What are your top 3 suggested security changes companies should make?

If you were talking to a broad group of companies, what 3 things should those companies do to increase their security?

I’m purposefully making this question broad to see what different kinds of answers we get.

What are your big three tips for companies in 2015?

How about I answer a question with a question – how many business share the same business model, plan, threats, employees, markets, etc? So – really the only thing that you can say to a broad group – that would be pertinent and meaningful is “don’t be stupid”, “protect your stuff”

I disagree @geekspeed. There have to be things you’ve repeatedly seen in multiple companies that you end up giving the exact same advice on, whether they are big, small, financial, healthcare, manufacturing, education…

I know I beat the 3rd party library drum all the time, but OMG the number of times I’ve seen companies make the same universal mistakes here. They use 3rd party libs but don’t monitor those libraries for updates or have a regular update schedule, so when a major vulnerability hits they are way out of date. Worse still they may have no idea all the systems they need to patch in an emergency. There are tons of best practices I would recommend around adopting a Security Development Lifecycle or securing a network, but my top piece of advice for companies in 2015 is the same as it was in 2014.

Get proactive about vulnerability management in your third party libraries.

How?

• Implement network and/or source code scanning to catalog what libraries are in use where.
• Choose libraries wisely, know their vulnerability trends so you know what you’re getting into.
• Do threat modeling and identify ways to harden or sandbox the libraries to minimize the impact of exploitation if possible.
• Proactively update libraries on a regular cadence, don’t wait for emergency response situations. If you end up several versions out of date on a library, getting up to current in the face of a critical vulnerability can be a major undertaking.
• When you have pen tests done, actively include the third party libraries you have implemented in the scope.

1. Two-factor authentication for all internal network administration access and all external remote access.
2. Properly segment the internal corporate network leveraging firewalled-VLANs to restrict lateral movement.
3. Enforce encryption on all removable media (either via hardware or software) and on all employee laptops.

These three changes will help prevent many initial breaches, contain attackers if you do get breached, and limit accidental data loss. These also happen to be three areas that many companies I work with don’t currently do and changes that have a high value of return with little day-to-day overhead if you pick good vendors and plan strategically for success.

For me it’s the following.

1. Stop using shit passwords. Implement a password policy and stick to it, regularly try crack them to make sure they are up to scratch. I’ve come across this so often and it’s something most bounty programs won’t allow the testing of for obvious reasons. Make sure to change default passwords for switches/routers/applications/panels

2. Properly Manage your development and test environments. Realistically this shit doesn’t need to be publicly accessible. It’s for testing and development, developers always leave stupid shit lying around while they try to force something into working on time. The information that can be leaked from development servers can and is often used against your main services. The first point I made is especially relevant for this, devs use terrible passwords when testing stuff.

3. Ensure your customers are protected by using Transport layer security wherever you can. People are very lazy about addressing their SSL issues. These are also something you need to actively keep an eye on, it’s easy to forget about certificates you generated a year ago.

Other than that, the 3rd party stuff Kym pointed out it is ace, also the strict network segmentation ^ All good points

I can answer from the perspective of the research we did in the 2015 DBIR.

First: 2FA the heck out of everything on the perimeter. Our data clearly showed that adversaries are walking through the front door with simple usernames & passwords they’ve obtained from phishing campaigns/malcode installs (or from the cybercriminal marketplaces). Even a simple “math captcha” can dissuade opportunistic attacks.

Second: Patch the heck out of everything on the perimeter. Again, our data demonstrated that opportunistic attacks abound and when not walking through the front door, adversaries are identifying vulnerabilities and exploiting them at-will and at-speed.

Third: Enable your employees to be “co-defenders”. Attackers overwhelmingly used phishing to turn employees into victims in this year’s corpus. They aren’t “users”. They aren’t “stupid”. They are busy, distracted and task-focused humans. Setting up engaging awareness programs, giving them tools to help defend (e.g. “Report phishing” button) and showcasing great human behaviour can go a long way in preventing employees from becoming victims. This is not limited to phishing campaign training. It applies all the way from enabling Developers to write more secure (and overall less buggy) code, helping Ops streamline deployments with (secure) automated configurations & deployments and even Procurement by giving them one more set of negotiating templates to drive up capability, stability and functionality while also driving down costs.

Realize all programs, all code have flaws and take these steps to help defend yourself.

1. Any code you didn’t write yourself is 3rd party code that you need to be updating all the time. Audit all code before using it, especially open source code. You will be surprised by all the security holes they contain.
2. The code you wrote yourself is probably insecure, but you don’t know it. You need a team of people to audit your code for mistakes. Even the best companies make mistakes, even those who focus on security.
3. Watch out for people who try to trick your employees via phone, email, dumpster diving, etc. to get sensitive information on your company. If someone is crying for half an hour on the phone and having a melt-down trying to get into their account, DON’T bypass your security measures and think you’re being nice by resetting their account without any authentication. You’ve just been socially engineered, which is just manipulation to get you to do things you shouldn’t do.

You shouldn’t trust random devices you find lying around on the street as malicious and don’t pick them up. Think of them as rabid stray animals and stay as far away as possible.

Sorry, all the advice we have is quite long, but that is a small portion of it.

1. Educated risk management
2. Patch and prepare
3. Secure defaults