9 ORGANISATIONAL SECURITY STEPS

In this chapter, we cover the security policies that organisations should put in place in order not only to protect their users from being attacked, but ultimately to protect the organisation itself. The chapter covers directive policies, which are aimed at informing users what they may or may not do; administrative policies, which detail how the organisation should prepare for and, if necessary, respond to cyber security incidents; communal policies, including business continuity and disaster recovery; and finally, technical policies, which go into greater detail about technical issues.

While all of the personal, physical and technical controls described in Chapter 8 will be sufficient for individuals and small businesses, larger organisations will need to undertake more significant activities in order to maintain good security. However, before we examine these areas, there are two key points that organisations should consider in far greater detail:

  • Understand your data – it is absolutely vital that organisations understand the nature of the information over which they have control. This will not only be their own data but may also be other people’s or organisations’ information for which they are deemed to be data processors in the sense of the data protection legislation, or which they are simply storing, as in the case of a cloud provider.
  • Protect the data, not just the perimeter – many organisations concentrate on preventing unauthorised access from outside the network without realising that an equally dangerous threat comes from insiders. While it is essential to protect the organisation’s network perimeter, it is vital to ensure that access to information from within is equally well protected, principally by the use of strictly enforced access permissions.

SECURITY POLICIES OVERVIEW

Organisations should produce and maintain an overall security policy, which will set the scene for other policies that may be required. In general, security policies need not be lengthy documents, since they do not require a great level of detail – this can be incorporated in lower-level documents such as processes, procedures and work instructions.

For ease of use and clarity, a security policy should generally contain no more than eight sections:

  1. an overview, stating what aspect of the organisation’s operations the policy is intended to address;
  2. the actual purpose of the policy;
  3. the scope of the policy – both what is within scope and what is not;
  4. the policy statements themselves – usually the largest part of the policy document;
  5. requirements for compliance – including, if appropriate, the penalties for failing to observe the policy, whether these are required by the organisation, the sector regulator, national legislation, national or international standards, or if they are simply good practice;
  6. any related standards, policies and procedures;
  7. definitions of terms used within the policy;
  8. revision history, including who is responsible for the security policy itself.

The overall security policy would normally contain policy statements along the lines of:

  • The organisation’s information must be protected in line with all relevant legislation, sector regulations, business policies and international standards, in particular those relating to data protection, human rights and freedom of information.
  • Each of the organisation’s information assets will have a nominated information owner who will accept responsibility for defining the appropriate uses of that asset and ensuring that appropriate security measures are in place to protect it.
  • The organisation’s information will only be made available to those who have a legitimate business need.
  • All the organisation’s information will be classified according to an appropriate level of privacy and sensitivity.
  • The integrity of the organisation’s information assets must be maintained at all times.
  • Individuals who have been granted access to information have the responsibility to handle it in an appropriate manner and according to its classification.
  • The organisation’s information must be protected against unauthorised access.
  • Compliance with the organisation’s information security policies will be enforced.

Organisational security steps fall broadly into four areas:

  • directive policies that state ‘you must’ or ‘you must not’;
  • administrative policies, that is those that are underpinned by an administrative function, such as access control;
  • communal policies in which large parts of the organisation must work together;
  • technical policies that require specific hardware, software or both.

The following policies and operational controls are likely to be implemented both by SMEs and within medium to large organisations.

DIRECTIVE POLICIES

Directive policies are concerned with individual behaviours and tell individuals what they should or should not do. As with all policies, there should be some mention of the consequences of failing to adhere to them, including any penalties that will be applied.

Acceptable use

Acceptable use policies are those to which all users of the organisation’s network and services, whether temporary staff, contractors or permanent members of staff, should adhere.

Acceptable use will normally include such areas as personal access to the internet (browsing, shopping, etc.) and email. It may also cover use of organisational facilities when posting on blogs and social media.

Data and information retention

The organisation’s data and information retention policy will link closely with its information classification policy and where appropriate must consider the requirements of data protection, human rights and freedom of information legislation, since this will impact on the amount of time for which personal information may be stored, for example, as required by Principle 5 of the Data Protection Act 2018.1

Information classification

An organisation is likely to possess many different types of information, including publicly available information; information that should be restricted to staff generally; and information that should be available only to very specific members of staff.

The information classification policy should define these levels, avoiding generic terms such as ‘confidential’ or ‘restricted’, since these can have different meanings, not only between the public and private sectors, but also between similar organisations.

For each type of information, the policy will dictate how and where the information is stored (and in some cases where it may not be stored); its retention period; how it is labelled; the extent to which it may be shared; how and where it must be backed up; how it is transported; and finally, how it is destroyed when no longer required.

Peer-to-peer (P2P) networking

One of the simplest methods for distributing malware is by concealing it inside files being shared on P2P networks. Unless it is a business imperative, organisations should enforce a policy forbidding the use of P2P networking, including P2P on company computers used at home and on individuals’ personal computers used on the organisation’s network.

ADMINISTRATIVE POLICIES

Administrative policies deal more with the steps that individuals or groups of individuals take in order to protect the wider organisation. These policies will determine the capabilities of all users within the organisation as opposed to the dos and don’ts of individual users.

Access control

This determines how applications and information are accessed, and can be achieved in a number of ways, including role-based access, time of day or date, level of privilege, and whether access is read-only or read-write.

An access control policy can quite reasonably include the requirement for different methods of authentication, such as single sign-on, digital certificates, biometrics and token-based authentication.

Change control

Uncontrolled changes are a frequent cause of problems in systems and services. The change control policy will describe the process for making changes to the systems and their supporting network, including the operating system and applications. This may involve detailed analysis of the proposals prior to any attempt at implementation and may also include functionality and load testing prior to roll out.

Hand in hand with the change control function is that of change management, which includes informing users of impending changes and having a back-out process that would be invoked should the change fail for any reason.

Termination of access

When employees leave the organisation, it is vital that their access permissions are terminated. If an employee transfers to a new department or to a new role within the existing department, then existing permissions should still be terminated (as opposed to being modified), and then reinstated at levels appropriate to the new role.

Viruses and malware

Viruses and other malware can infect systems without warning and must be dealt with in a formalised manner rather than an ad hoc approach that may do more harm than good. The policy will define who will address the problem and the procedure they will follow to identify, isolate if possible, and remove or quarantine the virus.

Passwords

Password management is a key aspect of information security policy, and one that is frequently overlooked.

Users are notoriously bad at password management. They will (when they can get away with it) use passwords they find easy to remember, such as their mother’s maiden name, their birthday, or the name of their pet, all of which are relatively simple for an attacker to guess or discover. Users should be warned of the dangers of this practice and advised how to create strong passwords.

In the past, the general advice has always been to recommend a minimum password length; to use a complex combination of letters, numbers and other symbols; and to force the user to change their password at intervals.

The USA’s National Institute of Standards and Technology has recently changed its view on passwords and has published a draft of a new standard – SP 800-63-3,2 which deals with digital identity. The draft currently makes three recommendations of things that organisations should do, and four that they should avoid.

Things that organisations should do:

  • Since users are only human, instead of placing the burden on the user, place the burden on the verifier. It is much easier to write one piece of software than it is to force hundreds or thousands of users to conform to a set of rules, and this is also less stressful on the users.
  • Size matters – check for password length and require users to input a minimum number of characters.
  • Check the passwords the users enter against a dictionary list of known poor or bad passwords and require the users to try again if the test proves positive.

Things that organisations should avoid:

  • Complex rules for composition, such as a combination of upper- and lower-case letters, numbers and other keyboard symbols. These are almost impossible for users to remember (especially if they are required to have different passwords for each application) and may only result in users writing them down.
  • Password hints can help the users remember their passwords, but they can also provide clues to an attacker. Since the originator of a targeted attack may well have undertaken considerable research into their target, such clues could easily betray the user’s credentials.
  • Credentials chosen from lists are similarly of dubious value. Such choices as mother’s maiden name, town of birth, name of first school and so on are just as likely to be known to a serious attacker as the hints described above.
  • Expiration of passwords after a finite period of time does little to improve password security, and only serves to complicate matters for the user. Users should have the option to change their password if they feel that it may have been compromised but forcing them to do it without good cause only adds to their burden.

As mentioned in Chapter 8, there is excellent advice from NCSC regarding passwords, which recommends the use of three random words.

The policy should also include a statement regarding the changing of default passwords, especially those that allow root access to systems and network devices such as firewalls and routers.

Occasionally, passwords are embedded within applications, especially in cases where one application must connect and exchange data with another without human intervention. The use of embedded passwords should be avoided wherever possible, since they may be widely known and therefore represent a potential avenue of attack, but if they must be used, they should be changed from the manufacturer’s default.

No password is immune from a ‘brute force’ search in which an attacker’s computer tries every combination of characters until it eventually finds the right one. Using long passwords will make this much more complicated, and the attacker may simply give up and move on to another, possibly easier, target.

Users also have a habit of using the same password on multiple systems. Attackers know this, and if they discover one of a user’s passwords, it will normally allow them to access other systems as well. Users should have a different password for each system to which they require access.

If users must have multiple passwords and have difficulty in remembering them all, a password management tool may well be an appropriate solution as discussed in Chapter 8; alternatively, single sign-on is a method that can be used to alleviate multiple password issues.

Users should also be discouraged from reusing passwords, and where available, some access control systems, such as Microsoft’s Active Directory, can be configured to forbid reuse within a certain period of time.
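The verifier-side approach recommended by NIST above, together with the reuse restriction just mentioned, can be written as a small password-acceptance routine. This is an added example, not code from the book or from NIST: it enforces a minimum (and maximum) length, rejects candidates found on a known-bad list, imposes no composition rules or expiry, and refuses a password that matches one of the account's recent hashes. The thresholds, the blocklist, the username check and the PBKDF2 parameters are all assumptions made here.

```python
"""NIST SP 800-63-3 style password verifier (added example, constructed data)."""
from __future__ import annotations
import hashlib
import hmac
import os
import unicodedata
from dataclasses import dataclass, field

MIN_LENGTH = 8       # assumption: floor for user-chosen passwords
MAX_LENGTH = 64      # assumption: cap high enough to allow long passphrases
HISTORY_DEPTH = 5    # assumption: how many previous passwords are remembered
PBKDF2_ROUNDS = 100_000   # assumption: work factor for the stored hash

# Constructed known-bad list; a deployment would load a large breach-derived list.
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1", "iloveyou"}


def normalise(password: str) -> str:
    """Unicode NFKC so that visually identical inputs compare and hash equally."""
    return unicodedata.normalize("NFKC", password)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the normalised password."""
    return hashlib.pbkdf2_hmac("sha256", normalise(password).encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest)

    def was_used_recently(self, password: str) -> bool:
        """True if the candidate matches any of the last HISTORY_DEPTH stored hashes."""
        return any(
            hmac.compare_digest(hash_password(password, salt), digest)
            for salt, digest in self.history[-HISTORY_DEPTH:]
        )

    def set_password(self, password: str) -> None:
        salt = os.urandom(16)
        self.history.append((salt, hash_password(password, salt)))


def check_password(password: str, account: Account) -> list[str]:
    """Return the reasons a candidate is rejected; an empty list means accepted.

    Deliberately absent: any requirement for upper/lower case, digits or
    symbols, and any notion of expiry, in line with the recommendations above.
    """
    pw = normalise(password)
    problems: list[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    lowered = pw.lower()
    if lowered in BREACHED:
        problems.append("appears on the known-bad password list")
    if account.username.lower() in lowered:
        problems.append("contains the username")   # assumption: context-specific check
    if account.was_used_recently(pw):
        problems.append("reused from recent history")
    return problems


if __name__ == "__main__":
    acct = Account("alice")
    for candidate in ["Password", "short1", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate, acct) or 'accepted'}")
```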

Removable media

While many types of removable media are now redundant (e.g. floppy disks and DVDs), some removable media, including USB memory sticks and external disk drives, can be not only a source of malware if they have been infected on another system outside the organisation, but also a means of users removing information from the organisation without authority.

Although not obviously seen as such, there are many USB devices that can easily act as removable media and become a source of malware, including smartphones, tablet computers and even e-cigarettes.

System hardware can be easily configured to prevent the use of removable media unless the user has a very specific, authorised need.

Shared network resources

Shared network drives are an extremely useful resource, allowing staff to move large files around the organisation. However, they suffer from one serious shortcoming: there is usually no audit trail of who copied files onto the drive and who subsequently copied them off.

Additionally, some forms of malware such as worms can infect multiple shared drives within a network.

If files are to be shared between users within the organisation, or with users outside the organisation, then a collaborative system such as Microsoft SharePoint should be considered, since this allows the organisation to select who can make use of the system to share files, and retain an audit trail of who has done what and when.

Segregation of duties

It is all too easy for organisations to allocate people who understand IT to wide-ranging roles, and in some situations this is a mistake, since it can provide administration-level users with the capability to create and allocate high-level user accounts for people who do not or should not have them.

This can lead, for example, to a member of staff being able both to order goods and to authorise their purchase, which can lead to fraudulent activities. The correct method of addressing this is to ensure that a particular type of user account cannot carry out both functions – in other words, to completely segregate the duties and access permissions of two account types.
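The ordering-versus-authorising conflict described above can be checked mechanically. The following is an added example (not from the book): it resolves each account's effective permissions through nested roles, reports any account holding both halves of a conflicting duty pair, and, as a second line of defence, refuses a purchase authorisation by the person who placed the order. The role graph, account names and conflict table are constructed for illustration.

```python
"""Segregation-of-duties check (added example, constructed data)."""
from __future__ import annotations
from collections import deque

# Constructed role graph: role -> (permissions granted directly, roles inherited).
# Nested roles model group membership in a directory such as Active Directory.
ROLES: dict[str, tuple[set[str], set[str]]] = {
    "requisitioner": ({"order_goods"}, set()),
    "approver":      ({"authorise_purchase"}, set()),
    "finance_lead":  ({"view_ledger"}, {"approver"}),      # inherits approver
    "helpdesk":      ({"reset_password"}, set()),
    "it_admin":      ({"create_account", "grant_admin"}, {"helpdesk"}),
}

# Duty pairs that must never be held by a single account. The first pair is the
# ordering/authorising case from the text; the second (assumption) models the
# account-creation/privilege-granting case mentioned just before it.
CONFLICTING_DUTIES = {
    frozenset({"order_goods", "authorise_purchase"}),
    frozenset({"create_account", "grant_admin"}),
}


def effective_permissions(roles: set[str]) -> set[str]:
    """Resolve nested role membership breadth-first; safe against cycles."""
    seen: set[str] = set()
    perms: set[str] = set()
    queue = deque(roles)
    while queue:
        role = queue.popleft()
        if role in seen:
            continue
        seen.add(role)
        direct, inherited = ROLES[role]
        perms |= direct
        queue.extend(inherited)
    return perms


def sod_violations(accounts: dict[str, set[str]]) -> dict[str, list[tuple[str, ...]]]:
    """Map each offending account to the conflicting duty pairs it holds."""
    violations: dict[str, list[tuple[str, ...]]] = {}
    for user, roles in accounts.items():
        perms = effective_permissions(roles)
        hits = [tuple(sorted(pair)) for pair in CONFLICTING_DUTIES if pair <= perms]
        if hits:
            violations[user] = sorted(hits)
    return violations


def authorise_purchase(order: dict, approver: str, accounts: dict[str, set[str]]) -> str:
    """Transaction-time check: the approver needs the permission and must not be the orderer."""
    if "authorise_purchase" not in effective_permissions(accounts[approver]):
        raise PermissionError(f"{approver} may not authorise purchases")
    if order["ordered_by"] == approver:
        raise PermissionError("segregation of duties: orderer cannot authorise their own order")
    return f"order {order['id']} authorised by {approver}"


if __name__ == "__main__":
    # Constructed accounts: dave and erin hold toxic combinations.
    sample = {
        "bob": {"requisitioner"},
        "carol": {"finance_lead"},
        "dave": {"requisitioner", "finance_lead"},
        "erin": {"it_admin"},
    }
    for user, pairs in sod_violations(sample).items():
        print(f"{user}: holds conflicting duties {pairs}")
    print(authorise_purchase({"id": "PO-1", "ordered_by": "bob"}, "carol", sample))
```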

Backups and restoral

Organisations should always operate a policy that demands that information is backed up; including the backup intervals (which may differ for different information elements); the backup method (for example, full or incremental); the media upon which backups are stored; whether backup media is kept on the organisation’s premises (but not in the same location as that of the data being backed up) or at a third-party location; the maximum time allowed for recovering the data, including transport from third-party sites; and how often backup media is tested for reliable restoral.

Most large organisations will have a backup policy, but as with all policies, this should be regularly reviewed to ensure that the correct systems are being backed up to some form of removable (encrypted) media, which is then stored off-site in a secure location. However, that is only half the story, since many organisations have discovered to their cost that after a period of time some backup tapes or disks cannot be read, and so it is essential to perform a test restoral of data at intervals as a sanity check.

As an alternative to conventional backups, some organisations rely on the use of cloud services to maintain a long-term store of data, and while this might be a cost-effective solution, it does require careful planning and management, since it is often very easy to delete files stored in the cloud, which rather defeats the object of the exercise.

Another increasingly popular alternative, where an organisation has moved to virtualisation and makes use of storage area networks (SANs), is to configure a second SAN for backup. The backup SAN can be updated daily or by regular snapshots during the day. However, additional backups to other media would normally be recommended.

Antivirus software

Some organisations have begun to move away from antivirus software, having been put off by stories in the media about its lack of effectiveness, especially when new malware appears but has not yet been addressed by the antivirus software author. These are called ‘zero-day’ vulnerabilities, since once they become known, the author has no time at all in which to provide a fix.

However, even if antivirus software does not identify and trap every piece of malware, it will prevent known malware from causing problems by neutralising or quarantining the offending virus, so it is still very much worthwhile maintaining an antivirus capability and ensuring that it is kept fully up to date.

Larger organisations are now moving away from dedicated antivirus software loaded on individual computers and are opting instead for Managed Detection and Response (MDR), in which a suitably qualified organisation takes over the responsibility for detecting and dealing with viruses across the organisation’s entire network.

Software updates

Many of the key applications upon which organisations rely – for example, Microsoft Windows, Microsoft Edge and Microsoft Office, Adobe Acrobat Reader, Mozilla Firefox or Google Chrome – are all targets in which attackers find vulnerabilities. The authors of this software will invariably produce updates to fix known vulnerabilities at regular intervals, and it is essential that organisations keep these operating systems and applications fully up to date with the latest patches. Failure to do this can result in an attacker taking advantage of the gap between the vulnerability becoming known and the organisation applying the patch to fix it.

Where possible and practicable, automatic updating should be applied since this does not require further manual input from support staff and reduces the ‘patch gap’ to a minimum.

Additionally, any software update that will result in a major change to the operating system or applications should have a back-out plan so that the organisation can revert quickly and easily to the original version if problems are subsequently identified.

Remote access/working from home/guest/third-party access

With the advent of the Coronavirus pandemic in 2020, many organisations discovered the urgent need to introduce teleworking or remote access in order to allow staff to connect with the organisation’s information, systems and services while working from home, since the government’s rules at the time made it either difficult or impractical for staff to travel to their normal place of work.

This brought about the need either to install a completely new remote access infrastructure for those organisations that had never previously worked in this way, or to increase the remote access capability for those organisations that previously had made use of it.

Whether or not an organisation makes use of VPNs for network access, it will be necessary to define how staff and third-party contractors are able to access the network and its systems. This policy will also link closely with other policies such as access control, security awareness and passwords.

Wireless/mobile devices

This type of policy will set out the organisation’s requirements for implementing wireless access points around its premises; how the wireless infrastructure devices must be configured and secured, including the encryption method; whether the SSID is broadcast; and which bands and channels are to be used.

On devices that make use of Bluetooth for communications, Bluetooth should only be enabled when it is actually required and turned off afterwards. Once initially configured for use, the organisation should ensure that the device’s visibility is set to ‘Hidden’ so that it cannot be scanned by other Bluetooth devices. If device pairing is mandated, all devices must be configured to ‘Unauthorised’, which then requires authorisation for each connection request. Applications to connect that are unsigned or sent from unknown sources should be rejected.

For mobile devices supplied by the organisation, there will also need to be a section of the policy that regulates when and where these may be used over wireless networks that are not owned or provided by the organisation, for example public wireless or third-party networks.

This policy may well also include a definition of what information may be stored on the device; what applications may be loaded onto it; whether it may be used to gain access to the wider internet; and whether the user’s personal information stored on the device is or becomes the intellectual property of the organisation.

Increasingly, many larger organisations, especially those that encourage BYOD and remote working practices, are moving to Mobile Data Management (MDM) and Mobile Application Management (MAM) services, in which a degree of control is exerted over the user’s device so that it conforms to the organisation’s security policies.

Bring your own device (BYOD)

This policy will overlap to a certain extent with the mobile device policy described above, but in this case, the device – such as a laptop computer, tablet computer or smartphone – will be the personal property of the staff member as opposed to being owned by the organisation.

The policy may include statements regarding use by friends or members of the user’s family and may also require separate login procedures for access to the organisation’s network and, where necessary, hard disk drive encryption.

Peripherals

By default, many operating systems install auxiliary services that are not critical to the operation of the system, and which provide avenues of attack. When configuring users’ computers, system administrators can disable and remove unnecessary services and peripherals such as USB ports and SD card slots, which, once disabled, cannot be re-enabled or used except by the system administrator. This policy may form part of a more general procurement policy on the organisation’s IT infrastructure.

Isolation of compromised systems

Organisations that have detected that a system has been compromised would be well advised to isolate it quickly from the network in order to prevent possible malware from spreading to other systems on the network. Once removed, it would be sensible to perform a forensic analysis on the system, using a specialist organisation if the relevant skills are not available internally, and finally to restore the systems to normal operation using trusted media.

Browser add-ins and extensions

Attacks on internet browsers, add-ins and extensions are becoming increasingly prevalent, and it is critical that attackers should not be able to use vulnerabilities in software such as Microsoft Edge, Adobe’s Acrobat Reader or Adobe Flash to gain access to systems. Organisations should make use of the vendor’s automatic update or software distribution facilities to install patches as soon as they become available.

AutoRun

AutoRun is a facility provided on Microsoft Windows that permits a command file on media such as a USB memory stick, CD or DVD to execute when it is inserted into the computer. This is an extremely simple way for an attacker to gain access to a system, since the user may be totally unaware that the media is infected and may not notice the program is running.

Turning off AutoRun will probably be a minor inconvenience both to users and to system administrators, but is an excellent way of overcoming attacks that rely on AutoRun.

It is interesting to note that Apple’s MacOS operating system does not support this kind of facility.

Adobe Acrobat Reader

Adobe’s Portable Document Format (PDF) has become the de facto standard format for sharing information. Almost any file, presentation or document can be exported or converted into PDF format, and will look identical on any type of computer, smartphone or tablet that has Acrobat Reader software loaded. However, an increasing number of cyber-attacks are being conducted by inserting malware into PDF documents, which are then transferred to the reader’s device.

Organisations can protect their machines from such attacks hidden inside PDF files by downloading and actioning the advice from the NSA3 in order to harden Acrobat Reader.

Outsourcing

Organisations may find it economically advantageous to outsource certain aspects of their operations. This is increasingly so in the case of the organisation’s ICT infrastructure, and outsource service providers may offer to provide not only data storage, but also the operating system hardware and software and the application software required for the organisation’s operations.

In some cases, this will be provided at a dedicated third-party site, as is frequently used in DR arrangements; or it may be provided in a more virtual environment such as cloud services. In either case, it will be vital that the organisation has a clear policy regarding the selection of suppliers for this type of service, which will form the basis of a service level agreement (SLA) and should also include an exit policy should the organisation decide to move away from a supplier, especially with regard to ownership of indexing of the organisation’s information, and the subsequent destruction of any of the organisation’s information remaining in the cloud.

The organisation to which the information or infrastructure is outsourced must understand that those members of its staff who are authorised to access this will be bound by the same rules, directives and laws as the outsourcing organisation itself. This also must be made clear in the SLA.

COMMUNAL POLICIES

Communal policies are those that may have an impact not only on individuals within the organisation, but also on the wider context of the business and the environment in which it exists.

Contingency planning

Contingency planning determines how data or access to systems is made available to users during the prescribed hours of operation. The policy will cover what measures are to be put in place to ensure that access is available in the event of failure of either the systems themselves or the means of accessing them such as a web server and the associated supporting network.

A contingency planning policy will often link directly to a business continuity or to a disaster recovery policy.

Incident response

The organisation’s incident response policy will detail how disruptive incidents are reported, investigated and resolved. In the event that certain predefined failure thresholds are exceeded, additional measures such as business continuity and disaster recovery plans may need to be invoked.

A disruptive incident may also require communication regarding the incident to be made available to staff, customers, third-party suppliers, the public at large and, if the organisation is part of a highly regulated sector (such as energy, finance or transport), the incident may also require notification to the sector regulator.

As with business continuity and disaster recovery plans, incident response plans should be reviewed at regular intervals or when any major aspect of the organisation’s business changes, and also tested at regular intervals.

User awareness and training

Since many of the cyber security issues we experience are caused by users, making them aware of the risks they face – including the major threats, vulnerabilities and potential impacts – is a highly important step to achieving better cyber security.

Awareness is the first step and introduces users gradually to the things they need to know and understand, so that security becomes second nature to them, and they cease to foster bad security habits and move towards a position where they are fully committed to good security practice. This is then supplemented with training for those people who are more actively involved in day-to-day security operations, and who require specialist training courses in order to properly fulfil their role.

User awareness and training are covered in greater detail in Chapter 10.

TECHNICAL POLICIES

While the sections below refer to technical tools or controls, the implication is that for each there should be an equivalent policy which sets out the requirement. They may be necessary in order to allow other policies previously described to operate successfully, or they may stand on their own.

Spam email filtering

Spam email is the bane of most people’s lives. It can range from the simply annoying to the positively alarming. Nowadays, most email service providers check email passing through their systems and filter out those that have been previously flagged as spam.

However, this may not remove all spam email, as new spam messages will always arise, and some filters may either never add them to their blacklist, or it may take time for the spam to be reported. Organisations can make use of their own spam filters such as SpamAssassin,4 which will prevent unwanted email from entering users’ inboxes and junk mail folders.

Alternatively, organisations may outsource email scanning to a specialist organisation such as Message Labs. It is also vitally important to instruct users as part of the organisation’s awareness programme how to identify spam and junk mail even if it originates from a supposedly known and normally trusted source.

Audit trails

These allow an organisation to follow a sequence of events in cases where security incidents have occurred and, where necessary, to be able to show that a user has or has not carried out a particular action. Such evidence might be required in cases where legal proceedings take place, in which case the audit trail must also be forensically robust.

Firewalls

Firewall policies will determine the way in which firewalls are deployed and configured to form an integral part of the network, especially with regard to the rules that must be applied and subsequently maintained.

Firewalls should be used to block all incoming connections from the internet to services that the organisation does not wish to be available. By default, all incoming connections should be denied, and only allowed for those services that the organisation explicitly wishes to offer to the outside world.

Good practice also calls for the source IP address of an incoming session to be a valid public IP address and not one belonging to the business itself, since a packet arriving from the internet that claims to come from inside the organisation has almost certainly been forged. For example, if the business has a block of 32 public IP addresses, incoming traffic whose source address lies within that block must be filtered out.

In addition to firewalls, it may be advantageous to partition the organisation’s network into separate areas by splitting them according to their function, such as research and development, operations and finance, making it more difficult for an attacker to reach a particular service (see the later item on VPNs). Each area will become an independent security domain with firewall-controlled access between them.

It is also common practice for organisations to create another barrier between the external and internal networks by introducing a demilitarised zone, or DMZ.

Good practice also requires that any outgoing connection from the organisation to the internet originates from a specific proxy server or service located on a DMZ and not from within the main network.
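The rules described above (default-deny inbound, an explicit list of offered services, rejection of traffic that claims to come from the organisation’s own public block, and outbound sessions only from a proxy in the DMZ) can be expressed as a small decision function. The following is an added example, not part of the book and not any vendor’s firewall syntax; it uses a constructed /27 (32 addresses) from the 203.0.113.0/24 documentation range and a hypothetical proxy at 203.0.113.10.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Direction says which side of the perimeter a session is coming from.
type Direction int

const (
	Inbound  Direction = iota // internet -> organisation
	Outbound                  // organisation -> internet
)

// Policy captures the rules from the text: default-deny inbound, an explicit
// allow-list of offered services, anti-spoofing on the organisation's own
// public block, and outbound sessions only from the DMZ proxy.
type Policy struct {
	OwnBlock  netip.Prefix    // the organisation's public allocation
	Offered   map[uint16]bool // TCP ports the organisation chooses to expose
	ProxyAddr netip.Addr      // the single DMZ host allowed to originate outbound sessions
}

// isPublic reports whether addr is a routable public unicast address
// (not private, loopback, link-local, multicast or unspecified).
func isPublic(addr netip.Addr) bool {
	return addr.IsGlobalUnicast() && !addr.IsPrivate()
}

// Decide returns whether the session is permitted and the rule that decided it.
func (p Policy) Decide(dir Direction, src, dst netip.Addr, dstPort uint16) (bool, string) {
	switch dir {
	case Inbound:
		if !isPublic(src) {
			return false, "deny: non-public source address on external interface"
		}
		if p.OwnBlock.Contains(src) {
			return false, "deny: source claims to be inside our own public block (spoofed)"
		}
		if !p.OwnBlock.Contains(dst) {
			return false, "deny: destination is not one of our addresses"
		}
		if p.Offered[dstPort] {
			return true, fmt.Sprintf("allow: offered service tcp/%d", dstPort)
		}
		return false, "deny: default (service not offered)"
	case Outbound:
		if src != p.ProxyAddr {
			return false, "deny: outbound sessions must originate from the DMZ proxy"
		}
		return true, "allow: outbound from DMZ proxy"
	}
	return false, "deny: unknown direction"
}

// SamplePolicy is a constructed policy: a /27 (32 addresses) from the
// 203.0.113.0/24 documentation range, HTTPS and SMTP offered, proxy at .10.
func SamplePolicy() Policy {
	return Policy{
		OwnBlock:  netip.MustParsePrefix("203.0.113.0/27"),
		Offered:   map[uint16]bool{443: true, 25: true},
		ProxyAddr: netip.MustParseAddr("203.0.113.10"),
	}
}

// Evaluate is a string-based wrapper around SamplePolicy for callers that
// do not want to construct netip values themselves.
func Evaluate(dir Direction, src, dst string, dstPort uint16) (bool, string) {
	return SamplePolicy().Decide(dir, netip.MustParseAddr(src), netip.MustParseAddr(dst), dstPort)
}

func main() {
	cases := []struct {
		dir      Direction
		src, dst string
		port     uint16
	}{
		{Inbound, "198.51.100.7", "203.0.113.5", 443},   // customer reaching the web server
		{Inbound, "198.51.100.7", "203.0.113.5", 3389},  // remote desktop is not offered
		{Inbound, "203.0.113.9", "203.0.113.5", 443},    // our own address arriving from outside
		{Inbound, "10.0.0.4", "203.0.113.5", 443},       // private address on the internet side
		{Outbound, "203.0.113.10", "198.51.100.9", 443}, // the proxy going out
		{Outbound, "203.0.113.20", "198.51.100.9", 443}, // another host bypassing the proxy
	}
	for _, c := range cases {
		ok, why := Evaluate(c.dir, c.src, c.dst, c.port)
		fmt.Printf("dir=%d %-14s -> %-14s :%-5d %-5v (%s)\n", c.dir, c.src, c.dst, c.port, ok, why)
	}
}
```

The order of the checks matters: the anti-spoofing and bogon tests run before the service allow-list, so a forged packet is dropped even when it is aimed at a port the organisation does offer.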

Firewalls come in various shapes and sizes. Many require specialised hardware on which to operate, and well-trained staff to configure and maintain them. The decision on which type of firewall to use and how it should be configured is best left to specialist advice, since it must not only provide protection for the business against unwanted intrusion, but also meet the business needs as regards what can and cannot be transmitted through it.

Other firewalls come built into desktop operating systems – these are much simpler and require little, if any, configuration. On user computers these should always be enabled, and users should be given non-administrative accounts so that they are unable to disable them.

Encryption

The information encryption policy will go hand in hand with the information classification policy, in that it will define, for certain levels of information classification (for example, secret or top secret), how sensitive information will be encrypted and how the encryption keys will be managed and exchanged.

For example, information classified at a certain level could be exchanged between two people using a straightforward encryption mechanism such as PGP, with each owning their own encryption keys, while other information might require the use of a full-blown public key management system, with encryption keys centrally managed and distributed.

The policy should additionally make the distinction between information in transit (for example, within emails) and information at rest – that is, stored on hard drives or other media, especially if stored in the cloud.

For information at rest, encrypting the hard drive of a mobile user’s computer is relatively straightforward, and means that the device cannot be used without the user’s password to decrypt the data, making the information useless to anyone who steals it.

On Apple Mac computers, turning on the free built-in FileVault software5 will encrypt the entire hard drive, while for Windows users there are two options. The first, for Professional or Enterprise versions of Windows, is to enable the inbuilt BitLocker software.6 The second, for other versions of Windows, is to download and install the free VeraCrypt encryption software.7

Business data stored in the cloud should always be encrypted, since it is always uncertain in which country or countries the cloud storage is actually located, and those countries’ jurisdictions may not place a high level of protection on data, even to the extent of intercepting and analysing it themselves.

Sensitive information that is being moved to another location – whether by some form of media like a memory stick or by email – should always be encrypted, so that, again, anyone who is able to intercept the transmission or steal the media will be unable to access the information.

The symmetric AES keys used by enterprise organisations are typically 256 bits in length, whereas the keys used in asymmetric or public key cryptography are typically 2048 bits in length. The asymmetric keys are used in the initial setup of an encrypted session, to establish the fixed key that the symmetric algorithm will then use for the rest of the session. They are not typically used for the main encryption work because they require too much computation resource.

Secure Socket Shell (SSH) and Transport Layer Security (TLS) keys

SSH is a network protocol that provides administrators with a secure method of access to remote systems. It provides a means of strong authentication and encrypted communication between two systems over an insecure network, especially the internet. It is widely used by network administrators for the remote management of systems and applications, enabling them to log on to another system, execute commands and move files between systems.

The TLS protocol provides both confidentiality and integrity between two communicating applications exchanging information such as that between a user’s web browser and an internet banking or e-commerce application. TLS is also used in VPN connections, instant messaging services and Voice over Internet Protocol (VoIP) applications.

Both SSH and TLS make use of encryption keys (as described above) to secure the transfers; they are typically 256 bits in length.
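The division of labour described in the Encryption section and referred to again above, a 2048-bit asymmetric key used once to set up a session and a 256-bit symmetric key doing the bulk encryption, can be shown end to end. The following is an added example using Go’s standard library and is not code from the book; it uses RSA-OAEP to wrap a fresh AES-256-GCM session key, and the sample message is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what travels over the network: the per-session AES-256 key
// wrapped under the recipient's RSA-2048 public key, plus the GCM nonce and
// the ciphertext produced with that session key.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// Seal generates a fresh 256-bit session key, encrypts the message with
// AES-256-GCM, and wraps the session key with RSA-OAEP for the recipient.
func Seal(recipient *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32) // 256 bits, used only for this session
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Envelope{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// Open unwraps the session key with the recipient's private key and then
// decrypts; GCM's authentication tag turns any tampering into an error.
func Open(recipient *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Demo runs one session end to end: generate the long-lived 2048-bit key,
// seal, open, then flip one ciphertext byte and confirm the modified copy is
// refused. It returns the recovered text and whether tampering was rejected.
func Demo(message string) (recovered string, tamperRejected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, err
	}
	env, err := Seal(&priv.PublicKey, []byte(message))
	if err != nil {
		return "", false, err
	}
	plain, err := Open(priv, env)
	if err != nil {
		return "", false, err
	}
	env.Ciphertext[0] ^= 0x01
	_, tamperErr := Open(priv, env)
	return string(plain), tamperErr != nil, nil
}

func main() {
	out, rejected, err := Demo("constructed sample: payroll export 2024-Q1")
	fmt.Printf("recovered=%q tamperRejected=%v err=%v\n", out, rejected, err)
}
```

This is the key-transport form of the idea. Current TLS and SSH instead derive the session key from an ephemeral Diffie-Hellman exchange and use the long-lived asymmetric key to sign that exchange, which gives forward secrecy; the split between a slow asymmetric setup and a fast symmetric session is the same.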

Abuse of SSH and TLS keys is not uncommon. In order to reduce the likelihood of insiders taking advantage of these when they leave the organisation, which renders critical network infrastructure open to malicious access, it is recommended that organisations rotate SSH and TLS keys at intervals.

Digital certificates

Digital certificates are widely used to provide authentication of websites, particularly when conducting financial transactions. Digital certificates can be purchased from accredited certification authorities (CAs) both for personal use and by organisations. However, it is important to remember to renew the certificate (normally annually), since failure to do so renders the certificate useless, and users whose web browser detects this will receive a notification that the certificate has expired. This may result in their deciding not to continue with the online transaction, or being unable to.

Email attachments

As an integral part of their awareness training, employees should be instructed that they should not open email attachments unless they are expecting them. Additionally, users should be forbidden to execute software that has been downloaded from the internet unless it has been scanned for viruses and tested for security vulnerabilities. Users who visit a compromised website can unintentionally introduce malware.

Organisations should configure email servers to block or remove emails that contain those file attachments that are commonly used to spread malware, such as .vbs, .bat, .exe, .pif, .zip and .scr files.
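A mail gateway enforcing the attachment rule above has to look at each MIME part of the message rather than at the subject or body. The following is an added example, not code from the book or from any mail product, that parses a constructed message and reports which attachments the listed-extension policy would strip; the sender, recipient and file names are constructed.

```go
package main

import (
	"fmt"
	"io"
	"mime"
	"mime/multipart"
	"net/mail"
	"path/filepath"
	"strings"
)

// blockedExt is the policy list from the text, compared case-insensitively
// on the final extension so "invoice.PDF.exe" is still caught.
var blockedExt = map[string]bool{
	".vbs": true, ".bat": true, ".exe": true, ".pif": true, ".zip": true, ".scr": true,
}

// IsBlocked decides on the attachment's filename alone.
func IsBlocked(filename string) bool {
	ext := strings.ToLower(filepath.Ext(strings.TrimSpace(filename)))
	return blockedExt[ext]
}

// BlockedAttachments parses a raw RFC 5322 message and returns the names of
// attachments the policy would strip. Non-multipart messages have none.
func BlockedAttachments(raw string) ([]string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	mediaType, params, err := mime.ParseMediaType(msg.Header.Get("Content-Type"))
	if err != nil || !strings.HasPrefix(mediaType, "multipart/") {
		return nil, nil
	}
	var blocked []string
	mr := multipart.NewReader(msg.Body, params["boundary"])
	for {
		part, err := mr.NextPart()
		if err == io.EOF {
			break
		}
		if err != nil {
			return blocked, err
		}
		// FileName comes from the part's Content-Disposition header;
		// inline text parts have none and are skipped.
		if name := part.FileName(); name != "" && IsBlocked(name) {
			blocked = append(blocked, name)
		}
	}
	return blocked, nil
}

// SampleMessage is a constructed message with one benign attachment and two
// that violate the policy. Binary payloads are replaced with placeholder text.
var SampleMessage = strings.Join([]string{
	"From: sender@example.com",
	"To: staff@example.org",
	"Subject: Q1 documents",
	"MIME-Version: 1.0",
	`Content-Type: multipart/mixed; boundary="frontier"`,
	"",
	"--frontier",
	"Content-Type: text/plain",
	"",
	"Please see attached.",
	"--frontier",
	"Content-Type: application/pdf",
	`Content-Disposition: attachment; filename="report.pdf"`,
	"",
	"(payload omitted)",
	"--frontier",
	"Content-Type: application/octet-stream",
	`Content-Disposition: attachment; filename="invoice.PDF.exe"`,
	"",
	"(payload omitted)",
	"--frontier",
	"Content-Type: application/zip",
	`Content-Disposition: attachment; filename="notes.zip"`,
	"",
	"(payload omitted)",
	"--frontier--",
	"",
}, "\r\n")

func main() {
	blocked, err := BlockedAttachments(SampleMessage)
	fmt.Printf("blocked=%v err=%v\n", blocked, err)
}
```

A filename check is the minimum the policy asks for, not a complete defence: the declared Content-Type and the extension are both chosen by the sender, so production gateways also inspect file signatures and the contents of archives.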

Network security

Network security policies are very wide-ranging, considering how the organisation’s networks can be secured against intrusion using a combination of firewalls, intrusion detection software, antivirus software, operating system and application patching, and password protection.

These should include fixed and wireless local area networks (LANs and WLANs), VPNs, wide area networks (WANs) and SANs.

Virtual private networks (VPNs)

The use of virtual private networks is commonplace, especially in larger organisations, and a policy will be required that sets out how and where these are deployed; who may make use of them (for example, for remote access by staff, guests and third-party contractors); and how they are configured and secured.

The use of VPNs should be part of the organisation’s strategy that includes network segregation and firewall deployment.

Physical access

This will define how access to the physical areas of the organisation is controlled and may include perimeter fencing and gates with movement detection and/or CCTV systems, electronically controlled gates, and physical security guards.

Within the organisation’s sites, physical access control will normally be governed by electronic door access systems, whether by PIN, wireless proximity card or a combination of both. The supporting system will dictate the levels and locations of access available to individual members of staff, visitors and contractors.

Internally, infrared movement detection and CCTV systems are also frequently used, especially in highly sensitive areas.

Intrusion detection systems (IDSs)

As with many security tools, intrusion detection systems are just one weapon in the security manager’s armoury. As the name suggests, their purpose is to try to identify when unauthorised intrusion to a network or computer system is being attempted, and they are available in a variety of forms:

  • Host intrusion detection systems (HIDS) are installed on individual computer systems and monitor that system’s configuration only. If a HIDS perceives an abnormal change in a system configuration, it will send an alert message to a console for a security operator to examine.
  • Network intrusion detection systems (NIDSs) are installed on internal networks and subnetworks in order to detect abnormal network traffic such as attacks on firewalls. They will also report to a console if they detect an attack, but additionally can take some form of action, such as to change firewall rules.
  • Under certain circumstances it may be necessary to undertake such work using forensic techniques and to retain hard drives and data for possible use in legal proceedings.
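The core of a host intrusion detection system as described in the first bullet is a comparison between a stored baseline of the system’s configuration and its current state. The following is an added example, not code from the book or from any IDS product, that hashes a set of monitored files and reports what has been modified, added or removed; the file paths and contents are constructed, and a real agent would read them from disk with os.ReadFile.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Baseline maps a monitored file path to the SHA-256 of its contents.
type Baseline map[string]string

// Change is one difference between the stored baseline and the live system.
type Change struct {
	Path string
	Kind string // "modified", "added" or "removed"
}

// Snapshot hashes every monitored file. files maps path -> contents; a real
// agent would populate it with os.ReadFile.
func Snapshot(files map[string][]byte) Baseline {
	b := make(Baseline, len(files))
	for path, data := range files {
		sum := sha256.Sum256(data)
		b[path] = hex.EncodeToString(sum[:])
	}
	return b
}

// Compare reports what changed since the baseline, sorted by path so the
// output is stable enough to alert on.
func Compare(base, live Baseline) []Change {
	var changes []Change
	for path, h := range base {
		cur, ok := live[path]
		switch {
		case !ok:
			changes = append(changes, Change{path, "removed"})
		case cur != h:
			changes = append(changes, Change{path, "modified"})
		}
	}
	for path := range live {
		if _, ok := base[path]; !ok {
			changes = append(changes, Change{path, "added"})
		}
	}
	sort.Slice(changes, func(i, j int) bool { return changes[i].Path < changes[j].Path })
	return changes
}

// SampleChanges runs the comparison on a constructed pair of snapshots: a
// baseline, and a later state in which sshd_config was weakened, a scheduled
// job appeared and the hosts.allow list vanished.
func SampleChanges() []Change {
	baseline := Snapshot(map[string][]byte{
		"/etc/ssh/sshd_config": []byte("PermitRootLogin no\nPasswordAuthentication no\n"),
		"/etc/hosts.allow":     []byte("sshd: 10.0.0.0/8\n"),
		"/etc/passwd":          []byte("root:x:0:0:root:/root:/bin/bash\n"),
	})
	live := Snapshot(map[string][]byte{
		"/etc/ssh/sshd_config": []byte("PermitRootLogin yes\nPasswordAuthentication yes\n"),
		"/etc/passwd":          []byte("root:x:0:0:root:/root:/bin/bash\n"),
		"/etc/cron.d/updater":  []byte("0 * * * * root /opt/updater/run.sh\n"),
	})
	return Compare(baseline, live)
}

func main() {
	// Each line here is what would be sent to the security operator's console.
	for _, c := range SampleChanges() {
		fmt.Printf("ALERT %-9s %s\n", c.Kind, c.Path)
	}
}
```

The baseline itself must be stored where the monitored host cannot rewrite it (for example on the console server), otherwise an intruder who changes a configuration file can simply re-baseline it as well.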

1. See https://www.legislation.gov.uk/ukpga/2018/12/contents

2. See https://pages.nist.gov/800-63-3/

3. See https://www.scribd.com/document/280616716/Recommendations-for-Configuring-Adobe-Acrobat-Reader-XI-in-a-Windows-Environment

4. See https://spamassassin.apache.org/

5. See https://support.apple.com/en-gb/HT204837

6. See https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview

7. See https://sourceforge.net/projects/veracrypt/
