Information Security

Data

  • Regular backups to prevent data loss.

    • Backups of all important data.

      • Only data on the SMRU file server is regularly backed up. Data on the local drives of a computer is NOT backed up, and neither is data on an external hard drive or a USB key.

    • Backups of BitLocker 48-digit recovery keys and passwords that are used to protect data.

  • Encryption to protect sensitive data.

    • All SMRU/TBHF computers must have all local drives encrypted.

    • Any data stored in the Cloud must be encrypted.

Network

  • Only SMRU/TBHF computers are allowed to have direct access or VPN access to the Private network.

    • Network access should be enforced using Port Authentication, since MAC Authentication is nowadays considered insecure.

    • MORU has Port Authentication implemented, but SMRU/TBHF is still using MAC Authentication.

    • Personal computers are not allowed VPN access to the Private network.

    • However, anyone can install VPN software on their personal computer and copy the VPN configuration file from their SMRU/TBHF notebook to their personal computer.

    • Ideally the IT Policy should be updated and explicitly mention that VPN access from a personal computer to the Private network is not allowed.

  • Any other devices are only allowed access to the Guest network.

    • Access to the Guest network is only given when a user signs for a ticket.

  • However, at the SMRU clinics personal devices have access to that clinic’s network.

    • Access to the Private network at the main office is prohibited using Firewall rules.

    • Only some SMRU/TBHF servers at the clinics are allowed to have access to the Private network.

    • However, over time the Data Management department has requested access to the Private network from the remote clinics.

    • This has led to personal computers at the clinics also having access to the Private network at the main office.

Passwords

Before and Now

  1. Before: All computers are protected by the firewall.
     Now: Only desktop computers are protected by the firewall.
       1. Notebooks outside the office are no longer protected.

  2. Before: All computers have anti-virus software installed.
     Now: All computers have anti-virus software installed.

  3. Before: All computers have their drives encrypted.
     Now: All computers have their drives encrypted.

  4. Before: No data on any computer is backed up.
     Now: No data on any computer is backed up.

  5. Before: All data on the file server is backed up using the 3-2-1 backup strategy.
     Now: All data on the file server is backed up using the 3-2-1 backup strategy.
       1. Having at least three copies of your data.
       2. Having two local (on-site) copies but on different media.
       3. Having at least one copy off-site.

  6. Before: Browser extensions, cloud storage, malicious email links, notebooks, smart phones and USB drives do not yet exist.
     Now: Browser extensions, cloud storage, malicious email links, notebooks, smart phones and USB drives now do exist.
       1. Any user can install any extension on any browser.
       2. Any user can store sensitive data in the cloud with no 3-2-1 backup strategy.
       3. Over 50% of successful attacks start with opening an attachment or clicking on a malicious email link.
       4. Notebooks can easily be dropped, lost or stolen compared with desktops.
       5. Except for Apple iPhones, all smart phones are by definition compromised and insecure.
       6. USB drives can easily fail, get lost or be stolen, and can contain data that is neither backed up nor encrypted.

  7. Before: Email services are provided by Lonex.
       1. Emails are backed up.
       2. MFA (Multi-Factor Authentication) is not needed for web email.
     Now: Email services are provided by Microsoft Exchange 365.
       1. Emails are not backed up.
       2. MFA is not yet enabled for all users when using web email.

  8. Before: IT operations are performed on-premises, except for Lonex, which isn’t using MFA yet.
     Now: IT operations are performed on-premises and in the cloud. Not all cloud services used by IT have MFA enabled.
       1. The Microsoft Exchange Admin Center does not have MFA enabled.

  9. Before: Most websites use HTTP (plaintext, insecure communication) instead of HTTPS (encrypted, secure communication).
     Now: Most websites use HTTPS (encrypted, secure communication) instead of HTTP (plaintext, insecure communication).
       1. Users should only visit HTTPS websites.
       2. Users should never enter credentials (username and password) on websites using HTTP.

  10. Before: Passwords are required to be only 8 characters and are easy to remember.
      Now: Passwords are required to be at least 12 or 16 characters and should contain at least 3 out of 4 character classes (lower case, upper case, digits and symbols).
       1. It is no longer possible to memorize each password.
       2. The number of passwords in use has increased dramatically.
       3. MFA is now required for all important websites.

  11. Before: Programs/software can only be installed by IT and are available to all users.
      Now: Programs/software cannot be installed by standard users.

  12. Before: The guest network does not yet exist.
      Now: The guest network is protected by the firewall and access is granted through a ticket system.

  13. Before: The internal private network is protected by the firewall.
      Now: The internal private network is protected by the firewall.

  14. Before: Web filtering (restricting which websites can be visited) is done using a proxy server.
      Now: Web filtering (restricting which websites can be visited) is done using the firewall.

Before: Every device is secured and the IT Department is in control.
Now: Less than 50% of devices are secured and the IT Department is no longer in control.
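The 3-2-1 rule from the comparison above can be checked mechanically against an inventory of where each copy of a data set lives. The following is an added example, not part of the original page or of SMRU/TBHF's tooling; the BackupCopy records and the inventories are constructed to mirror the page's cases (file server backed up properly, notebook local drive and USB key not).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    """One stored copy of a data set (constructed example record)."""
    label: str
    media: str      # e.g. "server-disk", "nas", "tape", "cloud"
    offsite: bool   # True when the copy is stored outside the main office


def check_321(copies):
    """Evaluate copies against the three rules listed on the page.

    Returns a dict rule -> bool so a report can name the rule that failed:
      three_copies : at least three copies of the data in total
      two_media    : at least two on-site copies on different media
      one_offsite  : at least one copy stored off-site
    """
    onsite_media = {c.media for c in copies if not c.offsite}
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len(onsite_media) >= 2,
        "one_offsite": any(c.offsite for c in copies),
    }


def failed_rules(copies):
    """Names of the 3-2-1 rules the inventory does not satisfy (empty if compliant)."""
    return [rule for rule, ok in check_321(copies).items() if not ok]


def is_compliant(copies):
    return not failed_rules(copies)


# Constructed inventories (not real SMRU/TBHF systems).
FILE_SERVER = [                      # primary + NAS on-site, tape off-site
    BackupCopy("primary", "server-disk", offsite=False),
    BackupCopy("nightly", "nas", offsite=False),
    BackupCopy("weekly", "tape", offsite=True),
]
NOTEBOOK = [BackupCopy("local drive", "ssd", offsite=False)]
USB_ONLY = [                         # notebook plus a USB key: two media, but no third copy and nothing off-site
    BackupCopy("local drive", "ssd", offsite=False),
    BackupCopy("usb key", "usb", offsite=False),
]
SAME_MEDIA = [                       # three copies, but every on-site copy is on the same kind of disk
    BackupCopy("primary", "server-disk", offsite=False),
    BackupCopy("mirror", "server-disk", offsite=False),
    BackupCopy("replica", "server-disk", offsite=True),
]
```

Running `failed_rules` over each inventory shows that only the file server satisfies all three rules, and which rule the other inventories miss.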

Other Concerns

  • Any notebook may contain important data that is not backed up.

  • Any notebook outside the office is not protected by the firewall.

    • Any user can visit any website.

    • Any app/program/software can contact any (malicious) cloud server.

  • There exist many malicious browser extensions that can be installed by any user.

  • Data stored in the cloud should be encrypted, but in most cases isn’t.

  • USB drives get infected all the time when used outside the office.

  • To properly manage all passwords a Password Manager is needed.

    • Cloud-based password managers provide a backup, but should have an offline mode in case the internet connection is down.

    • When using an on-premises password manager, make sure to have a 3-2-1 backup strategy in place.

  • Authentication apps for MFA from Microsoft Store can be malicious.