Week 13 - Cybersecurity Policy
aka — okay, it's bad..
..what to DO about it.
Glad you asked..
BROADLY
For better or worse...
..catastrophic failure is not seen as bad as "failure to prepare"
So then, despite reality:
If you can reasonably show that you've done
industry standards, you're probably good to go.
- This is, of course, misaligned incentives.
- If it's YOUR PERSONAL stuff we're talking about — you'll want to do the real deal,
- more on that later
Industry standards?
Okay, what are they?
Good question.
They change all the time. Will discuss broad concepts below.
Mix with names like Norton and McAfee
Policy in General
- Write down a clear policy
- Employee training
- OPEN LINES OF COMMUNICATION - Encourage a collaborative environment
- Be clear and REALISTIC when it comes to WORK v NON-WORK
Encryption / Privacy
- Consider both "default/standard" and "atypical", i.e.:
- Be sure to use defaults, e.g. SSL
- Consider well-accepted if not famous tools (e.g. VeraCrypt/LUKS)
Infrastructure Protection
- Sure, do all the firewalls and the antivirus.
- It's a cat-and-mouse game, always, so do them because you're supposed to,
- REDUNDANCY
Software Updates
- On one hand they're usually a good idea, on the other...
- This is DICEY, y'all. See what happened with Macs THIS WEEK.
- REDUNDANCY (more on that below)
User Access and Security Measures
- Password Policy
- Account auditing (remove old accounts, keep these up to date)
- Consider remote access policy, e.g. through company VPNs
- Consider filtering tools (spam) and send/receive policy
- Wall off work and non-work email.
- Discourage crossover personal email use, if possible
Website Security
SSL / or via your provider
(This is generally not TOO hard unless you do websites yourself;
you can generally outsource and rely on "state of the art")
Network
Firewalls
Password protection
Network Segmentation - Airgaps?
Remote use policy
BYOD Policy?
ONCE AGAIN--
- Appear to be state of the art.
My personal IT rule, as I have discovered:
Prepare to be shocked. This stuff is ALL OVER THE PLACE.
But what if it literally is YOUR STUFF?
FAIL ELEGANTLY.
Disaster Recovery - REDUNDANCY
- IMHO, in reality NOTHING is more important than this
- But it is also difficult, because you must consider data safety / privacy as well.
Disaster Recovery - REDUNDANCY
Consider SYNC and BACKUP (which are not always exactly the same)
(Perhaps you've heard RAID IS NOT BACKUP?)
SYNC
- One part of a good disaster recovery:
- Mirror/Sync all your stuff in real time if possible.
- Keep multiple copies, onsite and offsite as well
BUT ALSO, BACKUP, not SYNC
ALSO
- have backups that are NOT mirrored/synced in real time...
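An added example, not from the slides, that makes the SYNC-vs-BACKUP point concrete with a scratch directory and plain POSIX tools: the mirror faithfully copies the damage on the next sync, while the earlier numbered snapshot still holds the good data. The directory layout and the file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the slides): why a real-time SYNC is not a BACKUP.
# A mirror copies today's mistake; a point-in-time backup lets you go back
# to before the mistake. Everything happens in a throwaway scratch directory.
set -eu

LAB=$(mktemp -d)
SRC="$LAB/src"           # the data you actually work on
MIRROR="$LAB/mirror"     # the "synced" copy (think cloud sync / rsync --delete)
BACKUPS="$LAB/backups"   # numbered snapshots that are never overwritten
mkdir -p "$SRC" "$MIRROR" "$BACKUPS"

# mirror_sync: make MIRROR identical to SRC. Deletions and corruption in SRC
# propagate on the very next run; that is the whole point of a sync.
mirror_sync() {
  rm -rf "$MIRROR"
  cp -R "$SRC" "$MIRROR"
}

# snapshot_backup: copy SRC into a NEW numbered snapshot. Earlier snapshots
# are left untouched, so a bad change in SRC never reaches them.
snapshot_backup() {
  count=$(find "$BACKUPS" -mindepth 1 -maxdepth 1 -type d | wc -l | tr -d ' ')
  cp -R "$SRC" "$BACKUPS/snap-$((count + 1))"
}

# recover FILE N: print FILE as it was in snapshot N (empty if not present)
recover() {
  cat "$BACKUPS/snap-$2/$1" 2>/dev/null || true
}

# --- constructed scenario -------------------------------------------------
printf 'Q3 ledger, good numbers\n' > "$SRC/ledger.txt"
mirror_sync                  # real-time sync picks up the good file
snapshot_backup              # nightly backup #1 has it too

# The "disaster": ransomware, a fat-fingered script, a bad update...
printf 'GARBAGE\n' > "$SRC/ledger.txt"
mirror_sync                  # ...and the sync dutifully mirrors the damage
snapshot_backup              # backup #2 now holds the damaged version as well

mirror_has()  { cat "$MIRROR/ledger.txt"; }   # all the mirror can give you
backup1_has() { recover ledger.txt 1; }       # what snapshot 1 still holds

printf 'mirror : %s\n' "$(mirror_has)"    # GARBAGE
printf 'snap-1 : %s\n' "$(backup1_has)"   # Q3 ledger, good numbers
```

The same logic is why RAID is not backup either: a RAID array mirrors writes in real time, so a bad write lands on every disk at once.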
REDUNDANCY in systems
Try not to be a monoculture anything?
Mix old and new operating systems
(even if you have to keep the old ones ..
OFFLINE
I'm genuinely not sure why "offline strategy" appears to not be strongly pushed..
...well, actually I am. How else will you sell "the cloud" to people who don't need it?
The Cloud
Again, same story: Redundancy, and mostly
- WATCH OUT for services you don't pay for.
Backlinks: FSU Courses:LIS4774:RawSlides