Organization Hardening

This article is written for security specialists working at cloud-native companies. On-prem systems will have different requirements around physical security than ones which don’t have infrastructure hardware on site. Device security for employees will be covered, along with other physical and employee risks.

Authentication best practices, including MFA, and (actually) good password policies are in scope.

Finally, we’ll look at strategies organizations can pursue in order to have a security-first mindset. Proactive knowledge sharing around risks and best practices can have a multiplying factor across an organization.

Physical Security

Physical security has a reputation for not being as sexy as security engineering. Device inventories, policies & procedures, audits. Electronic doors and locks, security cameras, secure enclaves within the office.

Perimeter Security

Don’t overlook office perimeter security. Electronic doors and locks, and security cameras are critically important in securing any office, and provides audit-ability if the need arises.

Doors will never accidentally be left unlocked if a keyless locking system is in place. It’s small, but significant.

Documents And Devices

Sensitive documents and devices with sensitive data (laptops, thumb drives, etc) must be stored within a secure enclave in the office. This can consist of a room or closet with a solid door and tamper-proof lock. A safe within the secure enclave for the most sensitive documents & devices is perfectly reasonable.

Encrypt all hard drives. It’s easy to do these days and provides a big win.

Password Hygiene

There is a lot of misinformation out there about passwords and what makes for good policy. Fortunately, we do have some fairly objective ways to measure the effectiveness of various password practices and policies.

To start out, we must acknowledge the current state of password-based security: the password is dead.

Having minimum, or no requirements, around passwords is not acceptable. However, burdensome policies can actually make password hygiene worse among users. So what policies are proven to work?

Forced Password Changes

Forced password rotations, somewhat counter-intuitively, lead to worse overall password hygiene. So when should passwords change? According to LastPass:

After a service discloses a security incident.

There is evidence of unauthorized access to your account.

There is evidence of malware or other compromise of your device.

You shared access to an account with someone else and they no longer use the login.

You logged in to the account on a shared or public computer (such as at a library or hotel).

It’s been a year or more since you last changed the password, especially if you don’t have multi-factor authentication enabled.

Additionally, if HaveIBeenPwned reveals an account compromise, that password should be changed (as well as any accounts re-using that password).

Password Managers

According to a report by LastPass, the average person has 191 passwords. Without a password manager it’s literally impossible to have strong, unique passwords that are never re-used. Do some research, and propose one to use company-wide.

Multi-Factor Authentication

Multi-Factor Authentication is an authentication system, which combines something you know (your password) with something you have (your generated MFA code, bound to a physical device). In order to successfully authenticate, a user must have both their password and their device’s current MFA token. Tokens are dynamic, changing regularly.

MFA is increasingly moving from a smart recommendation to a requirement, and for good reason. Google reduced the effectiveness of phishing among its 85,000 employees to zero, by requiring MFA across its organization.

Keybase For Secret Management

Shared accounts. Documents. Forms. Development server keys, credentials. Employees have secrets, it’s unavoidable. And not all communication channels are safe.

Use tools that support E2E encryption for these types of communications, such as Keybase. Avoid email, IM, and physical copies when possible.

Security Champions

Recruit champions across the organization who are interested in improving security. Target at least one representative from each functional group, you don’t all need to meet in one room at one time. However you do need to meet with small groups on a regular basis.

A high performing security council will have a few primary goals and responsibilities outlined below.

Job-Based Risk Analysis

It’s hard to apply a one-size-fits-all approach to risk assessment and communication at the organization level. Meaning, customer support will have a different risks than QA. Engineers will have different risks than management. And so on.

Communicating directly with members of those teams, and understanding the primary threat vectors they face in day-to-day work will allow a more sophisticated risk analysis framework to be developed.

Best Practices Communication And Implementation

After identifying primary job-specific risks, use that information to craft security best practice recommendations. Accountability for following through on those recommendations falls to that team’s security champion, who is empowered to effect change within their team.

Foster A Red Team Mentality

Make it fun. Create short, informative presentations that include demos of hacks against the company’s platform. Show that hacking isn’t theoretical. Teach champions context specific ways to hack.

For non-technical folks, set them up with a script and show them how to run it. Set them up with a phishing campaign. Task them with swiping unsecured documents, thumb drives, or writing silly messages on unlocked and unattended computers.

Conclusion

Humans are prime first targets when an organization is attacked, yet we spend relatively little time addressing the problem. Most of the advice in this article is common sense:

Use strong, unique passwords.

Use a password manager.

Use MFA everywhere possible.

Avoid unencrypted channels for sensitive information.

So why don’t more people follow this commonsense advice? That is a critical failure in our profession. We’ve got to make it easier to do things the right way than it is do things the wrong way. To address this problem requires face-to-face dialog, leadership, mentoring, empathy, and empowerment. A security champion system is designed to be just such a framework.

A little bit of mischievous fun helps too.