3 security best practices you should be following (but probably aren't)
by Kevin Haley, Symantec - "Don't forget to floss regularly." It's something we hear every time we visit the dentist's office, and it really is good advice. But how many of us are actually doing it? Perhaps some of us are, but I would venture to guess that the majority of us simply aren't doing it as often as we know we should.
[ How to write a security policy your users will read (and follow) ]
I'm sure there are many things that fall into this same category: things we know we should be doing because they're good for us, but that we simply don't do as often as we should. One that always comes to the forefront of my mind -- go figure, right -- is following the basic security best practices that get shouted from the rooftops every time an Internet security professional is asked what organizations should be doing to protect their data and infrastructure.
We've all heard these best practices before, but I'm consistently surprised by how many organizations -- both large and small -- I hear of that have fallen victim to cybercrime because they just aren't "flossing." So, here are the 3 most common security best practices companies should be following as part of their security regimen.
Keep Systems Up-to-Date with the Latest Security Patches
Software vulnerabilities provide attackers with access points onto computers and networks. Such vulnerabilities can be found in virtually anything, from operating systems down to the smallest media or Web browser plug-ins. And they're no small problem: According to Symantec's Internet Security Threat Report (ISTR) XV released in April of this year, Symantec documented a whopping 4,501 vulnerabilities in 2009. That's a lot of unlocked doors waiting to be opened without permission.
Out of all security vulnerabilities, those in Web browsers are perhaps the most serious due to their role in online fraud and in the propagation of malicious code. Web browsers are a particular security concern because they are exposed to a greater amount of potentially untrusted or hostile content than most other applications. In 2009, Symantec documented 374 new vulnerabilities in web browsers and 321 vulnerabilities in browser plug-ins. It is especially important to keep these plug-ins patched since they make a system vulnerable no matter what browser is being used.
Oh and by the way, remember Conficker? It was a big nasty worm that spread far and wide over the course of the first half of 2009 and actually still sits on somewhere around 6 million computers. In case you haven't heard, its historic spread was due in large part to the worm's ability to successfully take advantage of a software vulnerability in the Microsoft Windows operating system. Sadly, there was actually a patch for the vulnerability made available relatively soon after the worm's discovery and before it started its meteoric rise, that would have mitigated the risk of infection for many organizations. However, because many systems were simply not kept up-to-date and the patch not installed, the worm eventually infected somewhere in the neighborhood of 11 million computers.
With so many vulnerabilities out there it can seem a bit overwhelming, and perhaps this is why some IT departments have a hard time following this best practice. If the task seems daunting, try implementing an automated patch management solution. Doing so can not only alleviate the stress of keeping systems up-to-date, but can reduce man hours and the subsequent costs associated with security updates as well.
Keep Security Software Updated
Ok, perhaps we should back up a little bit. Why don't we start with simply having security software! Believe it or not, some organizations, usually smaller ones, still don't see the value in having security software. In today's threat landscape, not having security software is like playing Russian roulette with your data and infrastructure. And in all honesty, your odds of not falling victim to cybercrime probably aren't even as good as they would be if you were actually playing the lethal game of chance with a loaded revolver.
Nearly as treacherous as not having security software is not keeping what security software you do have updated with the latest definitions. To illustrate how many threats are out there and the rate at which they are being created, consider that in 2009, Symantec identified more than 240 million distinct new malicious programs, a 100% increase over 2008. To address this malware explosion, in 2009 Symantec created 2,895,802 new malicious code signatures, according to the ISTR XV. This was a 71% increase over 2008 and a number representing more than half of all malicious code signatures ever created by Symantec. As a result, Symantec security solutions were able to block an average of 100 potential attacks per second last year.
Allowing security software updates to lapse even for a day can result in a system being potentially exposed to thousands of new threats. Thankfully, organizations have help in keeping their security software up-to-date through automated utilities found in all major, legitimate security software solutions.
Maintain and Enforce Strong Data Loss Prevention and Security Policies
Data breaches and the resulting threat of identity theft are major concerns for enterprises. In fact, Symantec's State of Enterprise Security Report, found that 65% of U.S.-based poll respondents said that they were either "very concerned" or "extremely concerned" about identity theft. To add insult to injury, 100% of enterprise-level respondents surveyed said they had actually experienced loss or theft of data.
However, it appears many organizations are still not implementing or enforcing strong data loss prevention (DLP) and security policies, which go a long way in preventing these dreaded data breaches and thefts. According to the ISTR XV, in 2009, insecure policy was the second most common cause of data breaches which could lead to identity theft, accounting for 26% of the total, and also the second most common cause of data breaches which did in fact lead to identities being exposed, accounting for 36% of the total. (As a side note, the ISTR says a data breach is considered to be caused by insecure policy if it can be attributed to a failure to develop, implement and/or comply with adequate security policy.)
So, what is a company to do? First of all, develop strong policies and regulations around employees' authorized use of the organization's digital resources, including laptops, removable media, e-mail and the Internet. Keep in mind that a new frontier in security policy is social media, as social networking is becoming more common in professional environments. Organizations need to address technological advancements and set policies for employee usage in the workplace.
Finally, organizations should consider implementing a data loss prevention (DLP) solution from a legitimate vendor. DLP solutions are like turning on the light in a dark room. They allow organizations to finally see what they are protecting -- i.e. what's confidential and what's not, in terms of data -- and apply appropriate security measures based on what they see.
There you have it -- the top security best practices organizations should be following, but all too often are not doing so as closely as they should. It's important to remember that these aren't theoretical concepts pulled out of thin air, but are proven tactics that will help ward off cybercriminals. Just as the right amount of flossing can help ward off cavities.
Kevin Haley is director, Symantec Security Response.