Business Security Guide and Lexicon

Alliance Technologies knows that business network security can be a difficult and complicated subject to tackle. That's why we wrote this business security guide. It should provide you with some quick tips to improve your business network. It's not comprehensive, but it's a great start for any business looking to improve network security. If you have any questions please let us know. We'd also be happy to come to your business location and perform a security review for you.
Segmentation – Isolate by Level of Risk
· Users should have the minimum permissions required to do their jobs
· Accounts should be reviewed regularly (at least quarterly) to enforce Separation of Duties
· If using device authentication (local accounts on individual systems rather than in the central directory), make sure every such device and its local accounts are included in the account reviews described under Auditing below
· Segmented systems should still be maintained (patching, antimalware updates, etc)
· Consider using passed authentication to reduce the attack surface of the isolated zone, but keep per-user access controls and accountability in place
Authentication – Use Two or More, From Different Categories
· What You Know – Passwords, Access Codes, Secret Questions (the weakest of these: answers are often guessable or publicly discoverable)
· What You Have – Secure Tokens, Access Cards, Text Message Verification (weaker than the others, since codes can be intercepted or redirected by SIM swapping), Digital Signatures (proof of possession of a private key)
· What You Are – Fingerprints, Retina Scans, Palm Prints, Voice Prints
Authorization – Control What Can Be Done
· Use idle timeouts on sessions for sensitive accounts, authorized systems and processes, so an abandoned or hijacked session is torn down automatically
· Automated systems should not be authorized to transfer data without human verification
Auditing – Review Accounts Regularly
· Identify orphaned accounts and make sure that they are disabled
· Engage in entitlement reviews to make sure that privileges are properly set for current needs
· To ensure that these reviews occur, set accounts to auto-expire if not periodically renewed
· Where accounts are generated automatically (self-service sign-up, scripted provisioning), make sure the process cannot be abused for information gathering, for example by revealing which usernames already exist
· Remove all shared accounts, as they prevent you from tracking activity at the user level
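A worked version of the review above, added here as an example and not taken from the original guide: a Python script that applies these rules to an account export. The column names, thresholds, leaver list and account rows are all constructed assumptions, not a real schema or real data.

```python
"""Added example: a quarterly account review over a constructed account export.
It applies the guide's rules: disable orphans, auto-expire accounts whose
review has lapsed, keep service accounts non-interactive, retire shared
accounts. Field names, thresholds and rows are assumptions, not a real schema."""
import csv
from datetime import date, timedelta
from io import StringIO

REVIEW_DATE = date(2024, 7, 1)
INACTIVE_AFTER = timedelta(days=90)   # no login for a quarter => orphaned
RENEW_EVERY = timedelta(days=90)      # quarterly entitlement review
DEPARTED = {"jdoe"}                   # HR leaver list (constructed)

# Constructed export: one row per account, ISO dates
ACCOUNT_EXPORT = """\
username,kind,owner,last_login,last_review,interactive
asmith,user,asmith,2024-06-28,2024-05-15,yes
jdoe,user,jdoe,2024-06-30,2024-05-15,yes
bwong,user,bwong,2024-02-10,2024-05-15,yes
svc-backup,service,asmith,2024-06-30,2024-05-15,yes
svc-etl,service,bwong,2024-06-30,2024-01-20,no
shared-frontdesk,shared,,2024-06-29,2024-05-15,yes
"""


def review_accounts(export_csv: str, today: date = REVIEW_DATE):
    """Return (username, action) pairs for every account that needs attention."""
    findings = []
    for row in csv.DictReader(StringIO(export_csv)):
        name = row["username"]
        last_login = date.fromisoformat(row["last_login"])
        last_review = date.fromisoformat(row["last_review"])

        # Shared accounts defeat per-user attribution: retire them outright.
        if row["kind"] == "shared":
            findings.append((name, "retire: shared account, no per-user accountability"))

        # Orphaned: the owner has left, or a user account has gone quiet for a quarter.
        if row["owner"] in DEPARTED:
            findings.append((name, "disable: owner has left the organization"))
        elif row["kind"] == "user" and today - last_login > INACTIVE_AFTER:
            findings.append((name, "disable: orphaned, no login in 90 days"))

        # Automated-process accounts may stay, but must not allow interactive logins.
        if row["kind"] == "service" and row["interactive"] == "yes":
            findings.append((name, "harden: service account must not allow interactive login"))

        # Auto-expire anything whose entitlement review was not renewed on schedule.
        if today - last_review > RENEW_EVERY:
            findings.append((name, "expire: entitlement review overdue"))
    return findings


if __name__ == "__main__":
    for name, action in review_accounts(ACCOUNT_EXPORT):
        print(f"{name:<18} {action}")
```

The review runs against a point-in-time export rather than the live directory, so the same input can be re-run and compared from quarter to quarter; the "expire" action is what makes the review self-enforcing, since an account nobody re-certifies stops working on its own.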
Unusual Activity – Create Triggers for the Unexpected
· Look for transfers outside of normal, such as international transfers for a local company
· Look for transfers that are larger than usual or are increasing in size
· Look for transfers that occur more frequently than normal, after hours, or on holidays
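The triggers above, as an added example that is not code from the original guide: a small Python scorer that compares recent outbound transfers against a baseline of vetted normal activity and reports which pattern each one matches (international, unusually large, escalating, unusually frequent, off-hours or holiday). The home country, business hours, holiday list, thresholds and every transfer record are constructed assumptions.

```python
"""Added example: scoring outbound transfers against a baseline of normal
activity, flagging the patterns the guide lists (international, unusually
large or escalating, unusually frequent, off-hours/holiday).
All settings and records below are constructed sample data, not real transactions."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from statistics import mean, pstdev

# Assumptions for a fictional local company (hypothetical settings)
HOME_COUNTRY = "US"
BUSINESS_HOURS = (8, 18)            # 08:00 to 17:59, local time
HOLIDAYS = {date(2024, 7, 4)}
SIZE_SIGMAS = 3.0                   # "large" = more than 3 std devs above the baseline mean
FREQ_WINDOW = timedelta(days=1)
FREQ_MULTIPLIER = 3.0               # "frequent" = over 3x the baseline daily count


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    amount: float
    dest_country: str
    beneficiary: str


def is_off_hours(ts: datetime) -> bool:
    """Outside business hours, on a weekend, or on a listed holiday."""
    start, end = BUSINESS_HOURS
    return (not start <= ts.hour < end) or ts.weekday() >= 5 or ts.date() in HOLIDAYS


def flag_transfers(history, recent):
    """Return findings for each transfer in `recent` that deviates from the
    baseline established by `history` (assumed to be vetted, normal activity)."""
    amounts = [t.amount for t in history]
    mu, sigma = mean(amounts), pstdev(amounts)
    days_seen = {t.ts.date() for t in history}
    baseline_per_day = len(history) / max(len(days_seen), 1)

    recent = sorted(recent, key=lambda t: t.ts)
    findings = []
    for i, t in enumerate(recent):
        reasons = []
        if t.dest_country != HOME_COUNTRY:
            reasons.append("international")
        if sigma > 0 and t.amount > mu + SIZE_SIGMAS * sigma:
            reasons.append("large")
        # transfers in the trailing window, this one included
        in_window = sum(1 for u in recent[: i + 1] if u.ts > t.ts - FREQ_WINDOW)
        if in_window > FREQ_MULTIPLIER * baseline_per_day:
            reasons.append("frequent")
        if is_off_hours(t.ts):
            reasons.append("off-hours")
        # steadily increasing amounts to the same beneficiary
        prior = [u.amount for u in recent[:i] if u.beneficiary == t.beneficiary]
        if len(prior) >= 2 and prior[-2] < prior[-1] < t.amount:
            reasons.append("escalating")
        if reasons:
            findings.append({"ts": t.ts.isoformat(), "beneficiary": t.beneficiary,
                             "amount": t.amount, "reasons": reasons})
    return findings


def sample_history():
    """Constructed baseline: one domestic payment of roughly 5,000 each weekday at 10:00."""
    history, d = [], date(2024, 6, 3)
    while len(history) < 20:
        if d.weekday() < 5:
            amount = 5000 + (len(history) % 5) * 100
            history.append(Transfer(datetime(d.year, d.month, d.day, 10, 0),
                                    amount, "US", "Acme Supplies"))
        d += timedelta(days=1)
    return history


def sample_recent():
    """Constructed transfers to evaluate against the baseline."""
    return [
        Transfer(datetime(2024, 7, 1, 10, 30), 5300, "US", "Acme Supplies"),   # normal
        Transfer(datetime(2024, 7, 2, 11, 0), 48000, "US", "Acme Supplies"),   # large
        Transfer(datetime(2024, 7, 4, 9, 15), 5200, "LT", "Baltic Holdings"),  # international, holiday
        Transfer(datetime(2024, 7, 5, 22, 40), 5100, "US", "Acme Supplies"),   # after hours
        Transfer(datetime(2024, 7, 8, 13, 0), 2000, "US", "Nimbus Ltd"),
        Transfer(datetime(2024, 7, 8, 13, 5), 2500, "US", "Nimbus Ltd"),
        Transfer(datetime(2024, 7, 8, 13, 10), 3000, "US", "Nimbus Ltd"),      # escalating
        Transfer(datetime(2024, 7, 8, 13, 15), 3500, "US", "Nimbus Ltd"),      # frequent, escalating
    ]


def demo():
    return flag_transfers(sample_history(), sample_recent())


if __name__ == "__main__":
    for f in demo():
        print(f"{f['ts']}  {f['amount']:>9,.2f}  {f['beneficiary']:<16} {', '.join(f['reasons'])}")
```

The baseline must come from activity that was itself reviewed; if an attacker's transfers are allowed into the history, the mean and the daily count drift upward and the "large" and "frequent" checks quietly stop firing. The escalation check exists for exactly that reason: a sequence of individually unremarkable payments to one beneficiary, each a little larger than the last, is a common way to probe how much will go through unnoticed.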
Data – Protect It Wherever It Is
· Sensitive data in transit should be encrypted to prevent snooping by attackers
· Sensitive data at rest at either end of a transfer should be encrypted unless each endpoint is fully trusted
· Sensitive data in process should be protected against alteration (integrity checks such as hashes, signatures or reconciliation totals)
Change – Be Aware Of It
· Detect changes to systems and require them to be approved before they are used in production
· Implement rollbacks for each major change, so that operational problems can be minimized
· Detect the absence of expected alerts; a notification system that has gone quiet may have failed or been disabled by an attacker
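The last point, detecting the absence of alerts, as an added example rather than something from the original guide: a dead-man's-switch check that treats a quiet source as a finding in its own right. Each monitored source has an expected reporting cadence; a source that has never reported, has fallen silent past its limit, or is still heartbeating but delivering zero events gets raised. The source names, cadences and log lines are constructed.

```python
"""Added example: a dead-man's-switch check over heartbeat/alert logs.
Each monitored source is expected to emit an event at least every `max_gap`;
any source that falls silent, never reports, or reports an empty feed is
itself raised as a finding. Source names, cadences and log lines are constructed."""
import re
from datetime import datetime, timedelta

# Expected reporting cadence per source (hypothetical)
EXPECTED = {
    "av-console":  timedelta(hours=1),
    "fw-edge":     timedelta(minutes=15),
    "backup-job":  timedelta(hours=24),
    "siem-ingest": timedelta(minutes=5),
}

# Constructed sample log: "<ISO timestamp> <source> <message>"
SAMPLE_LOG = """\
2024-07-08T08:00:00 av-console heartbeat ok
2024-07-08T08:00:00 fw-edge heartbeat ok
2024-07-08T08:15:00 fw-edge heartbeat ok
2024-07-08T08:30:00 fw-edge heartbeat ok
2024-07-08T08:45:00 fw-edge heartbeat ok
2024-07-08T09:00:00 av-console heartbeat ok
2024-07-08T09:00:00 fw-edge heartbeat ok
2024-07-08T09:05:00 siem-ingest heartbeat events=1203
2024-07-08T09:10:00 siem-ingest heartbeat events=1180
2024-07-08T09:15:00 siem-ingest heartbeat events=0
2024-07-08T09:20:00 siem-ingest heartbeat events=0
"""


def parse_log(text: str):
    """Return {source: (last_timestamp, last_message)} from the log text."""
    last_seen = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_s, source, message = line.split(" ", 2)
        ts = datetime.fromisoformat(ts_s)
        if source not in last_seen or ts > last_seen[source][0]:
            last_seen[source] = (ts, message)
    return last_seen


def silent_sources(last_seen, now: datetime, expected=EXPECTED):
    """Return {source: reason} for every expected source that is overdue or empty."""
    findings = {}
    for source, max_gap in expected.items():
        entry = last_seen.get(source)
        if entry is None:
            findings[source] = "never reported"
            continue
        seen, message = entry
        gap = now - seen
        if gap > max_gap:
            findings[source] = f"silent for {gap} (limit {max_gap})"
            continue
        # Alive but empty: a feed that keeps heartbeating with zero events is
        # just as suspicious as one that stopped, and easier to miss.
        m = re.search(r"\bevents=(\d+)", message)
        if m and int(m.group(1)) == 0:
            findings[source] = "reporting but delivering no events (events=0)"
    return findings


if __name__ == "__main__":
    now = datetime(2024, 7, 8, 9, 22)
    for source, reason in silent_sources(parse_log(SAMPLE_LOG), now).items():
        print(f"{source:<12} {reason}")
```

Run this from a scheduler that is independent of the systems it watches; if the check lives on the same host as the alerting pipeline, an attacker who disables one disables both, and the silence goes unnoticed.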
Beyond The Technical – Security Is Broken By People, Not Technology
· Nothing breaks a well-crafted technical system like putting users on it – train them in security
· Set expiration dates on everything and honor them – legacy systems and applications that are never retired are a standing liability
· Engage in formal risk assessments regularly, to react to today's threats, not yesterday's
· Join security groups and participate – information is one of your key assets
Business Security Lexicon
Here is a quick lexicon of network security words. We've provided them to help you better grasp network security concepts.
Data in Process – Data that is actively being read and acted upon. Example: The monthly billing data as it is being prepared and processed to send out billings.
Data at Rest – Data that is not in current use. Example: Financial data that is only used once per quarter or is being held for future reference.
Data in Transit – Data that is being moved from system to system. Example: An ACH file that is being transferred from a bank to the Fed.
Device Authentication – User accounts defined locally on individual sensitive systems rather than in the central directory/network. Example: Internet-facing systems may create security problems if attackers can use those local accounts to leverage access on internal systems.
Orphaned Accounts – Accounts that no longer have an active owner or are no longer in regular use. Example: An account that belongs to an administrator who is no longer employed by the organization. It may still be required for automated processes, but should not allow interactive logins.
Passed Authentication – Authenticate to internal systems to gain access to segmented systems. Example: A read-only directory service allows users to login to sensitive systems in an isolated zone only if they have already authenticated to a system using a read-write directory service.
Separation of Duties – No one person should have the ability to both create an account and use it, or more generally to both initiate and approve a sensitive action. Example: No one should be able to create a vendor account and also initiate and/or approve a funds transfer to that vendor.
Timeout – The ability for a session to be logged out automatically, by the system itself or by a central system, after a period of inactivity. Example: To prevent an attacker from leveraging an “always on” connection, the connection should be torn down after it has not been used for a period of time.
