The National Information Systems Security Agency (Anssi) and the Club of Information and Digital Security Experts (Cesin) have published their best practices for protecting company IT systems and data. Some are very simple to implement but are nonetheless effective.
At a time when threats of all kinds (ransomware, spear-phishing, etc.) have reached an unprecedented level of intensity – with 4,165 cyberattacks detected in France in 2016 according to PwC (and 24,000 against the Ministry of Defence) – companies are fortunately far from powerless to deal with them. Before embarking on the implementation of complex and expensive solutions – often necessary though they are – what better than to follow best practices to avoid the worst? This is what Anssi (the national information systems security agency) and Cesin (the club of information and digital security experts) are proposing at the start of this year.
In the latest version of its IT hygiene guide, “Reinforcing the security of your information system in 42 measures”, published in January, Anssi suggests that companies can easily improve their level of security. Among the measures we find the ever-necessary, yet still too often neglected, raising of user awareness of good IT security practices. In addition to informing employees, as soon as they arrive, of the issues, rules and behaviours to adopt with regard to IS security, Anssi also recommends having them sign a charter setting out the instructions to be followed. The appointment of an information systems security referent known to staff is recommended. Beyond the assessment of the specific risks related to outsourcing, which should lead to a security assurance plan agreed with the service provider(s), the phase of identifying the most sensitive information and data, which may be found in databases, file-sharing servers and workstations alike, should not be neglected. These are critical components for the organisation and must be subject to appropriate security measures (backup, logging, etc.).
When cyber risk invites itself into the presidential campaign
“It is strongly recommended to carry out a periodic review of these accounts in order to ensure that access to sensitive elements (in particular the work directories and the e-mail of managers) is controlled. These reviews will also make it possible to delete access that has become obsolete following the departure of a user, for example,” indicates Anssi. This concerns both the deletion of computer accounts and associated mailboxes and the physical management of the premises. The activation and configuration of firewalls and antivirus software, possibly through a centralised management tool in order to facilitate the enforcement of rules and the deployment of updates, is of course recommended.
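The periodic account review Anssi describes above can be largely automated. The following script is an added example, not code from Anssi or the guide: it cross-checks a directory export against an HR roster, flags accounts of departed users and dormant accounts, and lists which of those still hold access to sensitive elements (management directories, executive mailboxes). The roster, the account export, the 90-day dormancy threshold and the `svc-` prefix for service accounts are all constructed assumptions.

```python
"""Periodic account review (added example, not from the Anssi guide).

Inputs are an HR roster of current employees and a directory export with
last-login dates; both are constructed here rather than pulled from a real
directory service.
"""
from datetime import date, timedelta

# Constructed sample data: who HR says is still employed...
HR_ROSTER = {"alice", "bob", "carol"}

# ...and what the directory export says exists. "mailbox" marks an
# associated mailbox that must go when the account is deleted.
ACCOUNTS = [
    {"login": "alice", "last_login": date(2017, 2, 20), "mailbox": True,
     "sensitive_access": ["/dir/management"]},
    {"login": "bob", "last_login": date(2016, 6, 1), "mailbox": True,
     "sensitive_access": []},
    {"login": "carol", "last_login": date(2017, 2, 22), "mailbox": True,
     "sensitive_access": []},
    {"login": "dave", "last_login": date(2016, 12, 15), "mailbox": True,
     "sensitive_access": ["/dir/management", "ceo-mailbox"]},
    {"login": "svc-backup", "last_login": date(2017, 2, 23), "mailbox": False,
     "sensitive_access": []},
]

TODAY = date(2017, 2, 24)            # constructed review date
DORMANT_AFTER = timedelta(days=90)   # assumed dormancy threshold
SERVICE_PREFIX = "svc-"              # assumed naming convention for service accounts


def review_accounts(accounts, roster, today, dormant_after=DORMANT_AFTER):
    """Return findings grouped as departed users, dormant accounts, and
    flagged accounts that still hold access to sensitive elements."""
    findings = {"departed": [], "dormant": [], "sensitive_exposure": []}
    for acct in accounts:
        login = acct["login"]
        is_service = login.startswith(SERVICE_PREFIX)
        if not is_service and login not in roster:
            findings["departed"].append(login)
        elif today - acct["last_login"] > dormant_after:
            findings["dormant"].append(login)
        else:
            continue  # active and known: nothing to report
        if acct["sensitive_access"]:
            findings["sensitive_exposure"].append((login, acct["sensitive_access"]))
    return findings


def removal_plan(findings, accounts):
    """Concrete actions for departed users: disable the account and
    delete the associated mailbox, as the guide recommends."""
    by_login = {a["login"]: a for a in accounts}
    actions = []
    for login in findings["departed"]:
        actions.append(("disable_account", login))
        if by_login[login]["mailbox"]:
            actions.append(("delete_mailbox", login))
    return actions


if __name__ == "__main__":
    found = review_accounts(ACCOUNTS, HR_ROSTER, TODAY)
    for key, value in found.items():
        print(f"{key}: {value}")
    for action in removal_plan(found, ACCOUNTS):
        print(action)
```

Dormant accounts are reported separately from departed ones because they call for a different action (confirm with the owner, then disable) rather than immediate deletion; the sensitive-exposure list is the part worth escalating first.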
One of the keys to IT security on the user side also lies, as always, in the measures taken to secure access to accounts and systems. Efforts must therefore be made to avoid passwords that are too easy to guess and to avoid reusing them from one application to another. An encrypted password vault storing user passwords can also be deployed. Anssi also recommends strong two-factor authentication combining a password, signature or unlock pattern with a smart card, a USB token, a magnetic card, an SMS code or even a biometric fingerprint.
Nicolas Arpagian (scientific director of the digital security cycle at INHES and director of public affairs at Orange Cyberdefense), Mounir Mahjoubi (head of Emmanuel Macron’s digital campaign), Florence Puybarreau (host) and David Guez (lawyer and organiser of laprimaire.org).
With regard to workstations, Anssi recommends a minimum level of security for all computer equipment, from workstations to servers, including printers, mobile devices (do not forget to fit a privacy filter and to set up SSL/TLS VPN tunnels) and USB devices. This involves measures such as “limiting installed applications and optional web browser modules to only those necessary, providing user workstations with a local firewall and an antivirus (these are sometimes included in the operating system), encrypting the partitions where user data is stored, or even disabling automatic execution (autorun).” Among the tools deployed, it is better to choose those certified by Anssi and to call on service providers qualified in audit (PASSI), security incident response (PRIS), security incident detection (PDIS) or even cloud security (SecNumCloud). The security providers of the Hexatrust alliance are also worth a look. Another point of vigilance: removable media, for which the policy may be either an outright ban or authorisation of only those whose integrity and security are established. Controls on and protection of access to server rooms and technical rooms should not be neglected either.
It is of course also necessary to pay particular attention to updates of all the components of the information system. Recently, Emmanuel Macron’s En Marche site fell victim to hackers. “At the start of the campaign, we had not updated our WordPress site and hackers took the opportunity to bring down our site,” said Mounir Mahjoubi, head of Emmanuel Macron’s digital campaign and former president of the Conseil national du numérique (National Digital Council), during a debate on cyber risk at the Cercle evening on February 23. “We are subject to regular attacks on the front, the databases and the site.” Moreover, this is not the only player in the presidential election campaign to have been targeted by hacking; this was also the case of the laprimaire.org site. “We had a lot of brute force attacks and candidates wanted to claim false support,” explained David Guez, lawyer and organiser of laprimaire.org. The latter has set up a monitoring system and used a private blockchain to secure online votes, coupled with secure communication tools such as Telegram Messenger and Facemail.
Robust encryption as backup
Carrying out regular security checks and audits of the IS, at least once a year, is also highly recommended. “Following these audits, corrective actions must be identified, their application planned and follow-up points organised at regular intervals. For greater efficiency, indicators on the progress of the action plan can be integrated into a dashboard for the attention of management,” underlines Anssi.
Unsurprisingly, Anssi also sets out a series of good practices relating to network security. “The segmentation of the network architecture must make it possible to limit the consequences of a wireless intrusion to a defined perimeter of the information system. Flows from workstations connected to the Wi-Fi access network must therefore be filtered and restricted to only the necessary flows. In addition, it is important to favour robust encryption (WPA2 mode, AES CCMP algorithm) and centralised authentication, if possible using client machine certificates.” The use of the secure protocols TLS, HTTPS, IMAPS, SMTPS or even POP3S and SSH is also highlighted. “It is recommended to implement a secure Internet access gateway comprising at least a firewall as close as possible to the Internet access to filter connections, and a proxy server incorporating various security mechanisms. This ensures in particular the authentication of users and the logging of requests.”
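The phrase “restricted to only the necessary flows” is easiest to understand as a default-deny rule set: anything the Wi-Fi segment is not explicitly allowed to reach is dropped, and web traffic leaves only through the proxy. The block below is an added example, not the guide's code: it expresses such a policy as a small rule table and evaluates constructed sample flows against it. The address ranges, the proxy and resolver addresses and the proxy port are all assumptions.

```python
"""Default-deny flow filtering for a Wi-Fi client segment (added example,
not from the Anssi guide). Rule set and sample flows are constructed; the
addresses are private/documentation ranges, not a real network."""
import ipaddress

# Assumed topology: Wi-Fi clients may only reach the internal resolver and
# the web proxy; everything else (direct Internet, file servers) is denied.
WIFI_NET = ipaddress.ip_network("10.10.0.0/16")      # assumed Wi-Fi client segment
RESOLVER = ipaddress.ip_network("10.1.0.53/32")      # assumed internal DNS resolver
PROXY = ipaddress.ip_network("10.1.0.10/32")         # assumed web proxy (port 3128)

# Each rule: (source network, destination network, protocol, destination port).
# Only "allow" rules exist; the implicit final rule is deny.
ALLOW_RULES = [
    (WIFI_NET, RESOLVER, "udp", 53),
    (WIFI_NET, PROXY, "tcp", 3128),
]


def is_allowed(src, dst, proto, dport, rules=ALLOW_RULES):
    """Return True if some allow rule matches the flow, else False (default deny)."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for src_net, dst_net, rule_proto, rule_port in rules:
        if (src_ip in src_net and dst_ip in dst_net
                and proto == rule_proto and dport == rule_port):
            return True
    return False


# Constructed sample flows as (src, dst, proto, dport, description).
SAMPLE_FLOWS = [
    ("10.10.4.21", "10.1.0.53", "udp", 53, "DNS query to internal resolver"),
    ("10.10.4.21", "10.1.0.10", "tcp", 3128, "web access through the proxy"),
    ("10.10.4.21", "198.51.100.7", "tcp", 443, "direct HTTPS to the Internet"),
    ("10.10.4.21", "10.2.0.5", "tcp", 445, "SMB to an internal file server"),
    ("10.10.4.21", "10.10.4.22", "tcp", 22, "SSH to another Wi-Fi client"),
]


def evaluate(flows=SAMPLE_FLOWS):
    """Map each flow description to its verdict, for review of the policy."""
    return {desc: is_allowed(s, d, p, port) for s, d, p, port, desc in flows}


if __name__ == "__main__":
    for desc, verdict in evaluate().items():
        print(f"{'ALLOW' if verdict else 'DENY ':5} {desc}")
```

The direct-HTTPS case is the one that matters: denying it is what forces browsers through the proxy, where the gateway can authenticate users and log requests as the quoted recommendation requires. Client-to-client traffic within the Wi-Fi segment is denied by the same rule, which is the point of confining an intrusion to that perimeter.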
On the e-mail side, the main vector of workstation infection, common sense makes it possible to avoid opening risky messages, and in case of doubt a phone call or SMS can confirm their authenticity. Forwarding professional e-mail to a personal mailbox is to be avoided. Anti-spam filtering, a relay server that provides a break between the Internet and the internal network, and mechanisms for verifying the authenticity and correct configuration of the public DNS records tied to the e-mail infrastructure (MX, SPF, DKIM and DMARC) are also recommended.
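Verifying the “correct configuration” of those DNS records means more than checking that they exist: an SPF record ending in `~all` or a DMARC policy of `p=none` only monitors spoofing rather than blocking it. The checker below is an added example, not Anssi's code. It works over constructed TXT/MX records for a fictitious domain so it runs offline; in practice the records would come from DNS lookups, and the selector name is an assumption.

```python
"""Checks on the public DNS records of a mail domain (added example, not
from the Anssi guide). Records are constructed instead of resolved, so the
script runs offline."""
import re

# Constructed sample records for a fictitious domain; the DKIM key value is
# a placeholder, not a real public key.
RECORDS = {
    "example.fr": {
        "MX": ["10 mail.example.fr."],
        "TXT": ["v=spf1 mx ip4:203.0.113.0/24 ~all"],
    },
    "_dmarc.example.fr": {
        "TXT": ["v=DMARC1; p=none; rua=mailto:dmarc@example.fr"],
    },
    "selector1._domainkey.example.fr": {
        "TXT": ["v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_KEY"],
    },
}


def spf_record(txt_records):
    """Return the single SPF record among TXT records, or None.
    A domain must publish exactly one; duplicates make SPF fail."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def spf_all_qualifier(spf):
    """Qualifier of the terminal 'all' mechanism: '-', '~', '?' or '+';
    None if the record has no 'all' mechanism."""
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf)
    if not m:
        return None
    return m.group(1) or "+"   # bare 'all' means '+all' (pass everything)


def parse_dmarc(txt_records):
    """Tag/value dict of the DMARC record, or None if absent."""
    for r in txt_records:
        if r.startswith("v=DMARC1"):
            return dict(tag.strip().split("=", 1) for tag in r.split(";") if "=" in tag)
    return None


def check_mail_domain(domain, records, dkim_selectors):
    """Return a list of findings; an empty list means the records enforce."""
    findings = []
    zone = records.get(domain, {})
    if not zone.get("MX"):
        findings.append("no MX record")
    spf = spf_record(zone.get("TXT", []))
    if spf is None:
        findings.append("SPF missing or duplicated")
    else:
        q = spf_all_qualifier(spf)
        if q is None:
            findings.append("SPF has no 'all' mechanism")
        elif q != "-":
            findings.append(f"SPF ends with '{q}all' rather than '-all'")
    dmarc = parse_dmarc(records.get("_dmarc." + domain, {}).get("TXT", []))
    if dmarc is None:
        findings.append("DMARC missing")
    elif dmarc.get("p") not in ("quarantine", "reject"):
        findings.append(f"DMARC policy p={dmarc.get('p')} does not enforce")
    for sel in dkim_selectors:
        txt = records.get(f"{sel}._domainkey.{domain}", {}).get("TXT", [])
        if not any("p=" in r for r in txt if r.startswith("v=DKIM1")):
            findings.append(f"DKIM selector {sel} has no public key")
    return findings


if __name__ == "__main__":
    for finding in check_mail_domain("example.fr", RECORDS, ["selector1"]):
        print("-", finding)
```

Moving from `~all` to `-all` and from `p=none` to `p=quarantine` or `p=reject` is normally done after a period of reading the DMARC aggregate reports (the `rua` address), so that legitimate senders that were missed do not get rejected.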
The essential role of the CISO
The role of the CISO is of course central to the company and to the security strategy it implements. “A CISO is often attached to the IT department. The question is not whether to place the role inside or outside it, but where it will have the means to act effectively,” reads the digital security guide for executives co-authored by Cesin and unveiled at the Cercle evening on February 23. “Provided that three principles are applied: a clear mandate, proximity to the executive committee, freedom of action. The CISO’s voice will carry further, and management will retain control over the security policy best suited to its strategy.”
Finally, the guide recommends setting up a security dashboard that measures the gap between the actual situation and the company’s objectives in light of the risks. It covers five vital subjects: strategy (implementation of the security policy, severity of the risks, evolution of the risk map), compliance (regulatory and normative compliance, compliance with contractual commitments), finance (budget and return on investment), operations (incidents with identification of their causes, audits and vulnerability tests, service availability rate, system and software updates, shadow IT reduction rate) and HR (awareness actions, training, skills of the teams in charge).