The SANS Institute used to publish the SANS Top 20, which was their list of the top 20 most significant things impacting network security. While they have moved on from the top 20 to other approaches, most security professionals still know of and refer to the top 20, and many security products refer to scans for the “top 20” as one of their features. In today’s post, we’re going to look at the top 30 things you can do, today, without having to spend your entire IT budget, hire expensive consultants, or retool your network, to improve your network’s security. Let’s start.
1. Reset all your passwords
The older a password is, the longer an attacker has to crack it, and once they do, if you never change it, they can use it forever. When was the last time you changed your passwords? On how many systems do you use that same password? Do as you say, and not as you do, and change every password on a regular basis; also use different passwords on different systems so that if one system does fall, it’s not a gateway into other systems.
2. Enforce a password policy
Make sure you are enforcing a password policy that requires regular changes and password uniqueness, so that users have to do the same. Scan for accounts (other than service accounts) that are set to ‘password never expires’, and clear that flag.
3. Reset all shared passwords
When two or more people know a password, you have no way to determine which of those two logged on and did something. And when an admin leaves the company, there should be no way for them to leverage older information to access your systems. Go through and change the shared passwords for admin accounts and default logins to something unique per system. As there are probably plenty of former co-workers who know them, provision unique accounts for each admin on all systems that can support this.
4. Reset all the default passwords
The easiest way to access most systems is to look up the default credentials online and try them. Odds are good they will get you in. Go into all the applications and network devices, and change the default logins for them. Admin/admin is not a good login for anything, and every single default set of credentials is available online.
5. Review and disable all stale accounts
Once a user leaves the company, you must cut off their access. This ensures that no one can use their credentials, not just them. Run a scan of last login time for all accounts, and disable those that haven’t been used in more than 30 days. You don’t want old or unused accounts being available for attack or other inappropriate use.
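The two account reviews above (item 2, non-service accounts flagged ‘password never expires’, and item 5, accounts unused for more than 30 days) can be run as one pass over a directory export. This is an added example, not code from the original post; the account records are constructed, and the field names are assumptions that would map onto whatever your directory exports.

```python
from datetime import date, timedelta

# Constructed sample directory export (not real accounts). Assumed fields:
# user, service (service account?), pwd_never_expires, last_logon (ISO date or None).
ACCOUNTS = [
    {"user": "alice",      "service": False, "pwd_never_expires": False, "last_logon": "2014-10-20"},
    {"user": "bob",        "service": False, "pwd_never_expires": True,  "last_logon": "2014-10-21"},
    {"user": "jsmith",     "service": False, "pwd_never_expires": False, "last_logon": "2014-06-01"},
    {"user": "svc_backup", "service": True,  "pwd_never_expires": True,  "last_logon": "2014-10-22"},
    {"user": "contractor", "service": False, "pwd_never_expires": True,  "last_logon": None},
]


def review_accounts(accounts, today, stale_days=30):
    """Return two sorted lists: (never_expires, stale).

    never_expires: non-service accounts whose password never expires (item 2).
    stale: accounts with no logon in the last `stale_days` days, including
           accounts that have never logged on at all (item 5).
    """
    cutoff = today - timedelta(days=stale_days)
    never_expires = []
    stale = []
    for acct in accounts:
        # Service accounts are excluded from the expiry check, as in the text.
        if acct["pwd_never_expires"] and not acct["service"]:
            never_expires.append(acct["user"])
        last = acct["last_logon"]
        # An account that was never used is as risky as one unused for months.
        if last is None or date.fromisoformat(last) < cutoff:
            stale.append(acct["user"])
    return sorted(never_expires), sorted(stale)


if __name__ == "__main__":
    never, stale = review_accounts(ACCOUNTS, date(2014, 10, 22))
    print("password never expires:", never)
    print("stale (disable these):", stale)
```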
6. Update your servers
Operating system updates come out every month. Critical updates are released in response to active exploits compromising real systems right now. Pay attention to security bulletins, and update all your servers; Windows, Linux, Solaris, Mac, etc. to make sure they are running the most recent code to help protect against vulnerabilities.
7. Update your workstations
Workstations are even more critical to keep current, as users are on them and tend to click on things. Updates are released at least monthly, and if you are not patching every month, you are missing critical updates that could be the difference between being secure and being hacked.
8. Update your apps
Updating operating systems and Office suites is critical, but it’s not the only thing you need to do. Patch management software is your friend here. There are so many third-party apps on both your workstations and your servers that your best bet to keep them current is to use an app, like GFI LanGuard, that can cover both operating systems and third-party applications, and confirm the status of all systems.
9. Harden your wireless network security
Your four walls, ceilings, floors, and doors help to ensure no one can just walk in off the street and plug into your ethernet network. With wireless networking, they can sit in the parking lot or in a building across the street, and be in the range of your wireless network. To protect against unauthorized access to your wireless network, make sure you are using strong encryption (WPA2 Enterprise) and when possible, 802.1x to ensure only authorized devices can connect.
10. Run antivirus software on everything
Patching protects against vulnerabilities, but it cannot prevent malware. Whether it’s ransomware, keyloggers, backdoor Trojans, or botnet software, malware threats to your network are everywhere. You need to make sure every workstation, every server, and every other device that can run antivirus does. Yes, Macs can be infected by viruses too. You want 100% compliance and zero tolerance.
11. Update your network hardware
Have you heard of ShellShock, the bash vulnerability that has rocked the Internet? Do you know that most of your network hardware is probably running a bash shell? You need to get all your routers, switches, and firewalls up to date, and you need to do it now.
12. Update your mobile devices
With the proliferation of mobile devices like phones, tablets, and more, ensuring that these devices are up to date and configured securely is vital to making sure they are not a backdoor path into your environment and access to your data. Consider an endpoint security solution that has the ability to help you manage BYOD and mobile devices to ensure they are up-to-date.
13. Scan for vulnerabilities
Regular vulnerability scanning of your systems from both inside and outside your network is the best way to both assess your current state, and to see your network from the same point of view that potential attackers will. A vulnerability scanner is a vital piece of equipment for both security professionals and sysadmins, and will automate and simplify this process.
14. Obfuscate your banners
By default, most service banners will declare the vendor and version of whatever software is running. This makes it trivial for an attacker to determine exactly what attacks have the best chance of succeeding, especially if you are behind on your patches. Change your banners so that they reveal only the required information on all services which you can configure.
15. Lock your doors, drawers, and cabinets
Don’t overlook the importance of physical security. Keep the doors to your datacenters and wiring closets locked, and make sure your users lock their desk drawers and cabinets when they are not going to be in the office to protect sensitive data stored within; whether that is printouts, portable storage, ‘spare’ hardware, or optical media.
16. Upgrade your fax solution
One of the easiest ways to let confidential data slip is to leave paper copies out for others to see. The output tray of your fax machine is one of the biggest culprits here, since faxes come in all the time and the recipient is not standing there waiting for the output, or even aware that it was coming. A fax to email solution, like GFI FaxMaker, not only eliminates the old clunky hardware, but also delivers faxes straight to the user’s inbox and lets them print directly from an app to fax, so nothing needs to be left sitting around for prying eyes to see.
17. Update your publicly disclosed information
If a motivated attacker wants into your network, they are going to do reconnaissance. There’s a lot of information available online for an attacker to use to get the inside track on ways into your network. Check your website, data in WHOIS, network registrations, etc. and make sure not only that your information is correct, but that contacts go to shared mailboxes or distribution lists, rather than to individuals. It might be good to update phone numbers too, but whether you set those to the main company switchboard, or the department number, or your number, depends on what you have and whether you are comfortable with your receptionist recognizing social engineering attempts or not. More on that below.
18. Filter incoming email
Whether it’s simply spam, malware, or phishing attempts, the best way to ensure your messaging system is not the avenue of attack is to filter your incoming email. You can deploy on-premises filtering, or you can subscribe to a cloud-based service, but whichever way you choose to go, choose one that provides protection for your users against email-based threats and gives you total control over your email.
19. Set up SPF records to use hard fail
Help others avoid falling victim to spoofed email purportedly from your organization by implementing Sender Policy Framework (SPF) records and setting hard fail. You want to ensure that no unauthorized system is sending mail as if it is a part of your organization. SPF is the way to do that.
20. Configure your email system to reject fails
And to minimize the chance your own users will fall victim to a phishing message or other spoofed message, configure your own systems to reject any incoming messages that fail an SPF check.
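To make items 19 and 20 concrete, the following added example (not code from the original post) evaluates a sending IP against an SPF record and then applies the inbound policy the text recommends. It is a deliberate simplification: only `ip4`, `ip6` and `all` mechanisms are handled, and DNS-dependent mechanisms such as `include:`, `a` and `mx` are skipped; the records and addresses are constructed.

```python
import ipaddress

# SPF qualifier prefixes and the result each produces on a match.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip):
    """Evaluate sender_ip against an SPF TXT record (simplified).

    Supports ip4:/ip6: (with optional CIDR) and 'all'. Mechanisms that need
    DNS lookups (include:, a, mx, exists:) are skipped here by assumption.
    With no match and no 'all' term, SPF yields 'neutral'.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                      # an unprefixed mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":                    # '-all' is the hard fail from item 19
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"


def accept_inbound(spf_result, reject_softfail=False):
    """Item 20: reject messages whose SPF check fails; softfail is your call."""
    if spf_result == "fail":
        return False
    if spf_result == "softfail" and reject_softfail:
        return False
    return True


# Constructed records: the hard-fail form the text asks for, and a soft-fail one.
HARD_FAIL_RECORD = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"
SOFT_FAIL_RECORD = "v=spf1 ip4:203.0.113.0/24 ~all"
```

Note the practical difference: a mail server that only rejects on `fail` will still deliver a spoofed message when the sender domain publishes `~all`, which is why your own domain should publish `-all`.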
21. Block outbound traffic
There are certain protocols that your servers may need to access externally, but your users should never need. From your end-user subnets, use your firewall to block outbound access to SMTP and DNS, and investigate any systems that try to make connections to external servers for either. Unless the system belongs to another sysadmin, odds are good it is infected with something if it tries to use external services instead of your internal ones.
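Blocking is only half of item 21; the other half is finding the hosts that tried. The added example below (not code from the original post) runs that check over constructed firewall log lines: it reports any host in an assumed end-user subnet that attempted SMTP or DNS to anything other than the internal relay and resolver, whether the firewall allowed or denied the attempt. The log format, subnet and server addresses are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed network layout (constructed for this example).
USER_SUBNETS = [ipaddress.ip_network("10.20.0.0/16")]      # end-user desktops
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]        # anything here is "ours"
WATCHED_PORTS = {25: "smtp", 53: "dns"}                     # users never need these externally

# Constructed firewall log lines in an assumed key=value format (not a real device).
LOG_LINES = """\
2014-10-22T09:01:12 ALLOW src=10.20.4.17 dst=10.0.0.53 proto=udp dport=53
2014-10-22T09:01:13 ALLOW src=10.20.4.17 dst=10.0.0.25 proto=tcp dport=25
2014-10-22T09:02:40 DENY src=10.20.7.99 dst=198.51.100.9 proto=tcp dport=25
2014-10-22T09:02:41 DENY src=10.20.7.99 dst=198.51.100.10 proto=tcp dport=25
2014-10-22T09:03:05 ALLOW src=10.20.8.5 dst=192.0.2.53 proto=udp dport=53
2014-10-22T09:03:06 ALLOW src=10.1.1.4 dst=203.0.113.2 proto=tcp dport=25
2014-10-22T09:04:00 ALLOW src=10.20.8.5 dst=203.0.113.80 proto=tcp dport=443
"""


def parse_line(line):
    """Return (src, dst, dport) from one 'timestamp ACTION k=v k=v ...' line."""
    fields = dict(kv.split("=", 1) for kv in line.split()[2:])
    return (ipaddress.ip_address(fields["src"]),
            ipaddress.ip_address(fields["dst"]),
            int(fields["dport"]))


def suspicious_egress(log_text):
    """Map each user-subnet host to the external SMTP/DNS destinations it tried.

    ALLOW and DENY lines both count: the point is to find hosts that attempt
    it at all, since those are the ones worth investigating for infection.
    """
    findings = defaultdict(set)
    for line in log_text.splitlines():
        src, dst, dport = parse_line(line)
        if dport not in WATCHED_PORTS:
            continue
        if not any(src in net for net in USER_SUBNETS):
            continue            # servers and other subnets are outside this rule
        if any(dst in net for net in INTERNAL_NETS):
            continue            # using the internal relay/resolver is expected
        findings[str(src)].add((WATCHED_PORTS[dport], str(dst)))
    return {host: sorted(dests) for host, dests in findings.items()}
```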
22. Filter web content
Whether or not you want to control what your users access on the web, you definitely want to protect them. Even reputable websites can be compromised, and start serving up malware in downloads or malicious scripts in web pages. You can use web filtering software to help protect your users without having to monitor what they are doing or decide what they are allowed to do. Of course, if you do want to restrict Internet access, or even just ensure that unfettered access does not lead to a loss of productivity, web filtering software is the right solution for those too.
23. Disable clear text protocols
Whether prying eyes are from curious co-workers at the office, or nefarious sorts lurking around coffee shops, you should not have your users accessing anything that is sensitive or requires authentication over clear text protocols. It’s easy to sniff network traffic, intercept logons, and see usernames and passwords when the protocols in use are clear text. Think websites, email systems, queries to Active Directory or other LDAP systems, shell access to routers/switches/firewalls… anything that uses clear text should also be able to use encrypted protocols. Switch over.
24. Set screensavers and timeouts
You don’t want unauthorized users to walk up to a logged in but unattended PC and start browsing for data, or worse, destroying things. Your policy should require users to lock their workstations when they walk away, but use a GPO to force a screensaver after a certain amount of inactivity, and to always require a password to unlock the system to cover when users slip up and forget.
25. Encrypt your hard drives
Lost or stolen laptops, or even hard drives stolen out of servers in data centers, can contain a wealth of sensitive information. One way to help prevent that data being compromised is to encrypt all hard drives. That way, even if a drive is stolen, the thief won’t have access to the data.
26. Encrypt your portable media
USB keys, portable hard drives, and backup tapes go missing all the time. Their very nature makes them mobile, and it is easy for accidents to happen. Just as you protect data on your systems from compromise by encrypting all hard drives, you should encrypt all portable media.
27. Encrypt your mobile devices
Mobile phones and tablets that can access your corporate email can also contain all sorts of sensitive data, and they too are easily misplaced or stolen. Use Exchange ActiveSync policies to enforce encryption on mobile devices, so that if a thief tries to access the SD card before you can perform a remote wipe, they won’t get anything of value.
28. Block external OOO
Out-of-office responses are very useful to inform your co-workers when you are away, but they can give far too much information away to others. A malicious attacker has all that he or she needs to launch a social engineering attack against your helpdesk if they know an executive is OOO and where they have gone. If your business needs are such that you must allow OOO responses to be sent to external recipients, require that they only be sent to those who are in your employees’ contact lists so that you are limiting the scope of external parties who will know when someone senior is out of the office and unlikely to regularly check their email.
29. Update your policies to use regular language
Internet Access and Acceptable Use Policies all tend to suffer from the same problem. They are written by technical people to address technical issues, but regular users can’t understand them. Review your policies to make sure they are current and that users can understand what is expected of them and how to comply.
30. Train your users
Your users are your first and your last line of defence, and are also the best equipped to help you help them to protect your network and your data. But they must be trained. Do not look at your users as a burden or as a source of trouble, because if they are, it is because you made them that way by not talking to them, educating them, and keeping them informed of the whys and the hows behind all the whats that you expect of them.
If you can take many of these 30 actions now, you can quickly improve your security by leaps and bounds, and be well positioned to defend against threats from both inside and outside your network.