It goes without saying that the COVID-19 pandemic has upended every aspect of our daily lives - from work and financial security to mental health and leisure. And Builders, unfortunately it doesn’t end there. At this time of heightened vulnerability, businesses across the globe have also been witnessing an alarming rise in cyber-attacks.
At the beginning of March this year, hackers attempted to break into the email accounts of World Health Organisation staff members. Around the same time, the Department of Health and Human Services (HHS) faced a security breach. After picking up on the increase in activity, security employees monitored and fought the breach for several hours.
In case you missed it, the National Cyber Security Centre (NCSC) and the Cybersecurity and Infrastructure Security Agency (CISA) recently issued a joint advisory about government-backed hackers targeting healthcare and research institutions during COVID-19. “CISA and NCSC continue to see indications that advanced persistent threat (APT) groups are exploiting the Coronavirus Disease 2019 (COVID-19) pandemic as part of their cyber operations,” the agencies said in a statement.
But there is enough evidence to show that attackers’ interest goes well beyond these institutional giants. If you ask us, every business, irrespective of industry, from finance, law and nonprofits to fashion and education, and whether big or small, is equally at risk.
So, that brings us to the big question:
What can you do as a business owner to protect your data in 2020?
Since cybercriminals continue to innovate and find new ways to break in, the ideal practice is to keep your business’ cyber security policies up to the minute. Smart businesses recognise threats and eliminate risks early to keep their data safe and avoid any breaches. Don’t worry; we are here to help you get started. Be warned; this may get technical. We hope you have your tech dictionaries open, Builders.
Here are our 3 fundamental best practices for enterprise security in 2020:
1. A risk-based strategic approach to security
Every industry, and every business within it, comes with its own set of specific hidden risks, and therefore meeting standard regulations isn’t entirely enough. We recommend regular risk assessments in which you identify all valuable assets, evaluate the efficacy of your current cyber security setup, and decide what new strategy is required to counter any new threats. This simple practice will help you avoid fines for failing to comply with regulations, remediation costs for potential breaches, and the losses caused by missing or inefficient processes.
2. Timely data backups
Ever since ransomware entered our lives, keeping a full and current backup of all data has become almost a standard practice in information security and deserves a mention here. Just to give you a clearer picture, here are some of our data backup and retention policies at Builder.ai:
· We have enabled EC2 server backups through AWS Lifecycle Manager and set a CloudWatch event for that function, which runs every midnight and backs up each EC2 server by creating an AMI of it.
· As a second option, we have scripts for taking EC2 server backups. For this we have launched a minimum-configuration server that holds the script, which runs every midnight and creates an AMI of the server in question.
· We have set the retention period so that an AMI is deleted 7 days after creation, using a Lambda function triggered by a CloudWatch event. The second option is a script that deletes AMIs older than 7 days. For our RDS instances we have enabled automatic backups of the RDS DB servers.
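As an added example (not Builder.ai’s own code), here is what the 7-day AMI retention step can look like as a scheduled Lambda: it selects backup AMIs older than the retention window and deregisters them together with their backing snapshots. It assumes the nightly job names its AMIs with the prefix `ec2-backup-` (an assumption) and uses the real boto3 EC2 calls `describe_images`, `deregister_image` and `delete_snapshot`.

```python
"""Added example (not Builder.ai's code): remove backup AMIs older than the retention window."""
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 7  # matches the 7-day policy described above

def parse_creation_date(value):
    # EC2 DescribeImages reports CreationDate like "2020-04-01T00:00:00.000Z"
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def select_expired_amis(images, now, retention_days=RETENTION_DAYS, name_prefix="ec2-backup-"):
    """Return (image_id, [snapshot_ids]) for backup AMIs created before the cutoff."""
    cutoff = now - timedelta(days=retention_days)
    expired = []
    for img in images:
        if not img.get("Name", "").startswith(name_prefix):
            continue  # only touch images created by the nightly backup job (assumed naming)
        if parse_creation_date(img["CreationDate"]) < cutoff:
            snaps = [m["Ebs"]["SnapshotId"] for m in img.get("BlockDeviceMappings", []) if "Ebs" in m]
            expired.append((img["ImageId"], snaps))
    return expired

def cleanup(ec2, now=None, dry_run=True):
    """Deregister expired AMIs, then delete their snapshots; ec2 is a boto3 EC2 client."""
    now = now or datetime.now(timezone.utc)
    images = ec2.describe_images(Owners=["self"])["Images"]
    expired = select_expired_amis(images, now)
    for image_id, snaps in expired:
        if dry_run:
            print(f"would deregister {image_id} and delete {snaps}")
            continue
        ec2.deregister_image(ImageId=image_id)  # an AMI must be deregistered before its snapshots go
        for snapshot_id in snaps:
            ec2.delete_snapshot(SnapshotId=snapshot_id)
    return expired

# Constructed sample standing in for a DescribeImages response (not real AWS data).
SAMPLE_IMAGES = [
    {"ImageId": "ami-0000000000000aaaa", "Name": "ec2-backup-2020-04-01", "CreationDate": "2020-04-01T00:00:00.000Z",
     "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-0000000000000aaaa"}}]},
    {"ImageId": "ami-0000000000000bbbb", "Name": "ec2-backup-2020-04-09", "CreationDate": "2020-04-09T00:00:00.000Z",
     "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-0000000000000bbbb"}}]},
    {"ImageId": "ami-0000000000000cccc", "Name": "golden-base", "CreationDate": "2019-01-01T00:00:00.000Z",
     "BlockDeviceMappings": []},
]
SAMPLE_NOW = datetime(2020, 4, 10, 0, 5, tzinfo=timezone.utc)

def lambda_handler(event, context):
    # Entry point for the CloudWatch-scheduled Lambda; boto3 is imported here so the
    # selection logic above can be exercised without AWS credentials.
    import boto3
    return cleanup(boto3.client("ec2"), dry_run=False)
```

Run with `dry_run=True` first to confirm only the nightly backup images are selected and the golden image is left alone.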
3. The principle of least privilege
Critically evaluate and determine which stakeholders absolutely require privileged access to sensitive data, and restrict access wherever possible. The opposite scenario, where all new employees are granted privileges by default, increases the probability of data compromise by giving away sensitive data as soon as any employee account is hacked. For instance, here are our authority, access and data security policies at Builder.ai:
- Access to information shall be restricted to authorized users who have a required business need to access the information.
- Authorization to access customer accounts must be granted by the designated business owner. An email from the customer and/or designated owner will be considered approval.
- We will provide required access on a least privilege basis to all services.
AWS Console and API Access
- MFA shall be enabled for Root users of Builder.ai and all customer accounts.
- Root users shall not be used for any operational activity.
- Builder.ai resources shall use their Builder.ai IAM or SSO user with MFA enabled to access customer resource accounts.
- Builder.ai Admin shall delegate client access to resources as per requirement.
- All programmatic access shall be via IAM roles.
- All users will only have access to the privileges they need and no more.
- An IAM user shall have either a password or access keys, never both. Passwords shall be used to access the AWS console and keys for programmatic access only. One IAM user shall never be used for both purposes.
- We check MFA activation every 3 months for all AWS accounts.
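The periodic MFA check and the “password or keys, never both” rule can be verified from the IAM credential report. The following is an added example, not Builder.ai’s code; it parses the report CSV and flags root accounts without MFA or with access keys, console users without MFA, and users holding both a password and keys. The sample report is constructed and limited to the real report columns the audit reads.

```python
"""Added example (not Builder.ai's code): audit an IAM credential report against the access policy."""
import csv
import io

def parse_credential_report(report_csv):
    """Parse the CSV body returned by IAM GetCredentialReport into dict rows."""
    return list(csv.DictReader(io.StringIO(report_csv)))

def audit_credentials(rows):
    """Return (user, finding) pairs for every row that breaks the policy."""
    findings = []
    for row in rows:
        user = row["user"]
        has_password = row["password_enabled"] == "true"
        has_keys = "true" in (row["access_key_1_active"], row["access_key_2_active"])
        mfa = row["mfa_active"] == "true"
        if user == "<root_account>":
            # Root shows password_enabled=not_supported; MFA is mandatory and root
            # must hold no access keys because it is never used operationally.
            if not mfa:
                findings.append((user, "root account without MFA"))
            if has_keys:
                findings.append((user, "root account has active access keys"))
            continue
        if has_password and has_keys:
            findings.append((user, "console password and access keys on the same IAM user"))
        if has_password and not mfa:
            findings.append((user, "console user without MFA"))
    return findings

def fetch_report():
    """Fetch the live report with boto3 (imported lazily so the audit logic runs offline)."""
    import time
    import boto3
    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)  # report generation is asynchronous
    return iam.get_credential_report()["Content"].decode()

# Constructed sample: only the columns the audit reads (the real report has many more).
SAMPLE_REPORT = """user,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,not_supported,true,false,false
alice,true,true,false,false
bob,true,false,false,false
deploy-bot,false,false,true,false
carol,true,true,true,false
"""

if __name__ == "__main__":
    for user, finding in audit_credentials(parse_credential_report(fetch_report())):
        print(f"{user}: {finding}")
```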
Remote Access to client servers by Builder.ai resources
- Builder.ai has its own Private Cloud Infrastructure in AWS.
- All Builder.ai Windows laptops shall be secured by Windows Defender Antivirus.
- Builder.ai resources shall use their Builder.ai user with MFA to access customer resource accounts.
- Records of all the users having access to specific internal and customer information are maintained.
Furthermore, here are some of the top recommendations we share with our customers:
- Firewall ports such as SSH and DB ports should be restricted from public access: SSH should only be allowed from specific IPs, and DB ports should only be opened to the private IP addresses of the EC2 servers.
- Use a “Bastion” host and keep your instances in private subnets so that there is no way to reach those instances directly.
- Keep them password protected and don’t share the password with anyone else.
- Use NACL rules to restrict traffic in and out of one or more subnets. A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic; by default it allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic.
- Use a VPC endpoint to transfer data from one AWS resource to another, e.g. from EC2 to S3, so that the data travels over the AWS private network, which keeps it more secure and also increases transfer speed.
- Use an IPsec VPN to transfer data from on-premises data centres to AWS so the data is transferred securely.