Skip to main content
SolarWinds MSP
  • Login
  • Support
  • Partnerships
    • Partnerships Overview
    • Solution Provider Program
    • Technology Alliance Program
    • Distributor Program
SolarWinds MSP
  • Products
    • SolarWinds N-central Automate what you need. Tackle complex networks. Try this remote monitoring and management solution built to help maximize efficiency and scale.
    • SolarWinds RMM Start fast. Grow at your own pace. Try this powerful but simple remote monitoring and management solution.
    • SolarWinds EDR Defend against ransomware, zero-day attacks, and evolving online threats with Endpoint Detection and Response
    • SolarWinds Backup Manage data protection for servers, workstations applications, documents and Microsoft 365 from one SaaS dashboard.
    • Mail Protection & Archiving Protect users from email threats and downtime.
    • Password Management Easily adopt and demonstrate best practice password and documentation management workflows.
      • Passportal Demo
    • PSA & Ticketing Manage ticketing, reporting, and billing to increase helpdesk efficiency.
    • Remote Support Help support customers and their devices with remote support tools designed to be fast and powerful.
  • Solutions

    I'm looking for...

    • Security Solutions
    • Monitoring Solutions
    • Efficiency Solutions
  • Resources
    • Blog
    • Webcasts & Events
    • Ask the N-central Experts
    • Daily Live Demos
    • RMM Foundations Training
    • Upcoming Events
    • Upcoming Webcasts
    • Resource Center
    • COVID-19 Resources
    • Resource Library
      • Case Studies
      • Product Information
      • eBooks
      • White Papers
      • Infographics
    • SolarWinds MSP Free Tools
    • GDPR Resource Center
    • Security Resource Center
    • MSP Institute Webinar Series
    • MSP Advice Project
  • About
    • Contact
    • Customer Success
    • Worldwide sales and support
    • Careers
    • Awards and Recognition
    • Get A Quote
    • Newsroom
      • Press Releases
      • In The News
      • Media Contacts
      • COVID-19 Response
    • Leadership Team
    • Legal
      • Cookie Policy
      • Privacy Notice
      • Software Services Agreement
      • Terms of Use
      • Backup Fair Use Policy
    • Security
      • SolarWinds Security Statement
      • Vendor Data Protection Requirements
    • Support
  • IT Departments
  • Contact Sales
    • Get A Quote
    • General Inquiry
  • TRY NOW
    • SolarWinds RMM
    • SolarWinds Backup
    • MSP Manager
    • SolarWinds Passportal
    • SolarWinds N-central
    • SolarWinds Mail Assure
    • SolarWinds Risk Intelligence
    • SolarWinds Take Control
  • Request a Quote
  • Try Now
    • SolarWinds RMM
    • SolarWinds N-central
    • SolarWinds Backup
    • MSP Manager
    • SolarWinds Mail Assure
    • SolarWinds Passportal
    • SolarWinds Risk Intelligence
    • SolarWinds Take Control
Request quote
Filter Blogs
  • Filter by:
  • MSP Business
    • Automation
    • Backup & Disaster Recovery
    • Security-series
    • Best Practices
    • Business
    • Business Growth
    • Business Risk
    • Cloud Computing
    • Customer Service
    • Cybersecurity
    • Cybersecurity Awareness Month
    • Data
    • GDPR
    • Internet of Things
    • IT Support
    • ITSM
    • LOGICcards
    • Machine Learning
    • Mail
    • Managed Services
    • Marketing
    • Mobile
    • Networking
    • Operations
    • Podcast
    • Product
    • PSA
    • Remote Management
    • Research & Trends
    • Risk Intelligence
    • Security
    • Security Vlog
    • Service Desk
    • Services & Support
    • The Head Nerds
    • Tips & Advice
    • Training
Home Blog MSP Business Seven ways to make yourself hard to hack
MSP Business

Seven ways to make yourself hard to hack

By Davey Winder
10 August, 2015

Call it layered security or defence in depth, but just make sure that you use it. While the concept is as old as IT security thinking itself, that doesn't make applying layers of security any the less relevant today. Choosing the correct layers, of course, is paramount. Think of defence in depth as being a risk mitigation construct applying multiple layers of control across the length and breadth of your IT environment and you will be pretty much on the money.

hard2hack

Doing this will not guarantee attack prevention, but it will slow down the bad guys and help protect your organisation against the inevitability of those attacks. Done properly, a layered approach to security will buy you time; the time you need to respond effectively to any attack and mitigate a potential breach. In other words, it makes you harder to hack.

