What has happened in the last couple of years is that breaking into systems has become both big business and international espionage. If you want a tour of this rabbit hole, I recommend Marc Goodman’s book, “Future Crimes.”
Perhaps as a result, hackers have gotten a lot more sophisticated. The consequence is that our former set of defenses, firewalls and anti-virus, are no longer doing a very good job. Firewalls aren’t helping because the bad guys are getting end users to let them in. Anti-virus isn’t working very well because it depends on recognizing the signatures of viruses and then quarantining them. Hackers have gotten very good at creating viruses with new signatures, then switching to yet newer ones when the old ones are identified. The same is true of patches, the name of the hacking game is to get in between the time a vulnerability is discovered and when it is patched.
What this means is that the old tools aren’t enough. What is to be done?
Comprehensive systems for information security management exist, such as ISO 27001 and its various components. The problem with these, however, is that they are labor intensive, require meaningful participation by top management and ask for a lot of policies, procedures and documentation. There are also a lot of things to worry about, if you’re being really thorough, enough to stop your being really thorough.
Also, since CGNET mostly serves nonprofits and foundations, most of whom have staffs of less than 100 and one or two IT people, only so many resources are available to address the problem. So what’s realistic? Here are my five suggestions:
- Keep doing what you’re doing, only do it better. There’s no point in giving up on anti-virus and firewalls, for example. They’re still much better than nothing. What you can do better is to make sure all your patches are up to date as soon as possible.
- Do an external vulnerability scan. It’s remarkable how many vulnerabilities always show up. Consultants are a good way to get this done.
- Educate your end users. Various sources estimate that between 60 and 90 percent of all break-ins are enabled by careless users. Make sure they are up to date on not downloading malware, phishing, malware from websites, scams, strong passwords, multifactor authentication, clean desk/clean screen and mobile device security. Try to persuade them to accept a little inconvenience to help you protect their network.
- Harden your endpoints. The Australian Signals Directorate, which is in charge of computer security for Australia, studied all the advanced persistent threat attacks they found and discovered that 85 percent of them could be avoided by doing only four things:
- Use application whitelisting to help prevent malicious software and unapproved programs from running
- Patch applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office
- Patch operating system vulnerabilities
- Restrict administrative privileges to operating systems and applications based on user duties.
Two of these, application whitelisting and restricting admin privileges, may incur the ire of end users. This is why the end user education to encourage understanding is so important.
Finally, number 5, do a risk assessment. After you’ve covered the basics, the rest depends on your particular situation. You need to look at your information assets and rank them on the severity of the consequences of their compromise and the probability that such compromise may occur. One you know what you need to protect, you can go through a list of controls like ISO 27000 or the Critical Security Controls and decide which to do next.