M.12) Harden employees’ devices

Category:        Corporate Information Security, Initial for every employee

Responsible:   CSR

Effort:              ~ 1 hour per employee

Based on:       Author’s recommendations to deal with “bring your own device”

Attention: Because of legal and privacy aspects, each employee has to agree to the following procedure, and the employee must be present during the process. If an employee disagrees, then his personal devices should not be used for company-related tasks.

A big problem startups face is “bring your own device” (BYOD). Because most startups don’t have the money to buy equipment (laptops, mobiles) for their employees, the employees simply use their own hardware. But this is a major threat to the company’s information security: employees’ devices might run outdated and vulnerable software, or they might already be infected with malware before the employee joins the company. Therefore at least the following steps should be executed by the CSR for each new device which will have access to the company’s data:

  • PC, Laptops, Smartphones, Tablets:
    • Check if the operating system is up-to-date and activate automatic system updates
    • Check if all applications are up-to-date and activate automatic updates
    • Check if Antivirus with latest updates is installed. Perform a system scan with the Antivirus. An Antivirus comparison can be found on the following website: https://www.av-test.org/de/
    • Install or enable hard disk encryption. There are plenty of tools available, like BitLocker and VeraCrypt, and Android and iOS already have integrated disk encryption. More encryption software can be found here: https://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software
    • Make sure that the user isn’t logged in as administrator. The admin account should only be used on special occasions; everyday work does not need an admin account.
  • PC, Laptops:
    • Check if the Personal Firewall is activated and is up-to-date.
    • Check if all browser plugins are up-to-date and activate automatic plugin updates. Deactivate or uninstall all unnecessary or unknown plugins. Deactivate Java and Flash browser plugins, because they have been vulnerable in the past.
  • Windows Systems:
    • Check running processes with the tool Process Explorer (Microsoft Sysinternals Suite)
    • Verify Image Signatures
    • Check Processes with virustotal.com
    • Install Microsoft EMET and activate all additional security mechanisms (Profile: Maximum security settings).
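
An added example, not part of the original checklist: a read-only PowerShell script the CSR could run on a Windows device to collect the results of the update, antivirus, disk encryption, firewall and admin-account checks listed above. The `-Account` parameter, the 35-day patch threshold and the check names are assumptions made for this illustration.

```powershell
# Added example: read-only audit of the checklist items on a Windows device.
# Run from an elevated PowerShell session (Get-BitLockerVolume requires it).
param(
    # Assumption: the employee's everyday account, as COMPUTER\user or DOMAIN\user.
    [string]$Account = "$env:COMPUTERNAME\$env:USERNAME",
    # Assumption: illustrative threshold, not a value from the checklist.
    [int]$MaxPatchAgeDays = 35
)
$ErrorActionPreference = 'Stop'
$results = [System.Collections.Generic.List[object]]::new()
function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; OK = $Ok; Detail = $Detail })
}
# A check that cannot run is reported as failed instead of being skipped silently.
function Invoke-Check([string]$Check, [scriptblock]$Body) {
    try { & $Body } catch { Add-Result $Check $false "could not check: $($_.Exception.Message)" }
}
Invoke-Check 'OS patch level' {
    $last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $last) { throw 'no hotfix with an install date found' }
    $age = [int]((Get-Date) - $last.InstalledOn).TotalDays
    Add-Result 'OS patch level' ($age -le $MaxPatchAgeDays) "last hotfix $($last.HotFixID), $age days ago"
}
Invoke-Check 'Automatic updates' {   # NoAutoUpdate = 1 means updates are switched off by policy
    $au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    Add-Result 'Automatic updates' ($au.NoAutoUpdate -ne 1) "policy NoAutoUpdate = '$($au.NoAutoUpdate)'"
}
Invoke-Check 'Antivirus' {           # registration only; confirm signature age in the product itself
    $av = @(Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct)
    Add-Result 'Antivirus' ($av.Count -gt 0) "registered: $($av.displayName -join ', ')"
}
Invoke-Check 'Disk encryption' {     # BitLocker only; a VeraCrypt system volume shows as failed here
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    Add-Result 'Disk encryption' ($vol.ProtectionStatus -eq 'On') "BitLocker: $($vol.VolumeStatus)"
}
Invoke-Check 'Firewall' {            # Windows Firewall must be on for every network profile
    $off = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })
    Add-Result 'Firewall' ($off.Count -eq 0) "disabled profiles: $($off.Name -join ', ')"
}
Invoke-Check 'Everyday account' {    # direct membership only; nested groups are not resolved
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544'   # built-in Administrators group
    $isAdmin = $admins.Name -contains $Account
    Add-Result 'Everyday account' (-not $isAdmin) "$Account in Administrators: $isAdmin"
}
$results | Format-Table -AutoSize -Wrap
```

The Process Explorer steps (image signatures, VirusTotal lookups) and the browser plugin review are not covered by this script and remain manual.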

These safeguards are also necessary if the device is owned by the company itself. In this case even more security mechanisms can/should be used, like:

  • Disallow users to have an admin account
  • Disallow users to install software without informing the PSR
  • Restrict users from modifying certain system settings
  • Use of a software distribution and management system (like Opsi – Open PC server integration) for
    • central management and distribution of software, operating system and patches
    • Inventory and license management

The latter isn’t easy to implement for startups, because a) it needs a certain amount of configuration, management and maintenance and b) it only makes sense if the users don’t install software by themselves. Therefore, in the author’s opinion, this measure only makes sense for companies with more than 15 employees. Either way, it is much more important to train the employees on what they are allowed to do and what is prohibited. If every employee knows that he or she should always inform the CSR before installing new software or a new plugin, then “software distribution and management systems” aren’t really necessary, because the CSR can check manually whether the tools are trustworthy. Of course, for bigger companies manual confirmation and installation is a lot of work for the CSR, and it makes sense to provide predefined software packages for the employees.

If software distribution and management systems aren’t an option, safeguards M.13 and M.14 are also good alternatives.

 