Here are seven ways to do this and make your company hard to hack:

1. Network visibility
If you're pro-actively monitoring and maintaining their clients’ servers and workstations, then you'll know that an integral part of this is event log management, alerting and detective controls. Think of this as providing network visibility in a way that helps you fight off the bad guys by spotting them almost before they get started. Network visibility enables you to "scan all the things, count all the things, spot the anomalies, and apply policy accordingly." Of these, perhaps the most important factor is implementing proper event log management in order to turn boring data into patterns that can alert you to a breach before it has a chance to succeed. Security event monitoring of this kind can actually be very cost effective in providing meaningful analysis that leads to pro-active protection of infrastructure and the data within it.

If you want a degree of network visibility for free, then tools such as Alien Vault's ThreatFinder is powered by the Open Threat Exchange (OTX) and will check for compromised systems and malicious communication by correlating log file data against the live OTX database. Knowing what's connected to your network is also part of the visibility layer, and TripWire offer a free tool called SecureScan that will scan up to 100 IPs on your internal network and reveal lost or hidden devices. Remember, the more Internet-facing devices there are on your network, the greater the opportunity for compromise.

2. Web protection
Web protection is another essential layer of security, providing a window into controlling, monitoring and enforcing client web policies through a single front end. In fact, web protection is best thought of as being a policy-driven approach to security. Multiple devices can then point to a central policy that can be edited and scaled to suit a range of such devices rather than having device-level settings across the board as it were. Doing this enables you to apply website filtering by time or content, bandwidth checking to prevent network throttling, and ultimately help protect the business against legal liability.

3. Patch management
You can scan for attack patterns and apply all the policies you want, but with new vulnerabilities being exposed seemingly on a daily basis you will be hard-pressed to keep up with them all. Although patch management isn't a silver bullet and will not prevent zero day exploits or, indeed, unpatched vulnerabilities from hitting home, it will help you keep up with the bad guys. Rule of thumb is to subscribe to vendor notifications, keep an eye on security news sites, and patch as soon as it's safe to do so. That's where patch management enters the equation, as you need to not only know a patch is available but also that it's stable. Throwing an unstable patch at your live working environment without testing could do more damage to the business bottom line than the exploit it's trying to prevent.

4. Cover communication channels
Email protection is vital because just as email is baked into the DNA of your business, it's also baked into the DNA of the bad guys (check out this blog for more insight). Just look at how email is used as a distribution channel for spreading malware and even a direct launchpad for some malicious applications, not to mention social engineering through phishing attacks. The same is increasingly applying to social media channels such as Facebook and Twitter which, you could argue, are as much business communication tools as they are social ones these days. Look for a system that can apply blacklisting of known malicious senders, and anti-spam/anti-malware applications that can greylist email based upon contextual analysis.

When it comes to social media, the mantra to repeat is not to link accounts. By which I mean truly social and truly business profiles should be kept truly separate to help prevent ease of cross-infection should an attacker be successful in compromising one. Quickly follow this mantra with a 'educate your employees' one, because security-aware staff should be thought of as another layer in the security onion. See my "blame the messenger" blog  for further advice.

5. Encrypt that which needs encrypting
The problem with data encryption is that it is almost always seen as being a step too far in the security faff stakes; far too complex, far too expensive, far too much. The truth is that if you identify the data that's most valuable to your organisation and then focus on encrypting that, it doesn't have to be any of these things other than secure. That's secure if the worst does happen and the hackers breach your hardened attack surface. Encrypted data, which is encrypted strongly enough, will be beyond the abilities of most hackers outside of the Government Secret Squirrel types, and most likely them as well. Tablets and smartphones have firmware encryption built into the OS these days, so use it and they become useless to thieves.

Make sure your website is Hyper Text Transfer Protocol Secure (HTTPS) protected so the information transferred between it and client browsers is encrypted. Make sure to use HTTPS Everywhere, a collaboration between the Tor Project and the Electronic Frontier Foundation, so your web browser rewrites requests from unencrypted HTTP sites to secure HTTPS ones. And finally, checkout VeraCrypt, which has become the open source encryption container product of choice these days, following the demise in support terms of TrueCrypt from which it forked. It's easy to use, it works and it's free; use this to secure your USB memory sticks.

6. Become a data Dalek: authenticate, authenticate, authenticate...
Authentication, has anyone mentioned the authentication layer yet? Well they have now, and by this I specifically mean the use of password managers and multifactor authentication. Strong passwords are a no-brainer, or at least they should be, The problem being that any password that is lengthy, complex and random enough to be defined as strong, is impossible to remember unless they call you Rain Man. Throw multiple secure passwords into the equation and even Rain Man would struggle; whereas password managers do not.

LastPass Enterprise is a business-grade example, it's not free but with prices starting from (US) $18 a head it's as close as. This can allow you to manage a password policy from the cloud and generate truly secure passwords at the touch of a button. Even that, though, is not enough. You need to throw multifactor authentication into the mix. As it happens, you can add two factor authentication (2FA) to LastPass in the form of a physical token or smartphone app generated code. Whatever, the added security layer that is 2FA should be a baseline for any mature authentication policy these days as it adds something you have to something you know for a double whammy of hacker protection.

