Security Resolutions for 2019
New Year’s resolutions are a way to make improvements in areas that might have been neglected in the past. As 2018 comes to a close and we approach the new year, here are 5 New Year’s resolutions you can make in 2019 to improve your organization’s overall security posture.
Patch within 30 days of new security releases.
Patching a system means installing the security updates released by its vendor. A best-practice patch management process tests each patch on a small number of devices to confirm functionality, then deploys it to all systems in your environment. Security updates are released monthly, so build patching into a regular process and install all updates within 30 days of release, if not sooner. Patching is easy to neglect as routine maintenance, but known vulnerabilities are easily exploited by attackers. Equifax’s infamous data breach in May 2017 was caused by a web application vulnerability for which a security patch had been available since March of the same year. Had Equifax patched its systems in a timely fashion, the company would have been immune to the vulnerability used to enter its network.
If you struggle to stay up to date, the United States Computer Emergency Readiness Team (US-CERT) maintains a website of critical alerts, vulnerabilities, and patch releases, and an active Twitter account that covers updates for a variety of common platforms.
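A 30-day patching resolution is only meaningful if you measure it. The following added example (not from the original post) is a small patch-SLA checker: it takes an inventory of hosts, the release date of each required patch, and the date it was installed (or None if it is still missing), and reports which hosts are late or overdue against a configurable deadline. The hostnames, patch identifiers, and dates are constructed sample data, not real systems or advisories.

```python
from datetime import date, timedelta

SLA_DAYS = 30  # the resolution: every patch installed within 30 days of release

# Constructed sample inventory (hypothetical hosts and patch IDs, not real data).
# Each row: (hostname, patch_id, release_date, installed_date_or_None)
SAMPLE_INVENTORY = [
    ("web-01", "KB-EXAMPLE-001", date(2018, 11, 13), date(2018, 11, 20)),
    ("web-02", "KB-EXAMPLE-001", date(2018, 11, 13), None),
    ("db-01",  "KB-EXAMPLE-001", date(2018, 11, 13), date(2018, 12, 20)),
    ("app-01", "KB-EXAMPLE-002", date(2018, 12, 11), None),
]


def days_overdue(release, installed, today, sla_days=SLA_DAYS):
    """Days past the SLA deadline; zero or negative means within the window.

    A missing patch (installed is None) is measured against 'today', so an
    uninstalled patch keeps getting more overdue every day it is not applied.
    """
    deadline = release + timedelta(days=sla_days)
    effective = installed if installed is not None else today
    return (effective - deadline).days


def check_inventory(rows, today, sla_days=SLA_DAYS):
    """Classify every (host, patch) pair.

    Returns a list of (host, patch_id, status, days_overdue) where status is
    one of OK, LATE (installed after the deadline), MISSING_IN_WINDOW
    (not yet installed but deadline not reached) or MISSING_OVERDUE.
    """
    findings = []
    for host, patch, release, installed in rows:
        overdue = days_overdue(release, installed, today, sla_days)
        if installed is None:
            status = "MISSING_OVERDUE" if overdue > 0 else "MISSING_IN_WINDOW"
        else:
            status = "LATE" if overdue > 0 else "OK"
        findings.append((host, patch, status, max(overdue, 0)))
    return findings


def compliance_rate(findings):
    """Fraction of (host, patch) pairs that were patched inside the SLA."""
    if not findings:
        return 1.0
    return sum(1 for f in findings if f[2] == "OK") / len(findings)


def sample_report(today_iso="2018-12-31"):
    """Run the checker over the constructed inventory as of the given date."""
    today = date.fromisoformat(today_iso)
    findings = check_inventory(SAMPLE_INVENTORY, today)
    return findings, compliance_rate(findings)


if __name__ == "__main__":
    findings, rate = sample_report()
    for host, patch, status, overdue in findings:
        print(f"{host:8} {patch:15} {status:18} overdue={overdue}d")
    print(f"SLA compliance: {rate:.0%}")
```

Run as of 2018-12-31, the report flags web-02 as 18 days overdue with the patch still missing, db-01 as patched 7 days late, and app-01 as missing but still inside its window, for a compliance rate of 25%. Feeding the checker from a real inventory export (for example a CSV from your patch management tool) and running it on a schedule turns the 30-day resolution into a number you can track month over month.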
Limit the number of admin accounts in your environment.
Admin accounts can install programs, access and change system files, modify security controls, and add accounts to the system. Perhaps the most concerning component of admin privileges is debugging rights, which let the account read the system’s memory. Using this capability, an attacker can steal the plain-text passwords of all users logged into the machine from the system’s memory. To limit this memory-dumping attack, use standard (non-admin) user accounts for day-to-day work as much as possible, and secure admin accounts with Multi-Factor Authentication.
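Reducing admin accounts starts with knowing who has them and who holds debugging rights. The following added example (not from the original post) audits two constructed inputs: an account inventory with group membership and an MFA flag, and an excerpt in the format of a Windows security template as produced by `secedit /export /cfg`, whose `[Privilege Rights]` section lists the SIDs assigned each user right. It reports admin count against a limit, admins lacking MFA, and any SID holding `SeDebugPrivilege` beyond the built-in Administrators group (`S-1-5-32-544`, the default holder). The account names, group memberships, the non-built-in SID, and the `max_admins` threshold are all hypothetical sample values.

```python
# Constructed sample account inventory (hypothetical users, not real accounts).
SAMPLE_ACCOUNTS = [
    {"name": "alice",   "groups": ["Users"],                   "mfa": True},
    {"name": "bob",     "groups": ["Administrators"],          "mfa": False},
    {"name": "carol",   "groups": ["Administrators", "Users"], "mfa": True},
    {"name": "svc-bak", "groups": ["Backup Operators"],        "mfa": False},
    {"name": "dave",    "groups": ["Administrators"],          "mfa": False},
]

# Constructed excerpt in the layout of a 'secedit /export /cfg' template.
# The domain SID ending in -1105 is a made-up example of an extra holder.
SAMPLE_SECEDIT_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""

BUILTIN_ADMINS_SID = "S-1-5-32-544"  # well-known SID of the local Administrators group


def admin_accounts(accounts):
    """Names of every account that is a member of Administrators."""
    return [a["name"] for a in accounts if "Administrators" in a["groups"]]


def admins_without_mfa(accounts):
    """Admin accounts that are not protected by a second factor."""
    return [a["name"] for a in accounts
            if "Administrators" in a["groups"] and not a["mfa"]]


def privilege_holders(secedit_text, privilege):
    """Return the SIDs assigned a user right in the [Privilege Rights] section.

    Template lines look like 'SeDebugPrivilege = *S-1-5-32-544,*S-1-5-...';
    the leading '*' marks a SID, which is stripped from the result.
    """
    in_section = False
    for raw in secedit_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = (line == "[Privilege Rights]")
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == privilege:
                return [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
    return []


def unexpected_debug_holders(secedit_text, allowed=(BUILTIN_ADMINS_SID,)):
    """SIDs holding SeDebugPrivilege that are not on the allowed list."""
    return [sid for sid in privilege_holders(secedit_text, "SeDebugPrivilege")
            if sid not in allowed]


def audit(accounts, secedit_text, max_admins=2):
    """Summarise the findings a reviewer would act on."""
    admins = admin_accounts(accounts)
    return {
        "admin_count": len(admins),
        "over_limit": len(admins) > max_admins,
        "admins_without_mfa": admins_without_mfa(accounts),
        "unexpected_debug_holders": unexpected_debug_holders(secedit_text),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_ACCOUNTS, SAMPLE_SECEDIT_EXPORT).items():
        print(f"{key}: {value}")
```

On the sample data the audit finds three admins against a limit of two, two of them (bob and dave) without MFA, and one SID besides the built-in Administrators group holding debugging rights. Each of those is a concrete item to remove or remediate rather than a vague goal to "reduce admins".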
Use Multi-Factor Authentication.
Without Multi-Factor Authentication (MFA), an account can be accessed by anyone who knows its password. Users are susceptible to phishing attacks and other credential-harvesting campaigns, unknowingly handing their password to an attacker. With MFA, an extra layer of security is in place: a code or verification request is sent to a trusted device to confirm the login.
Implement a formal security training program.
Employees use information systems daily, so it’s important to give them the knowledge they need to avoid becoming a security risk to your organization. Teach your users about phishing attacks, password hygiene, how to spot dangerous links, and how to avoid risky downloads. Technical controls have limitations, so you need educated users who follow safe computing practices.
Prepare your incident response plan.
The security community now views security incidents as a matter of when, not if. Attackers are becoming increasingly sophisticated, new vulnerabilities are discovered each month, and users can be tricked into leaking passwords or other sensitive information. The proper time to create an incident response plan is before an incident occurs. Make sure you’ve considered which stakeholders need to be informed, how you intend to communicate about the incident, and what steps you need to take to get your organization back on track. A well-thought-out plan can help your organization minimize damage in the event of a cyber incident. In addition to creating your plan, test it with tabletop exercises designed to challenge the plan and identify any gaps.
As we enter the new year, ensure your organization is off to a good start by prioritizing these security practices that you may have previously neglected. Security takes effort, but the return on your investment is ensuring the confidentiality, integrity, and availability of your data and maintaining your customers’ trust.