Introduction to security and privacy
Security and privacy are frequent topics of discussion nowadays. With ever-increasing IT infrastructures at the service provider and enterprise level, as well as growing IT knowledge among average knowledge workers and home users, being aware of security and privacy fundamentals is of paramount importance for ensuring the smooth operation of the IT systems involved at all levels.
Security threats, almost exclusively arriving from the Internet and therefore also known as cyber threats, have evolved over the years and have become increasingly complex, encompassing various fields of IT operations and a wide range of systems and applications. Security threats are multi-dimensional, and therefore being a security professional requires possibly the broadest and also deepest level of knowledge and expertise in the industry. Also, due to the dynamic nature of security, new types of threats emerge every day, making real-time monitoring of the global cyberspace threat landscape and big-data analysis of threats more relevant than ever.
This article does not attempt to dig deeper into the security professional side of things, nor to assess any aspects of security incident monitoring, security vulnerability analysis, breach analysis or forensics. It addresses the less specialized audience, covering most modern knowledge workers and home power users. In the following sections we provide an overview of items to keep in mind when organizing the security of your IT systems, in an attempt to stay up to date and protected from imminent threats which could compromise your systems and your online and offline activities.
Security as per the ISO OSI model
As per the ISO OSI model, all layers of a computing system must be secured to an acceptable level.
This includes the physical security of the systems themselves, including protection from malicious physical access as well as protection from natural disasters and power failures. For this reason, the use of at least a good UPS and a good PSU is very important for any computing system.
Perimeter and network security
Apply the following recommendations for securing your perimeter and network appliances and systems:
- Baseline your network and deploy tools to keep an up-to-date view of and monitor the status of your network. This includes tools like nmap and IP scanners.
- Always know the architecture of your network and be prepared to troubleshoot network traffic flow.
- Apply latest firmware and security patches to all network appliances.
- Apply whitelist and blacklist logic to all traffic.
- Make use of a trusted IAM (Identity and Access Management) system to centrally apply AAA functions (Authentication, Authorization and Accounting). This refers to the use of network directories, which can be on-premises or cloud, such as Active Directory and Azure Active Directory.
- Make use of a hardware firewall with ACL and maybe IPS/IDS and Web content filtering features.
- Design a multi-layered architecture, in which you isolate traffic in a DMZ network zone and have provisions for cutting off parts of the network in case of a breach or security attack.
Apply the following recommendations for securing your endpoint:
- Make use of an integrated antimalware system which includes the following:
  - Identity theft protection
  - Family content filtering and online activity monitoring for underage children
- Make use of secure DNS and Web content filtering systems. OpenDNS is a good example, other relevant services are available as well.
- Make use of an advanced firewall application. In the case of Windows, staying with the built-in Windows firewall is never sufficient.
- Be aware of emerging mobile threats. Do not underestimate the backdoors which could be opened from your mobile devices. Ensure that you keep all systems patched with the latest security updates and apply all security measures to your mobile devices as you would normally do with desktop PCs.
- Do not forget that a lot of threats come in through the email/SMTP door. Ensure you are using all malicious email protection techniques (patched email clients, antispam, antivirus, antiphishing, encryption).
Apply the following recommendations for securing your data and communications:
- Make use of SSL/TLS certificates for securing your servers, your client devices and your applications. Deploy a PKI infrastructure or make use of a public Certificate Authority (CA).
- Digitally sign your software and make use only of software which has been digitally signed by its vendor/developer.
- Make use of file and email encryption based on public/private keys or another architecture.
- Make use of file integrity algorithms (SHA, MD5) whenever you download any file or application. Prefer SHA-256 where the publisher offers it; an MD5 digest still detects accidental corruption but no longer protects against deliberate tampering.
- Ensure you have policies in place for securing the distribution and usage of mobile and removable media in your organization (USB sticks, etc.).
- Ensure you have ways to minimize the possibility of data leaving your computer without your knowledge. Having a DLP (Data Loss Prevention) system in place is a good way to accomplish that. Modern public cloud SaaS and IaaS systems such as Office 365 offer this functionality.
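The integrity check recommended above, as an added example that is not part of the original article: a small Python routine that hashes a downloaded file in chunks, compares the result against the publisher's hex digest in constant time, and flags a match on MD5 or SHA-1 as proof of intactness only. The sample "download" contents are constructed inline so the code runs offline.

```python
import hashlib
import hmac
import os
import tempfile

# These still catch accidental corruption but no longer prove absence of tampering.
WEAK_ALGORITHMS = {"md5", "sha1"}

def file_digest(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large downloads need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, expected_hex, algorithm="sha256"):
    """Return (ok, message): case-insensitive, constant-time digest comparison;
    a match on a weak algorithm is reported as such."""
    algorithm = algorithm.lower()
    if algorithm not in hashlib.algorithms_available:
        return False, f"unknown algorithm {algorithm!r}"
    actual = file_digest(path, algorithm)
    if not hmac.compare_digest(actual, expected_hex.strip().lower()):
        return False, f"{algorithm} mismatch: expected {expected_hex}, got {actual}"
    if algorithm in WEAK_ALGORITHMS:
        return True, (f"{algorithm} matches, but only shows the file is intact, "
                      "not that it is untampered; ask the publisher for SHA-256")
    return True, f"{algorithm} matches"

def demo():
    """Run the check on a constructed sample 'download'; returns three verdicts."""
    data = b"constructed installer bytes\n"  # stands in for a real download
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
    try:
        return (
            verify_download(tmp.name, hashlib.sha256(data).hexdigest().upper()),
            verify_download(tmp.name, "0" * 64),  # wrong or tampered file
            verify_download(tmp.name, hashlib.md5(data).hexdigest(), "md5"),
        )
    finally:
        os.unlink(tmp.name)

if __name__ == "__main__":
    for ok, message in demo():
        print("OK  " if ok else "FAIL", message)
```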
Apply the following recommendations for securing your operating system:
- Minimize the number of installed applications and services (minimize security attack surface). Make use of security hardening techniques to minimize the exposed applications and services.
- Do not expose your machines to the Internet if not required.
- Apply latest security updates to your OS.
- Make use of the Controlled Folder Access feature in Windows 10.
- Make use of local security policy and group policy for securing various security aspects in your organization.
- Make use of AppLocker and Software Restriction Policies via Active Directory Group Policy.
- When assigning permissions to users (SMB, NTFS, SQL, Active Directory, etc.), always use RBAC where possible and apply the principle of least privilege.
- Change the default admin password in your appliances and devices.
- Keep all your installed applications up to date.
- Make use of secure browsers with security plugins. You can get ideas and free tools for increasing security and privacy in your system by visiting https://www.privacytools.io/.
Follow the tips below to increase your level of privacy online:
- Investigate your credit report and ensure that all financial and medical data are stored by companies you trust, or better yet, store this information only offline in at least two backup locations.
- Use strong passwords (lowercase and capital letters, numbers and special characters). The best passwords are long ones which are relatively easy to remember because they correspond to a unique phrase (slightly changed) which only the owner of the password could know.
- Ensure that you maximize the usage of Multi-Factor Authentication (MFA). New trends in security are extending this requirement not only to what you know (password) and what you have (token) but also to what you are (biometrics). Make use of smart cards or tokens for logging into on-premises and cloud applications.
- Do not use a local administrator account, in order to avoid privilege elevation and malicious code execution.
- Enable User Account Control (UAC).
- Beware of social engineering attacks. Never disclose your password or other sensitive data to anyone pretending to be a technical support engineer or to have other related technical authority.
- Use a password manager to keep all your strong passwords secure.
- Never disclose your personal passwords to anyone.
- Never disclose your email to recipients you don’t trust.
- Check for traces you leave while you browse the Internet (cookies, IP addresses).
- Make use of identity theft tools, such as LifeLock (https://www.lifelock.com/).
- Use a VPN for more anonymous browsing.
- Make use of sandboxed virtualized systems to access the Internet.
- Make use of a private search engine. Startpage.com is a good place to start.
- Look for GDPR and ISO 27001 notices, privacy notices and cookie notices on all sites which you visit.
Backup and restore
No matter how well you have organized your security, there is always the possibility of a breach you cannot control. Therefore make sure that you always keep redundant backups of all valuable assets and data and that you have documented procedures for restoring your data in case of an emergency or security threat. Utilizing the cloud is a good way to ensure you will have access to your data. There are further concerns about whom you trust your data with, but that's another (very long) chapter to discuss.
Security documentation and training
Make sure that you document all security tools and procedures you follow and the tests you apply, and make sure that you keep yourself and your colleagues up to date with emerging security threats and trends on a regular basis. Having a regular newsletter with the latest threats and exploits is a good idea. MS-ISAC from CIS (Center for Internet Security) is a good place to start: https://www.cisecurity.org/ms-isac/
There are many security layers which you can work to optimize and protect. However, keep in mind that the only truly secure system is the offline system. Any system which connects to at least one network is by definition susceptible to various threats. Another security fact is that any system which can be locked also can and will be unlocked at some point. Always remember that security is a long journey without an end but with a clear target in mind. Keep it simple, cut off what is not absolutely required for operating your system and apply whitelist or blacklist logic to everything. Security is also about trust, and more specifically whom you trust with your data, identity, services and applications. In order to have good security in your systems you should investigate your applied web of trust.
Keeping an eye on latest developments is always key for becoming more proactive and for attaining a more holistic approach to security and privacy.