7. Secure erasure
No, not a geeky nineties pop duo tribute band, but rather the not so small matter of secure file deletion. It's the last item on our list of suggested layers, and it's often the last thing on the mind of otherwise security-savvy folk. After all, if you're removing something from the data equation it's no longer a security problem, right? Wrong! If you have not securely erased the file in question then it remains a potential security threat should the device it is on get into the wrong hands. Hitting delete doesn't delete data securely, and nor does formatting a drive for that matter. It is forensically possible to retrieve data really very easily and quickly, and importantly very cheaply now if someone wants to.

Your mission is to make that as hard as possible so that the investment in time becomes more than the likely profit in data restored would amount to. So at the very least encrypt your data then use secure deletion tools on individual files and folders, such as Eraser, which employs the Guttmann algorithm to overwrite drive space with a series of 35 random patterns. That's a free tool and towards the bottom of the paranoia-delete scale, but coupled with encryption is a good way to go.

Employ the costly services of hard drive shredders to chop your legacy drives into little bits of metal to do the job properly.

You might also like...
MSP Business

Operation Cloud Hopper-A wake-up call for MSPs and IT service providers

MSP Business

Are companies spending their IT Security Budget on the wrong things?

MSP Business

MSP Password Management

MSP Business

How to keep on top of the malware threat

MSP Business

Do we go overboard with security?

MSP Business

A brief history of DDoS… and how to defend yourself and your customers

Want to stay up to date?

Get the latest MSP tips, tricks, and ideas sent to your inbox each week.

Loading form....

If the form does not load in a few seconds, it is probably because your browser is using Tracking Protection. This is either an Ad Blocker plug-in or your browser is in private mode. Please allow tracking on this page to request a subscription.

Note: Firefox users may see a shield icon to the left of the URL in the address bar. Click on this to disable tracking protection for this session/site

Recent Posts
  • What the Head Nerds Were Up to in 2020
  • RMM and PSA Tools: How to Make the Most of Both
  • How to Empower an IT Help Desk Team for Success
  • Six Tips That Will Make Managing Your MSP Company Easier
  • January 2021 Patch Tuesday: One Actively Exploited Vulnerability and a Few Likely to Be
Categories:
  • Security (230)
  • Tips & Advice (122)
  • Best Practices (94)
  • Managed Services (86)
  • Backup & Disaster Recovery (83)
  • The Head Nerds (75)
  • Business Growth (75)
  • IT Support (42)
  • Business (39)
  • Automation (37)
  • Cybersecurity (37)
  • Operations (34)
  • Mail (33)
  • Remote Management (28)
  • ITSM (25)
  • Cloud Computing (21)
  • Networking (21)
  • Data (21)
  • Marketing (14)
  • Product (11)
  • PSA (11)
  • Service Desk (5)
  • Services & Support (5)
  • Mobile (4)
  • Risk Intelligence (4)
  • Customer Service (3)
  • Internet of Things (3)
  • Research & Trends (2)
  • Training (2)
  • GDPR (2)
  • Business Risk (1)
  • LOGICcards (1)
Show moreless
SolarWinds MSP

Products
  • SolarWinds RMM
  • SolarWinds N-central
  • SolarWinds Backup
  • SolarWinds EDR
  • SolarWinds MSP Manager
  • SolarWinds Mail Assure
  • SolarWinds Risk Intelligence
  • SolarWinds Take Control
  • SolarWinds Passportal
  • All Products Use Cases
Solutions
  • Security Solutions
  • Monitoring Solutions
  • Efficiency Solutions
  • Identify which RMM solution is right for me
  • Drive Efficiency with Automation
  • Manage my MSP Business More Efficiently
  • Manage my IT Department More Efficiently
  • Layered Security
  • Cross-Platform Support
  • Data-Driven Insights
About
  • About Us
  • Careers
  • Newsroom
  • Leadership Team
  • Upcoming Events
  • Subscription Preferences
  • SolarWinds
  • SolarWinds Trust Center
  • COVID-19 Response
Support
  • SolarWinds RMM
  • Solarwinds N-central
  • SolarWinds Backup
  • SolarWinds Mail Assure
  • SolarWinds Take Control
  • SolarWinds MSP Manager
  • Solarwinds Risk Intelligence
  • Solarwinds Threat Monitor
  • SolarWinds Passportal
  • SolarWinds Take Control Downloads
  • Backup & Recovery Downloads
  • Service Status

Footer 2

  • Legal Documents
  • Privacy
  • California Privacy Rights
  • Security Information
  • Sitemap

© SolarWinds MSP Canada ULC and SolarWinds MSP UK Ltd.
All Rights Reserved.