When you get paid to assess computer security practices, you get a lot of visibility into what does and doesn’t work across the corporate spectrum. I’ve been fortunate enough to do exactly that as a security consultant for more than 20 years, analyzing anywhere between 20 to 50 companies of varying sizes each year. If there’s a single conclusion I can draw from that experience, it’s that successful security strategies are not about tools -- it's about teams.
With very good people in the right places, supportive management, and well-executed protective processes, you have the makings of a very secure company, regardless of the tools you use. Companies that have an understanding of the importance and value of computer security as a crucial part of the business, not merely as a necessary evil, are those least likely to suffer catastrophic breaches. Every company thinks they have this culture; few do.
The following is a collection of common practices and strategies of the most highly secure companies I have had the opportunity to work with over the years. Consider it the secret sauce of keeping your company's crown jewels secure.
Focus on the right threats
The average company is facing a truly unprecedented, historic challenge against a myriad of threats. We are threatened by malware, human adversaries, corporate hackers, hacktivists, governments (foreign and domestic), even trusted insiders. We can be hacked over copper wire, using energy waves, radio waves, even light.
Because of this, there are literally thousands of things we are told we need to do well to be “truly secure.” We are asked to install hundreds of patches each year to operating systems, applications, hardware, firmware, computers, tablets, mobile devices, and phones -- yet we can still be hacked and have our most valuable data locked up and held for ransom.
Great companies realize that most security threats are noise that doesn’t matter. They understand that at any given time a few basic threats make up most of their risk, so they focus on those threats. Take the time to identify your company’s top threats, rank those threats, and concentrate the bulk of your efforts on the threats at the top of the list. It’s that simple.
Most companies don’t do this. Instead, they juggle dozens to hundreds of security projects continuously, with most languishing unfinished or fulfilled only against the most minor of threats.
Think about it. Have you ever been hacked using a vector that involved SNMP or an unpatched server management interface card? Have you even read of such an attack in the real world? Then why are you asking me to include them as top priorities in my audit reports (as I was by a customer)? Meanwhile, your environment is compromised on a near daily basis via other, much more common exploits.
To successfully mitigate risk, ascertain which risks need your focus now and which can be left for later.
Know what you have
Sometimes the least sexy stuff helps you win. In computer security, this means establishing an accurate inventory of your organization’s systems, software, data, and devices. Most companies have little clue as to what is really running in their environments. How can you even begin to secure what you don’t know?
Ask yourself how well your team understands all the programs and processes that are running when company PCs first start up. In a world where every additional program presents another attack surface for hackers, is all that stuff needed? How many copies of which programs do you have in your environment and what versions are they? How many mission-critical programs form the backbone of your company, and what dependencies do they have?
The best companies have strict control over what runs where. You cannot begin that process without an extensive, accurate map of your current IT inventory.
Remove, then secure
An unneeded program is an unneeded risk. The most secure companies pore over their IT inventory, removing what they don’t need, then reduce the risk of what’s left.
I recently consulted for a company that had more than 80,000 unpatched Java installations, spread over five versions. The staff never knew it had so much Java. Domain controllers, servers, workstations -- it was everywhere. As far as anyone knew, exactly one mission-critical program required Java, and that ran on only a few dozen application servers.
They queried personnel and immediately reduced their Java footprint to a few hundred computers and three versions, fully patching them across most machines. The few dozen that could not be patched became the real work. They contacted vendors to find out why Java versions could not be updated, changed vendors in a few cases, and implemented offsetting risk mitigations where unpatched Java had to remain.
Imagine the difference in risk profile and overall work effort.
This applies not only to every bit of software and hardware, but to data as well. Eliminate unneeded data first, then secure the rest. Intentional deletion is the strongest data security strategy. Make every new data collector define how long their data needs to be kept. Put an expiration date on it. When the time comes, check with the owner to see whether it can be deleted. Then secure the rest.
Run the latest versions
The best security shops stay up on the latest versions of hardware and software. Yes, every big corporation has old hardware and software hanging around, but most of their inventory is composed of the latest versions or the latest previous version (called N-1 in the industry).
This goes not only for hardware and OSes, but for applications and tool sets as well. Procurement costs include not only purchase price and maintenance but future updated versions. The owners of those assets are responsible for keeping them updated.
You might think, “Why update for update’s sake?” But that’s old, insecure thinking. The latest software and hardware comes with the latest security features built-in, often turned on by default. The biggest threat to the last version was most likely fixed for the current version, leaving older versions that much juicier for hackers looking to make use of known exploits.
Patch at speed
It’s advice so common as to seem cliché: Patch all critical vulnerabilities within a week of the vendor’s patch release. Yet most companies have thousands of unpatched critical vulnerabilities. Still, they’ll tell you they have patching under control.
If your company takes longer than a week to patch, it’s at increased risk of compromise -- not only because you’ve left the door open, but because your most secure competitors will have already locked theirs.
