Three Security Must-Haves for 2013

It’s easy to feel uncertain about where to start when it comes to properly covering all the bases in securing your infrastructure. Evolving security threats demand that protective solutions develop just as rapidly – or faster. It’s not enough to stick to the same generic security measures you’ve always assumed were working and hope for the best. Hackers are becoming smarter and scrappier, so you have to beat them in both departments too.

The New Year is always a good time to check in with your organization’s security policies and see where updates can be made. If one of your New Year’s resolutions is to stop threats before they hit your environment, here are three security must-haves for 2013.

Take inventory of your assets and vulnerabilities

Many companies lack a solid grasp of what assets they have and where their weakest security areas are, either because they are unsure how to begin the process or because they have too few resources to allocate to it. Whatever the cause of that weak grasp on your areas of weakness, you must build a risk profile over time in order to take your data protection to the next level.

• Identify each of your assets and classify them, so you can then pinpoint exactly what risks exist and what assets they affect.

• Determine what version of your software each of the assets runs on, where that asset is on your network, and how it’s deployed.

• Assign a value to each of those assets, and work out how much risk each one really carries, based on the business impact if that asset’s security were compromised.

Approach it this way, and you’ll have what you need to prioritize all of your risks over time so they can be mitigated proactively and eliminated as much as possible.
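The three steps above (identify and classify, record version and placement, assign a business value) produce a risk profile only once they are combined into something that can be sorted. The following script is an added example, not code from the article or from FireHost: it holds a constructed inventory and a constructed set of findings, scores each finding as business impact x likelihood x network exposure, and emits a prioritized register. The exposure weights, the 1-5 scales and every host, product and finding in it are assumptions made for the example; a real inventory would be fed from a scanner or CMDB export.

```python
from dataclasses import dataclass

# Exposure weights are an assumption for this example: an internet-facing
# zone makes exploitation more likely than a restricted internal segment.
EXPOSURE_WEIGHT = {"dmz": 3, "internal": 2, "restricted": 1}


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str   # e.g. public / internal / confidential / restricted
    software: str         # product the asset runs
    version: str          # deployed version, so outdated builds can be spotted
    network_zone: str     # where it sits on the network (key of EXPOSURE_WEIGHT)
    deployment: str       # how it is deployed (bare metal, VM, container, ...)
    business_impact: int  # 1 (negligible) .. 5 (severe) if compromised


@dataclass(frozen=True)
class Vulnerability:
    asset: str            # name of the affected asset
    description: str
    likelihood: int       # 1 (unlikely) .. 5 (near certain) to be exploited
    patch_available: bool


def risk_score(asset: Asset, vuln: Vulnerability) -> int:
    """Business impact x likelihood x network exposure; higher means fix sooner."""
    return asset.business_impact * vuln.likelihood * EXPOSURE_WEIGHT[asset.network_zone]


def unknown_assets(assets, vulns):
    """Findings that refer to assets missing from the inventory: a gap in step 1."""
    known = {a.name for a in assets}
    return sorted({v.asset for v in vulns if v.asset not in known})


def build_risk_register(assets, vulns):
    """Join findings to the inventory and sort them by score, highest first."""
    by_name = {a.name: a for a in assets}
    register = []
    for v in vulns:
        a = by_name.get(v.asset)
        if a is None:          # reported separately by unknown_assets()
            continue
        register.append({
            "asset": a.name,
            "classification": a.classification,
            "software": f"{a.software} {a.version}",
            "zone": a.network_zone,
            "finding": v.description,
            "score": risk_score(a, v),
            # no patch means the risk must be reduced another way
            "action": "patch" if v.patch_available else "compensating control",
        })
    register.sort(key=lambda r: (-r["score"], r["asset"]))
    return register


# Constructed sample inventory and findings (not real hosts, products or issues).
ASSETS = [
    Asset("web-01", "confidential", "web server", "2.2 (end of life)", "dmz", "VM", 4),
    Asset("mobile-api", "confidential", "REST API", "1.4", "dmz", "container", 4),
    Asset("db-01", "restricted", "database", "9.1", "restricted", "bare metal", 5),
    Asset("wiki", "internal", "wiki", "3.0", "internal", "VM", 2),
]
VULNS = [
    Vulnerability("web-01", "end-of-life web server build", 4, True),
    Vulnerability("mobile-api", "TLS not enforced on mobile endpoint", 3, False),
    Vulnerability("db-01", "default administrative credentials", 3, False),
    Vulnerability("wiki", "pending security updates", 2, True),
]

if __name__ == "__main__":
    for gap in unknown_assets(ASSETS, VULNS):
        print(f"WARNING: finding for unknown asset {gap}; inventory incomplete")
    for row in build_risk_register(ASSETS, VULNS):
        print(f"{row['score']:3d}  {row['asset']:<11} {row['zone']:<10} "
              f"{row['action']:<20} {row['finding']}")
```

Note that the highest-value asset (the database) does not come out on top: its restricted placement lowers the exposure weight, while the end-of-life web server in the DMZ does. That is the point of recording placement alongside value in step two, and the `unknown_assets` check surfaces findings for hosts the inventory never captured, which is the usual sign that step one is incomplete.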

More emphasis on mobile management

There is no doubt that we will see both breakthroughs in mobile security and severe mobile breaches this next year. Consumers and businesses alike increasingly rely on their mobile devices for transactional work, the transfer and/or storage of data, and innumerable other actions that will only escalate with time. With this in mind, it’s imperative to plan for heavy protection of every facet of your site’s mobile security. Here again, asset and risk management is crucial to managing mobile data, so treat it as information worthy of the same protection it would receive on any other platform.

Ensure that any sensitive information entered into a mobile device is immediately sent and stored elsewhere, ideally on storage and services located in a more controlled environment. The data should also be tokenized by your payment gateway if your company accepts mobile payments. Don’t underestimate the power of strong encryption ciphers. An intermingling of sensitive data and an overlap of information boundaries is often a by-product of the increased interconnectivity provided by mobile devices, making encryption all the more critical.
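The tokenization step described above can be made concrete. The code below is an added example, not the article's or FireHost's code and not any real payment gateway's API: a token vault that stands in for the controlled environment, and a mobile checkout record that keeps only the token and a masked form of the card number. It assumes the vault validates the number with a Luhn check before issuing a random token, that the token carries no information about the number it replaces, and that the vault's own at-rest encryption is handled by the gateway and is out of scope here. The card numbers used are constructed test values, not real accounts.

```python
import secrets
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, the standard check that a card number is well formed."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Runs on the gateway side, in the controlled environment (assumed).

    The mapping from token to card number lives only here; encrypting this
    store at rest is the gateway's responsibility and is not shown.
    """

    def __init__(self):
        self._store: dict[str, str] = {}

    def tokenize(self, pan: str) -> tuple[str, str]:
        pan = pan.replace(" ", "")
        if not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        # Random token: nothing about the card number can be derived from it,
        # so a device or database holding only the token holds nothing usable.
        token = "tok_" + secrets.token_urlsafe(16)
        self._store[token] = pan
        masked = "*" * (len(pan) - 4) + pan[-4:]
        return token, masked

    def detokenize(self, token: str) -> str:
        """Only callable inside the vault; the mobile side never has this."""
        return self._store[token]


@dataclass(frozen=True)
class MobileCheckoutRecord:
    """What the mobile app or its backing store is allowed to keep."""
    token: str
    masked_pan: str


def capture_payment(vault: TokenVault, pan_entered_on_device: str) -> MobileCheckoutRecord:
    """Send the entered number to the vault immediately; retain only the token."""
    token, masked = vault.tokenize(pan_entered_on_device)
    return MobileCheckoutRecord(token=token, masked_pan=masked)


if __name__ == "__main__":
    vault = TokenVault()
    record = capture_payment(vault, "4111 1111 1111 1111")   # constructed test number
    print(record)                    # token plus ****1111, no full number on the device
    print(vault.detokenize(record.token))   # only the vault can resolve it
```

Two properties are worth checking against this model: the same card number tokenized twice yields unrelated tokens, and a record holding only the token cannot be turned back into the number without access to the vault. Both are what make it safe for the mobile side to store the token while the number itself stays behind in the controlled environment.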

Rely on heavy hitters like certificates, memory isolation, and sandboxing as additional layers of mobile protection and keep server roles isolated for optimal protection. For instance, you don’t want a vulnerable Web application running on the same server that your sensitive database information is stored on. Mobile security still needs to be proven quite a bit before it reaches the trustworthy status of the cloud, so take it a step at a time, but be diligent about staying ahead. Make sure all of your security layers are wrapped around every piece of data in your organization, and on every device from which it can be accessed.

Develop an inclusive and relevant information security program

This year, resolve to look beyond just focusing on physical security and the network, and aim to protect against the multiple other avenues where exploitations occur, such as Web applications and social engineering. You can’t be too careful when it comes to your own employees, and an inclusive security program will account for protective measures that rely on staff being trained and accountable. This means mature password policies, regular software updates, and frequent company-wide security training.

Begin by establishing (or updating) a comprehensive high-level security plan that includes the areas most in need of protection, along with overarching protocol that must be followed in order to maintain the highest defense from compromise. Then create a business-wide security policy that is shared among all members of your team, and implement training procedures. This will ensure widespread awareness of possible security threats, ways to combat them, and proactive measures that can be taken by each team member to avoid falling prey and putting the business at risk.

The last step is to develop contingency, business continuity, and disaster recovery planning. You can’t afford to have downtime or to lose valuable business hours due to a crack in your preparation. It’s cliché, but if you fail to plan in these areas, you can most surely plan to fail. Work on your security program from every angle, encompassing user authentication measures, network infrastructure components (like firewalls and intrusion detection systems), and tightly guarded physical and logical access.

Finally, you have probably spent time and resources on industry-accepted best practices and on regulatory requirements such as PCI DSS. However, if you have the resources, you should also seek certifications and accreditations that are applicable to your industry but may not be required. Customers are becoming hyper-aware of, and concerned about, the security of the companies they do business with. Taking this extra measure will show your commitment to your customers while gaining stamps of approval from industry peers and security organizations. If you approach your inclusive information security plan from every direction possible, you will guarantee a holistic, solid security program for 2013.

Overall, options for new security measures and technologies will continue to get stronger and more affordable. If you choose to develop a powerful infrastructure security program and you focus on these three areas, you’re already leaving your competitors in the dust. Continue to uphold a commitment to your customers and their sensitive data, and be the provider who is always a step ahead in protecting their information. Cheers to a more secure 2013.

Chris Hinkley is a Senior Security Engineer at FireHost where he maintains and configures network security devices, and develops policies and procedures to secure customer servers and websites. Hinkley has been with FireHost since the company’s inception. In his various roles within the organization, he’s serviced hundreds of customer servers, including Windows and Linux, and overseen the security of hosting environments to meet PCI, HIPAA and other compliance guidelines.