Blog / CYBERSECURE CANADA Part III… An In-Depth Look at Security Controls 7 to 9
In the last two newsletters, I covered plenty of information regarding the CYBERSECURE CANADA Certification. In this newsletter, I’ll explain numbers 7, 8 and 9 of the Security Controls, in detail. There’s only three this time, not due to their complexity, but because of the sub-points for these controls. If I did all of the remaining ones, the newsletter would wind-up being too long, so the last four of them will be coming next time.
7. Backup and Encrypt Data
This is a requirement that many businesses are (or should) already be following. Any and All business-critical information should be backed up and stored in an external location. Those backups should be securely encrypted. In the event the backups are stolen, it should not be a trivial matter for an attacker to read the information. Not only is it important to store them, but it’s also important to ensure that there are effective procedures in place to restore information as quickly as possible, should the need arise.
While not strictly essential, storing backups off-site should be considered. The reason is to protect your organization from a disaster that completely levels and destroys your primary location (Fire, Flood, Earthquake, Etc.)
8. Secure Mobility
This means the organization needs to have a complete view of the Security for mobile devices. This implies that not only do you need to be taking active measures regarding portable devices owned by the organization, but you also need to recognize that staff have portable devices of their own on them. So, you should act accordingly.
This means deciding on an ownership model for devices like Smart Phones. To that end there need to be proper policies in place regarding employee conduct with their personal devices (also know as BYOD), as well any devices owned by the organization.
I) Separation of Work and personal devices is recommended.
This doesn’t appear to be a requirement, but a strong recommendation. Depending on the model of ownership adopted by your organization, there are different ways/tools to support it. The simplest option is to provide work equipment (like Smart Phones) that are managed with Mobile Device Management (MDM) software. While this means that some staff may carry two phones on the job, it provides a clear line on who’s in charge of the device.
II) Apps should only be downloaded from approved sources.
Generally, this would be official locations like the Apple or Google stores (depending on the hardware being used.) There are lots of places to download Apps from, since many legitimate developers do not like the business model for big ones. Preventing this from happening should be enforced through use of policies, as well as MDM software.
III) Mobile devices should store sensitive data in an encrypted format.
This isn’t limited to just smart phones, as it includes Laptops and tablets as well. It’s easier to ensure that all mobile devices have some form of encryption enabled on the files. Trying to encrypt just some data is tedious and ultimately a waste of time.
IV) MDM software is highly-recommended.
While much of this can be done with a secure initial setup that doesn’t prevent against tampering, not only does MDM software allow for the bulk configuration of devices, it also tends to have some monitoring and tracking capabilities that go along with it. If the organization is not going to make use of MDM software, the reason for this decision should be documented.
V) Mobile devices should not automatically connect to open networks.
This should be enforced by the configuration, as well as through policy and (if necessary) End User Education. Wireless networks do not use directional communications. Information is broadcast in all directions. That’s how the default Antennae work on all devices (unless they are specialized to begin with.) With an Open Network there are no restrictions on who can connect, so you have no way of stopping anyone from listening to your network traffic.
9. Establish Basic Perimeter Defenses
This Security Control is exactly how it sounds. Make sure your perimeter is secure. The good thing (from my perspective) is that it goes into a lot more detail than you may expect.
A) Have a dedicated Firewall between your Corporate Network and the Internet.
The keyword here is “dedicated.” Sometimes, networks grow to large proportions; to the point that it makes sense to have a Firewall positioned between different internal networks. In a situation like that you’re generally enabling some light traffic inspection or port restrictions, but not to the extent that you would enable for traffic to or from the Internet. Having a Firewall dedicated to filtering Internet traffic, helps ensure you’re protected from possible misconfigurations that could disable important traffic inspection options by accident.
B) Organizations should implement a DNS Firewall for outbound DNS requests to the Internet.
DNS traffic to the Internet should be inspected and limited. Monitoring DNS traffic can provide key alerts regarding Botnets and other malign activity. Historically, this sort of traffic tends to be unrestricted, providing a possible vector for infection. Most Firewalls can handle some DNS inspection level. Restricting devices from sending DNS traffic to the Internet can be easily enforced via Firewall Policy.
C) Activate any software Firewalls included on devices within their networks or document the alternative measures in place, instead of these Firewalls.
An example of this is Windows Firewall. At the same time, some Security Software includes Firewall Software as well. Multiple Software Firewalls stacked on top of each other on the same device usually result in big problems. Not enabling a Software Firewall on a device intended for use without a corporate network is a bad idea, as it only serves to facilitate an attacker’s movement through your network.
D) Organizations should require secure connectivity to all corporate IT resources and require VPN connectivity with Two-Factor Authentication for all remote access into corporate networks.
If you have some sort of resource (like a database), then any method for accessing it should use encrypted protocols (like HTTPS, LDAPS, Etc.) wherever possible. Plain text protocols should be avoided, whenever possible.
Any sort of remote access to the network should be properly secured through a VPN use of some form. This means not being able to directly connect to services like RDP, without first logging into a VPN that makes use of some form of Multi-Factor Authentication.
E) Use secure WiFi; preferably WPA2-Enterprise.
There are multiple options for WiFi networks to use, for Device Authentication purposes. All networks should use WPA2, or better.
F) Never connect Public WiFi networks to their Corporate networks.
This SHOULD go without saying, but it’s also not an uncommon mistake to make. A person that does not have good network skills, may believe that the only way to have the public network access the Internet, would be to do this.
G) Follow the Payment Card Industry Data Security Standard (PCI DSS) for all Point-Of-Sale terminals and financial systems, and further isolate these systems from the Internet.
For an outfit accepting any form of plastic as payment (Credit Card, Debit Card, Etc.), PCI-DSS compliance is not optional. The exact rules we should follow depend on the methods for which we accept payment. Those guidelines can be found on the PCI-DSS website.
H) Implement DMARC on all the organization’s email services.
DMARC stands for “Domain-based Message Authentication, Reporting & Conformance.” It was created to help prevent an unauthorized individual from sending fake emails that appear to come from your organization.
There were a variety of different points in this section. At the same time, you should realize that even if you are unaware of them (I.E.: DMARC), none of these are complicated, so they do fall under “Basic Perimeter Defense.”
If you have any questions about CYBERSECURE CANADA Certification, please reach out to your TRINUS Account Manager for some stress-free IT.
By Kind Courtesy of Your Friendly Neighbourhood Cyber-man.