If you’re an infosec professional, you probably know a ton of security tips and best practices: use a firewall, update antivirus, patch regularly, adhere to the least privilege principle, don’t click unsolicited attachments, and so on. Chances are, you have probably implemented most, if not all, of those critical best practices already.
However, in my experience there is another, smaller subset of InfoSec tips and practices that offer good security benefits, but that few people actually implement in real life. So here are my top 5 rarely implemented security practices that I think you should reconsider:
1. Egress filter on your firewall. Everyone understands the primary purpose of firewalls. We use them to prevent external actors from accessing internal resources. In short, we tend to block all incoming traffic, unless it’s specifically to some resource we want to allow the public to access, like a Web or mail server.
However, you can also use your firewall to control your internal users’ access to the outside world, which is what we call egress filtering. Unfortunately, many of the organizations I’ve visited don’t egress filter. They allow their internal users full access to the Internet, regardless of the port, protocols, or applications with which the users connect. To egress filter, you start by blocking all outbound access by default. Then you slowly add policies to allow the specific types of outbound communication to which you want users to have access, such as DNS, the Web, Skype, FTP, etc.
Egress filtering realizes the advantages of the least privilege principle. There is no reason your users should have access to things that aren’t specifically required for your organization to do business. More importantly, egress filtering can limit what attackers can do if they are able to gain access to one of your computers. Malware and Trojans often communicate on non-standard ports, and attackers can use protocols like TFTP, SSH, or telnet—which your users might not need—to grab more malicious files. If you are egress filtering, you will block these communications, making it a bit more difficult for attackers to get out.
So if egress filtering is so useful, why don’t people do it? My simple theory is because it’s difficult at first. When you start egress filtering, you will surely get a handful of helpdesk calls. Even if you do a good job of creating policies for what you think your users need, you’ll probably miss some network communications and applications you didn’t know your employees used. While it might seem like a temporary hurdle for you to learn and add these additional policies, it actually gives you the opportunity to make a business decision on whether or not that communication is necessary.
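The default-deny approach described above can be rehearsed against existing outbound flow records before the firewall enforces it. This is an added example, not part of the original article; the allow-list, the four-field log format and the sample flows are constructed assumptions.

```python
from collections import Counter

# Assumed allow-list: (protocol, destination port) pairs the business approved.
ALLOWED_EGRESS = {
    ("udp", 53): "DNS",
    ("tcp", 53): "DNS",
    ("tcp", 80): "Web (HTTP)",
    ("tcp", 443): "Web (HTTPS)",
    ("tcp", 21): "FTP control",
}

# Constructed sample of outbound flow records: "src_ip proto dst_ip dst_port".
SAMPLE_FLOWS = """\
10.0.0.15 tcp 93.184.216.34 443
10.0.0.15 udp 192.0.2.53 53
10.0.0.22 tcp 198.51.100.7 22
10.0.0.22 udp 198.51.100.7 69
10.0.0.31 tcp 203.0.113.9 4444
10.0.0.31 tcp 203.0.113.9 4444
10.0.0.40 tcp 198.51.100.80 80
malformed line
"""

def parse_flow(line):
    """Return (src, proto, dst, port), or None for a line that does not parse."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].isdigit():
        return None
    src, proto, dst, port = parts
    return src, proto.lower(), dst, int(port)

def audit_egress(log_text, allowed=ALLOWED_EGRESS):
    """Apply default-deny: any flow not on the allow-list counts as blocked."""
    blocked, permitted, skipped = Counter(), 0, 0
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            skipped += 1          # keep a count so bad records are not silently lost
            continue
        src, proto, _dst, port = flow
        if (proto, port) in allowed:
            permitted += 1
        else:
            blocked[(src, proto, port)] += 1
    return permitted, blocked, skipped

if __name__ == "__main__":
    permitted, blocked, skipped = audit_egress(SAMPLE_FLOWS)
    print(f"permitted={permitted} skipped={skipped}")
    for (src, proto, port), n in blocked.most_common():
        print(f"would block: {src} -> {proto}/{port} ({n} flows)")
```

Each "would block" line is a candidate for the business decision mentioned above: either the communication is needed and gets its own policy, or it stays blocked.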
2. Encrypt sensitive email. This one seems like such a no-brainer, and yet so many organizations send sensitive emails — some containing confidential documents — over the Internet without encryption.
I’m sure everyone in the InfoSec industry understands SMTP traffic is totally clear text, unless you take specific measures to encrypt it. There are a number of good encryption standards or products that allow us to encrypt email, such as S/MIME, TLS, Pretty Good Privacy (PGP) and many proprietary options.
Article source: http://www.net-security.org/article.php?id=2048