Week 13 - Cybersecurity Policy

aka — okay, it's bad..
..what to DO about it.
Glad you asked..

BROADLY

For better or worse...
..catastrophic failure is not seen as bad as "failure to prepare"

So then, despite reality:

If you can reasonably show that you've done
industry standards, you're probably good to go.

This is, of course, misaligned incentives.
If it's YOUR PERSONAL stuff we're talking — you'll want to do the real deal,
more on that later

Industry standards?

Okay, what are they?

Good question.
They change all the time. Will discuss broad concepts below.
Mix with names like Norton and McAfee

Policy in General

Write down a clear policy

(Both of these are extremely difficult, maybe literally the hardest part)

Employee training
OPEN LINES OF COMMUNICATION - Encourage a collaborative environment
Be clear and REALISTIC when it comes to WORK v NON-WORK

Encryption / Privacy

Consider both "default/standard" and "atypical" i.e.
- Be sure to use defaults, e.g. SSL
- Consider well accepted if not famous tools (e.g. Veracrypt/LUKS)

Infrastructure Protection

Sure, do all the firewalls and the antivirus.
It's a cat-and-mouse game, always, so do them because you're supposed to,

but also understand that they may not be very good

REDUNDANCY

Software Updates

On one hand they're usually a good idea, on the other...
This is DICEY, y'all. See what happened with Macs THIS WEEK.
REDUNDANCY (more on that below)

User Access and Security Measures

Password Policy
Account auditing (remove old accounts, keep these up to date)
Consider remote access policy, e.g. through company VPNS

..which frankly, I'm not sure are particularly useful?

Email

Consider filtering tools (spam) and send recieve policy

(again, this is much easier with official work emails)

Wall off work and non work email.
Discourage crossover personal email use, if possible

Website Security

SSL / or provider
(This is generally not TOO hard unless you do websites yourself;
you can generally outsource and rely on "state of the art")

Network

Firewalls
Password protection
Network Segmentation - Airgaps?
Remote use policy
BYOD Policy?

ONCE AGAIN--

Appear to be state of the art.

My personal IT rule, as I have discovered:

Prepare to be shocked. This stuff is ALL OVER THE PLACE.

But what if it literally is YOUR STUFF?

FAIL ELEGANTLY.

Disaster Recovery - REDUNDANCY

IMHO for reality NOTHING is more important than this
But is also difficult because you must consider data safety / privacy as well.

Disaster Recovery - REDUNDANCY

Consider SYNC and BACKUP (which are not always exactly the same)
(Perhaps you've heard RAID IS NOT BACKUP?)

SYNC

One part of a good disaster recovery:
Mirror/Sync all your stuff in real time if possible.
Both multiples onsite and offsite as well

BUT ALSO, BACKUP, not SYNC

ALSO

have backups that are NOT mirrored/synced in real time...

...but merely periodically. Keep multiple timelines and timeframes (daily, weekly, monthly, yearly, etc)

REDUNDANCY in systems

Try not to be a monoculture anything?
Mix old and new operating systems
(even if you have to keep the old ones ..

OFFLINE

I'm genuinely not sure why "offline strategy" appears to not be strongly pushed..
...well, actually I am. How else will you sell "the cloud" to people who don't need it?

The Cloud

Again, same story: Redundancy, and mostly

WATCH OUT for services you don't pay for.

Backlinks: FSU Courses:LIS4774:RawSlides