Cyber security tips and self-assessment for business

Similar documents
Web Cash Fraud Prevention Best Practices

Education Network Security

Security Aspects Control Rationale Best Practices Self-Assessment (Click all that applicable) 1. Security Policy and Security Management

security FRAUD PREVENTION Business Checklist Safeguard your money, your credit and your good name.

SECURITY & PRIVACY DOCUMENTATION

A practical guide to IT security

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

CYBERSECURITY RISK LOWERING CHECKLIST

Information Security Controls Policy

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

A company built on security

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Security Awareness & Best Practices Best Practices for Maintaining Data Security in Your Business Environment

ISO27001 Preparing your business with Snare

2017 Annual Meeting of Members and Board of Directors Meeting

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

NEN The Education Network

Juniper Vendor Security Requirements

SECURITY PRACTICES OVERVIEW

Take Risks in Life, Not with Your Security

Cybersecurity The Evolving Landscape

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

10 FOCUS AREAS FOR BREACH PREVENTION

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Payment Card Industry Internal Security Assessor: Quick Reference V1.0

THE ESSENTIAL GUIDE TO CYBER SECURITY FOR OFFSITE EVENTS

ACM Retreat - Today s Topics:

Question No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output:

Critical Hygiene for Preventing Major Breaches

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Vendor Security Questionnaire

GDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool. Contact. Ashley House, Ashley Road London N17 9LZ

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Best Practices Guide to Electronic Banking

CSIRT in general CSIRT Service Categories Reactive Services Proactive services Security Quality Management Services CSIRT. Brmlab, hackerspace Prague

COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Getting Started with Cybersecurity

CS 356 Operating System Security. Fall 2013

Locking down a Hitachi ID Suite server

BASELINE GENERAL PRACTICE SECURITY CHECKLIST Guide

WHITE PAPERS. INSURANCE INDUSTRY (White Paper)

IPM Secure Hardening Guidelines

AUTHORITY FOR ELECTRICITY REGULATION

Payment Card Industry (PCI) Data Security Standard

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

SFC strengthens internet trading regulatory controls

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)

How NOT To Get Hacked

SONICWALL SECURITY HEALTH CHECK SERVICE

Ransomware A case study of the impact, recovery and remediation events

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

VANGUARD WHITE PAPER VANGUARD INSURANCE INDUSTRY WHITEPAPER

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

Projectplace: A Secure Project Collaboration Solution

During security audits, over 15,000 vulnerability assessments are made, scanning the network IP by IP.

PCI DSS and VNC Connect

SONICWALL SECURITY HEALTH CHECK SERVICE

MigrationWiz Security Overview

Forging a Stronger Approach for the Cybersecurity Challenge. Session 34, February 12, 2019 Tom Stafford, VP & CIO, Halifax Health

Octopus Online Service Safety Guide

Nine Steps to Smart Security for Small Businesses

Disaster Recovery Self-Audit

EBOOK 4 TIPS FOR STRENGTHENING THE SECURITY OF YOUR VPN ACCESS

ISSP Network Security Plan

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Managing IT Risk: What Now and What to Look For. Presented By Tina Bode IT Assurance Services

WHITE PAPER- Managed Services Security Practices

SONICWALL SECURITY HEALTH CHECK PSO 2017

CIS Controls Measures and Metrics for Version 7

A Measurement Companion to the CIS Critical Security Controls (Version 6) October

K12 Cybersecurity Roadmap

Cyber Security. Our part of the journey

Intrusion Attempt Who's Knocking Your Door

ENDNOTE SECURITY OVERVIEW INCLUDING ENDNOTE DESKTOP AND ONLINE

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045

CIS Controls Measures and Metrics for Version 7

External Supplier Control Obligations. Cyber Security

INFORMATION SECURITY-SECURITY INCIDENT RESPONSE

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES

FairWarning Mapping to PCI DSS 3.0, Requirement 10

Cyber Essentials Questionnaire Guidance

Checklist: Credit Union Information Security and Privacy Policies

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Selling network security. A partner guide to getting more business. // Partner Guide. Kerio Technologies

