Computer security is still an unclear subject for many companies. For many of them, protecting information systems seems to require a bigger budget and more IT skills. However, there are some good practices, organizational rather than technical and simple to set up, that protect against the main attacks on the web.
Sort: remove unnecessary items
Keeping unnecessary items on your systems increases your attack surface, and therefore the risk of compromise, without any gain in return. Delete your useless data and web pages, and your unused services, plugins and technologies. That gives attackers less to aim at, and it also reduces what you have to manage!
Limit the risks of data theft: mapping and encryption
This is the third most common risk on the web, but the one that worries people the most. Exposure of sensitive data, that is, data being accessible to people who are not supposed to be able to consult it, is the main cause of data theft. Attackers look primarily for customer data, but may also be interested in information about your company, for example to build a social engineering attack.
To protect yourself, put a clear security strategy in place. Identify the criticality of your data (public, sensitive or confidential) and adapt its level of protection to this classification. This good practice is recommended by many laws and standards. Look into them: they are a mine of good practice and ideas for your web security!
And above all, make your data unusable even if it is stolen! To do this, encrypt data both at rest and in transit. Use encrypted protocols, such as HTTPS for the web, and encrypt your emails containing sensitive data. However, be careful not to use outdated encryption protocols, and manage your keys properly: if the encryption is weak or the keys are exposed, your data will be too.
Do not give attackers gifts: keep your technologies up to date
Here again, it is a subject regularly mentioned in the specialized press: the discovery of security vulnerabilities. Operating systems, frameworks, plugins: all have at least once contained a vulnerability whose fix required an update.
Typically, vendors release these fixes before attackers have time to exploit the corresponding vulnerabilities on a large scale. However, many companies do not apply the patch in time, and therefore remain exposed to attackers, who take full advantage of it.
To avoid giving them this gift, keep an inventory of all the components and technologies used on your information systems, together with their versions. By monitoring sources such as the CVE list, you can quickly identify whether a vulnerability could affect you, and then apply the patch as quickly as possible, on a case-by-case basis. Of course, this is more demanding than, say, applying updates once a month, but it provides much better security.
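As an added example (not code from the original article), the script below keeps the component/version inventory the paragraph recommends and checks it against a list of advisories to flag what needs patching; the inventory, the advisory identifiers and the version ranges are constructed placeholders, not real CVE data.

```python
"""Match a component inventory against vulnerability advisories.

Constructed example: the inventory and advisories below are made-up
sample data, and the advisory ids are placeholders, not real CVE numbers.
"""
import re
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '2.4.49' into (2, 4, 49); a pre-release suffix such as
    '-rc1' is dropped, so only the numeric parts are compared."""
    return tuple(int(n) for n in re.findall(r"\d+", v.split("-")[0]))


@dataclass
class Advisory:
    ident: str           # placeholder id, not a real CVE number
    component: str
    affected_from: str   # first affected version (inclusive)
    fixed_in: str        # first patched version (exclusive bound)


def is_affected(version: str, adv: Advisory) -> bool:
    v = parse_version(version)
    return parse_version(adv.affected_from) <= v < parse_version(adv.fixed_in)


def find_exposures(inventory: dict, advisories: list) -> dict:
    """Return {component: [(advisory id, fixed_in), ...]} for every
    deployed component whose version falls in an affected range."""
    hits = {}
    for adv in advisories:
        ver = inventory.get(adv.component)
        if ver is not None and is_affected(ver, adv):
            hits.setdefault(adv.component, []).append((adv.ident, adv.fixed_in))
    return hits


# Constructed sample inventory: component -> version currently deployed
INVENTORY = {"webserver": "2.4.49", "cms-plugin-gallery": "3.1.0", "database": "10.6.7"}

# Constructed sample advisories (placeholder ids)
ADVISORIES = [
    Advisory("ADV-0001", "webserver", "2.4.49", "2.4.51"),
    Advisory("ADV-0002", "cms-plugin-gallery", "1.0.0", "3.0.5"),  # already patched
    Advisory("ADV-0003", "database", "10.6.0", "10.6.8"),
    Advisory("ADV-0004", "mail-gateway", "1.0.0", "1.2.0"),        # not deployed
]

if __name__ == "__main__":
    for comp, advs in find_exposures(INVENTORY, ADVISORIES).items():
        fixes = ", ".join(f"{i} (fixed in {f})" for i, f in advs)
        print(f"{comp} {INVENTORY[comp]}: patch needed -> {fixes}")
```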
There are many reasons why companies postpone these updates, or never carry them out at all: lack of information or resources, version incompatibilities between programs, and so on. If the update really is too complex to apply right away, you then need to put a virtual patch in place (virtual patching): blocking exploitation of the vulnerability upstream, for example with a web application firewall rule, until the real update can be applied.