Article written by Content Security team leader for incident response Clint Marsden.
While the end of a financial year is the time to tally the numbers and tidy up the books, it’s also the perfect time to cast an eye over your IT infrastructure. Supporting virtually every facet of business, this vital asset must be protected from a growing range of threats that can cause disruption and loss.
A regular review of IT security ensures all necessary protective measures are in place and operating effectively. While such reviews should be conducted throughout the year, undertaking a comprehensive audit now will ensure everything is on track as the new financial year unfolds.
The top five EOFY tips for better business IT security are:
Many vulnerabilities exist within business IT infrastructures due to software patches that have not been installed. By having a regular and consistent patching regime in place, the attack service is reduced significantly, making it much harder for attackers to gain access. While this has been the message from Security Vendors and Device manufacturers for many years, many breaches could be prevented from this fundamental step.
Patches should be deployed as soon as they are released by software vendors as any delay in doing so is leaving critical infrastructure at risk. In addition, the harder an attacker has to work on gaining access, it is more likely it is that you will detect them within your Security Information and Event Management (SIEM) system.
IT teams often rely on the fact that they have logs available but are not clear on how long logs exist on their systems until an incident occurs. They believe these logs will make it easier to spot unauthorised activity on a network and determine the source of an attack should one occur.
However, all too often, these logs are overwritten or deleted before an incident has been detected. From a forensic investigation perspective this makes it difficult to understand the initial entry point of the attack. Without this information, the ability to identify exactly how the adversary gained access to your infrastructure may be lost. Finally, lack of log data can prevent detection of what lateral movement has taken place Proper log retention and configuration is therefore vital.
If you don’t already have a SIEM in place, consider deploying one. Not only is this important when it comes to retaining all logs to prevent accidental or deliberate deletion, but using a platform to correlate logs from all systems within an infrastructure can greatly assist in the detection of a data breach, sometimes still in the early stages. By implementing a centralised logging system, an IT team can reduce the mean time to detect, and more importantly, ensure an accurate and efficient investigation can take place due to the availability of relevant forensic artefacts.
If the IT team doesn’t know what normal activity within their infrastructure looks like, it’s very difficult to spot Indicators Of Compromise. Take time to analyse day-to-day activity to develop a baseline of regular activity and actions. This should include recording normal processes and network connections from servers as a first step. Understand bandwidth on internal and external network interfaces, and finally what looks normal on your database servers – the crown jewels! Then, when an incident occurs, it will be much easier to spot as it will involve activity or data flows that have been flagged as interesting. This approach helps the team filter out noise and focus on the events that matter. When an incident occurs, many eyes are focusing on the infrastructure. It is at this time that everything can be perceived as interesting or ‘evil’. By understanding what is normal prior to an incident taking place, your team can more quickly look for anomalous behaviour.
Within many organisations, there are a number of staff who have higher levels of network access than they required to complete their jobs. For example, some staff members who have been with the business for many years may have been acquiring and retaining system access as they shifted from role to role. Consistent audits of group memberships can be time-consuming, but they reduce the risk of insider threats (Snowden 2013). Also, if an attacker does compromise an account, it will limit how far they can move within the network or resources that can be accessed.
Following these security recommendations will allow a business to be confident they have taken significant steps to secure their environment and ready to face the challenges of the new financial year. Taking the time now to review measures in place and close any gaps that might exist could save significant time and expense further down the track.
Security is a never-ending journey, but following these fundamental recommendations will reduce risk and make your network less vulnerable to compromise, and if a compromise does occur, empower Incident Responders to provide better investigation outcomes.