CYBER RESILIENCE & INCIDENT RESPONSE

Cyber Insurance PROPOSAL FORM. ITOO is an Authorised Financial Services Provider. FSP No

Crash course in Azure Active Directory

UTM Firewall Registration & Activation Manual DFL-260/ 860. Ver 1.00 Network Security Solution

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications

Daxko s PCI DSS Responsibilities

FFIEC CONSUMER GUIDANCE

Bring Your Own Device (BYOD)

<Criminal Justice Agency Name> Personally Owned Device Policy. Allowed Personally Owned Device Policy

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

Cyber Security. Building and assuring defence in depth

ANATOMY OF AN ATTACK!

Sneak Peak at CIS Critical Security Controls V 7 Release Date: March Presented by Kelli Tarala Principal Consultant Enclave Security

2018 IT Priorities: Cybersecurity, Cloud Outsourcing & Risk Management. Follow Along

Transcription:

Cyber security tips and self-assessment for business Last year one in five New Zealand SMEs experienced a cyber-attack, so it s essential to be prepared. Our friends at Deloitte have put together this Cyber security selfassessment, to help you reduce the chance of an incident occurring. What can you do? There are a range of security measures that can provide enhanced protection, and enable easier detection and investigation of common attacks. We recommend working with your IT provider (where practical) to improve network security and enforce IT security controls that reduce the entry points for an attacker and allow you to investigate incidents.

Accessibility User account controls Using default user names for administrator accounts makes it easier for an attacker to guess user names to perform brute force (password guessing) attacks. Username doesn t consist of only numbers. Remove any unused or idle user accounts. Remove or disable any user accounts with standard (default) user names e.g. admin, administrator, guest. Don t share accounts between multiple employees. Remove domain/local administrator access for accounts that don t require privileged access. Implement Windows User Access Control (UAC) for standard user accounts to prevent users from executing applications and executable files that aren t legitimate business requirements. Review user accounts every month to see whether they are still required. Confirm whether any additional user accounts have been added. Use a standardised naming convention that contains a mix of numbers and letters. Enforce group policies for passwords to force users to set a password of a minimum of 10 characters using alpha-numeric and special characters. Force users to change their passwords every 90 days. Enable auditing and logging for user accounts to help keep a track of user activity. Wherever you use credentials in your organisation apply two factor authentication. Password controls Weak password complexity requirements allow staff to set passwords that an attacker can easily guess or brute force. Change passwords for all users immediately if there s been a recent breach. Passwords should contain at least 10 characters, using at least three of the below groups: Lower case characters (a-z), Upper case characters (A-Z), Digits (0-9), Special Characters (e.g. * &). Change passwords every 90 days. Prevent ability to use previous passwords immediately. Prevent users from changing passwords more than once a day. Disable password auto-complete on all web browsers and do not save passwords locally on the machine. Do not code passwords into your business software. Use an API based solution to retrieve them, as this will help you if you need to reset all company passwords. Remote access Attackers can get full control over a machine through Remote Access. Secure controls should be put in place to log and limit users who can access the network. Limit Remote Desktop Protocol (RDP) or Secure Shell (SSH) access to known IP addresses only and those employees who require this access for a business reason. Implement geo-blocking of IPs outside of New Zealand s range. Set up site-to-site Virtual Private Networks (VPNs) where applicable (and then limit RDP access to internal IPs only). The default port for remote access (e.g. 3389/ TCP for RDP) should be changed. Set up an individual user VPN with 2-factor authentication (suggest using a mobile token). Use company approved devices to access your business network. Brute force (systematic password guessing) prevention Even with strong user name and password controls, an attacker may still be able to brute force login names and passwords by using software to make millions of attempts at combinations. Turn on Windows Server brute force controls that automatically lock user accounts after a number of failed login attempts. This should be done for all accounts, but at a minimum the accounts with remote access enabled. Specify that accounts should be locked out for 10 minutes after five failed login attempts, before any re-attempts can be made. } } Enable SMART authentication to produce a more secure and simpler user experience.