Officially, you should test patches before applying, but testing is hard and wastes time. To be truly secure, apply your patches and apply them quickly. If you need to, wait a few days to see whether any glitches are reported. But after a short wait, apply, apply, apply.
Critics may claim that applying patches “too fast” will lead to operational issues. Yet, the most successfully secure companies tell me they don’t see a lot of issues due to patching. Many say they’ve never had a downtime event due to a patch in their institutional memory.
Educate, educate, educate
Education is paramount. Unfortunately, most companies view user education as a great place to cut costs, or if they educate, their training is woefully out of date, filled with scenarios that no longer apply or are focused on rare attacks.
Good user education focuses on the threats the company is currently facing or is most likely to face. Education is led by professionals, or even better, it involves co-workers themselves. One of the most effective videos I’ve seen warned of social engineering attempts by highlighting how some of the most popular and well-liked employees had been tricked. By sharing real-life stories of their fallibility, these co-workers were able to train others in the steps and techniques to prevent becoming a victim. Such a move makes fellow employees less reluctant to report their own potential mistakes.
Security staff also needs up-to-date security training. Each member, each year. Either bring the training to them or allow your staff to attend external training and conferences. This means training not only on the stuff you buy but on the most current threats and techniques as well.
Keep configurations consistent
The most secure organizations have consistent configurations with little deviation between computers of the same role. Most hackers are more persistent than smart. They simply probe and probe, looking for that one hole in thousands of servers that you forgot to fix.
Here, consistency is your friend. Do the same thing, the same way, every time. Make sure the installed software is the same. Don’t have 10 ways to connect to the server. If an app or a program is installed, make sure the same version and configuration is installed on every other server of the same class. You want the comparison inspections of your computers to bore the reviewer.
None of this is possible without configuration baselines and rigorous change and configuration control. Admins and users should be taught that nothing gets installed or reconfigured without prior documented approval. But beware frustrating your colleagues with full change committees that meet only once a month. That’s corporate paralysis. Find the right mix of control and flexibility, but make sure any change, once ratified, is consistent across computers. And punish those who don’t respect consistency.
Remember, we’re talking baselines, not comprehensive configurations. In fact, you’ll probably get 99 percent of the value out of a dozen or two recommendations. Figure out the settings you really need and forget the rest. But be consistent.
Practice least-privilege access control religiously
“Least privilege” is a security maxim. Yet you’ll be hard-pressed to find companies that implement it everywhere they can.
Least privilege involves giving the bare minimum permissions to those who need them to do an essential task. Most security domains and access control lists are full of overly open permissions and very little auditing. The access control lists grow to the point of being meaningless, and no one wants to talk about it because it’s become part of the company culture.
Take Active Directory forest trusts. Most companies have them, and they can be set either to selective authentication or full authentication trust. Almost every trust I’ve audited in the past 10 years (thousands) have been full authentication. And when I recommend selective authentication for all trusts, all I hear back is whining about how hard they are to implement: “But then I have to touch each object and tell the system explicitly who can access it!” Yes, that’s the point. That’s least privilege.
Access controls, firewalls, trusts -- the most secure companies always deploy least-privilege permissions everywhere. The best have automated processes that ask the resource’s owner to reverify permissions and access on a periodic basis. The owner gets an email stating the resource’s name and who has what access, then is asked to confirm current settings. If the owner fails to respond to follow-up emails, the resource is deleted or moved elsewhere with its previous permissions and access control lists removed.
Every object in your environment -- network, VLAN, VM, computer, file, folder -- should be treated the same way: least privilege with aggressive auditing.
Get as near to zero as you can
To do their worst, the bad guys seek control of high-privileged admin accounts. Once they have control over a root, domain, or enterprise admin account, it’s game over. Most companies are bad at keeping hackers away from these credentials. In response, highly secure companies are going “zero admin” by doing away with these accounts. After all, if your own admin team doesn’t have super accounts or doesn’t use them very often, they are far less likely to be stolen or are easier to detect and stop when they are.
Here, the art of credential hygiene is key. This means using the least amount of permanent superadmin accounts as possible, with a goal of getting to zero or as near to zero as you can. Permanent superadmin accounts should be highly tracked, audited, and confined to a few predefined areas. And you should not use widely available super accounts, especially as service accounts.
But what if someone needs a super credential? Try using delegation instead. This allows you to give only enough permissions to the specific objects that person needs to access. In the real world, very few admins require complete access to all objects. That’s insanity, but it’s how most companies work. Instead, grant rights to modify one object, one attribute, or at most a smaller subset of objects.
This “just enough” approach should be married with “just in time” access, with elevated access limited to a single task or a set period of time. Add in location constraints (for example, domain admins can only be on domain controllers) and you have very strong control indeed.
Note: It doesn’t always take a superadmin account to be all powerful. For example, in Windows, having a single privilege -- like Debug, Act as part of the operating system, or Backup -- is enough for a skilled attacker to be very dangerous. Treat elevated privileges like elevated accounts wherever possible.