You don't have to look into a crystal ball to find peace of mind when it comes to security. CSO Magazine presents 10 relatively low-labor changes you can make to achieve significant improvements in enterprise security.
#1. Help high-level decision-makers to understand.
"Help your top-level executives to be truly aware of the nature of the security situation and to take on their risk manager responsibility in a serious way," says Fred B. Cohen, an American computer scientist best known as the inventor of computer virus defense techniques.
To do this, use an external advisory committee made up of people who know security and know how to talk to executives. To help leaders hear and understand the advisory committee, send them to an executive off-site security training or commission an initial security assessment of your organization, so they can see where they stand and work to bridge the communication gap.
#2. Don't collect information when it is more harmful than beneficial.
"I know it's convenient to store credit cards and use them again next time. But that's also why some big box stores had to pay a price for losing them and why people had to change their credit cards for everybody they dealt with," says Cohen.
The same goes for any PII, including email addresses. "I bought something online from a very large big box store because they didn't have it in the physical store. I had to provide an email address. They just got millions and millions of these ripped off and they are collecting more," says Cohen. When the harm outweighs the benefit, just stop.
#3. Check the inputs.
Check inputs to software programs and databases at the place where you actually use them, not in the browser, and most of the bad things that happen would not happen, says Cohen. "All the big database rip offs using SQL injections and other input overruns happen because you don't check the inputs," says Cohen.
Check the size, syntax, and context of the input data, the characters people typically enter into an input field. "If they're putting in a Social Security number, it better be in the format of a Social Security number. And regardless of what checking you did in the browser, you need to check it at the place where it arrives, not where someone sent it from," says Cohen. Do the check when the data arrives from the untrusted source (such as a browser) at the technology that interprets and uses it. "This is trivial to do and trivial to check that someone did it," he says.
#4. Contract, insure, test.