Network Defense - Look at Policies and Training First

George Seerden
Oct 9, 2019 1:00:00 PM

I live in two worlds. The first is with Compass IT Compliance where most of our clients are small to medium businesses that don’t have their own security teams in-house. The second is with the US Air Force where my only job is to help secure the entire enterprise. I am always blown away with how differently each handles network defense. In the Air Force, we have an entire suite of tools, systems, training, and personnel that allow us to monitor the entire network in real time, see what processes are running, and perform live forensics on any machine connected to the Air Force network worldwide. Couple that with 24/7 monitoring and the bad guys stand very little chance.

Then I come home and switch my uniform for my civilian clothes and… what? How can a small to medium business even HOPE to defend itself at the level of a major organization? This may sound corny, but it starts with good policies and training. All the technical defenses in the world are worthless as soon as one employee allows a bad guy in with a phishing email or weak passwords. Small organizations do have one distinct advantage: only minor criminals are targeting them. They rarely come under attack from an Advanced Persistent Threat (APT), so the standard required to defend themselves is much lower.

OK, so the boring stuff. Policies and training aren’t flashy, and security people run from seminars that focus on those topics like the plague. However, this is BY FAR the most important thing to your security. Any organization, no matter the size, can sit down and draw up a “Bring Your Own Device”, “Password”, or “Removable Media” policy (Compass IT Compliance has helped hundreds of organizations in establishing or improving IT policies). What may be even more important is a ROBUST AND CONTINUOUS training program that focuses heavily on phishing emails. Hands down the easiest way to breach any organization (yes, even major organizations) is with a cleverly crafted phishing email. They range from something as simple and low-tech as trying to get Accounts Payable to wire money somewhere to something as complex as targeting someone with access to an air-gapped system to try to get malware to jump the gap.

The good news is that there are a few other simple practices that, when followed, dramatically improve your defenses:

  • Keep all your systems and software as up to date as possible
  • Segregate all your Internet of Things (IoT) devices onto their own network (virtual or physical)
  • Segregate your business network from the guest network
  • Use VLANs to break up departments and don’t let them talk to each other directly
  • KNOW YOUR NETWORK! There should be an up-to-date map of EVERY SINGLE SYSTEM, including the ports, protocols, and services that are required
  • If you don’t need that port, protocol, or service… lock it down
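
One way to check the last two items, as an added example that is not part of the original post: compare the documented map against what each system is actually listening on. The host names, the baseline, and the `ss -tuln` output below are constructed sample data.

```python
# Constructed baseline: the network "map" of required (protocol, port) pairs.
BASELINE = {
    "web01": {("tcp", 22), ("tcp", 443), ("tcp", 8443)},
}

# Constructed `ss -tuln` output gathered from each host (hypothetical names).
OBSERVED = {
    "web01": """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      511    [::]:443           [::]:*
tcp   LISTEN 0      32     0.0.0.0:21         0.0.0.0:*
udp   UNCONN 0      0      127.0.0.1:323      0.0.0.0:*
""",
    "printer-3f": """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      5      0.0.0.0:9100       0.0.0.0:*
""",
}

def parse_listeners(ss_output):
    """Return the (proto, port) pairs that other hosts can reach."""
    found = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        addr, _, port = fields[4].rpartition(":")
        if addr.startswith(("127.", "[::1]")) or not port.isdigit():
            continue  # loopback-only listeners are not exposed to the network
        found.add((fields[0], int(port)))
    return found

def audit(baseline, observed):
    """Report drift between the documented map and what is listening."""
    report = {"unmapped_hosts": [], "undocumented": {}, "stale_entries": {}}
    for host, output in sorted(observed.items()):
        if host not in baseline:
            report["unmapped_hosts"].append(host)  # system missing from the map
            continue
        seen = parse_listeners(output)
        # Listening but not on the map: candidates to lock down.
        report["undocumented"][host] = sorted(seen - baseline[host])
        # On the map but not listening: the map is out of date.
        report["stale_entries"][host] = sorted(baseline[host] - seen)
    return report

if __name__ == "__main__":
    print(audit(BASELINE, OBSERVED))
```

Anything under `undocumented` either gets added to the map with a business reason or gets locked down; anything under `unmapped_hosts` is a system the map does not know about.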

None of the things I listed require a full-time security team. This can easily be handled with a third-party service provider. All these things are amazingly cheaper than paying fines or having your brand damaged when a breach occurs. Don’t be the low-hanging fruit! Contact us today to learn more.
