How Secure is your Data?
Who owns security?Let’s start with a simple question: Who is responsible for security in your business?Not sure? Well, then it could be you…. Sweating yet? Even if it isn’t you, whatever your role, you have a part to play in keeping your business safe.
I should also be very clear. Security is not a "cloud thing". This is an "Internet/connected systems thing". In fact, as I’ve previously argued, I passionately believe a strong public cloud is one of the safest places for your data.
I see bad people
The world is a shady place. Get used to it - it’s only going to get worse as everything comes online and even your toaster becomes a potential hacking vector. The continuing stream of "hacks" that you’ve seen over the past 12 months will only get more prolific. In the past week, we’ve seen hits on BA, GitHub and Slack. Sony took an absolute beating on more than one occasion last year. Poor old Target gets wheeled out as the example of 'how not to do it' on a regular basis.
Groups like the Syrian Electronic Army and Lizard Squad have started to become household names (at least if you live in a household with people who work in IT...). They’re just the tip of the iceberg. Did you know Hacking as a Service is now a thing? And not even a thing you have to look very hard for? If not, have a browse here.
So, what’s the point of all this? Without sounding too much like a scaremongering American voiceover from a crime show: "They will come for you", you have got to be proactive. Hiding just isn’t an option.
I’m scared, what can I do?
- Two factor, two factor, for the love of god, two factor
Is that clear enough? It’s not enough to enable multi-factor authentication on just root accounts or "admin" accounts. Put it on all accounts used by humans. Imagine if just one account in your enterprise gets compromised - how much damage could be done?
The most common excuse I hear for not doing this is that there’s user training impact to consider. That’s correct, there is. But how much worse is the impact of your accounts getting compromised? Just do it. Please. Don’t just think about your ERP data being compromised, think about the damage done to your brand by a simple Twitter account being taken over. If your vendor won’t support MFA, then don’t buy from them. They probably keep your payment details in a Word document.
- Educate your users
Not just about how to use the MFA you’ve just enabled after reading my previous point, but about basic things like connecting to wifi points when in public. Do they just connect to any access point which says [Name of place]_FreeWIFI ? Probably.
I spoke to a client this week who had engaged a third party consultancy to try and test their users by sending dubious phishing emails. The results were due to be announced, including naming and shaming, at their annual meeting…..great idea.
- Independent reviews
Along the same lines, get someone independent to assess the architecture you’re using. The fact that something was secure when it was designed and built, does not make it so any more. Has someone opened up ports to the world since then?
Consider using a service like Nessus to check for common vulnerabilities, alongside some "human" driven penetration testing.
- Patch, patch, patch
Do you apply security patches to your operating systems and applications? How quickly?
What about end user machines and the client side apps they’re running?
As soon as the hacking community knows of a vulnerability, they will be out looking for people who haven’t patched their systems yet. Don’t let it be you.
- Policies, you love them
Ok, maybe you don’t. But you still need them and should implement them. As some simple, but effective examples, how about:
- actually changing your passwords
- enforcing a degree of password complexity
- rotating your private keys
- limiting system/network access by IP range or geographic location
- Backup securely
Make sure you’ve got encrypted backups. Make sure they’re held safely somewhere else, so that if your main accounts are compromised, you can still get your data back. Remember, some attacks aren’t about stealing data or just embarrassing you, they might actually try to put you out of business by deleting your data and your backups. Poor old Code Spaces found this out.
- Implement active threat management
At Cloudy Towers we’re fans of the offering from AlertLogic in this space. Whichever solution you decide to use, actively monitoring network traffic to identify incidents and vulnerabilities is something that anyone with public facing web apps cannot ignore.
Remember that many hacks will not be known for some time - once your system is compromised, the aforementioned bad people may well hang around for months observing and probing further to see how much havoc can be wreaked.
I could go on for some time, but in the interests of letting you eat your Easter eggs, I’ll stop there.
Feels like a summary would be useful
Ok, well here it is: Bad people want to damage your business. Don’t make it easy for them.
It’s easy to make security an afterthought - but the potential damage to your business of doing so is huge. What’s the worst IT problem you could face? It’s "data loss" isn’t it.
Remind me again - who is responsible for security in your business?
Want to find out more? Watch Cloudreach and AlertLogic's deep-dive cloud security webinar - check it out below: