However, in my experience there is another, smaller subset of InfoSec tips and practices that offer great security benefits, but which few people actually apply in real life. So here are my top five rarely-implemented security practices that I think you should reconsider:
1. Egress filter on your firewall. Everyone understands the primary purpose of firewalls: we use them to prevent external actors from accessing internal resources. In short, we tend to block all incoming traffic unless it's specifically destined for some asset we want the public to reach, like a Web or mail server.
However, you can also use your firewall to control your internal users' access to the outside world, which is what we call egress filtering. Unfortunately, many of the organizations I've visited don't egress filter. They allow their internal users full access to the Internet, regardless of the ports, protocols, or applications with which the users connect. To egress filter, you start by blocking all outbound access by default. Then you gradually add policies that allow only the specific types of external communication you want users to have, such as DNS, the Web, Skype, FTP, etc.
Egress filtering realizes the benefits of the least privilege principle: there is no reason your users should have access to things that aren't specifically necessary for your organization to do business. More importantly, egress filtering can limit what attackers can do if they manage to gain access to one of your computers. Malware and Trojans often communicate on non-standard ports, and attackers can use protocols like TFTP, SSH, or telnet, which your users may not need, to grab more malicious files. If you are egress filtering, you will block these communications, making it a bit more difficult for attackers to get out.
So if egress filtering is so useful, why don't people do it? My simple guess is that it's difficult at first. When you start egress filtering, you will surely get a handful of helpdesk calls. Even if you do a good job of creating policies for what you think your users need, you'll probably miss some network communications and applications you didn't know your employees used. While discovering and adding these additional policies may seem like a temporary hurdle, it actually gives you the opportunity to make a business decision on whether or not that communication is necessary.
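The deny-by-default, then allow-list procedure described above, as an added example that is not from the original post: a small Python model of an egress policy evaluated against constructed outbound flows, producing the kind of denied-flow log a defender would review when tuning the policy. The host addresses, the allow-list and the EGRESS-DENY log format are all assumptions; real enforcement happens on the firewall, this only models the decision.

```python
# Added example: model of a default-deny egress policy (not firewall code).
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str     # internal host
    dst: str     # destination address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port

# Allow-list built up after the default deny. Addresses are constructed;
# 10.0.0.53 stands in for the organization's own DNS resolver.
EGRESS_ALLOW = [
    ("udp", 53, "10.0.0.53"),   # DNS, but only to the internal resolver
    ("tcp", 53, "10.0.0.53"),
    ("tcp", 80, "*"),           # Web
    ("tcp", 443, "*"),
    ("tcp", 21, "*"),           # FTP control channel
]

def egress_allowed(flow: Flow, allow=EGRESS_ALLOW) -> bool:
    """Deny by default; permit only flows matching an explicit allow entry."""
    for proto, port, dst in allow:
        if flow.proto == proto and flow.dport == port and dst in ("*", flow.dst):
            return True
    return False

def filter_flows(flows, allow=EGRESS_ALLOW):
    """Split flows into permitted ones and a log of denied attempts."""
    permitted, denied_log = [], []
    for f in flows:
        if egress_allowed(f, allow):
            permitted.append(f)
        else:
            denied_log.append(f"EGRESS-DENY src={f.src} dst={f.dst} {f.proto}/{f.dport}")
    return permitted, denied_log

# Constructed sample of outbound connection attempts from one workstation.
SAMPLE_FLOWS = [
    Flow("10.0.1.20", "10.0.0.53", "udp", 53),      # DNS via approved resolver
    Flow("10.0.1.20", "8.8.8.8", "udp", 53),        # DNS to an external resolver
    Flow("10.0.1.20", "203.0.113.10", "tcp", 443),  # HTTPS
    Flow("10.0.1.20", "203.0.113.10", "udp", 69),   # TFTP
    Flow("10.0.1.20", "203.0.113.10", "tcp", 22),   # SSH
    Flow("10.0.1.20", "203.0.113.10", "tcp", 23),   # telnet
    Flow("10.0.1.20", "203.0.113.10", "tcp", 4444), # non-standard port
]
```

Note that the FTP entry only covers the control channel; on a real firewall, FTP's dynamically negotiated data connections need a protocol helper or a deliberate additional rule, which is exactly the kind of decision the helpdesk calls surface.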
2. Encrypt sensitive email. This one seems like such a no-brainer, and yet so many organizations send sensitive emails -- some containing confidential documents -- over the Internet without encryption.
I'm sure everyone in the InfoSec industry understands that SMTP traffic is completely clear text unless you take specific measures to encrypt it. There are a number of mature, well-regarded cryptographic standards and products that allow us to encrypt email, such as S/MIME, TLS, Pretty Good Privacy (PGP) and many proprietary options.