OTA recommends that all organizations implement the following best practices:
- Enforce effective password management policies. Attacks against user credentials, including brute force, sniffing, host-based access and theft of password databases, remain very strong attack vectors and warrant effective password management controls. Best practices for password management include:
  - Use multi-factor authentication (e.g. one-time PINs) for access to administratively privileged accounts. Administrative accounts should be unique (not shared), monitored for anomalous activity, and used only for administrative activities;
  - Require users to have a unique password for external vendor systems and refrain from reusing the same password for internal system and personal website logins;
  - Require strong passwords of at least 8 characters combining letters and numbers, and force password changes every 90 days with limited reuse permitted;
  - Deploy a log-in abuse detection system that monitors connections, login counts, cookies, machine IDs and other related data;
  - Avoid storing passwords unless absolutely necessary, and store only passwords (and files) that are salted and hashed or otherwise encrypted;
  - Remove or disable all default accounts on all devices and conduct regular audits to ensure that inactive accounts can no longer access your infrastructure;
  - Remove access immediately for any terminated employees and for any third parties or vendors that no longer require access to your infrastructure.
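The following is an added example, not code from OTA or the original document, showing how three of the password recommendations above translate into code: the 8-character alphanumeric minimum, the 90-day rotation interval with limited reuse, and storing only a salted hash rather than the password. The PBKDF2 work factor, the storage string format and all function names are this example's own assumptions.

```python
"""Password-policy checks and salted hashing for stored credentials.

Added example (not from the OTA document). It applies three recommendations
from the list above: an 8-character alphanumeric minimum, a 90-day rotation
interval with limited reuse, and storing only salted hashes. The work factor,
storage format and function names are assumptions of this example.
"""
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta
from typing import List, Optional

MIN_LENGTH = 8           # from the recommendation above
MAX_AGE_DAYS = 90        # from the recommendation above
PBKDF2_ROUNDS = 210_000  # assumed work factor; tune to your hardware


def password_meets_policy(password: str) -> bool:
    """At least MIN_LENGTH characters, containing both letters and digits."""
    return (len(password) >= MIN_LENGTH
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<rounds>$<salt hex>$<hash hex>'.

    A fresh random salt per password means identical passwords produce
    different stored values, so a stolen database cannot be attacked with
    a single precomputed table. The plaintext is never stored.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(rounds))
    # hmac.compare_digest avoids leaking how many bytes matched via timing.
    return hmac.compare_digest(digest.hex(), digest_hex)


def password_expired(set_at_iso: str, now_iso: str) -> bool:
    """True when the password is older than MAX_AGE_DAYS (ISO-8601 inputs)."""
    set_at = datetime.fromisoformat(set_at_iso)
    now = datetime.fromisoformat(now_iso)
    return now - set_at > timedelta(days=MAX_AGE_DAYS)


def is_reused(password: str, previous_hashes: List[str]) -> bool:
    """Reject a new password that matches any retained earlier hash."""
    return any(verify_password(password, h) for h in previous_hashes)


if __name__ == "__main__":
    stored = hash_password("Correct9horse")
    print(stored)
    print("verify:", verify_password("Correct9horse", stored))
    print("expired:", password_expired("2024-01-01T00:00:00", "2024-06-01T00:00:00"))
```

Keeping only the last few hashes for the reuse check is what "limited reuse" means in practice: the check compares the candidate password against each retained hash rather than storing old passwords in the clear.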
- Least privilege user access (LUA) is a core component of a security strategy: all accounts should run with as few privileges and as little access as possible. LUA is widely recognized as an important design consideration in enhancing data security, and it also protects against malicious behavior and system faults. For example, a user might have privileges to edit a specific document or email campaign, but lack permissions to download payroll data or access customer lists. LUA controls also help to minimize the damage from exposed passwords or rogue employees.
- Harden client devices by deploying multilayered firewall protection (both client-based and WAN-based hardware firewalls), using up-to-date anti-virus software, disabling locally shared folders by default and removing default accounts. Enable automatic patch management for operating systems, applications (including mobile and web apps) and add-ons. All ports should be blocked to incoming traffic by default. Disable auto-running of removable media (e.g. USB drives, external drives, etc.). Whole disk encryption should be deployed on all laptops, mobile devices and systems hosting sensitive data.
- Conduct regular penetration tests and vulnerability scans of your infrastructure in order to identify and mitigate vulnerabilities and thwart potential attack vectors. Regularly scan your cloud providers and look for potential vulnerability points and risks of data loss or theft. Deploy solutions to detect anomalous flows of data, which will help detect attackers staging data for exfiltration.
- Require email authentication on all inbound and outbound mail streams to help detect malicious and deceptive emails, including spear phishing and spoofed email. All organizations should:
  - Authenticate outbound mail with SPF and DKIM, including parked and delegated sub-domains;
  - Adopt a DMARC reject or quarantine policy once you have validated that you are authenticating all outbound mail streams;
  - Implement inbound email authentication checks for SPF, DKIM and DMARC;
  - Encourage business partners to authenticate all email sent to your organization to help minimize the risk of receiving spear-phishing and spoofed emails;
  - Require end-to-end email authentication using SPF and DKIM with a DMARC reject or quarantine policy for all mail streams managed or hosted by third parties.
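As an added example that is not part of the OTA document, the checker below evaluates a domain's published SPF and DMARC TXT records against the outbound recommendations above: SPF must exist and not permit any sender, DMARC must exist and be at quarantine or reject rather than monitor-only, and sub-domains (parked or delegated) must not be left at a weaker policy. The zone data is constructed for the example rather than looked up in DNS; DKIM is not checked because its selector names are not discoverable from the domain alone, and the organizational-domain logic is a simplification noted in the code.

```python
"""Assess SPF/DMARC records against the email authentication recommendations.

Added example, not OTA tooling. SAMPLE_TXT stands in for DNS TXT lookups;
in production you would query a resolver for each name. Finding codes and
the organizational-domain shortcut are assumptions of this example.
"""
import re
from typing import Dict, List, Optional

# Constructed zone data: name -> TXT records. Not real domains' records.
SAMPLE_TXT: Dict[str, List[str]] = {
    "example.com": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"],
    "parked.example.com": ["v=spf1 -all"],        # parked sub-domain sends no mail
    "weak.example": ["v=spf1 include:mail.weak.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:reports@weak.example"],
    "nodmarc.example": ["v=spf1 a mx -all"],
    "lax.example": ["v=spf1 mx -all"],
    "_dmarc.lax.example": ["v=DMARC1; p=reject; sp=none"],
    "open.example": ["v=spf1 +all"],
}


def spf_record(domain: str, txt: Dict[str, List[str]]) -> Optional[str]:
    """Return the domain's SPF record (the TXT record starting 'v=spf1')."""
    for rec in txt.get(domain, []):
        if rec.lower().startswith("v=spf1"):
            return rec
    return None


def dmarc_record(domain: str, txt: Dict[str, List[str]]) -> Optional[str]:
    """DMARC lives at _dmarc.<domain> and starts with 'v=DMARC1'."""
    for rec in txt.get("_dmarc." + domain, []):
        if rec.upper().startswith("V=DMARC1"):
            return rec
    return None


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; sp=none' into a lower-cased tag dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def organizational_domain(domain: str) -> str:
    # Simplification for the example: last two labels. Real code must use the
    # Public Suffix List, otherwise "example.co.uk" is handled wrongly.
    return ".".join(domain.split(".")[-2:])


def effective_dmarc_policy(domain: str, txt: Dict[str, List[str]]) -> Optional[str]:
    """Disposition that applies to mail from `domain`, following DMARC's
    fallback to the organizational domain's sp= (or p=) for sub-domains."""
    own = dmarc_record(domain, txt)
    if own is not None:
        return parse_dmarc(own).get("p")
    org = organizational_domain(domain)
    if org == domain:
        return None
    parent = dmarc_record(org, txt)
    if parent is None:
        return None
    tags = parse_dmarc(parent)
    return tags.get("sp", tags.get("p"))


def assess_domain(domain: str, txt: Dict[str, List[str]] = SAMPLE_TXT) -> List[str]:
    """Return finding codes; an empty list means the domain meets the checks."""
    findings: List[str] = []
    spf = spf_record(domain, txt)
    if spf is None:
        findings.append("SPF_MISSING")
    elif re.search(r"(^|\s)\+?all(\s|$)", spf):
        findings.append("SPF_PERMISSIVE")   # "+all"/"all" lets anyone pass SPF
    policy = effective_dmarc_policy(domain, txt)
    if policy is None:
        findings.append("DMARC_MISSING")
    elif policy == "none":
        findings.append("DMARC_MONITOR_ONLY")
    own = dmarc_record(domain, txt)
    if own is not None:
        tags = parse_dmarc(own)
        if tags.get("p") in ("quarantine", "reject") and tags.get("sp") == "none":
            findings.append("DMARC_SUBDOMAIN_MONITOR_ONLY")
    return findings


if __name__ == "__main__":
    for name in ("example.com", "parked.example.com", "weak.example",
                 "nodmarc.example", "lax.example", "open.example"):
        print(f"{name:20s} {assess_domain(name) or 'OK'}")
```

The `sp=` check is what the "parked and delegated sub-domains" item is about: a domain can be at `p=reject` while leaving every sub-domain unprotected, which is the gap a spoofer of `anything.example.com` would use.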
- Implement a mobile device management program, requiring authentication to unlock a device, locking out a device after five failed attempts, using encrypted data communications/storage, and enabling the remote wiping of devices if a mobile device is lost or stolen.
- Continuously monitor the security of your organization’s infrastructure in real time: collect and analyze all network traffic, analyze centralized logs (including firewall, IDS/IPS, VPN and AV logs) using log management tools, and review network statistics. Identify anomalous activity, investigate it, and revise your definition of anomalous activity accordingly.
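The example below is added here and is not from the OTA document; it serves both the log-in abuse detection item in the password section (login counts and machine IDs) and the centralized log analysis item above. It parses a constructed VPN authentication log and raises two kinds of finding: a burst of failed logins from one source address within a window, and one account successfully logging in from more than one device ID within the same window. The log format, thresholds and function names are assumptions of this example.

```python
"""Detect login-abuse patterns in centralized authentication logs.

Added example (not OTA's). The log format, the 5-failures-in-10-minutes
threshold and the multi-device rule are this example's own assumptions;
adapt the regex to your VPN/firewall log format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<source>\S+) auth=(?P<result>ok|fail) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) device=(?P<device>\S+)$"
)
FAIL_THRESHOLD = 5                 # assumed: failures from one source address
WINDOW = timedelta(minutes=10)     # assumed sliding window

# Constructed sample log (not real traffic); one malformed line included.
SAMPLE_LOG = """\
2024-03-02T08:00:01Z vpn auth=ok user=alice src=198.51.100.10 device=LAPTOP-01
2024-03-02T08:00:05Z vpn auth=fail user=bob src=203.0.113.7 device=UNKNOWN
2024-03-02T08:00:09Z vpn auth=fail user=carol src=203.0.113.7 device=UNKNOWN
2024-03-02T08:00:14Z vpn auth=fail user=dave src=203.0.113.7 device=UNKNOWN
2024-03-02T08:00:20Z vpn auth=fail user=erin src=203.0.113.7 device=UNKNOWN
2024-03-02T08:00:27Z vpn auth=fail user=frank src=203.0.113.7 device=UNKNOWN
2024-03-02T08:00:33Z vpn auth=fail user=grace src=203.0.113.7 device=UNKNOWN
2024-03-02T08:02:10Z vpn auth=fail user=bob src=198.51.100.22 device=LAPTOP-07
2024-03-02T08:02:40Z vpn auth=ok user=bob src=198.51.100.22 device=LAPTOP-07
2024-03-02T08:03:00Z vpn auth=ok user=alice src=203.0.113.50 device=PC-9
this line is malformed and must be skipped by the parser
"""


def parse_log(text: str) -> List[Dict[str, object]]:
    """Turn log lines into event dicts with a parsed timestamp; skip junk."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue                     # unparsable lines are counted nowhere
        e: Dict[str, object] = m.groupdict()
        e["ts"] = datetime.strptime(str(e["ts"]), "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def max_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of timestamps that fall inside any span of `window`."""
    times = sorted(times)
    best, j = 0, 0
    for i in range(len(times)):
        while times[i] - times[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def failed_login_bursts(events, threshold: int = FAIL_THRESHOLD,
                        window: timedelta = WINDOW) -> List[Tuple[str, int]]:
    """Source addresses whose failure count in some window reaches threshold."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            failures[str(e["src"])].append(e["ts"])   # type: ignore[arg-type]
    flagged = []
    for src, times in sorted(failures.items()):
        peak = max_in_window(times, window)
        if peak >= threshold:
            flagged.append((src, peak))
    return flagged


def multi_device_logins(events, window: timedelta = WINDOW) -> List[Tuple[str, List[str]]]:
    """Accounts that successfully logged in from >1 device ID within a window."""
    by_user: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for e in events:
        if e["result"] == "ok":
            by_user[str(e["user"])].append((e["ts"], str(e["device"])))  # type: ignore[arg-type]
    flagged = []
    for user, items in sorted(by_user.items()):
        devices = set()
        for t, _ in items:
            nearby = {d for tt, d in items if abs(tt - t) <= window}
            if len(nearby) > 1:
                devices |= nearby
        if devices:
            flagged.append((user, sorted(devices)))
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("failure bursts:", failed_login_bursts(evts))
    print("multi-device accounts:", multi_device_logins(evts))
```

The failure-burst rule needs the log to be centralized: the six failures above target six different accounts, so a per-account lockout never fires, and only a view across all VPN authentications from one source exposes the pattern.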
- Deploy web application firewalls to detect/prevent common web attacks, such as cross-site scripting, SQL injection and directory traversal attacks. Review and mitigate the top 10 list of web application security risks identified by the Open Web Application Security Project (OWASP). If relying on third-party hosting services, require deployment of firewalls.
- Permit only authorized wireless devices to connect to your network, including point of sale terminals and credit card devices, and encrypt communications with wireless devices such as routers and printers. Keep all “guest” network access on separate servers and access devices with strong encryption such as WPA2 with AES encryption or use of an IPSec VPN.
- Implement Always On SSL (AOSSL) for all servers requiring log-in authentication and data collection. AOSSL helps prevent sniffing of data transmitted between client devices, wireless access points and intermediaries.
- Review server certificates for vulnerabilities and for the risk of your domains being hijacked. Attackers often use “Domain Validated” (DV) SSL certificates to impersonate e-commerce websites and defraud consumers. Sites should upgrade from DV certificates to “Organizationally Validated” (OV) or “Extended Validation” (EVSSL) SSL certificates. OV and EV SSL certificates are validated by the Certificate Authority to ensure the identity of the applicant. EV SSL certificates offer the highest level of authentication and verification of a website. EVSSL gives users a higher level of assurance that the site owner is who they purport to be, presenting the user a green trust indicator in the browser’s address bar.
- Develop, test and continually refine a data breach response plan. Regularly review and improve the plan based upon changes in your organization’s information technology, data collection and security posture. Take the time after an incident to conduct a post-mortem and make improvements to your plan. Conduct regular tabletop exercises testing your plan and personnel.