Developing a Security Plan

In OATI’s recent blog, “Defense in Depth,” we focused on the prevention of cyber-attacks and data loss. To build on that blog post, we’ll explain how to develop a plan for ensuring your operating systems and applications are secure. We’ll cover three overarching categories of endpoint and user security: technology, policy, and training.

The first, and one of the most visible and widely discussed, components of endpoint security is technology. Antivirus, firewalls, content filters, and intrusion detection systems are the components working in the background to keep your users and data safe.

Antivirus solutions have been a universal part of IT security since the field’s inception. Most antivirus applications work by checking files the user accesses against known virus signature files. Staying current requires constant updates from the antivirus vendor, as new malware is created and malware writers develop tools to change the appearance of existing malware.

Newer products take a different approach to anti-malware, using heuristics and modeling of file access and network behavior. They don’t rely solely on file checksums and signatures to detect malware, but on the more general behavior of executables.

Another nearly universal piece of security technology is the firewall. Whether a network appliance or software running on the endpoint, the basic purpose of a firewall is to block unauthorized network traffic. Running both a hardware and a software firewall gives you extra granularity in the rules that allow traffic. The attack surface of your network and endpoints can be significantly reduced by blocking inbound connection attempts to unused ports.

For the policy aspect of endpoint and user security, implementing secure computing policies adds another layer to the security infrastructure by giving your users official standards and practices to follow. Some can be enforced through technology, but some can’t, and must be enforced by policy. Internet use policies define what sites are appropriate to browse at work. In conjunction with content filters, policies can decrease the risk of users accidentally getting infected by malicious sites or divulging private information online.

Best practices for password policies are a debated topic. Until recently, it was common to require complicated passwords containing a mix of letters, numbers, and symbols. However, recent NIST guidelines lay out a different approach, which advocates for simpler, easier-to-remember passwords that don’t expire. When a new password is chosen, it should be compared against a list of values known to be commonly used, expected, or already compromised. So, no “hunter7,” “password,” or even “p@ssw0rd.” One way to choose a password is to take a sentence from a favorite book and use the first letter of each word plus the punctuation. So, a line from The Hobbit, “‘You have nice manners for a thief and a liar,’ said the dragon.” becomes “YhnMfaT&aL,stD.” That’s a fifteen-character password that looks complex, contains no dictionary words, and is fairly easy to remember.
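The following is an added example, not code from OATI or the original post. It implements the two practices described above: a blocklist check in the style of the NIST guidance (minimum length, no composition rules, reject commonly used or compromised values) and the sentence-to-password derivation. The blocklist and the letter-for-symbol normalization table are constructed for illustration; a real deployment would load a large breached-password list. The derivation function applies only the basic first-letter-plus-punctuation rule (with “and” written as “&”), so it does not reproduce the hand-capitalized nouns in the post’s Hobbit example.

```python
"""Added example (not OATI's code): NIST-style password screening plus the
sentence-derived password technique from the post."""
import re
import unicodedata
from typing import Iterable, Tuple

# Constructed sample blocklist of commonly used / known-compromised values.
# A real check would load a much larger list (e.g. from a breach corpus).
BLOCKLIST = {"password", "hunter7", "p@ssw0rd", "123456", "qwerty", "letmein"}

# Constructed table of common letter-for-symbol substitutions, so that a
# value like "p@ssw0rd" is compared as "password" and is caught even when
# only the plain word is on the list.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                      "$": "s", "5": "s", "7": "t", "!": "i"})


def normalize(pw: str) -> str:
    """Lower-case, Unicode-normalize and undo common symbol substitutions."""
    return unicodedata.normalize("NFKC", pw).lower().translate(LEET)


def is_acceptable(pw: str, blocklist: Iterable[str] = BLOCKLIST,
                  min_len: int = 8) -> Tuple[bool, str]:
    """Return (ok, reason). No composition rules: only a minimum length and a
    blocklist check, which is the NIST SP 800-63B approach described above."""
    blocked = {b.lower() for b in blocklist}
    if len(pw) < min_len:
        return False, "too short"
    if pw.lower() in blocked or normalize(pw) in blocked:
        return False, "commonly used or compromised"
    return True, "ok"


def derive_from_sentence(sentence: str) -> str:
    """First character of each word plus every punctuation mark, in order.
    The word 'and' becomes '&' as in the post's example; any further
    capitalization is left to the user."""
    out = []
    for tok in re.findall(r"[A-Za-z0-9']+|[^\w\s]", sentence):
        if tok[0].isalnum():
            out.append("&" if tok.lower() == "and" else tok[0])
        else:
            out.append(tok)
    return "".join(out)


if __name__ == "__main__":
    line = "You have nice manners for a thief and a liar, said the dragon."
    candidate = derive_from_sentence(line)
    print(candidate, is_acceptable(candidate))
    for weak in ("hunter7", "password", "p@ssw0rd"):
        print(weak, is_acceptable(weak))
```

The normalization step matters because attackers try the same “@ for a, 0 for o” substitutions users do; a blocklist that only matches exact strings would pass “p@ssw0rd” while rejecting “password”.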

The principle of least privilege should also be followed whenever possible. When bringing a new staff member into the organization, permissions should be granted only for the resources they’ll need. The same goes for termination, especially in instances of unexpected or sudden terminations. Shutting down user access should happen as soon as the business relationship has ended. HR and management should have policies in place to notify IT or the account provisioning department to terminate access.
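As an added example (not OATI’s code, and not tied to any particular directory product), the reconciliation below turns the policy in this paragraph into a repeatable check: the HR roster is the source of truth, each role maps to the maximum set of groups it needs, and the script reports any account that belongs to a leaver, has no roster entry at all, or holds groups outside its role. The role map and both sample rosters are constructed data.

```python
"""Added example (not OATI's code): reconcile an HR roster against the
account directory to enforce least privilege and prompt deprovisioning."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed role-to-entitlement map: a role defines the maximum set of
# groups; anything beyond it is flagged for removal.
ROLE_GROUPS: Dict[str, Set[str]] = {
    "analyst": {"vpn", "ticketing"},
    "engineer": {"vpn", "ticketing", "git"},
}


@dataclass
class Employee:
    user: str
    role: str
    end_date: Optional[date] = None  # set by HR when the relationship ends


@dataclass
class Account:
    user: str
    enabled: bool
    groups: Set[str] = field(default_factory=set)


def reconcile(roster: List[Employee], accounts: List[Account],
              today: date) -> List[Tuple]:
    """Return the actions needed to bring the directory in line with HR."""
    by_user = {e.user: e for e in roster}
    actions: List[Tuple] = []
    for acct in accounts:
        emp = by_user.get(acct.user)
        left = emp is not None and emp.end_date is not None and emp.end_date <= today
        if emp is None or left:
            # No roster entry, or the end date has passed: access must stop now.
            if acct.enabled:
                actions.append(("disable", acct.user))
            continue
        extra = acct.groups - ROLE_GROUPS.get(emp.role, set())
        if extra:
            # Groups the role does not justify violate least privilege.
            actions.append(("remove_groups", acct.user, sorted(extra)))
    return actions


# Constructed sample data: alice is over-entitled, bob left two days ago,
# carol has an account but is not on the HR roster at all.
SAMPLE_ROSTER = [
    Employee("alice", "analyst"),
    Employee("bob", "engineer", end_date=date(2024, 6, 1)),
]
SAMPLE_ACCOUNTS = [
    Account("alice", True, {"vpn", "ticketing", "git"}),
    Account("bob", True, {"vpn", "ticketing", "git"}),
    Account("carol", True, {"vpn"}),
]
SAMPLE_TODAY = date(2024, 6, 3)


def run_sample() -> List[Tuple]:
    return reconcile(SAMPLE_ROSTER, SAMPLE_ACCOUNTS, SAMPLE_TODAY)


if __name__ == "__main__":
    for action in run_sample():
        print(*action)
```

Running this on a schedule (or on every HR change event) is how the “notify IT to terminate access” policy becomes something that is verified rather than merely hoped for; the output is a list of actions that an operator or an automated provisioning job then applies.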

Our last topic is training. We’re living in an increasingly hostile cyber-world. Phishing and malware emails are at record highs. It’s estimated that over half of all email is spam, and the percentage of those spam messages carrying malicious attachments is on the rise too. Users should be made wary of unsolicited emails from financial institutions, invoices for products not ordered, and bank emails asking for credentials. Increasingly, malicious parties have been sending malware-infected Office and Adobe documents that take advantage of unpatched software or zero-day vulnerabilities to infect corporate systems. Fake emails claiming to be overdue invoices are among the most prevalent.

Ensuring user and endpoint security is a vital part of any security system. As we’ve seen in recent years, data breaches and malware infestations are big business for malicious actors. It’s important to have the right technology, policy, and training systems in place to help stay protected against the rise of security threats.

Check back for more blog posts on ways to keep your business secure. If you have any questions or would like more information, please contact