SECURITY ESSENTIALS
https://au.linkedin.com/in/ashleydeuble
BAD STUFF HAPPENS ..
ORGANISATIONS CAN BE TIGHT ..
• There are many reasons why there is no cash for a security program
• We don’t have anything that anyone would want?
• We’ve never been hacked!
• What do we get in return?
• We have other pressing priorities .. Get back to work!
YOU CAN DO IT!
• Start off with the basics and show that it has some business value
• Implement policies – have a security position
• Patch your systems and applications regularly
• Run anti-virus
• Limit the use of privileged access
• Backups & recovery processes
• Incident response
• Security awareness
POLICIES/SECURITY POSITION
• Grab some template policies and modify them to suit your organisation
• Have a security statement (e.g. “We take security seriously blah blah blah”)
• Have an acceptable use policy
• Refer to existing frameworks for guidance
  • ISO27001/2
  • IS18
  • NIST
  • COBIT
  • PCI DSS
PATCH YOUR SYSTEMS
• According to CNN Money – In 2015, 90% of attacks leveraged old vulnerabilities that already had patches available
• Use free tools to patch your Windows systems – Windows Server Update Services (WSUS)
• Set Windows desktop machines to automatically install updates if you can’t use a patching tool
• Java and Flash are evil!! Patch regularly or remove if possible
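The slide says to use WSUS, turn on automatic updates and get rid of Java and Flash, but gives no way to check whether a given machine actually matches that. The script below is an added example (not part of the slides) that audits one Windows host: it reads the documented Windows Update policy registry values, checks when a hotfix was last installed, and lists Java/Flash installs from the uninstall keys. The 45-day staleness threshold and the expectation that AUOptions is 4 are assumptions for the example; set them to match your own patch cycle. Run it in an elevated PowerShell session.

```powershell
# Added example, not from the slides: audit a Windows host's patching posture.
# Registry paths and value names are the standard Windows Update policy keys
# (normally written by Group Policy). The threshold and expected AU mode below
# are assumptions for this example.

$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicy = "$WuPolicy\AU"
$MaxDaysSinceLastHotfix = 45   # assumption: anything older than this is flagged

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Return $null instead of throwing when the key or value is absent,
    # which is the normal state on a machine with no policy applied.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Invoke-PatchPostureAudit {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Where do updates come from? WSUS is in use only if both values are set.
    $wsus    = Get-PolicyValue $WuPolicy 'WUServer'
    $useWsus = Get-PolicyValue $AuPolicy 'UseWUServer'
    if ($wsus -and $useWsus -eq 1) {
        $findings.Add("INFO: updates are sourced from WSUS at $wsus")
    } else {
        $findings.Add('INFO: no WSUS configured; host updates directly from Microsoft')
    }

    # 2. Are automatic updates on? NoAutoUpdate=1 switches them off entirely;
    #    AUOptions selects the mode (2=notify, 3=download+notify, 4=auto install).
    $noAuto    = Get-PolicyValue $AuPolicy 'NoAutoUpdate'
    $auOptions = Get-PolicyValue $AuPolicy 'AUOptions'
    if ($noAuto -eq 1) {
        $findings.Add('FAIL: Automatic Updates disabled by policy (NoAutoUpdate=1)')
    } elseif ($null -eq $auOptions) {
        $findings.Add('WARN: no AUOptions policy set; behaviour is the local default')
    } elseif ($auOptions -ne 4) {
        $findings.Add("WARN: AUOptions=$auOptions; expected 4 (auto download and schedule install)")
    }

    # 3. When did something last actually get installed?
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    if (-not $latest) {
        $findings.Add('FAIL: no hotfix with an install date found')
    } else {
        $age = (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
        if ($age -gt $MaxDaysSinceLastHotfix) {
            $findings.Add("FAIL: last hotfix $($latest.HotFixID) installed $age days ago")
        } else {
            $findings.Add("OK  : last hotfix $($latest.HotFixID) installed $age days ago")
        }
    }

    # 4. Java and Flash: walk both the 64-bit and the 32-bit (WOW6432Node) uninstall keys.
    $uninstall = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^Java|Adobe Flash Player' } |
        ForEach-Object {
            $findings.Add("WARN: $($_.DisplayName) $($_.DisplayVersion) installed; patch or remove")
        }

    return $findings
}

Invoke-PatchPostureAudit | ForEach-Object { Write-Output $_ }
```

Run it across a fleet with `Invoke-Command` and keep the FAIL/WARN lines; a host that reports no WSUS, AUOptions unset and a months-old last hotfix is exactly the machine the CNN Money statistic on the slide is about.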
ANTI-VIRUS
• Anti-virus is dead ?!?
• Symantec reported 317 million new malware samples were seen in 2014
• Microsoft Security Essentials/Windows Defender
PRIVILEGED ACCESS
• Principle of least access
• Limiting access to the minimal level that will allow normal functioning
• Often user error is the cause of incidents & additional work
• Do you need to browse Facebook as an administrator to your organisation?
• 2016 Mandiant M-Trends report discussed a case where an attacker obtained admin
access and spread ransomware through Group Policy
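Least privilege is hard to keep in place unless you can see who has admin rights today. The script below is an added example, not from the slides or the Mandiant report, that lists the members of a host's local Administrators group, flags anyone not on an approved list, and warns when the session running it is itself elevated (the "browsing Facebook as an administrator" problem). The approved-list entries are placeholders for this example; `Get-LocalGroupMember` ships with Windows 10 and Server 2016 and later.

```powershell
# Added example, not from the slides: audit local administrator membership on
# a Windows host. The $ApprovedAdmins entries are placeholders; replace them
# with the accounts or groups your organisation has actually approved.

$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # placeholder: the built-in local admin account
    'CONTOSO\Workstation Admins'         # placeholder: a domain group is preferable to individual users
)

function Get-LocalAdminReport {
    # One record per member of the local Administrators group.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    foreach ($m in $members) {
        [pscustomobject]@{
            Name        = $m.Name
            ObjectClass = $m.ObjectClass        # User or Group
            Source      = $m.PrincipalSource    # Local, ActiveDirectory, MicrosoftAccount ...
            Approved    = ($ApprovedAdmins -contains $m.Name)   # -contains is case-insensitive
        }
    }
}

function Test-SessionElevated {
    # True when the token this PowerShell process runs under is in the Administrators role.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$report = Get-LocalAdminReport
$report | Format-Table -AutoSize

$unapproved = @($report | Where-Object { -not $_.Approved })
if ($unapproved.Count -gt 0) {
    Write-Warning ('Unapproved local administrators: ' + ($unapproved.Name -join ', '))
}

if (Test-SessionElevated) {
    Write-Warning 'This session is elevated. Use a standard account for mail and browsing; elevate only for admin tasks.'
}
```

The same pattern applies to the Group Policy case on the slide: whoever can edit GPOs can push anything to every machine, so membership of the groups that hold that right deserves the same review as local Administrators.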
BACKUP & RECOVERY
• Determine what your critical business systems and information are
• Back up regularly and test often
• Periodically review and ensure all critical business data is backed up
• Encrypt your backups if they contain sensitive data
• Think about business continuity and disaster recovery (short & long term outages)
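"Back up regularly and test often" means actually restoring and checking the result, not just confirming the job finished. The script below is an added example (not from the slides) of a restore test: it records a SHA-256 for every file in a source tree, packs the tree into a zip, unpacks it into a separate location and reports any file that is missing, changed or unexpected. The sample files it creates are constructed for the demo; point `$Source` at a real folder to use it. `Compress-Archive` writes a plain, unencrypted zip, so for sensitive data the archive would still need to be encrypted before it leaves the host, as the slide says.

```powershell
# Added example, not from the slides: a backup restore test using only
# built-in cmdlets. The sample data below is constructed for the demo.

$Work    = Join-Path ([IO.Path]::GetTempPath()) ('backuptest-' + [guid]::NewGuid())
$Source  = Join-Path $Work 'source'
$Archive = Join-Path $Work 'backup.zip'
$Restore = Join-Path $Work 'restore'

function New-SampleData {
    # Constructed demo data: two files, one of them in a subfolder.
    New-Item -ItemType Directory -Path (Join-Path $Source 'finance') -Force | Out-Null
    Set-Content -Path (Join-Path $Source 'readme.txt') -Value 'critical business data'
    Set-Content -Path (Join-Path $Source 'finance\ledger.csv') -Value @('date,amount', '2016-05-01,100')
}

function Get-TreeManifest {
    param([string]$Root)
    # Map relative path -> SHA-256 so two copies of a tree can be compared.
    $manifest = @{}
    Get-ChildItem -Path $Root -Recurse -File | ForEach-Object {
        $relative = $_.FullName.Substring($Root.Length).TrimStart('\', '/')
        $manifest[$relative] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $manifest
}

function Test-BackupRestore {
    $before = Get-TreeManifest -Root $Source

    # Back up, then restore into a clean location (never over the originals).
    Compress-Archive -Path (Join-Path $Source '*') -DestinationPath $Archive -Force
    Expand-Archive -Path $Archive -DestinationPath $Restore -Force
    $after = Get-TreeManifest -Root $Restore

    $problems = @()
    foreach ($path in $before.Keys) {
        if (-not $after.ContainsKey($path))       { $problems += "missing after restore: $path" }
        elseif ($after[$path] -ne $before[$path]) { $problems += "hash mismatch: $path" }
    }
    foreach ($path in $after.Keys) {
        if (-not $before.ContainsKey($path))      { $problems += "unexpected file in restore: $path" }
    }

    [pscustomobject]@{
        FilesChecked = $before.Count
        Problems     = $problems
        Passed       = ($problems.Count -eq 0 -and $before.Count -gt 0)
    }
}

New-SampleData
$result = Test-BackupRestore
$result | Format-List
Remove-Item -Path $Work -Recurse -Force
```

A scheduled run of this against a sample of each critical system's backups, with `Passed` written to a log you actually read, is the "test often" part of the slide; the manifest also tells you which files a restore silently lost, which a successful-job notification never will.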
INCIDENT RESPONSE
• Have a plan ready for when it all goes bad
• Your plan could be to have someone else do it!
• Keep regular contacts with law enforcement, AusCERT, CERT Australia etc.
• Maybe put a 3rd party on a retainer for IR & investigations
SECURITY AWARENESS
• We’re all human .. That’s why we’re targets
• Inform the users what security means to the organisation
• Relate it back to your security policies and guidelines
• Tell them what to do if they make a mistake or suspect a weakness
• Conduct it regularly and for all new users
RESOURCES
• Security Policy
  • SANS - https://www.sans.org/security-resources/policies
  • CSO - http://www.csoonline.com/article/3019126/security/security-policy-samples-templates-and-tools.html
• Security Frameworks
  • ISO 27001 - http://www.iso27001security.com/
  • ISACA COBIT 5 - http://www.isaca.org/cobit/pages/cobit-5-framework-product-page.aspx
  • PCI DSS - https://www.pcisecuritystandards.org/pci_security/
  • NIST Cybersecurity Framework - http://www.nist.gov/cyberframework/
• Patching Systems
  • Microsoft WSUS - https://www.microsoft.com/en-au/download/details.aspx?id=5216
  • Red Hat Satellite - https://www.redhat.com/en/technologies/linux-platforms/satellite
• Antivirus
  • Microsoft Security Essentials/Windows Defender - http://windows.microsoft.com/en-AU/windows/security-essentials-download
• Mandiant M-Trends 2016 report
  • https://www2.fireeye.com/rs/848-DID-242/images/Mtrends2016.pdf
• Incident Response
  • Count Upon Security (with links to supplementary materials) - http://countuponsecurity.com/2012/12/21/computer-security-incident-handling-6-steps/
  • SANS Incident Handlers Handbook Whitepaper - https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
• Security Awareness
  • NIST: Building an Information Technology Security Awareness and Training Program - http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf
  • SANS Securing the Human (look in the resources area) - http://securingthehuman.sans.org/
  • PCI Best practices for implementing a security awareness program - https://www.pcisecuritystandards.org/documents/PCI_DSS_V1.0_Best_Practices_for_Implementing_Security_Awareness_Program.pdf


Editor's Notes

  • #2 Companies big and small find it hard to get funding for a security program. No ROI that is visible (can’t see when you don’t get hacked, right?)
  • #3 Always hear about the big ones (Ashley Madison, Sony, Target etc.) .. But it happens here every day as well. No mandatory breach notification
  • #4 Supply chain
  • #6 Need to know what security looks like to understand what level of risk is out there
  • #9 Rabbit photo story
  • #12 Last slide