Love is purportedly in the air again, but is it being harnessed and channelled in the right direction?
This Valentine’s Day, are you doing all you can to lavish protective TLC on your apps? Do you have the right strategies and solutions in place to secure a mutually rewarding, long-term relationship with your apps and, by extension, customers?
Let’s explore the top recommended security controls for 2020 in order of urgency.
Use Strong Authentication to Limit Unauthorised Access
Since access control attacks are prevalent and often the tip of the spear for most cyber-mayhem, it makes sense that strong authentication be a pillar of security. Ideally, everyone would use multifactor authentication (MFA), especially for any system that connects to high-value services and data stores. When MFA isn’t feasible, strengthen the use of passwords. Key tips include regularly checking passwords against a dictionary of easy-to-hack credentials, using long passwords, and eliminating password hint mechanisms. Since a lot of password attacks are credential stuffing or brute force, your authentication system should have a mechanism to detect and throttle floods of login attempts.
Practice Regular Monitoring and Logging
Monitoring and logging are all about knowing what is going on in your environment. With a good logging and review regimen, it’s possible to catch breach attempts in progress before real damage can occur. When reviewing logging capabilities, remember the goal is to be able to determine how an attacker got in and what they did.
Take Inventory
Knowing what you have, where it is, what it talks to, and how it is configured is the foundation for all risk decisions, both strategic and tactical. Keeping up with an accurate inventory is not a trivial task. Fortunately, there are plenty of automation tools available to help, but be sure that they give you the complete picture.
Strategize and Practice Incident Response
No affordable defense is going to keep all the attackers out forever. Plan accordingly with a well-tested, detailed incident response plan. Incident response rests on the pillars of inventory and logging, so make sure those are well-honed. Each major threat should have response scenarios that include trigger definitions (when an incident occurs), activation plans (who and what jumps into action and when), intelligence collection (what logs and devices should be examined), containment (specific playbooks to activate additional controls), investigation (who analyses what and when), reporting (for legal and executive conversations), and recovery (of both data and system rebuilds).
Apply Crucial Patches
It’s unreasonable to assume that your average enterprise is going to patch everything. The highest priority is closing vulnerabilities with published, weaponised exploits, because even unskilled attackers will be pounding on your systems with these point-and-click attacks. Given that a lot of malware comes in via browsers and mail clients, those should also be kept up to date.
Enforce Strict Authorisation
Authorisation means taking a hard look at the permissions associated with any credential set. Once someone is logged in, what can they do? This is where least privilege should be used, so that users can only do exactly what they need to do. A good middle ground is to implement role-based access and broadly lock down authorised actions based on general job duties such as administrator, developer, office staff, and remote user. The number of administrators should be extremely limited. If possible, administrative usage should be partitioned to just the systems a given administrator is responsible for managing. The same goes for service accounts that run in the background.
Scan for Vulnerabilities
Vulnerability scanning is useful not only for gaining a “hacker’s eye view” of your systems but it is also a great way to double-check your inventory. Continuous vulnerability scans, preferably weekly, are advisable for both internal and external assets.
Detect and Block Malicious Bot Activity
It’s getting harder to determine who is a human being. Many bots can be identified by previously observed, unique patterns that have been encoded into signatures. However, newer and more sophisticated bots require complex scrutiny such as looking for irregular behaviour, illogical client configuration, and inhuman timing of actions.
Conduct Security Awareness Training
The F5 Labs 2018 Phishing and Fraud Report showed that training employees to recognise phishing attempts can reduce their click-through rate on malicious emails, links, and attachments from 33% to 13%. The key to effective training is to consider what decisions you want your users to make and what you can reasonably expect from them.
Use Web Application Firewalls
In our 2018 Application Protection Report, our survey of security professionals found that the primary application defense in use was web app firewalls (26% of respondents). This rose to 33% in the 2019 report. WAFs offer a level of application-layer visibility and control that can help mitigate a wide range of the web application threats mentioned above. Many WAFs also include the capability to inspect, validate, and throttle API requests.
Use SSL/TLS Inspection
Malware and phishing sites are increasingly being buried within encrypted SSL/TLS sessions, often using legitimate certificates. This traffic needs to be decrypted, inspected, and sanitized.
Use Antivirus Solutions
Antivirus is one of oldest security controls and is still a powerful tool for detecting and stopping malware infections. It should always be configured to update its signatures without intervention and alert when it stops functioning.
Love, actually
Get to know and love your apps, wherever they are. Always make sure your controls are fit for purpose and running smoothly. In our 2019 Application Protection report, we saw how specific threats can vary based on industry. However, in general, the aforementioned controls should cover the majority of the risks faced by a typical organization.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.