ORGANISATIONS CAN BE TIGHT ..
• There are many reasons why there is no cash for a security program
• We don’t have anything that anyone would want?
• We’ve never been hacked!
• What do we get in return?
• We have other pressing priorities .. Get back to work!
YOU CAN DO IT!
• Start off with the basics and show that it has some business value
• Implement policies – have a security position
• Patch your systems and applications regularly
• Run anti-virus
• Limit the use of privileged access
• Backups & recovery processes
• Incident response
• Security awareness
• Grab some template policies and modify them to suit your organisation
• Have a security statement (e.g. “We take security seriously blah blah blah”)
• Have an acceptable use policy
• Refer to existing frameworks for guidance
• PCI DSS
PATCH YOUR SYSTEMS
• According to CNN Money – In 2015, 90% of attacks leveraged old vulnerabilities that already had patches available
• Use free tools to patch your Windows systems – Windows Server Update Services
• Set Windows desktop machines to automatically install updates if you can’t use a
• Java and Flash are evil!! Patch regularly or remove if possible
• Anti-virus is dead ?!?
• Symantec reported 317 million new malware samples were seen in 2014
• Microsoft Security Essentials/Windows Defender
• Principle of least access
• Limiting access to the minimal level that will allow normal functioning
• Often user error is the cause of incidents & additional work
• Do you need to browse Facebook as an administrator to your organisation?
• 2016 Mandiant M-Trends report discussed a case where an attacker obtained admin access and spread ransomware through Group Policy
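As an added example (not part of the original slides), a read-only PowerShell baseline check for the three basics above on one Windows host: whether the Windows Update auto-install policy is set (and whether a WSUS server is pointed to), whether Defender real-time protection is on with recent signatures, and whether the account running it sits in the local Administrators group. It assumes Windows 10/11 or Server 2016+ with the Defender and Microsoft.PowerShell.LocalAccounts modules available; the registry paths are the documented Windows Update policy keys.

```powershell
# Added example, not from the original slides. Read-only; run from an elevated prompt.
# Assumes Windows 10/11 or Server 2016+ with the Defender and LocalAccounts modules.

function Test-PatchPolicy {
    # Group Policy registry keys that Windows Update honours (documented policy values)
    $au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auOptions = (Get-ItemProperty -Path $au -Name AUOptions    -ErrorAction SilentlyContinue).AUOptions
    $noAuto    = (Get-ItemProperty -Path $au -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate
    $wsus      = (Get-ItemProperty -Path $wu -Name WUServer     -ErrorAction SilentlyContinue).WUServer
    [pscustomobject]@{
        Check  = 'Patching'
        # AUOptions 4 = auto download and schedule install. No policy key at all is reported
        # as "not enforced" so that an unmanaged desktop shows up in the results.
        Pass   = ($noAuto -ne 1) -and ($auOptions -eq 4)
        Detail = "AUOptions=$auOptions NoAutoUpdate=$noAuto WSUS=$(if ($wsus) { $wsus } else { 'not configured' })"
    }
}

function Test-AntiVirus {
    # Get-MpComputerStatus is the Windows Defender cmdlet; returns nothing if Defender is absent
    $s = Get-MpComputerStatus -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check  = 'Anti-virus'
        Pass   = ($null -ne $s) -and $s.RealTimeProtectionEnabled -and ($s.AntivirusSignatureAge -le 7)
        Detail = $(if ($s) { "RealTime=$($s.RealTimeProtectionEnabled) SigAgeDays=$($s.AntivirusSignatureAge)" }
                   else    { 'Defender status unavailable' })
    }
}

function Test-LeastPrivilege {
    # The account used for day-to-day work should not be a member of local Administrators
    $admins  = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    $current = "$env:USERDOMAIN\$env:USERNAME"
    $isAdmin = $admins.Name -contains $current
    [pscustomobject]@{
        Check  = 'Least privilege'
        Pass   = -not $isAdmin
        Detail = "$current in Administrators: $isAdmin; members: $($admins.Name -join ', ')"
    }
}

# Emit one row per check; a False in the Pass column is an item to fix
& { Test-PatchPolicy; Test-AntiVirus; Test-LeastPrivilege } | Format-Table -AutoSize -Wrap
```

The checks are deliberately conservative: a host with no Windows Update policy key, or a signature set older than a week, fails rather than passes, so the output is a to-do list rather than a reassurance.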
BACKUP & RECOVERY
• Determine what your critical business systems and information are
• Back up regularly and test often
• Periodically review and ensure all critical business data is backed up
• Encrypt your backups if they contain sensitive data
• Think about business continuity and disaster recovery (short & long term outages)
• Have a plan ready for when it all goes bad
• Your plan could be to have someone else do it!
• Keep regular contacts with law enforcement, AusCERT, CERT Australia etc.
• Maybe put a 3rd party on a retainer for IR & investigations
• We’re all human .. That’s why we’re targets
• Inform the users what security means to the organisation
• Relate it back to your security policies and guidelines
• Tell them what to do if they make a mistake or suspect a weakness
• Conduct it regularly and for all new users
• Security Awareness
• NIST: Building an Information Technology Security Awareness and Training Program -
• SANS Securing the Human (look in the resources area) -
• PCI Best practices for implementing a security awareness program -