Policies and Best Practices Part 1

Time: 7 hours 50 minutes
Difficulty: Beginner
CEU/CPE: 8
Video Transcription
After talking in the last section about the importance of diagrams, change management, and configuration management in your workplace, we're now going to look at some other policies and best practices.

Starting off, we want to talk about our privileged users. In Unix, we have root and in Windows, we have administrator. Those are two all-powerful accounts, or at least they can be. What we want to do is monitor these accounts and limit administrative privileges. We don't want a single individual to be all powerful. Rather than having a single admin, we want to split administrative efforts across multiple administrators. We want to make sure that, for instance, if someone can lock user accounts, somebody different can unlock them. That goes in with separation of duties as well.

We always have to talk about password policies because passwords are really the weakest link in most environments today. It really needs to be stressed that passwords alone are no longer providing the amount of security that we need. Any eight-character password can be compromised in a matter of days. If we're going to use passwords, we want to bring in some other factor of authentication. Smartcards, biometrics, tokens, any additional security, and multi-factor authentication is best.

For passwords, we do want to include rules and make sure that we're securing our passwords and encouraging our users to use strong passwords. What's very interesting is this list at one point in time was thought to be the best practice for passwords. NIST has actually now come out and said, the suggestions that we gave you for passwords, we were wrong. Take some time to Google "NIST passwords revised" or "password policy revised". Basically what NIST is saying is that we've traditionally accidentally made passwords easier for attackers to guess and harder for us to remember. Most of the software that attackers are going to use already scans for upper and lowercase and alphanumeric and non-alphanumeric characters. Just adding these and making passwords more complex does not make them more secure. It's important to understand complexity does not equal security. What NIST is recommending now is to force people to have longer passwords rather than more complex passwords. Ultimately, that is what adds the entropy to password cracking, which makes it more difficult. If possible, get away from making these passwords so difficult that people write them down; tell users to pick four words. Those four words together are your password. I'm going to get something like 30-some characters just on average. That makes it very difficult for an attacker to compromise passwords. We need to get away from this single-factor authentication.

We need policies for onboarding and offboarding, bringing people into our environment, but also handling it professionally when people leave our environment as well. We've got to have a process. For onboarding, we want to make sure that we check references and certifications, meet with employees, have them sign non-disclosure agreements, and go over the employee handbook. When people are leaving, whether voluntarily or through termination, we also need a professional process that's documented to make sure we retrieve any company material. We revoke credentials, remind employees of the non-disclosure agreement that was signed, and conduct any exit interviews as necessary.

We have to be aware in an organization about licensing. At one point in time there was a lot of funny business in organizations about software licensing, and it only took so many disgruntled employees before organizations realized the importance of making sure that their software is properly licensed. Vendors will come in and conduct audits and can fine you quite substantially in the event that the licensing isn't handled properly. We want to make sure that we keep track of our software licenses and that there's a process in place to guarantee we're not using unlicensed software.

Data loss prevention systems are very helpful tools. The purpose here is to detect and possibly prevent exfiltration of data from the network, also known as data loss. You may also hear it called data leakage. What these systems do is look for certain types or formats of data. They can prevent those data types from being printed, emailed, or exfiltrated off the network and sent through the Internet. The types of information they would look for specifically would be things like Social Security numbers, credit card information, or any other information that we really want to keep tabs on and make sure it doesn't leave our network.

We have to think about mobile device policies. People want their devices brought into the network. I want to use my tablet, my smartphone, bring my laptop from home, and so on. What we have to consider is the fact that when these systems are not under our control, we don't really know what happens with them or what they're used for outside of our work environment. Even though this is becoming very prevalent, there are certain ways that are better than others to address the idea of bringing your own device. For one, we can isolate BYOD devices to their own subnet. We create a VLAN for bring-your-own devices. People can come in and access the Internet, but can't interface with the corporate network. That's really good for Wi-Fi clients where people just want to come in and browse the Internet on their phone or tablet. There are some other implementations, like personally owned, corporate enabled. Essentially it's enabled for use in the workplace, but it is your device. Whereas with corporate owned, personally enabled, the company owns the device but lets you take it home, for instance. Here's your laptop. You can take it home. You can use it for personal use, but the company remains the owner of it. Sometimes organizations will let you choose your own device, CYOD. There are all variations on this. Whatever it is, we need to realize that there is an additional threat that comes from allowing systems on our network that aren't controlled by a corporate policy, due to some BYOD.

Another important policy: acceptable use policy, AUPs. The purpose of an acceptable use policy is how we lay out the rules that we place on end users in relation to company resources. Can you print to the company printer for personal use? Can you make long distance phone calls on the company dime? They should all be clarified in the acceptable use policy.

With NDAs, non-disclosure agreements, we want to make sure that our employees have committed in legally binding writing to not disclose any company secrets. Either that's unilateral, one direction, or the company can expose the secrets of the employee and vice versa. That might be in an environment where an employee is bringing copyrighted material or providing some additional expertise. Multilateral means that the non-disclosure agreement applies to multiple resources within the organization.