Part 1 of this series dealt with servers and the computers that host them, and how and why we keep them running at maximum performance. In Part 2, we discussed “virtualization” and the “physical hosts” that contain “virtual machines”, as well as Data Structure and Storage. This final piece deals with hardware including mobile devices, applications, email messaging and physical security.
Screen Locking – Are your machines set to lock after a certain period of inactivity? This prevents people who are not authorized from using computers and possibly exploiting them.
USB Storage – You should be restricting USB storage devices from being connected to your workstations, for two reasons. First, attaching USB devices to a workstation is one way for viruses to get into the computer, then possibly into your entire environment. Second, this is a way for proprietary information to be copied and stolen.
Power Settings – Your workstations should go into sleep or hibernate mode after a certain period of inactivity. This conserves power and may extend the life of the unit. (Updating and patching can still be done when the workstation is in this state.)
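A read-only check of the screen-locking and USB-storage items above, as an added example that is not part of the original article. It assumes Windows workstations; the function names and the 900-second threshold are assumptions, and the registry values read are the ones behind the "Machine inactivity limit" setting, the USB mass-storage driver, and the "All Removable Storage classes: Deny all access" policy.

```powershell
# Added example (not from the article): read-only audit, assumes Windows.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-WorkstationBaseline {
    param([int]$MaxLockSeconds = 900)   # assumed threshold; set to your policy

    $lock     = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'
    $usbStart = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'
    $denyAll  = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' 'Deny_All'

    # Screen locking: a missing or zero value means no machine-wide limit is set.
    # A per-user screen-saver policy may still lock the session, so this case is
    # reported as NotConfigured rather than Fail.
    if ($null -eq $lock -or $lock -eq 0) { $lockStatus = 'NotConfigured' }
    elseif ($lock -le $MaxLockSeconds)   { $lockStatus = 'Pass' }
    else                                 { $lockStatus = 'Fail' }

    # USB storage: blocked if the mass-storage driver is disabled (Start = 4)
    # or the "deny all removable storage" policy is enabled (Deny_All = 1).
    if ($usbStart -eq 4 -or $denyAll -eq 1) { $usbStatus = 'Pass' }
    else                                    { $usbStatus = 'Fail' }

    [pscustomobject]@{
        Control = 'Screen locking'
        Status  = $lockStatus
        Detail  = "InactivityTimeoutSecs=$lock"
    }
    [pscustomobject]@{
        Control = 'USB storage'
        Status  = $usbStatus
        Detail  = "USBSTOR Start=$usbStart; Deny_All=$denyAll"
    }
}

Test-WorkstationBaseline | Format-Table -AutoSize
```

The script only reads the registry; on domain-joined machines the settings themselves are normally applied through Group Policy or the management tool rather than edited per workstation.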
Hardware Protection & Replacement
Specifications – By now, you should have replaced all hardware that has less than a 2GHz processor or 4GB of memory. This is what we consider baseline right now. However, when buying new equipment, even higher standards should be considered because as technology continues to evolve, current standards may not run updated applications.
Warranties – All your hardware should be under warranty. If any piece is not, extended warranties should be investigated. Machines not under warranty may be problematic if parts are needed and may be costly to replace if not readily available. We have tools that can check this factor, or you can check online at the manufacturer’s website by entering the service tag into the warranty section.
Surge Protection – Power surges are still a problem, and hardware not plugged into a surge protector is at risk.
Acceptable Use Policies
Do you have one? – This should cover employees’ use of personal email, Internet usage (surfing), and remote access for laptops. Most cyber intrusions start with employees.
Endpoint protection refers to a system for network security management that focuses on network endpoints, or individual devices such as workstations and mobile devices from which a network is accessed. The term also describes specific software packages that address endpoint security.
Endpoint protection may also be called endpoint security.
Administrative Rights – Administrative rights should be carefully considered and only necessary levels should be granted to users. Most software needs administrative access for installation and by restricting these rights, you are also lessening the opportunity for people to install personal applications, which may affect workstation performance, licensing, or employee productivity.
Anti-Virus – In today’s world, active and centrally managed antivirus, with provisions for both scheduled and real-time updating, is crucial. This is the backbone of endpoint protection. While there is no single answer to complete protection on all your devices, this is an important part of network security and is highly recommended.
Anti-Malware – As above, centrally managed anti-malware is very important, and today’s malware has increasingly become a productivity killer. Again, while there is no single solution, this is another important part of your protection.
What is the difference between Virus and Malware? In simple terms, a virus is a piece of code that can replicate itself and travel from computer to computer, much like a flu virus can replicate itself and travel from human to human. Malware is more of an umbrella term that refers to a wide variety of malicious software, including viruses, as well as Trojans, adware, worms, and ransomware. In other words, all viruses are malware but not all malware are viruses. Exactly how each of these performs is beyond the scope of this piece, but the most commonly known of these recently is ransomware, with which a cyber-criminal will encrypt, or lock down, a company’s data files, demanding a ransom before releasing them.
Web Filtering – Another part of an overall security suite. This prevents a workstation from becoming infected by being redirected to a website that installs malicious software.
Patching – Patches are applied to fix bugs, remediate security risks, and make use of applications easier. It is important that this is centrally managed so that all applicable machines are updated.
Authentication – We believe in two-factor authentication. An example of two-factor authentication that we use every day is the use of both an ATM card (one factor) and a PIN (second factor) at the bank’s ATM. For computer use, an example might be the use of both a password and PIN. This provides an enhanced level of security.
Remote Management – Workstations can often best be managed by use of a remote management tool. For example, DynaSis’ clients’ devices need to be accessible by our management tool to take advantage of our endpoint security functionality.
Definition: A Thin Client (or “lean client” or “zero client” or “terminal”) is a small computer that relies heavily on remoting into a server for processing. Unlike a “fat client”, which is a typical desktop PC that can handle all required functionality if necessary, the thin client is limited to essential applications.
Spare Terminals: because of the low cost of these units, it is suggested that spare terminals be kept on premises in the event of failure.
Firmware: Many problems can be corrected through the use of the latest firmware. This is particularly true of devices such as these because of their basic nature.
Device Policy – Do you have a mobile device policy that clearly outlines screen locking, password protection, email, etc., as well as use of employees’ own devices?
Installation Documentation: Are step-by-step installation instructions readily available for all of the applications used in your business? This is important when building a new workstation or reinstalling applications. This is particularly important if your company uses a large number of applications, or applications that have been developed for and/or by your business.
Licensing: Are licenses easily available when installing for new employees? Is someone familiar with the licensing process?
Support Contracts: Are valid and active support contracts in place with all 3rd party vendors? This can be important if you require direct support from a vendor, particularly in emergency situations. Vendors are more likely to respond to regular clients than they are to companies that only call them in emergency situations.
Version/Release: All your applications should be up-to-date with the latest releases, as this makes troubleshooting easier and provides you with the latest improvements and security updates.
Approval Policies: Employees should be well aware of which applications are allowed and which are prohibited. (You may prohibit all applications which have not been specifically approved; however, there should be a policy on asking for approval of apps that may not be in wide usage throughout your company. Some employees may want/need other applications that make them more efficient in their work.)
Automated Policies: An automated policy can restrict the installation of applications that have not been approved.
Email platform: The Microsoft Exchange platform provides a high level of business class collaboration as well as security features that may not be available in other platforms. If your company is not using Exchange, you should consider migrating.
Archiving: Emails should be archived. It is not uncommon for a company to need to retrieve emails that are several years old, whether to enforce contracts, show time sequence, or satisfy government or civil subpoenas.
Encryption: This provides a significant level of cyber-protection.
Continuity: In the event of an outage, there should be a plan in place for email continuity.
Dedicated Area: Best practices dictate that a dedicated room should be set up for your servers and networking equipment.
Temperature Control: Properly controlling the temperature of your server room can prolong the life of the equipment. High temperatures can be very destructive.
Physical Security: This should be a secure room with very limited access. There should be a door as opposed to an open entrance, and we prefer that there be no windows to the exterior.
Fire Suppression: A fire suppression system that can cause minimal damage to the equipment is highly recommended.
Electric: Your server room should have a dedicated electrical circuit so that electrical issues in the server room cannot be caused by problems elsewhere in your building.
Monitoring and Alerts: When server/equipment rooms are properly monitored and alerts properly functioning, reaction times are faster in the event they are needed. We recommend:
Labeling: This may seem rather basic, but proper labeling helps your onsite people identify troublesome equipment, especially when working with third parties.
That said, you should understand that this was a broad look at our STR – Strategic Technology Review. There are many topics that are covered in our real-life review such as Power Management, Rack Management, Backup, Disaster Recovery, Business Continuity, Networking, Telephony, Remote Users, Password Protection, and others, that we have not mentioned. Below are links to white papers we have written on some of these subjects:
Questions? Please feel free to contact us at 678.373.0716 or www.DynaSis.com.