Last week, we released part 1 of a two-part series on the low-hanging security best practices companies can implement to improve their security posture. Since security is no longer just the domain of the security experts, it’s important that everyone within your organization feel empowered to uphold security best practices regardless of their role.
This series is designed to give organizations a “starting point” on the security journey by identifying low-hanging fruit that can be picked off to gradually improve security. In part 1, we explained the four security tools and services we recommend getting started with, and in this post, we uncover the next set of recommendations, which can take you from level one to level two, so to speak.
The Next Four Security Practices All Companies Should Implement
5. Security Training
It won’t do you much good to implement security protocols such as two-factor authentication and email encryption if your employees don’t understand how or why to use them. Without proper training, employees may knowingly or unknowingly skirt the precautions you put in place.
To be sure that your team is fully informed on the why and how of each security practice they’re expected to uphold, we recommend organizing a team-wide security training session to review what you’ve put in place up to this point. Keep it fun, interactive, and positive, and make sure to convey that you’re all in this together.
After the first meeting, decide on an ongoing training schedule that’s right for your team (we recommend either monthly or quarterly). It can be as inviting as a 30-minute brown bag lunch talk, or as elaborate as a half-day session. Just be sure you’re respectful of your team’s time and provide them only with what they really need to know and do — not the full gamut.
A great topic to begin with is phishing, an all-too-common threat these days. Explain what phishing is, what an attack looks like, how the tools you have implemented (e.g., 2FA and encryption) can help, and how employees can help uphold their end of the security equation.
6. Hardening Configuration Management
It’s rare to walk into a modern operations team and not see configuration management (CM) systems such as Puppet, Chef, or Ansible driving the infrastructure. As we explained in an earlier post, CM software directly enables the DevOps concept of treating infrastructure as code. However, with the great power enabled by CM comes great responsibility.
Since the very nature of CM is to execute arbitrary code on infrastructure, you need ways to harden the systems to protect sensitive data. You can use tools like chef-vault, which encrypts sensitive data using public keys, or file integrity monitoring, which allows you to see when unauthorized services touch a secret on the disk. If you already implemented this as recommended in Part 1 of this series, kudos and one more box checked.
7. Ensure Safe Access to Production
Teams that practice continuous delivery and agile development commonly give developers access to production in order to ship updates, features, and new products faster. In a trust-but-verify world, you need to implement certain security measures to ensure that vulnerabilities don’t go out in the wild and that developers are behaving as they should.
To do this, you should be monitoring for events such as package installs and updates to ensure that only your CM system is managing your hosts. Tracking and monitoring the code that configures your systems is important to ensure that users are not manually installing packages on hosts, which can pull in unknown security issues.
There are open source options such as OSSEC and auditd that do this if you have the time to configure and manage them. Better yet, a tool like Threat Stack can handle the configuration and ongoing monitoring for you. Either way, it’s critical to implement a system early on for monitoring activity across production servers, since this is arguably one of your most critical infrastructure levels.
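As an added example (not from the original post or from any of the tools named above), here is one way to check auditd records for package-manager runs that did not come from the CM system. The log lines are constructed, and the audit key "pkg_mgmt" and the CM service account uid 990 are assumptions.

```python
import re

# Constructed auditd SYSCALL records (not from a real host). They assume audit
# rules such as "-w /usr/bin/dpkg -p x -k pkg_mgmt" tag package-manager runs
# with the hypothetical key "pkg_mgmt".
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=812 pid=4410 auid=4294967295 uid=0 euid=0 tty=(none) ses=4294967295 comm="dpkg" exe="/usr/bin/dpkg" key="pkg_mgmt"
type=SYSCALL msg=audit(1700000360.552:245): arch=c000003e syscall=59 success=yes exit=0 ppid=5120 pid=5133 auid=1004 uid=0 euid=0 tty=pts0 ses=17 comm="apt-get" exe="/usr/bin/apt-get" key="pkg_mgmt"
type=SYSCALL msg=audit(1700000400.007:251): arch=c000003e syscall=59 success=yes exit=0 ppid=5120 pid=5140 auid=1004 uid=1004 euid=1004 tty=pts0 ses=17 comm="ls" exe="/usr/bin/ls" key=(null)
type=SYSCALL msg=audit(1700000900.300:310): arch=c000003e syscall=59 success=yes exit=0 ppid=6001 pid=6002 auid=990 uid=0 euid=0 tty=(none) ses=22 comm="dpkg" exe="/usr/bin/dpkg" key="pkg_mgmt"
"""

UNSET_AUID = "4294967295"        # auid of processes never tied to a login (daemons)
CM_AUIDS = {UNSET_AUID, "990"}   # assumption: 990 is the CM service account's uid
PKG_KEY = "pkg_mgmt"             # assumption: key set by the site's audit rules

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
STAMP = re.compile(r"audit\((\d+)\.\d+:(\d+)\)")

def parse_record(line):
    """Return an audit record's key=value fields plus epoch time and event id."""
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    m = STAMP.search(line)
    if m:
        fields["epoch"], fields["event_id"] = int(m.group(1)), int(m.group(2))
    return fields

def manual_package_events(log_text, cm_auids=CM_AUIDS):
    """Flag package-manager executions whose login uid is not the CM system's."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("key") != PKG_KEY:
            continue
        if rec.get("success") == "yes" and rec.get("auid") not in cm_auids:
            findings.append({k: rec.get(k) for k in
                             ("event_id", "epoch", "auid", "tty", "exe")})
    return findings

if __name__ == "__main__":
    for finding in manual_package_events(SAMPLE_LOG):
        print("manual package activity:", finding)
```

An unset auid only means the process did not start from a login session, so it separates interactive users from daemons rather than the CM agent from every other service. Narrow `cm_auids` if your CM tool always runs under a dedicated account.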
8. Security Alerting
You need a system to alert you the moment something anomalous is detected. Whether it’s an unusual login to production at 2 a.m. from an IP based in Russia, or a vulnerability that was unknowingly released into production, you need to know, and you need to know fast.
Threat Stack will alert your team the moment it detects anomalous behavior. Threat Stack also helps teams to customize the severity of security alerts, so that only high-severity alerts go to your on-call developers at night, while lower-severity alerts are left to be handled during business hours.
Bringing the Security Pieces Together
If you’ve been following the security practices we’ve recommended in this two-part series, you can start to see how security builds on itself. At this point, you need a way to keep track of your security measures and system activity through a single pane of glass, rather than having to log into a variety of individual tools to then piece the information together.