A good cybersecurity plan employs layers of protection to thwart unauthorized access to the network and the data behind it. It is a strategy that revolves around identification, protection, detection, response, and recovery. Becoming aware of security best practices is a critical first line of defense.
When it comes to securing your home, the most vulnerable entry point is not the dead-bolted front door, it’s an unlocked window. Similarly, most hackers don’t attempt to gain entry by picking the lock to the front door. Instead, they look for an easier way, such as an unlocked window.
In a network environment, the devices employees use, such as computers, tablets and phones, are the “windows”. At the PC level, there are a variety of software agents that provide virus and malware detection and prevention. These endpoint agents actively scan email attachments, links, and website content, and when a bad actor tries to surreptitiously download malicious software onto the machine, the agent detects and blocks it. Symantec.cloud and Malwarebytes Endpoint Protection are products that provide this type of protection. Two things to keep in mind: an agent only protects the machine it is installed on, so coverage has to be complete (every laptop, including the ones that rarely connect to the office), and the agent's engine and definitions must update automatically, since detection of new malware always lags its release.
Network Authentication and Monitoring
At the network level, methods of protection include user authentication and access controls, activity monitoring, perimeter firewalls, patch management, and vulnerability scanning. So, what does all that jargon mean? Let’s break it down.
User authentication and access controls start with the network login. In a Microsoft Active Directory domain, when a user enters their username and password, a domain controller validates the credentials against the domain database (NTDS.dit) using Kerberos, or NTLM for clients that cannot use Kerberos; the local Security Accounts Manager (SAM) database is only consulted for local, non-domain accounts. If the credentials check out, the user is authenticated and allowed to log in to the network. Authentication only establishes who the user is. What they can then reach on servers and shared folders is authorization, which is governed by the groups the account belongs to and the access control lists on each resource, and keeping those group memberships tight (least privilege) is what limits the damage when a password is stolen.
Activity monitoring is achieved by using tools that integrate with Active Directory. One type of tool learns the behavior of individual users on the network over time: what time of day a user typically logs in and logs out, where they connect from, what servers they access, and what files they open. If an anomaly occurs, the tool sends a notification to the IT Department. For example, if a user logs in remotely at 2 a.m. and attempts to connect to a server they have never accessed before, that event would be flagged and generate a security alert. Such tools need a learning period before their baselines are trustworthy, and the alert threshold has to be tuned: a single new server is an everyday event, several deviations at once are not.
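As an added illustration of the baseline-and-deviation logic described above (this is example code written for this page, not a vendor's product or the original article's), the following Python script learns each user's usual login hours, session sources and servers from a constructed set of historical events, then flags the 2 a.m. remote login to a never-seen server while leaving routine activity alone. The events, user names and server names are made up.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real logs): user, ISO timestamp, where the
# session came from, and which server was accessed. A real tool would read
# these from domain controller and file server logs.
HISTORICAL_EVENTS = [
    ("jsmith", "2024-03-04T08:05:00", "LAN", "FILESRV01"),
    ("jsmith", "2024-03-04T09:30:00", "LAN", "FILESRV01"),
    ("jsmith", "2024-03-05T08:12:00", "LAN", "FILESRV01"),
    ("jsmith", "2024-03-05T13:45:00", "LAN", "SQLSRV02"),
    ("jsmith", "2024-03-06T08:02:00", "LAN", "FILESRV01"),
    ("jsmith", "2024-03-07T17:55:00", "LAN", "SQLSRV02"),
    ("adavis", "2024-03-04T22:10:00", "VPN", "APPSRV03"),
    ("adavis", "2024-03-05T23:40:00", "VPN", "APPSRV03"),
    ("adavis", "2024-03-06T21:50:00", "VPN", "APPSRV03"),
]

NEW_EVENTS = [
    ("jsmith", "2024-03-11T08:10:00", "LAN", "FILESRV01"),   # routine
    ("jsmith", "2024-03-12T02:03:00", "VPN", "FINANCE-DB"),  # 2 a.m., remote, never-seen server
    ("adavis", "2024-03-12T22:30:00", "VPN", "APPSRV03"),    # late nights are normal for adavis
]

HOUR_SLACK = 1   # hours either side of an observed login hour that still count as usual


def build_baseline(events):
    """Learn, per user, the login hours, session sources and servers seen so far."""
    baseline = defaultdict(lambda: {"hours": set(), "sources": set(), "servers": set()})
    for user, ts, source, server in events:
        profile = baseline[user]
        profile["hours"].add(datetime.fromisoformat(ts).hour)
        profile["sources"].add(source)
        profile["servers"].add(server)
    return dict(baseline)


def hour_distance(a, b):
    """Distance between two hours on a 24-hour clock, so 23:00 and 01:00 are 2 apart."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score_event(baseline, event):
    """Return the ways this event deviates from the user's baseline (empty if none)."""
    user, ts, source, server = event
    profile = baseline.get(user)
    if profile is None:
        return ["no history for user"]
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    if all(hour_distance(hour, h) > HOUR_SLACK for h in profile["hours"]):
        reasons.append(f"login at {hour:02d}:00 outside usual hours")
    if source not in profile["sources"]:
        reasons.append(f"new session source {source}")
    if server not in profile["servers"]:
        reasons.append(f"first access to {server}")
    return reasons


def detect_anomalies(baseline, events, min_reasons=2):
    """Alert on events that deviate in at least min_reasons ways. A single new
    server on its own is routine (new project, new share) and would be noisy."""
    alerts = []
    for event in events:
        reasons = score_event(baseline, event)
        if len(reasons) >= min_reasons:
            alerts.append((event[0], event[1], reasons))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(HISTORICAL_EVENTS)
    for user, ts, reasons in detect_anomalies(baseline, NEW_EVENTS):
        print(f"ALERT {user} {ts}: {'; '.join(reasons)}")
```

The `min_reasons` threshold is the tuning knob mentioned above: requiring two or more simultaneous deviations keeps a user's first visit to a new share from paging anyone, while the combination of odd hour, remote source and unknown server still fires.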
Patch management is the process of applying security patches from Microsoft and other third-party vendors in a timely manner after they are released. Generally, IT Departments use a tool to automate the process. The tool should also report what it could not patch: machines that were offline, installs that failed, and applications it does not cover, since those gaps are what an attacker finds first.
Vulnerability Scanning
Vulnerability scanning is the process of scanning the network for Microsoft operating system and other third-party application security vulnerabilities. Tools from vendors such as Qualys or SAINT can be used to scan the IP addresses on the internal network as well as the external IPs associated with the network. The scan provides a report of the security vulnerabilities discovered and generally rates them by severity from 1 to 5, with 5 being the most critical. Findings on externally reachable hosts deserve attention ahead of equally rated internal ones, and a rescan after patching is the only real confirmation that a fix took.
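The scan report and the patch queue from the two sections above can be joined into a simple triage, shown here as an added Python example (not part of the original article and not a real scanner export format): it parses a constructed CSV in the shape of a severity-rated scan report, weights external exposure, flags findings that have exceeded a sample patching SLA, and orders the patch queue accordingly. The CSV columns, hosts, IP addresses, SLA days, exposure weights and report date are all assumptions made for the example.

```python
import csv
import io
from datetime import date

# Constructed scan export in the shape of a typical CSV report (an assumption,
# not a real Qualys or SAINT file; the column names are made up for the example).
SCAN_CSV = """host,ip,exposure,severity,title,first_seen
web01,203.0.113.10,external,5,Apache HTTP Server remote code execution,2024-02-20
web01,203.0.113.10,external,2,TLS 1.0 enabled,2024-01-15
fs01,10.0.0.21,internal,5,SMB signing not required,2024-03-01
fs01,10.0.0.21,internal,4,Missing Windows cumulative update,2024-03-01
hr02,10.0.0.44,internal,1,ICMP timestamp disclosure,2023-11-02
"""

# Constructed "today" for the sample report (assumption).
REPORT_DATE = date(2024, 3, 10)

# Sample remediation policy (assumption): days allowed per severity, and how much
# more an internet-facing host counts than an internal one.
PATCH_SLA_DAYS = {5: 7, 4: 14, 3: 30, 2: 90, 1: 180}
EXPOSURE_WEIGHT = {"external": 2.0, "internal": 1.0}


def parse_scan(text):
    """Read the CSV export into typed dicts."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        findings.append({
            "host": row["host"],
            "ip": row["ip"],
            "exposure": row["exposure"],
            "severity": int(row["severity"]),
            "title": row["title"],
            "first_seen": date.fromisoformat(row["first_seen"]),
        })
    return findings


def risk_score(finding):
    """Scanner severity 1-5, scaled up for hosts reachable from the internet."""
    return finding["severity"] * EXPOSURE_WEIGHT[finding["exposure"]]


def sla_breached(finding, today):
    """True when the finding has been open longer than the policy allows."""
    age_days = (today - finding["first_seen"]).days
    return age_days > PATCH_SLA_DAYS[finding["severity"]]


def triage(findings, today):
    """Patching order: overdue findings first, then highest risk, then host name."""
    return sorted(
        findings,
        key=lambda f: (not sla_breached(f, today), -risk_score(f), f["host"]),
    )


def overdue_hosts(findings, today):
    """Hosts with at least one finding past its SLA, for the weekly patch report."""
    return sorted({f["host"] for f in findings if sla_breached(f, today)})


if __name__ == "__main__":
    for f in triage(parse_scan(SCAN_CSV), REPORT_DATE):
        flag = "OVERDUE" if sla_breached(f, REPORT_DATE) else "       "
        print(f"{flag} sev={f['severity']} risk={risk_score(f):4.1f} {f['host']:6} {f['title']}")
```

Note that the two severity-5 findings end up in different positions even though the scanner rates them the same: the internet-facing web server outranks the internal file server, and the 90-day-old TLS finding is not overdue because its severity-2 SLA has not run out yet.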
In the Cloud
At the cloud level, which runs outside, or “above”, the local network, email filtering is often deployed to detect and block emails that contain spam, viruses, phishing attacks and malicious links. This is an additional layer on top of the standard filtering performed by email system providers such as Microsoft Office 365 or Google G Suite for Business. Mimecast and SolarWinds have market-leading products in this category. One configuration detail matters: once mail is routed through the filtering service, the mail server should accept inbound mail only from that service's addresses, otherwise an attacker who finds the server's own address can deliver straight to it and skip the filter entirely.
DNS-based web traffic filtering and monitoring is another effective tool. It uses a DNS-based reputation database to block known harmful websites, as well as links within emails that lead to known harmful domains, by refusing to resolve the name in the first place. Cisco Umbrella, previously known as OpenDNS, is a market leader in this space. Because the control sits at name resolution, it only protects devices that actually use the filtering resolver, so outbound DNS to any other resolver should be blocked at the firewall, and it does not see connections made directly to an IP address.
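To show the name-based matching that both the email link scanning above and DNS filtering rely on, here is an added Python example (written for this page, not code from Cisco Umbrella, Mimecast or the original article). It pulls links out of a constructed phishing message, works out the hostname a browser would actually look up for each, and checks that hostname against a constructed blocklist by DNS label suffix, the way a listed zone covers all of its subdomains. The domains and message text are made up; `.example` and `.test` are reserved names that never resolve.

```python
import re
from urllib.parse import urlparse

# Constructed blocklist standing in for the vendor's reputation database (assumption).
BLOCKED_DOMAINS = {"evil.example", "malware-cdn.test"}

# Constructed phishing message used as sample input (not a real email).
SAMPLE_EMAIL = """Your mailbox is almost full. Review your storage at
https://www.example.org/storage or sign in at
https://paypal.com.evil.example/login to keep your account,
or use our mirror https://bank.example@evil.example/secure.
Unrelated link: https://notevil.example/about.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def blocked_domain(hostname, blocklist=BLOCKED_DOMAINS):
    """Return the blocklist entry that covers hostname, or None.
    Matching walks the DNS labels from the right, the way a resolver-based
    filter treats a listed zone: 'evil.example' covers 'login.evil.example'
    and 'paypal.com.evil.example' but not 'notevil.example'."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def extract_links(body):
    """Pull http(s) URLs out of a message body, dropping trailing punctuation."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(body)]


def check_links(body, blocklist=BLOCKED_DOMAINS):
    """Classify every link in body by the DNS name the browser would resolve.
    urlparse().hostname ignores the 'user@' part of the authority, so the
    classic 'https://bank.example@evil.example/' trick resolves to evil.example."""
    results = []
    for url in extract_links(body):
        host = urlparse(url).hostname or ""
        results.append({"url": url, "host": host, "blocked_by": blocked_domain(host, blocklist)})
    return results


if __name__ == "__main__":
    for r in check_links(SAMPLE_EMAIL):
        verdict = f"BLOCK ({r['blocked_by']})" if r["blocked_by"] else "allow"
        print(f"{verdict:22} {r['host']:26} {r['url']}")
```

The suffix walk is the important part: a plain substring check on "evil.example" would wrongly block notevil.example, and a check for an exact match would miss the paypal.com.evil.example lookalike, which is exactly the shape phishing links take.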
Backup and Recovery
Data backup and rapid recovery provide the final layer of protection. If data is destroyed or encrypted by a successful attack, such as ransomware, the ability to restore production servers and data quickly is imperative. Daily or intra-daily backup images allow an IT Department to recover a compromised server from a restore point taken before the breach. Datto provides excellent solutions for image backup and recovery. Two caveats: ransomware operators deliberately go after backups, so at least one copy must be offline or immutable and must not be reachable with the same credentials the attackers have obtained; and a backup that has never been test-restored is only a hope, so restores should be rehearsed and timed before they are needed.