Fully Embracing the Responsibility of Information Security…Where to Start? 

April 16, 2018 Security

Securely protecting an organization’s network from unauthorized access while ensuring that the information or data within it is preserved can be a daunting task. Organizations that have not fully embraced the responsibility of information security across all of their lines of service often have difficulty knowing where to start. The following are key areas commonly found in an organization’s initial strategy for preparing for today’s information security threats.

Asset Discovery: What devices are out there, and who is connected to my network? The base of any assessment is to discover and catalog every endpoint currently connected to the networks within an organization’s edge; you cannot protect what you do not know is there. The following are baseline tools or activities for gathering that information, and each should be scheduled on a regular basis:

  • IP Address or Network Scan – regular scans of an organization’s network should be done weekly until a baseline inventory of devices is established; after that, each scan is compared against the baseline to spot devices that have appeared or disappeared.
  • Nmap Scan – monthly scans using Nmap are the next level of asset cataloging (Nmap identifies open ports, services and, where possible, operating systems, not just live addresses) and part of a base security assessment strategy. More information can be found at Nmap’s website: www.nmap.org
  • DHCP Audit – monthly audits of an organization’s DHCP scopes and reserved addresses are a crucial part of ensuring that IP address allocation records are accurate; reservations should be reconciled against the scan results so that stale or unexpected entries are caught.
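The three activities above (network scan, Nmap scan, DHCP audit) come together as one recurring check: take the live hosts Nmap reports, compare them against the approved inventory, and compare the DHCP reservations against what actually answered. The script below is an added example, not code from the original article; the scan output, the baseline list and the reservation list are constructed sample data (in practice the scan file comes from `nmap -sn -oG scan.gnmap <network>`), and the 192.168.1.0/24 addresses and host names are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: reconcile an Nmap ping sweep (-oG grepable output) against an
# approved inventory and a DHCP reservation list. All input files below are
# constructed sample data, not real scan results.

WORK=$(mktemp -d)

# Constructed sample of Nmap grepable output. Real output separates the fields
# with tabs; awk splits on any whitespace, so spaces work for the demo.
cat > "$WORK/scan.gnmap" <<'EOF'
# Nmap 7.80 scan initiated as: nmap -sn -oG scan.gnmap 192.168.1.0/24
Host: 192.168.1.1 (gw.example.local)   Status: Up
Host: 192.168.1.10 (fileserver.example.local)   Status: Up
Host: 192.168.1.20 ()   Status: Up
Host: 192.168.1.77 ()   Status: Up
# Nmap done -- 256 IP addresses (4 hosts up) scanned
EOF

# Constructed approved inventory (one IP per line, '#' lines ignored).
cat > "$WORK/baseline.txt" <<'EOF'
# approved devices as of last weekly scan
192.168.1.1
192.168.1.10
192.168.1.20
192.168.1.30
EOF

# Constructed list of DHCP reserved addresses exported from the DHCP server.
cat > "$WORK/reservations.txt" <<'EOF'
192.168.1.1
192.168.1.10
192.168.1.50
EOF

# Print the addresses that answered the sweep, one per line, sorted.
# $1 = grepable scan file
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }' "$1" | sort -u
}

# Hosts that answered but are not in the approved inventory: new or rogue
# devices to investigate.  $1 = scan file, $2 = inventory file
unknown_hosts() {
    live_hosts "$1" | awk 'NR == FNR { known[$1]; next } !($1 in known)' "$2" -
}

# Entries in a list that did not answer the sweep.  For the inventory these are
# devices that are off or gone; for the DHCP reservations they are stale
# reservations that should be reviewed.  $1 = scan file, $2 = list file
not_answering() {
    live_hosts "$1" | awk 'NR == FNR { up[$1]; next } /^[0-9]/ && !($1 in up)' - "$2"
}

stale_reservations() {
    not_answering "$1" "$2"
}

echo "Unknown hosts (answered, not in inventory):"
unknown_hosts "$WORK/scan.gnmap" "$WORK/baseline.txt"
echo "Inventory entries that did not answer:"
not_answering "$WORK/scan.gnmap" "$WORK/baseline.txt"
echo "DHCP reservations that did not answer:"
stale_reservations "$WORK/scan.gnmap" "$WORK/reservations.txt"
```

Run this after each scheduled scan and keep the three lists: an unknown host is the item that needs a same-day follow-up, while a long-unanswered inventory entry or reservation is a record to retire so the inventory stays honest.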

Digital Certificate Management: Managing an organization’s Public Key Infrastructure (PKI) and digital certificates is becoming more and more important as organizations implement more secure ways of handling transactions and authentication. The following are key decision points around which an organization needs to formulate a strategic plan for certificate management.

  • Certificate Authority (CA) – Organizations need to decide whether their environment warrants building out a proper Certificate Authority infrastructure. One of the key benefits of hosting an internal CA is the ability to sign certificate requests from internally hosted services (for example, internal websites that use SSL/TLS) without buying a public certificate for each one. The trade-off is that the CA’s private key becomes a high-value asset that must be kept offline or tightly controlled, and the CA’s root certificate has to be distributed to every client that is expected to trust it.
  • Public SSL Certificates – Security assessment and posture optimization efforts commonly recommend that an organization choose a single vendor for certificate trust and signing of all public-facing certificates, so that issuance, renewal and revocation follow one process. Entrust is a global leader in PKI and certificate trust and provides an all-encompassing guide on choosing the correct public certificate authority solution. More information and access to the guide can be found at Entrust’s website: entrust.com/wp-content/uploads/2013/05/6334-Entrust-PKI-Buyers-Guide-WEB.pdf
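The internal-CA decision above is easier to make once you have seen what the minimum actually involves. The script below is an added example, not code from the original article: it creates a root CA with OpenSSL, signs a certificate request from an internal web server, and then verifies that the result chains to the root and carries the subject alternative name that modern browsers require. The organization and host names (Example Org, intranet.example.local) are assumptions for the demo, and the keys are written to a temporary directory; in a real deployment the CA key would live offline or in an HSM.

```shell
#!/bin/sh
# Added example: a minimal internal CA with OpenSSL. Names are assumptions for
# the demonstration; the CA key is kept in a throwaway directory here only.

CA_DIR=$(mktemp -d)

# Create the root CA key and self-signed certificate. A small config file is
# used so the CA:TRUE constraint and key usage are set explicitly instead of
# depending on whatever the system openssl.cnf happens to contain.
# $1 = working directory
make_internal_ca() {
    dir=$1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Internal Root CA
O = Example Org
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# Generate a key and CSR for an internal host (this is the "request from a
# hosted service"), then sign it with the CA. The server extensions come from an
# extfile because openssl x509 -req does not copy a CSR's extensions by default.
# $1 = working directory, $2 = host name
issue_server_cert() {
    dir=$1; host=$2
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null || return 1
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' \
        "$host" > "$dir/$host.ext"
    openssl x509 -req -days 365 -in "$dir/$host.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$host.ext" -out "$dir/$host.crt" 2>/dev/null
}

# Check that the issued certificate chains to the internal root and that the
# SAN is present (browsers ignore the CN alone). Returns 0 on success.
# $1 = working directory, $2 = host name
verify_server_cert() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/$host.crt" -noout -text | grep -q "DNS:$host"
}

make_internal_ca "$CA_DIR"
issue_server_cert "$CA_DIR" intranet.example.local
verify_server_cert "$CA_DIR" intranet.example.local \
    && echo "intranet.example.local: chain OK, SAN present (CA files in $CA_DIR)"
```

The `openssl verify` step is the same check every client will perform, so a failure here means the root has not been distributed correctly or the certificate was not signed by the key you think it was; the negative case (verifying without `-CAfile`) fails because nothing in the system trust store knows the internal root, which is exactly why root distribution is part of the CA decision.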

Back-up Everything 

When building any security strategy or just when considering IT management best practices, backing up all IT resources and information assets is crucial. The following are areas that should be part of any critical assets or information back-up list:

  • Passwords and Credentials – All credential information should first be identified, then recorded and backed up to a secure location such as an encrypted password vault, never a plain-text document. Once the first good backup of all credential information is confirmed, a strategy for changing the passwords on a regular basis should be formulated.
  • E-mails – This is probably the most important set of information to back up given the current threat of ransomware. Having current and full backups of an organization’s e-mail is the best protection if there is a need to roll back to a date before the compromise. For that to work, at least one copy must be offline or otherwise immutable so that ransomware cannot encrypt the backups along with the live data, and restores should be tested rather than assumed.
  • Cloud Storage – All backup strategies should include transitioning full-time storage, applications, or backups of live data to repositories hosted in the cloud. Security strategies should now contain a process for moving critical applications (e.g. e-mail) to the cloud, as the responsibility of protecting such a service internally has become too difficult for many organizations. Moving a service to the cloud shifts rather than removes that responsibility: the provider secures the platform, but the organization still owns account security, access control and the backups of its own data.

This should at least be a good starting point for organizations when addressing their strategy for information security.


Senior Solutions Consultant, Lee Berdick, has been passionate about the IT industry since he was 17 years old. Today’s technology concerns have molded Lee into quite the security expert!