Let's talk about checklists! Specifically, checklists of things information security professionals should complete between now and the end of the year. Slow period? What slow period?
The end of the year is a very busy time for IT security. Last-minute modifications and additions to next year's budget are underway, as well as looking at this year's budget and figuring out what else needs to be done. There are still the fires to put out, from ongoing attacks, data leaks, and errors. Some industries, such as retailers, are under tremendous pressure to handle a larger-than-usual volume of transactions. And of course, you have fewer people to do everything, since many of them are taking some well-deserved time off.
We asked a few folks to weigh in with what kind of items should be on an end-of-the-year security checklist. Take a look, and share with us what you have on yours.
Clean up. We talk about spring and fall cleaning. Consider this a good time to do some housecleaning. Look through and find all technology that is no longer being used or supported, and get rid of it. Look at your software: do you have old versions of software that can be removed? How about plugins you are no longer using? Are there old servers and machines that are plugged in but no one is using anymore? No need to keep them around.
Treat Potential Unwanted Software (PUS) as Malicious. Make sure your anti-malware defenses and your teams treat PUS as malware. PUS generates a lot of sneaky traffic on the network, making it harder to spot outright malicious activity. "The cleaner you keep your network and computers, the easier to spot serious attacks," says Chris Larsen, a senior malware researcher at Blue Coat.
Look at your requirements. “The big one is PCI,” says Jon Heimerl, senior security strategist at Solutionary. The new PCI 3.0 requirements went into effect in January, but businesses were given an extension to be compliant by January 2015. The time is now to make sure you know the new requirements. For the healthcare industry, the focus should be on the HIPAA Omnibus Rule, which went into effect September 2014. Formal audits come next year. “It would not hurt anyone in the healthcare industry to make sure they are on track for full HIPAA Omnibus Rule compliance,” Heimerl says.
“Conduct One Last Regular Risk Assessment for 2014,” says Lysa Myers, a security researcher with ESET. You should be doing regular security risk assessments throughout the year so that you know what you currently have in place and what kind of defenses you will need. Make sure to include mobile devices such as smartphones and tablets, as well as non-Windows machines in your assessment. Do one last assessment before you close out the year: it will help you get started come January.
Check your backups. Make sure you are doing effective backups that truly capture everything you need to capture, and that you are including all new servers and workstations which were added throughout the year, Heimerl says. Test your backups through a practice restoration to help make sure that your backups are actually restorable.
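The practice restoration Heimerl recommends is easy to script. The following is an added example, not part of the original article: it archives a directory, restores the archive into a scratch location, and compares per-file checksums, so that "the backup ran" is never mistaken for "the backup is restorable and complete". The sample tree, file names and contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: a minimal backup-and-restore drill.
# Assumes POSIX sh, tar, find, mktemp, and sha256sum (or shasum as a fallback).

if command -v sha256sum >/dev/null 2>&1; then
    HASH_CMD="sha256sum"
else
    HASH_CMD="shasum -a 256"      # macOS/BSD fallback
fi

# hash_tree DIR: print "hash  ./relative/path" for every regular file, sorted,
# so two trees can be compared as plain text.
hash_tree() {
    ( cd "$1" && find . -type f -exec $HASH_CMD {} + | sort -k2 )
}

# backup_tree SRC_DIR ARCHIVE: write a tar archive of SRC_DIR to ARCHIVE.
backup_tree() {
    tar -C "$1" -cf "$2" .
}

# verify_restore SRC_DIR ARCHIVE: restore ARCHIVE into a fresh temp dir and
# return 0 only when every file in SRC_DIR is present with identical content.
# A file added to SRC_DIR after the backup (the "new server added during the
# year" case) shows up as a mismatch, as does any corrupted or missing file.
verify_restore() {
    src="$1"
    archive="$2"
    restore_dir=$(mktemp -d) || return 1
    if ! tar -C "$restore_dir" -xf "$archive"; then
        echo "restore of $archive failed" >&2
        rm -rf "$restore_dir"
        return 1
    fi
    if [ "$(hash_tree "$src")" = "$(hash_tree "$restore_dir")" ]; then
        rm -rf "$restore_dir"
        return 0
    fi
    echo "MISMATCH: restore at $restore_dir differs from $src" >&2
    return 1
}

# make_sample_tree: build a small constructed directory tree to drill against.
make_sample_tree() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/etc" "$dir/var/app"
    printf 'listen=443\n' > "$dir/etc/app.conf"
    printf 'user,role\nalice,admin\n' > "$dir/var/app/users.csv"
    echo "$dir"
}

# Stand-alone usage: back up the sample tree, prove it restores, then add a
# file and show the stale backup is caught.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    SRC=$(make_sample_tree)
    ARCHIVE=$(mktemp)
    backup_tree "$SRC" "$ARCHIVE"
    verify_restore "$SRC" "$ARCHIVE" && echo "restore drill: OK"
    printf 'new host\n' > "$SRC/var/app/newserver.txt"
    verify_restore "$SRC" "$ARCHIVE" || echo "restore drill: stale backup detected"
fi
```

Run it on a quiet schedule against a copy of real data, and treat any mismatch as an incident to fix now rather than a surprise to discover during a restore in January.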
Train your employees. “Host a lunch-and-learn session for all employees on how to spot and report phishing emails,” says Ken Basore, senior vice-president of research and development at Guidance Software. Shore up your policies and communicate them to your employees so that they know what is expected. A good lunch-and-learn session should take about two hours to prepare, an hour to create an invitation and get approval, and an hour to deliver, Basore said. And if you record the session and make it available, it can be re-used as a refresher session for other employees.
Check your physical security. Walk through your organization and see if there are unprotected network jacks where anyone could plug in and access the network. Take a good look at your physical workspace and consider potential events and company procedures that could put information at risk, says Eric Cowperthwaite, vice-president of advanced security and strategy at Core Security. “What if a fire alarm went off, or the building had to be evacuated for another reason? How does the reentry process work? Would it be easy for an intruder to sneak in? It’s okay to get a little paranoid here–better safe than sorry.”
Plan your year. You are “more likely to meet your security goals if you plan out the necessary maintenance at the beginning of the year,” says Cowperthwaite. Figure out your penetration testing calendar and budget—for most organizations, that would be at least once a quarter and an internal network test once a year. If you already have it in your calendar, you are less likely to overlook it.
Thank your people. Remind your important employees that they are important and that you value them. Your key IT, security, and other staff keep your organization safe. If you don't treat these employees well, they can get disgruntled and become hostile insiders. “This is a good time of year for a little bonus or reward to help them feel appreciated. And, that does not always have to be a big raise. Even something as simple as a dinner for two goes a long way towards making that employee feel special. And that investment in their well-being is priceless,” Heimerl says.