Information Security Tips
TOP SECURITY TIPS
Creating an effective information security policy is critical to the survival of any organization. We’ve compiled a helpful list of all our best information security tips to help protect businesses against growing cyber threats. Be certain these guidelines are included in any information security program implemented by your company to ensure the best chance of defending yourself from malicious attackers.
Social Engineering Tips
- Do not open suspicious emails
- Look for phishing red flags
- Out of Character greeting or tone
- Grammar and spelling errors
- Email addresses, links, and domain names don’t match up
- Suspicious Attachments
- Unusual Requests
- Vague emails with links or email attachments
- You didn’t initiate the conversation
- Landing pages in emails
- Hover over links before you click
- Don’t open unexpected attachments
- Train employees against Social Engineering
- Know the different categories of Social Engineering techniques
- Reciprocity
- Commitment/Consistency
- Social Proof
- Authority
- Liking
- Scarcity
- Identify and report threats immediately
Network Security Tips
- Keep all Software and Operating Systems patched and up-to-date
- Encrypt all hardware (data at rest)
- Encrypt all communications (data in transit)
- Use an Anti-Virus and Anti-Malware Software (endpoint protection)
- Avoid using Public Networks for Business Activities or utilize a VPN for secure access.
- Establish a secure BYOD or Acceptable Use policy regarding personal devices.
- Ensure your Back Ups are up-to-date
- Ensure you have a secure website by utilizing https and up-to-date 3rd party libraries
- Keep an active inventory of all devices and hardware in your network
- Use firewalls to block unauthorized access to your networks and establish a DMZ.
- Secure all mobile devices accessing business data on your network.
Ensuring your networks are protected and your employees are trained to recognize social engineering is critical to any effective cybersecurity policy. However, there is a lot more to protect than just your networks. Hackers target systems based on vulnerability. When organizations create their cybersecurity program, they need to pay special attention to less obvious, more vulnerable attack surfaces. These attack surfaces include physical critical infrastructure and web applications. Review the tips below with your security team to determine if you are vulnerable to attack.
Physical Security Tips
- Encrypt all hardware and physical storage devices
- Protect your physical perimeter by securing critical infrastructure such as doors, elevators, access points, card readers, etc.
- Watch for social engineering tactics like impersonating vendors or tailgating
- Empower employees to bring up questions about suspicious behavior/devices
- Structure your security teams so your physical security and IT security leaders are working together to maximize security across the organization.
Application Security Tips
- Use both DAST and SAST to assess your web application
- Identify and eliminate vulnerabilities before production
- Integrate security processes into the development lifecycle, such as DEVSECOPS
- Understand the OWASP Top-10 6 and Application Security Verification Standard (ASVS) 4.0
- Utilize secure codebases & repositories throughout the application’s lifecycle
Other Security Tips
- Create an effective Cybersecurity Policy with your Information Security officer/manager. Be certain your policy includes these main goals of any cybersecurity program:
- Protect the Confidentiality, Integrity, and Authenticity of your systems (CIA Triad)
- Identify risk
- Protect assets, networks, data, and systems
- Detect and Respond to threats
- Recover from cyber incidents
- Disclose the event
- Restore Normal Operations
- Define information security roles and responsibilities, honoring the principle of Least Privilege between users.
- Conduct quarterly Risk Assessments, or monthly depending on your company’s security needs
- Conduct annual Penetration Testing, or quarterly Red-Teaming engagements depending on your company’s security needs.
- Assess security controls with a third-party auditor
- Implement a Secure System Development Life Cycle (SDLC) program
- Implement an Incident Response Plan, addressing business continuity and disaster recovery.
- Utilize authoritative federal resources like NIST’s cybersecurity framework, & CISA’s catalog of known vulnerabilities.
Password Security Tips
- Use Multi-Factor Authentication
- Use secure passphrases instead of passwords
- Use a third party password manager to generate and save secure passwords
- Be aware if your account was subject to a known breach.
- Keep your Browser up-to-date
Ready to learn more?
References:
- https://cofense.com/knowledge-center/signs-of-a-phishing-email/
- https://www.cde.state.co.us/dataprivacyandsecurity/socialengineeringeducation#:~:text=Social%20Engineering%20relies%20heavily%20on,Authority%2C%20Liking%2C%20and%20Scarcity.
- https://csrc.nist.gov/publications/detail/sp/800-124/rev-2/draft
- https://www.whitesourcesoftware.com/resources/blog/dast-dynamic-application-security-testing/
- https://www.devsecops.org/
- https://owasp.org/www-project-top-ten/
- https://owasp.org/www-pdf-archive/OWASP_Application_Security_Verification_Standard_4.0-en.pdf
- https://meraki.cisco.com/blog/2021/06/merging-physical-security-and-cybersecurity/#:~:text=Physical%20security%20protects%20cybersecurity%20by,are%20common%20targets%20for%20hackers.
- https://haveibeenpwned.com
- https://www.cisecurity.org/spotlight/ei-isac-cybersecurity-spotlight-cia-triad/
- https://securityintelligence.com/the-system-development-life-cycle-a-phased-approach-to-application-security/
- https://www.cisco.com/c/en/us/products/security/incident-response-plan.html#~how-to-create-a-plan
- https://www.nist.gov/cyberframework
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/uscert/resources
- https://www.nist.gov/standardsgov/resources
- https://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-resources
- https://www.govtech.com/blogs/lohrmann-on-cybersecurity/data-breach-numbers-costs-and-impacts-all-rise-in-2021
Related Blog Posts
The Levels of CMMC 2.0 Compliance
Previously, we covered a brief history of the Cybersecurity Model Maturity Certification (CMMC 2.0 Levels) and touched on a few details of what it actually is. For this entry, we will be getting deeper into the internals of CMMC to begin breaking it down into its...
What is CMMC 2.0?
At this point, especially if you ever have contracted or subcontracted with the Federal government, you have probably at least heard the letters CMMC thrown about. There may have even been a twinge of trepidation surrounding the letters. But what do these letters...
Crypto Scams and What to Look For
First, standard disclaimer that this post is opinion and we are not licensed financial professionals, nor is anything meant to be taken as official financial advice. However, we have both direct and indirect experience with cryptocurrency and would like to share our...
How to Remove Metadata from Word Documents
What is Metadata? According to Britannica: Metadata, data about informational aspects of other data. For example, the date and time of a text message is metadata, but the text of that message is not. The term metadata is a portmanteau of data and meta- (in the word’s...
Newsletter
Subscribe To Our Newsletter
We've been creating some excellent webinars and local events. Join our mailing list for the latest on industry trends and strategies for cyber defense.
Need Immediate Assistance?
Give us a call (405) 771-6399
Headquarters
3841 E Danforth Rd, Ste 106, Edmond, OK 73034
110 E. Houston St, 7th Floor, San Antonio, TX 78205
Copyright 2024 - Critical Fault, LLC. | Privacy Policy
