
Protecting your data from unauthorised use – part 2

By Craig B. in Security | 22/07/2011

In the previous post we talked about some of the reasons why having a clearly defined ICT Acceptable Use Policy enforced within your business should be a top priority. However, we highlighted that even with such a policy in place, your employees may be ignorant of it. In this post we aim to give you some pointers for combating this ignorance and ensuring that your valuable data remains as safe as possible.

A basic starting point to ensure that data on your servers is kept secure is to use NTFS permissions.  NTFS allows you to lock down access to any file or folder on an NTFS disk to user accounts or groups (domain or local).  Users or groups of users can be assigned read-only, read/write, or special permissions to that file.  Try to keep your permissions as simple as possible to avoid confusion and mess when you need to make changes.  For example, it is best practice to use groups rather than individual users where possible.  User accounts can easily be added or removed from groups and their access to specific items will be revoked automatically, saving you as an administrator from having to find every folder that the person had access to and remove their permissions.
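As an added illustration of the group-based approach (this is example code, not from the original post), the PowerShell below grants a domain group Modify rights on a share folder and then audits a share tree for permissions that were granted directly to individual user accounts, the entries that get forgotten when someone leaves. The share path, domain and group name are assumptions, and the audit assumes the RSAT ActiveDirectory module is available.

```powershell
# Added example, not part of the original post. Paths, domain and group
# names below are assumptions; adjust them for your environment.

$Path  = 'D:\Shares\Finance'   # assumed share folder
$Group = 'CORP\Finance-RW'     # assumed domain group that should hold access

# 1. Grant the GROUP (not individual users) Modify on the folder and
#    everything created beneath it.
$acl  = Get-Acl -Path $Path
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.SetAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 2. Audit: report every folder under a root whose DACL has an explicit
#    (non-inherited) entry for a user account rather than a group.
#    Requires the ActiveDirectory module (RSAT) to look up object classes.
function Find-UserAce {
    param(
        [string]$Root,
        [string]$Domain = 'CORP'   # assumed NetBIOS domain name
    )
    Get-ChildItem -Path $Root -Directory -Recurse | ForEach-Object {
        $folder = $_.FullName
        (Get-Acl -Path $folder).Access |
            Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -like "$Domain\*" } |
            ForEach-Object {
                $name = $_.IdentityReference.Value.Split('\')[-1]
                $obj  = Get-ADObject -LDAPFilter "(sAMAccountName=$name)" -ErrorAction SilentlyContinue
                if ($obj -and $obj.ObjectClass -eq 'user') {
                    [pscustomobject]@{
                        Folder   = $folder
                        Identity = $_.IdentityReference.Value
                        Rights   = $_.FileSystemRights
                    }
                }
            }
    }
}

# Any rows returned are candidates to move into a group such as $Group.
Find-UserAce -Root 'D:\Shares' | Format-Table -AutoSize
```

Run the audit as an account that can read the ACLs on the whole tree; folders it cannot read are simply skipped by Get-Acl errors, so check for access-denied output as well as the table.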

Next, let’s assume that you have locked down your file servers but one of your users has the need to take their files outside of your organisation to work on.  How would you protect that data?
One of the most effective ways to combat this is to use encryption.  For instance, encrypting a USB memory stick for data in transit will protect it if the USB is lost or stolen.  In addition to this, several Windows group policy templates and third party products exist which will help you to lock down the USB ports on your client computers so that only trusted encrypted devices can be used on them.  Similarly, company laptops can be locked down so that data cannot be saved locally and must be saved back on to the encrypted disk.

Another option for encrypting laptop data, depending on which operating system you are running, is to use a product such as BitLocker Drive Encryption.  This allows you to encrypt your entire system, and can require you to use a password or a smartcard to access the system.

If your company uses a VPN connection for home working, protecting your systems can be a little more difficult since we cannot always be certain that a user’s personal machine is patched correctly or has an up-to-date antivirus solution. Without going into detail here about protecting your VPN from unauthorised access, it is worth mentioning that there are an increasing number of products on the market that will sit in front of your VPN gateway and check the computers that try to connect to it for compliance. They can check for (amongst other things) up-to-date virus definitions on the remote computer. If the client does not have up-to-date virus definitions, then access will be denied.

The final thing mentioned in part 1 of this article was social engineering. There is no foolproof way of preventing this, and all that you can do is advise people to be vigilant. The problem can be likened to a knock on the door from a person claiming to be from the Gas Board – most people would ask them to provide identification before letting them inside their homes. In my opinion there is no substitute for user training and education. Make your users aware of the rules and why it is important to stick to them, and they will be more inclined to do so. This of course will not work on its own. Preventative measures such as the ones mentioned above should be put into place alongside it to help you achieve your end goal.

To find out more, or to arrange a confidential meeting to discuss your security concerns, simply contact us.
