it. You need to take the time to patch hardware more regularly, even if it is an important production device.
Consider the health industry. It is extremely profitable because everyone wants a quick fix that makes his or her life easy. We all know that to stay fit and healthy we should choose foods carefully, not eat too much and exercise regularly. Yet, you don’t see thousands of fitness models walking the streets every day, since it actually takes significant work and effort to follow that good health advice.
These information security tips are the same. People don’t follow them because they take work and discipline to implement, yet doing so could give your network the security six-pack it needs to withstand the next cyber punch. If you’re not following any of the practices above, consider trying at least one this year.