Policies and Best Practices Part 1
After talking in the last section about the importance of diagrams, change management and configuration management in your workplace, we're now going to look at some other policies and best practices.
Starting off, we want to talk about our privileged users. In UNIX we have root, and in Windows we have Administrator.
Those are two all-powerful accounts, or at least they can be.
What we want to do is monitor these accounts and limit administrative privileges.
We don't want a single individual to be all-powerful. Rather than having a single admin, we want to split administrative effort across multiple administrators.
We want to make sure that, for instance, if someone can lock user accounts, somebody different can unlock them.
That is separation of duties.
We always have to talk about password policies, because passwords are really the weakest link in most environments today.
It needs to be stressed that passwords alone no longer provide the security we need.
An eight-character password protected by a fast hash (NTLM, unsalted MD5 or SHA-1) can be exhausted by GPU crackers in hours to days; a slow, salted hash such as bcrypt or Argon2 buys time, but not enough to rely on the password alone.
If we're going to use passwords, we want to bring in some other factor of authentication: smart cards, biometrics, tokens, any additional factor. Multi-factor authentication is best.
For passwords, we do want to include rules, make sure we're securing our passwords, and encourage our users to use strong passwords. What's very interesting is that the traditional list of composition rules (upper and lower case, numbers, special characters) was at one time thought to be best practice for passwords,
and NIST has now come out and said: you know those suggestions we gave you for passwords? We were wrong.
Take some time to search for "NIST password policy revised" (the current guidance is NIST SP 800-63B). Basically, what NIST is saying is that we have traditionally, and accidentally, made passwords easier for attackers to guess and harder for us to remember.
Most of the software attackers use already tries upper and lower case variants, digit and symbol substitutions and suffixes against every dictionary word.
Just adding those characters to make a password look more complex does not make it more secure;
it's important to understand that complexity does not equal security.
What NIST is recommending now is to require longer passwords rather than more complex ones, and to check candidates against lists of known breached passwords instead of enforcing character classes.
Ultimately, length is what adds entropy, which is what makes cracking more difficult.
If possible, get away from making passwords so difficult that people write them down.
Tell users to pick four words. Those four words together are the password.
That gives you something like 30-odd characters on average, which makes it very difficult for an attacker to compromise. And we need to get away from single-factor authentication.
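To make the "length over complexity" point concrete, here is an added example (my code, not from the course) of a password check written to the spirit of NIST SP 800-63B, alongside a toy version of the mangling rules a cracker applies to a wordlist. The blocklist contents, the rule set and the 100,000-word dictionary size are constructed assumptions for illustration; a real deployment would load a breach corpus and use a full cracking rule set.

```python
"""Added example (not from the course): a password check in the spirit of
NIST SP 800-63B, plus a toy cracker rule set showing why composition rules
add little. Blocklist, rule set and dictionary sizes are constructed."""
import math
import re

# Constructed sample of a breached-password blocklist; a real deployment
# loads a large breach corpus instead.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome", "summer"}

MIN_LENGTH = 8    # 800-63B minimum for user-chosen passwords
MAX_LENGTH = 64   # 800-63B: accept at least 64 characters, so passphrases fit


def normalize(candidate):
    """Lower-case and strip leading/trailing digits and symbols, undoing the
    mangling users apply to satisfy composition rules ('Summer2024!' -> 'summer')."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", candidate.lower())


def is_sequential(s):
    """True for runs such as 'abcdefgh' or '12345678' (each char is previous + 1)."""
    return len(s) >= 4 and all(ord(b) - ord(a) == 1 for a, b in zip(s, s[1:]))


def check_password(candidate, context_words=()):
    """Return the list of policy failures; an empty list means accept.
    Deliberately absent: any requirement for particular character classes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if len(candidate) > MAX_LENGTH:
        problems.append("too long")
    lowered = candidate.lower()
    if len(set(lowered)) == 1:
        problems.append("repetitive")
    if is_sequential(lowered):
        problems.append("sequential")
    if normalize(candidate) in BLOCKLIST:
        problems.append("blocklisted")
    if any(w.lower() in lowered for w in context_words):
        problems.append("contains context word")
    return problems


def mangle(word):
    """Candidates a cracker derives from one dictionary word with a few common
    rules: case changes, an appended digit or year, an appended symbol."""
    bases = (word, word.capitalize(), word.upper())
    suffixes = [""] + [str(d) for d in range(10)] + [str(y) for y in range(1990, 2030)]
    symbols = ("", "!", "@", "#")
    return {b + s + sym for b in bases for s in suffixes for sym in symbols}


RULES_PER_WORD = len(mangle("example"))  # 3 bases * 51 suffixes * 4 symbols = 612


def random_password_bits(length, alphabet_size=95):
    """Entropy of a truly random password over printable ASCII."""
    return length * math.log2(alphabet_size)


def passphrase_bits(n_words, dictionary_size=7776):
    """Entropy of n words chosen at random from a Diceware-sized list."""
    return n_words * math.log2(dictionary_size)


def mangled_dictionary_bits(dictionary_size, rules_per_word=RULES_PER_WORD):
    """Effective search space when users pick a word and mangle it: the
    cracker only needs dictionary_size * rules_per_word guesses."""
    return math.log2(dictionary_size * rules_per_word)


if __name__ == "__main__":
    for pw in ("Summer2024!", "Password1!", "12345678", "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
    print("random 8-char password:", round(random_password_bits(8), 1), "bits")
    print("4 random words:", round(passphrase_bits(4), 1), "bits")
    print("100k words x rules:", round(mangled_dictionary_bits(100_000), 1), "bits")
```

The numbers tell the story: a genuinely random eight-character password is about 52.6 bits, four random Diceware words about 51.7 bits, but a "complex" password that is really a dictionary word plus a capital, a year and a symbol comes out of a search space of only about 25.9 bits, because the cracker's rules generate exactly those variants. The checker therefore rejects "Summer2024!" as blocklisted after normalization while accepting a four-word passphrase.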
We also need policies for onboarding and offboarding: bringing people into our environment, and handling it professionally when people leave as well.
We've got to have a process for onboarding. We want to make sure that we check references and certifications, meet with employees, have them sign nondisclosure agreements and go over the employee handbook with them.
People leave, whether voluntarily or through termination, and we need a documented, professional process for that too, to make sure we retrieve any company material,
revoke credentials and access (accounts, keys, tokens, badges), remind employees of the nondisclosure agreement they signed and conduct exit interviews as necessary.
An organization also has to be aware of software licensing. At one point in time there was a lot of funny business in organizations about software licensing.
It only took so many disgruntled employees before organizations realized the importance of making sure their software is properly licensed.
Vendors will come in and conduct audits, and they can fine you quite substantially if the licensing isn't handled properly.
We want to keep track of our software licenses and have a process in place to guarantee we're not using unlicensed software.
Data loss prevention (DLP) systems are very helpful tools. Their purpose is to detect, and possibly prevent, exfiltration of data from the network, also known as data loss.
You may also hear it called data leakage.
What these systems do is look for certain types or formats of data.
They can prevent those data types from being printed, emailed or otherwise exfiltrated off the network and out to the Internet.
The types of information they look for specifically are things like Social Security numbers, credit card numbers, or any information we want to keep tabs on to make sure it doesn't leave our network.
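Here is an added example (my code, not from the course or any DLP product) of the content-inspection core of a DLP filter: it scans outbound text for Social Security numbers and payment card numbers, and uses the Luhn checksum and the SSA's never-issued ranges to keep false positives down. The email body is constructed for the demonstration; the card number is the well-known Visa test number.

```python
"""Added example (not from the course): content inspection for a DLP filter,
scanning outbound text for SSNs and payment card numbers. The sample email
below is constructed; 4111 1111 1111 1111 is a published test card number."""
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or dashes
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits):
    """Luhn checksum (ISO/IEC 7812); most random digit strings fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area, group, serial):
    """The SSA never issued area 000, 666 or 900-999, group 00 or serial
    0000, so matches in those ranges are false positives."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def scan_for_sensitive_data(text):
    """Return (kind, redacted_value) tuples for every confirmed hit."""
    findings = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(("ssn", "***-**-" + m.group(3)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return findings


def should_block(text):
    """Policy hook: block the email, print job or upload if anything matched."""
    return bool(scan_for_sensitive_data(text))


# Constructed outbound email body used for the demonstration.
SAMPLE_EMAIL = """Hi, resending the onboarding form.
Employee SSN: 078-05-1120 (placeholder 000-12-3456 can be ignored)
Corporate card: 4111 1111 1111 1111 exp 12/27
Ticket number 4111 1111 1111 1112 is not a card.
"""

if __name__ == "__main__":
    for kind, value in scan_for_sensitive_data(SAMPLE_EMAIL):
        print(kind, value)
    print("block:", should_block(SAMPLE_EMAIL))
```

Note what the validation buys: the placeholder SSN with area 000 and the ticket number that fails Luhn are both ignored, so the filter blocks on the real-looking SSN and the card number only. A production DLP engine adds more detectors (account numbers, document fingerprints, keywords), inspects attachments and archives, and logs the redacted match rather than the raw value.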
We have to think about mobile device policies.
People want to bring their own devices onto the network: I want to use my tablet, my smartphone, bring my laptop from home and so on.
What we have to consider is that when these systems are not under our control, we don't really know what happens to them or what they're used for outside of our work environment.
Even though this is becoming very prevalent, there are certain ways that are better than others to address bring your own device (BYOD). For one, we can isolate BYOD devices on their own subnet.
We create a VLAN for BYOD, so people can come in and access the Internet but can't reach the corporate network.
That's really good for WiFi clients, where people just want to come in and browse the Internet on their phone or tablet.
There are some other variations, like personally owned, corporate enabled: essentially it's your device, but it is enabled for use in the workplace. Corporate owned, personally enabled (COPE) is the reverse: the company owns the device, but you take it home. Here's your laptop, you can take it home and use it for personal use, but the company remains the owner.
Sometimes organizations will let you choose your own device (CYOD).
There are all sorts of variations on this. Whatever it is, we need to realize that there is an additional threat that comes from allowing systems on our network that aren't controlled from a corporate policy standpoint.
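As an added example (my configuration, not from the course), here is what that Internet-only guest VLAN looks like on a Linux gateway running nftables. The interface names (vlan20, vlan10, wan0), the VLAN number and the address ranges are assumptions for illustration; the switch ports and access points still have to tag guest traffic into VLAN 20, and the rules below only cover IPv4.

```nftables
# Hypothetical Linux gateway ruleset (added example, not from the course).
# Assumes: guest BYOD traffic arrives tagged as VLAN 20 on vlan20
# (192.168.20.0/24), the corporate side is vlan10, and wan0 faces the Internet.
table inet byod_guest {
    set corporate_nets {
        type ipv4_addr
        flags interval
        # Every private range, so a guest can never reach corporate hosts
        elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
    }

    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        # Guests may talk to the gateway itself only for DHCP and DNS
        iifname "vlan20" udp dport { 67, 53 } accept
        iifname "vlan20" tcp dport 53 accept
        iifname "vlan20" drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Never route guest traffic into any private range
        iifname "vlan20" ip daddr @corporate_nets drop
        # Guest VLAN gets the Internet and nothing else
        iifname "vlan20" oifname "wan0" accept
        # Corporate VLAN keeps whatever policy it already had
        iifname "vlan10" accept
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "wan0" masquerade
    }
}
```

The ordering in the forward chain is the important part: the drop on private destinations comes before the accept toward wan0, so a guest cannot reach a corporate subnet even if a routing mistake would otherwise send it out an internal interface. Enable client isolation on the guest SSID as well, so guests cannot attack each other inside the VLAN, and add matching ip6 rules if the network runs IPv6.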
Another important policy is the acceptable use policy (AUP). The purpose of an AUP is to spell out the rules we place on end users in relation to company resources.
Can you print to the company printer for personal use? Can you make long-distance phone calls on the company dime?
Those should all be clarified in the acceptable use policy.
With NDAs, nondisclosure agreements, we want to make sure our employees have committed in legally binding writing not to disclose any company secrets. An NDA can be unilateral, running in one direction only, or bilateral, where the company also may not disclose the employee's secrets and vice versa.
That might be an environment where an employee is bringing in copyrighted material or providing some additional expertise. Multilateral means the nondisclosure agreement applies to multiple parties at once.