What is security hygiene? Essentially, it is how well you manage your network security and the day-to-day activities of your employees that may compromise that security and open your company or agency up to exploitation.
Most exploits occur because non-malicious users unknowingly let bad actors into the enterprise. The security industry calls this the Unintentional Insider Threat problem.
Some examples are:
- Employees running old, vulnerable versions of software such as Flash or Java that are littered with exploitable problems (there is a good article on what the FTC thinks of Java). Here is another example of how an old version of Flash might be used to exploit the enterprise…
- Employees running risky software such as BitTorrent and Tor.
- Employees sending Personally Identifiable Information (PII) data such as passwords or credit card numbers over the internet in clear text.
- Employees going to nefarious websites.
- Employees clicking on phishing messages.
As you can see from the latest 451 Research study, User Behavior (14%) is the leading internal IT security pain point.
With NetWatcher, each week by default (the interval is configurable), all users get an email with the security posture of the network. The email has the widget, seen in figure 1, that gives you a score (out of 100, normalized over the number of assets on the network) and shows how many violations have resulted in open alarms of various priorities over the last 2 weeks. Executives like this email because it tells them very quickly whether their score is going up or down and what is driving it in one direction or the other. They can also click on each item in the grid to see the exact issue and which user or asset on the network is causing the potential risk.
If you navigate to the NetWatcher dashboard you can also install many widgets, like the two in figure 2, showing the number of users running risky or vulnerable software.
It’s important to deal with these hygiene issues as they arise. You can:
- Upgrade the software if necessary
- Remove the software if it is too risky
- Train the user on why the activity or software they are using exposes them and the company to exploitation
- Update employee policy documents to include what a user can and cannot do on the network
- Block the software at the firewall/router and/or use web gateways to block users from visiting bad sites and/or use email phishing services to force users to be smart about what they are clicking
You also want to keep an eye on what’s getting through your firewall, especially from countries like Iran, China and Russia. One of the widgets NetWatcher provides shows you all the countries that have triggered anomalous events once they made it through the firewall. If you click on any country in the widget in figure 3 you will be taken to the corresponding events and can review all the detail, including downloading the ‘pcap’, or look at related events that occurred on the same asset by the hour or day, allowing you to see if the bad actor may be migrating.
You can even set “Trip Wires” to send you an SMS message if one of these events (or any other event, for that matter) occurs. For example, here is an SMS trip wire set for any event from China, Iran or Russia.
You also need to keep a close eye on what network “Scanning” is making it through your firewall. NetWatcher provides widgets for this as well. Here is an example of multiple scans taking place on 2 different corporate assets.
With all of these Security Hygiene items it is up to you to determine whether they are normal and safe or whether you need to blacklist IP addresses or entire countries at the firewall/router so they can never enter the organization. Do your users do business in those countries? Do your users do business with the organizations that own the IP addresses of those scanning you? These are just a couple of the questions you will need to ask to determine the action necessary to increase your organization’s security posture.
This is just a small glimpse of what you can do with NetWatcher using just the simple IDS/Correlation engine. There are many other things you can do if you install the Secure Information & Event Management system, the End Point technology, the Active Scanning components or the Netflow analysis engine. Have fun!
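As an added illustration (not NetWatcher's code, which this post does not show), here is a small Python sketch of the two checks described above, a country trip wire and a scan detector, run over a constructed set of post-firewall events; the event format, the thresholds and the country codes are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of connection events seen after the firewall (hypothetical
# format, not NetWatcher's): timestamp, source IP, source country, asset, port.
EVENTS = [
    ("2016-03-01T10:00:01", "203.0.113.7", "CN", "10.0.0.5", 22),
    ("2016-03-01T10:00:02", "203.0.113.7", "CN", "10.0.0.5", 23),
    ("2016-03-01T10:00:03", "203.0.113.7", "CN", "10.0.0.5", 80),
    ("2016-03-01T10:00:04", "203.0.113.7", "CN", "10.0.0.5", 443),
    ("2016-03-01T10:00:05", "203.0.113.7", "CN", "10.0.0.5", 3389),
    ("2016-03-01T10:00:06", "203.0.113.7", "CN", "10.0.0.5", 8080),
    ("2016-03-01T10:05:00", "198.51.100.9", "US", "10.0.0.9", 443),
    ("2016-03-01T10:05:30", "198.51.100.9", "US", "10.0.0.9", 443),
    ("2016-03-01T11:00:00", "192.0.2.44", "IR", "10.0.0.9", 25),
]

TRIPWIRE_COUNTRIES = {"CN", "IR", "RU"}   # the countries named in the post
SCAN_PORT_THRESHOLD = 5                   # distinct ports on one asset ...
SCAN_WINDOW = timedelta(minutes=1)        # ... within this window (assumed)


def detect_scans(events, threshold=SCAN_PORT_THRESHOLD, window=SCAN_WINDOW):
    """Return (source IP, asset) pairs that touched at least `threshold`
    distinct ports on the same asset inside one `window`."""
    by_pair = defaultdict(list)
    for ts, src, _country, asset, port in events:
        by_pair[(src, asset)].append((datetime.fromisoformat(ts), port))
    flagged = set()
    for pair, hits in by_pair.items():
        hits.sort()  # chronological, so a window can be read forward from each hit
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= threshold:
                flagged.add(pair)
                break
    return flagged


def tripwire_hits(events, countries=TRIPWIRE_COUNTRIES):
    """Return the events whose source country is on the trip wire list;
    each of these is what would trigger the SMS described in the post."""
    return [e for e in events if e[2] in countries]


if __name__ == "__main__":
    print("scanning sources:", detect_scans(EVENTS))
    print("trip wire events:", len(tripwire_hits(EVENTS)))
```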