9 steps to IT security


Unfortunately, IT security is still an area where the organizations’ leading decision-makers above all lack sufficient knowledge and prefer to push security issues down in the organization, where they finally land with the IT department, which in practice often consists of a small team of one to a few people.

In this blog post, we have therefore created a stripped-down “IT security manual” in which we briefly describe the 9 most important steps needed to build competent IT security in the organization.

The 9 steps form the very basis of IT security work and are the same regardless of the size of the organization. The difference in size instead determines the choice of technology, the required level of security and the size of the budget for the security work.

The 9 steps are not a complete manual but should only be seen as an introduction. All organizations have their unique needs and requirements and should build their IT security according to these.

The blog post is primarily aimed at decision-makers, but should also be interesting for those who want to know more about how comprehensive IT security is built in the right way.

We have extensive experience in this and are happy to help where needed, get in touch for a discussion about how we can help you and your organization in particular!

1. Security Policies and Procedures

Policies and procedures are the cornerstones of IT governance and strategy. This means, among other things, creating an organizational model that fits the business’ overall goals, defining processes for handling IT issues in the short and long term, and continuously monitoring that the IT organization delivers the right quality in the right way.

By creating and documenting solid policies and procedures, the organization gets a comprehensive and cohesive IT and security blueprint for the IT environment, infrastructure, maintenance, management, troubleshooting and development. This document also prepares the environment to operate within all frameworks and meet compliance requirements.

The IT manager, often a Chief Information Officer (CIO), is ultimately responsible for IT governance and is also the one who draws up all policies and routines in consultation with all stakeholders; these are then anchored in and approved by the organization’s top management. This is extensive work that is often carried out as a project with the support of external consultants.

Policies and routines must follow a changing business and everyday life and should be revised regularly.

2. Gateway Security

Good gateway security (Security Gateway, Data Guard, Information Exchange Gateway) is essential to keep unauthorized persons out of the internal IT environment. Today there is a plethora of different gateways and firewalls with different functionality. Actual needs, not persistent salespeople, should determine which gateway and firewall work best for the organization’s IT environment.

For example, an IT environment with high throughput to a large network with a large number of internal IP addresses may need an NGFW (Next Generation Firewall) that only runs a few services locally and reserves the majority of its resources for inbound-outbound traffic. In an IT environment that requires a very high level of security but has limited external bandwidth, perhaps a UTM (Unified Threat Management) firewall running a large number of services is a better option.

Regardless of the solution, it will require significant resources to maintain services such as DPI (deep packet inspection), DLP (data loss prevention), gateway antivirus, web filtering, email filtering, and other advanced security services.

Here, too, external expert help should be taken when choosing a solution and also when implementing it. At the same time, the organization’s IT department should receive such thorough training in the solution that they can then handle it independently.

3. Endpoint Security (EDR)

EDR (Endpoint Detection and Response) is an additional layer of protection beyond the local firewall in computers, servers, mobile devices, IoT and other related equipment; it uses real-time threat intelligence feeds to actively remove malware based on heuristic data. There are also solutions that analyze user behavior. An EDR solution must therefore be more than traditional antivirus and anti-malware protection.

4. Identity and access management (IAM, MFA)

IAM (Identity and Access Management) is an IT discipline with software solutions that manage access rights to sensitive company resources such as databases, apps, systems, devices and physical resources such as buildings and rooms.

IAM has two main areas:

  • Identity management, where user identities are created, assigned and administered throughout the user’s entire life cycle in the organization.
  • Access management, where access rights to the organization’s resources are defined, assigned, managed and administered, and users are authenticated when they use the resources.

These services range from Active Directory and LDAP (Lightweight Directory Access Protocol) to cloud LDAP and authentication services such as AWS IAM services, Microsoft Azure Active Directory services and Google Directory services. Today there are many IAM services to choose from, and the IT environment must determine which type of IAM service should be used.

An important part of IAM is MFA (Multi Factor Authentication). Here, the MFA solution (step 2 of the login) must itself be secure and separate from the login with username and password (step 1 of the login). For example, the MFA system should not send one-time codes via SMS, as SMS systems are themselves insecure because SMS messages are sent in clear text.

IAM and MFA are probably the most important aspects of your security solution because they not only control ingress authentication from the WAN, but also validate and authenticate internal users requesting access to various resources.

Zero Trust security is a relatively new security model which, briefly described, means that no one is trusted by default, neither inside nor outside the network, and that verification is required of everyone (people, devices and services) trying to access resources on the network. Zero Trust is becoming increasingly important as external cloud services are embedded in the internal IT environment and when it comes to protecting external access when working remotely, for example.

IMPORTANT! Zero Trust is gaining in popularity and there is a growing plethora of software and services incorrectly labeled as “Zero Trust”. But Zero Trust is a framework containing many different customized solutions.

5. Mobile Protection, Remote Access and Virtual Private Networks (VPN)

Mobile devices are today common in the workplace and create a slightly different situation than in the traditional networks for the security personnel tasked with securing the IT environments.

One of the most important measures is MDM (mobile device management), which implements wireless networks that prevent devices from joining the network if they fail authentication and a scan verifying that the mobile device meets the preset requirements. For example, many organizations do not allow any third-party downloads outside the prescribed manufacturer’s store. MDM also ensures that antivirus and anti-malware are installed and updated, and that mobile operating systems and apps are updated.

Many EDR solutions have special versions that fit most mobile operating systems.

Remote access via VPN (Virtual Private Network) enables connection to the organization’s network and IT assets but at the same time, incorrectly implemented, leaves a window wide open for attackers to sneak through.

WARNING! A remote access solution that has been in common use for a very long time is to implement simple VPN connections to the firewall or gateway router, which, with a simple handshake and a GRE tunnel to every remote endpoint sending traffic through the open VPN ports, provides access right into your IT environment. This is risky and not recommended!

A better solution is for the firewall or gateway router to pass VPN tunnels on to a dedicated VPN concentrator, which then handles VPN connections created using IPSec (using AES256 or higher encryption over TLS) instead of GRE.

IPSec connections are unfortunately complicated and labor-intensive to implement because they rely on security certificates. But this extra work is important to create a secure handshake and connection between the two devices. Feel free to hire an external expert for the implementation and train the IT staff in handling it.

However, modern alternatives to VPN such as SSH tunnels (Secure Shell), SD-WAN (Software-Defined Wide Area Network) and SASE (Secure Access Service Edge) are increasingly used because of the weaknesses of VPN, for example that applying Zero Trust to it becomes complicated.

6. Wireless network security

There are many aspects to WiFi security but the most important are:

  • Always use WPA2 or WPA3 with AES256 encryption.
  • Use long passwords (at least 12 characters) that contain random(!) characters, numbers and letters. Do not use a sentence as a password in contexts where many people must use the same password.
  • Use a unique SSID and the same one for all bands in use. Different SSIDs can be used for access with different permissions, but should then have their own access points.
  • Use a separate guest WiFi with mandatory authentication (never let a guest into the production WiFi network!) and limited access. This will prevent/deter guest network spoofing and provide the ability to collect information about each asset that connects.
  • Other things to consider are authentication types: 802.1X, Active Directory, LDAP and AAA services are some of the more popular ones.
  • Scan regularly for malicious access points (Rogue AP Detection). A “Rogue AP” is a wireless access point that broadcasts internal SSIDs but for a different network. Through this hacking technique, the malicious access point can access the clients’ data, which threatens network security.
  • Update the software in all access points! Unfortunately, this is often forgotten, with the result that serious security holes remain open until the software is updated and can be used, for example, for overload attacks (DDoS) etc.
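The rogue AP detection item above, as an added example that is not code from the original post: a scan of visible beacons is compared against an inventory of the organization’s own access points, and any BSSID that advertises an internal SSID (or a look-alike of one) without being in the inventory is reported. The inventory and the scan lines are constructed sample data in a simple key=value format; a real tool would read its wireless controller’s export instead.

```python
"""Added example, not from the original post: compare a wireless scan against
an inventory of the organization's own access points and report BSSIDs that
advertise an internal SSID (or a look-alike) without being in the inventory.
The inventory and the scan lines are constructed sample data."""
import re
from dataclasses import dataclass

# Constructed inventory: internal SSID -> BSSIDs of our own access points.
INVENTORY = {
    "corp-wifi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
    "corp-guest": {"aa:bb:cc:00:00:03"},
}

# Constructed scan output (one line per beacon seen).
SCAN = """\
BSSID=aa:bb:cc:00:00:01 SSID=corp-wifi CH=36 RSSI=-51 SEC=WPA3
BSSID=aa:bb:cc:00:00:02 SSID=corp-wifi CH=44 RSSI=-60 SEC=WPA3
BSSID=de:ad:be:ef:00:01 SSID=corp-wifi CH=6 RSSI=-45 SEC=WPA2
BSSID=de:ad:be:ef:00:02 SSID=corp-wifi CH=11 RSSI=-70 SEC=OPEN
BSSID=de:ad:be:ef:00:03 SSID=Corp_WiFi CH=1 RSSI=-66 SEC=WPA2
BSSID=aa:bb:cc:00:00:03 SSID=corp-guest CH=1 RSSI=-55 SEC=WPA2
BSSID=11:22:33:44:55:66 SSID=neighbour-net CH=1 RSSI=-80 SEC=WPA2
"""

LINE_RE = re.compile(
    r"BSSID=(?P<bssid>[0-9a-f:]{17}) SSID=(?P<ssid>\S+) CH=(?P<ch>\d+) "
    r"RSSI=(?P<rssi>-?\d+) SEC=(?P<sec>\S+)"
)


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    channel: int
    rssi: int
    security: str
    reason: str


def _normalize(ssid: str) -> str:
    """Collapse case and separators so 'Corp_WiFi' and 'corp-wifi' compare equal."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def parse_scan(text: str) -> list[dict]:
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ch"] = int(d["ch"])
            d["rssi"] = int(d["rssi"])
            records.append(d)
    return records


def find_rogue_aps(scan: list[dict], inventory: dict[str, set[str]]) -> list[Finding]:
    authorized = {b for bssids in inventory.values() for b in bssids}
    by_normalized = {_normalize(s): s for s in inventory}
    findings = []
    for r in scan:
        if r["bssid"] in authorized:
            continue  # one of ours
        if r["ssid"] in inventory:
            reason = "unknown BSSID broadcasting internal SSID"
            if r["sec"] == "OPEN":
                reason += " (open network)"
        elif _normalize(r["ssid"]) in by_normalized:
            reason = f"look-alike of internal SSID {by_normalized[_normalize(r['ssid'])]!r}"
        else:
            continue  # unrelated neighbour network; not our concern
        findings.append(Finding(r["bssid"], r["ssid"], r["ch"], r["rssi"], r["sec"], reason))
    # Strongest signal first: that is the one clients are most likely to roam to.
    return sorted(findings, key=lambda f: f.rssi, reverse=True)


if __name__ == "__main__":
    for f in find_rogue_aps(parse_scan(SCAN), INVENTORY):
        print(f"{f.bssid} {f.ssid:<12} ch{f.channel:<3} {f.rssi} dBm {f.security:<5} {f.reason}")
```

Matching on the BSSID rather than the SSID is the point: an attacker’s access point can copy the name, but it cannot be in the inventory of hardware the organization actually deployed. The look-alike check catches name variants that would fool users scanning a network list.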

7. Backup and Restore (BDR)

Backup and Disaster Recovery (BDR) services are essential to keeping an organization’s incident planning operational in the event of a major disaster.

Regardless of whether you choose to manage BDR internally or purchase it as an external service, you must always ensure that the chosen BDR strategy and solution meets the organization’s needs 100%.

Don’t forget that BDR must exist for all external services! Here it is also important to ensure that you always have full access to your own data, for example through the ability to download backups, or by taking a backup yourself with your own BDR system. Many cloud providers, e.g. Microsoft 365, today offer backup via 3rd parties to external storage, which can provide extra protection against e.g. ransomware attacks.

The SLA (Service Level Agreement) for BDR must always, regardless of whether it is an internal or external supplier (of BDR or e.g. cloud services), have at least 99.999% reliability.

BDR must be managed in a separate system outside the usual production environment, preferably in another data hall/room with special access, and of course have a special focus when it comes to maintenance. Recovery must be tested regularly in its own environment completely separated from the production environment.
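A restore test in the sense of the paragraph above, as an added example that is not code from the original post: every file in the production tree is hashed into a manifest, and a restored copy is then checked against that manifest so that missing, silently altered and unexpected files are reported rather than discovered during a real disaster. The directory contents are constructed inside a temporary directory so the script runs offline; `run_demo()` plays through a clean restore and a damaged one.

```python
"""Added example, not from the original post: a restore test that hashes every
file in the production tree into a manifest, then checks a restored copy
against it. All directory contents are constructed in a temporary directory."""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path relative to root to its SHA-256 digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def verify_restore(manifest: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest taken from production."""
    found = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(found)),
        "changed": sorted(k for k in manifest.keys() & found.keys() if manifest[k] != found[k]),
        "extra": sorted(set(found) - set(manifest)),
    }


def restore_is_good(report: dict[str, list[str]]) -> bool:
    return not any(report.values())


def _copy_tree(src: Path, dst: Path) -> None:
    """Stand-in for the actual restore step (constructed; a real test restores from backup media)."""
    for p in src.rglob("*"):
        target = dst / p.relative_to(src)
        if p.is_dir():
            target.mkdir(parents=True, exist_ok=True)
        else:
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(p.read_bytes())


def run_demo() -> tuple[dict, dict]:
    """Constructed scenario: a clean restore and one with a missing, an altered and an extra file."""
    with tempfile.TemporaryDirectory() as tmp:
        prod = Path(tmp) / "production"
        (prod / "db").mkdir(parents=True)
        (prod / "db" / "customers.sql").write_bytes(b"INSERT INTO customers VALUES (1, 'acme');\n")
        (prod / "config.yaml").write_text("retention_days: 30\n")
        (prod / "notes.txt").write_text("constructed sample file\n")
        manifest = build_manifest(prod)  # taken at backup time, stored with the backup

        good = Path(tmp) / "restore_good"
        _copy_tree(prod, good)
        good_report = verify_restore(manifest, good)

        bad = Path(tmp) / "restore_bad"
        _copy_tree(prod, bad)
        (bad / "notes.txt").unlink()                             # lost in the restore
        (bad / "config.yaml").write_text("retention_days: 7\n")  # silently altered
        (bad / "stray.tmp").write_text("leftover\n")             # not part of production
        bad_report = verify_restore(manifest, bad)
    return good_report, bad_report


if __name__ == "__main__":
    good, bad = run_demo()
    print("clean restore ok:", restore_is_good(good))
    print("damaged restore:", bad)
```

The manifest should be produced at backup time and kept with the backup, so that the restore test compares against what was actually saved rather than against whatever production looks like on the day of the test.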

8. Environmental visibility

A good Security Information and Event Management (SIEM) system provides the security team with detailed network and asset visibility, aggregation and analysis of all log files in the environment, the ability to organize and search the log files in a structured manner, and enables forensics (forensic investigation methods) when needed.
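The core of what the paragraph above describes, reduced to a script as an added example (not code from the original post or any SIEM product): authentication log lines gathered from several hosts are parsed, aggregated by source address regardless of which host logged them, and two kinds of alert are raised: many failed logins from one source within a short window, and a successful login from a source that had just been failing. The log lines are constructed sample data in OpenSSH’s log format using documentation-only IP ranges, and the thresholds are assumptions to be tuned per environment.

```python
"""Added example, not from the original post: parse authentication log lines
from several hosts, correlate them by source address, and raise alerts.
The log lines are constructed sample data; thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGS = """\
2024-05-01T08:00:01Z srv1 sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 4000 ssh2
2024-05-01T08:00:03Z srv1 sshd[102]: Failed password for root from 203.0.113.5 port 4001 ssh2
2024-05-01T08:00:05Z srv2 sshd[201]: Failed password for invalid user test from 203.0.113.5 port 4002 ssh2
2024-05-01T08:00:07Z srv1 sshd[103]: Failed password for alice from 203.0.113.5 port 4003 ssh2
2024-05-01T08:00:09Z srv3 sshd[301]: Failed password for alice from 203.0.113.5 port 4004 ssh2
2024-05-01T08:00:12Z srv1 sshd[104]: Accepted password for alice from 203.0.113.5 port 4005 ssh2
2024-05-01T08:05:00Z srv1 sshd[105]: Failed password for bob from 198.51.100.7 port 5000 ssh2
2024-05-01T08:06:10Z srv1 sshd[106]: Accepted publickey for bob from 198.51.100.7 port 5001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_events(text: str) -> list[dict]:
    """Normalize raw lines into events; a SIEM does this per log source with its own parser."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line; a SIEM would route it to another parser
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect(events: list[dict], threshold: int = 5,
           window: timedelta = timedelta(seconds=60)) -> list[dict]:
    """Sliding-window correlation keyed on source address, independent of which host logged the event."""
    alerts = []
    recent = defaultdict(list)  # src -> failure events still inside the window
    for e in sorted(events, key=lambda x: x["ts"]):
        q = recent[e["src"]]
        q[:] = [f for f in q if e["ts"] - f["ts"] <= window]  # drop failures that aged out
        if e["result"] == "Failed":
            q.append(e)
            if len(q) == threshold:  # fire once, when the threshold is crossed
                alerts.append(_alert("brute_force", e, q))
        elif q:
            alerts.append(_alert("success_after_failures", e, q))
    return alerts


def _alert(kind: str, event: dict, failures: list[dict]) -> dict:
    return {
        "kind": kind,
        "src": event["src"],
        "at": event["ts"].isoformat(),
        "failures": len(failures),
        "hosts": sorted({f["host"] for f in failures}),
        "users": sorted({f["user"] for f in failures}),
        "user": event["user"],
    }


if __name__ == "__main__":
    for a in detect(parse_events(LOGS)):
        print(a)
```

The second alert type is the one that matters most for response: a burst of failures followed by a success from the same source is the pattern the team needs to see across all hosts at once, which is exactly what per-host log files cannot show.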

Most SIEM systems provide very detailed functionality and require a very high level of technical skills to deploy, configure and maintain. Feel free to hire external help initially with this and don’t forget the training of the security team.

9. Education and training

The development in IT and digitization takes place at a very high pace with constantly new knowledge requirements even for the “ordinary user”. In terms of security, this creates a major problem as the vast majority of security incidents occur through user errors, mistakes and direct attacks from even one’s own employees.

The level of education of all employees in the organization must therefore correspond to their tasks and responsibilities in the day-to-day operations. Education and regular further training are thus an important investment in security. This also applies to the top management, who must receive adequate security training so that they understand that part of the business and can make the right decisions!

IMPORTANT! The organization’s security is no longer a matter for the IT department alone, but must be anchored with the highest decision-makers, one of whom must be the responsible IT security manager.