Data protection Backups (data and configuration) Backups can help rebuild a system after an attack; however, there are often damaged or missing files when an incident occurs. Attackers can also modify or delete an unsecured backup, making recovery impossible. All important information and systems should be backed up regularly. Backup the database dump file and server image in multiple locations. Turn on notifications to confirm that backups have been successful. Regularly backup/transfer files on to a storage facility that is not attached to the internet. Backups should be kept for 90 days before being overwritten. Important data (e.g. Database files) and configurations should be backed-up daily and verified weekly. Backups should be verified at least once a month (verification should include file size, file integrity and date stamp). Patching/Anti-virus protection A patch is a piece of software designed to fix holes or improve vulnerabilities in existing software and systems. By not patching, the network is left vulnerable for an attacker to exploit with ease using already defined scripts. Ensure Anti-virus updates, exclusions, scheduling of regular scans, and device coverage is in place and appropriate. Confirm Windows patching is automated and/or performed regularly and reliably if using a manual process. Critical security patches should be deployed as soon as they are released. Regularly check that anti-virus and operating system patches have been successfully installed. Regularly update your business applications (including web browsers) to address security vulnerabilities.

Incident response and recovery Logging Without logging, investigating an incident can be challenging and can make it difficult to investigate the extent of damage and/or data loss, and determine the cause of an attack. Ensure that all Windows Security Event Logs are turned on, enable log archiving and keep logs for as long as possible for all Windows servers. If you are using Microsoft Office 365 for email, the mailbox audit logs should be enabled. Extend logging retention on the firewall to three months or the maximum the firewall device can support. Implement centralised log collection and/or check logs regularly for: failed login attempts, remote access from unknown/ international IP addresses, unknown actions by privileged accounts, port scanning of sensitive services, and unusual network traffic flows. Regularly archive/transfer logs on to a secure/offline server. Implement a Security Incident and Event Management (SIEM) platform or a modern machine-learning security monitoring platform to alert if any unusual and suspicious activity takes place. Confirm the following logs (Security, Remote Connection Manager, RDP, Local Session Manager) are functioning correctly for all Windows servers. Disaster recovery Without a disaster process, it can be hard to resume business operations and recover data. Establish formal security expectations with IT providers and agree on roles and responsibilities. Establish an incident response process plan that includes who within your business can make decisions and a requirement to preserve data in the case of a security incident. Arrange to be supported if an incident occurs, which may include a cyber insurance policy backed by a strong incident response partner and/or a security and incident specialist who is on call. } } Practice your incident response plan with tabletop exercises, as it s vital that the response team knows what to do if an incident happens.

Employee awareness and education Staff awareness Humans are often the weakest link in IT systems. By raising staff awareness, common social engineering/attack techniques can be avoided, as staff are able to better identify threats. Raise staff awareness about common social engineering techniques by sending out emails periodically reminding them to be vigilant. Outline steps that staff should follow if they detect a cyber incident or social engineering attempt. Establish a mailbox (possibly supported by your IT provider) for them to send suspicious emails to so they can be checked by an expert. Implement and communicate an acceptable use policy so staff are clear on the use of your business technology and information. Conduct regular cyber security training sessions for new and existing staff to keep staff up-to-date on common attacks and trends. Consider a phishing simulator that regularly sends staff fake phishing and malware emails to test and report on their awareness (gamify the learning). Assessing vulnerability Vulnerability audit Even after regular security upgrades, patching, and testing, new and existing vulnerabilities may appear over time. It is important to test the controls that are in place, and to regularly check for vulnerabilities. Perform an automated vulnerability scan every 12 months. Undertake a penetration test by an independent third party. A penetration test is a process by which security experts will attempt to hack your systems and identify vulnerabilities. Run tools to inspect processes running on workstations and servers (e.g. Windows Process Explorer to determine whether they are legitimate). Proactively identify and check for new and emerging cyber security threats and vulnerabilities. Your IT provider may be able to assist in implementing controls to prevent identified threats. These tips and self-assessment guidelines are of a general nature only. They are not intended to be a comprehensive list of suggestions of all the risk management steps you should consider taking to reduce the risk of cyber-attack, nor is it intended to be legal advice.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback