Establish basic perimeter defences

Small and Medium Organizations: Establish basic perimeter defences

Cyber threat actors can exploit networks and devices that connect to the Internet. By using basic perimeter defences, your organization can create safer networks and keep sensitive information safe.

What are examples of basic perimeter defences?

Your organization should use a dedicated firewall. A firewall is a hardware (or software) network security system that monitors and controls the flow of network traffic via a set of security rules. Firewalls sit at the entrances to networks, defending against cyber threats.

Your organization should implement a Domain Name System (DNS) firewall. DNS is the Internet equivalent to a phone book; it translates domain names into Internet protocol (IP) addresses. DNS firewalls can prevent users and devices from connecting to known malicious Internet websites by taking advantage of threat intelligence made available by the cyber security community.

There are additional risks to consider if your organization allows employees to work from outside of the office (i.e. from home or on the road) and connect remotely into a network from the Internet. If allowing employees to work remotely, you should understand the benefits and risks associated with using a virtual private network (VPN) connection. If using a VPN, you should ensure that it uses encryption and two-factor authentication.

Your organization likely uses wireless networks (Wi-Fi) to leverage advantages such as mobility, simplicity, and lower costs. When using Wi-Fi, avoid connecting to public networks. We recommend that you use networks that are secure and provide strong user authentication (i.e. use the WPA2 wireless security protocol). If your organization offers public Wi-Fi services for visitors and guests, never connect the public network to your internal network and resources (e.g. printers).

Be sure to segment point-of-sale terminals and financial systems, isolating them from the Internet and other areas of the corporate network via a firewall. Your organization should follow the Payment Card Industry Data Security Standard (PCI DSS), an information security standard meant to increase controls around credit card data and reduce fraud.

Your organization should have security measures to protect its email services. We recommend that you implement Domain-based Message Authentication, Reporting and Conformance (DMARC). DMARC is an email authentication, policy, and reporting system that can detect and prevent the forging of a sender’s email address. DMARC also addresses spam and malicious emails.
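A DMARC policy is published as a DNS TXT record; whether it actually blocks forged mail depends on the p= tag it carries. The following added example (not from this page or any vendor's tooling) parses constructed sample records and reports whether each one is invalid, monitoring only (p=none), or enforcing; no DNS lookup is performed.

```python
"""Check DMARC TXT records for enforcement strength (added example).

Sample records below are constructed for illustration; nothing is resolved.
"""

# Constructed sample TXT records keyed by a placeholder domain name
SAMPLE_RECORDS = {
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example; adkim=s; aspf=s",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:reports@monitor.example",
    "broken.example": "v=DMARC1; rua=mailto:x@broken.example",  # mandatory p= tag missing
    "spf.example": "v=spf1 -all",  # an SPF record, not DMARC
}


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict; None if not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # v=DMARC1 and a p= policy are both required for a usable record
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def assess_dmarc(txt):
    """Return (status, findings): status is invalid, monitoring or enforcing."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "invalid", ["not a well-formed DMARC record (needs v=DMARC1 and p=)"]
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", ["unknown policy p=" + tags["p"]]
    findings = []
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    if policy == "none":
        findings.append("p=none only monitors; forged mail is still delivered")
        return "monitoring", findings
    if tags.get("pct", "100") != "100":
        findings.append("pct=" + tags["pct"] + ": policy applied to only part of failing mail")
    if tags.get("sp", policy).lower() == "none":
        findings.append("sp=none leaves subdomains unprotected")
    return "enforcing", findings


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(domain, assess_dmarc(record))
```

Only a record that reaches "enforcing" with no findings blocks spoofed mail for the domain and its subdomains; p=none is the right starting point for collecting reports but should be moved to quarantine or reject once legitimate senders are accounted for.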

Recommendations for your organization:

  • Install a dedicated firewall at the boundary between the corporate network and the Internet
  • Implement a DNS firewall for outbound DNS requests to the Internet
  • Use secure VPN connectivity with two-factor authentication for all remote access to the corporate network
  • Use secure Wi-Fi for internal networks
  • Avoid connecting publicly accessible Wi-Fi networks to your corporate network
  • Follow the PCI DSS for all point-of-sale terminals
  • Use a firewall to isolate point-of-sale terminals from the Internet and other areas of the corporate network
  • Implement DMARC for email services
