- Never think that it won't happen to you, or that nobody will create a new way of attacking. Example, when Microsoft was first formulating their Office bundle with a powerful scripting language (early 1990's; to allow anyone, to do anything, from anywhere), a number of people in the industry warned that this would allow miscreants to create viruses with it, but Bill Gates claimed that 'Nobody would do that'. Thank you Bill for giving people the tools to create viruses and worms such as; Concept, Melissa, & Love Letter.
- Never assume that one particular method will cover all your security/data protection concerns. Humans are fallible, and those fallible people make, maintain, and run our systems.
- Do educate the user community; Have a continuing education program where you are regularly training the end users on how to use the systems safely. Have an intranet that contains what you have trained your users on, and do regular e-mailings to remind the users of how to use the systems safely. Do include how to do things safely at home, as many system infections have started at a users home and either come into the office on a notebook or via VPN.
Remember "Ignorance: The Hackers' Best Friend", so lets reduce that knowledge gap
- Don't assume a particular system or platform is totally protected. While some platforms are fundamentally more secure than others, they all have their defaults that need changing, and they all have some security concerns that need watching for.
- Do factor security in to every project. Every project should have a security implications document written for it, and don't accept "no security concerns because it is behind the firewall" as the majority of security concerns actually come from inside your systems (i.e. the end users) such as notebooks infected elsewhere.
- Passwords. Have and enforce a solid password policy, make them strong and change them regularly. Passwords do get cracked and/or spread around, so make them hard to crack and limit the life span of any discovered passwords.
"Treat your password like your toothbrush. Don't let anybody else use it--and get a new one at least every six months"
- FireWalls. Implement them with the policy of block all traffic except what you explicitly allow through. This means both for inbound and outbound traffic, such as only the email server should be allowed to send email through the firewall, therefore blocking many of the modern worms that have built in email servers.
- AntiVirus. Do run it on all your servers, especially email and file servers, and run it on all the PCs. And most importantly, update frequently, automated if possible. Remember that antivirus tools generally only catch yesterday's viruses and worms, so having auto updating PCs helps clean up after a new virus or worm sneaks through the outer defenses before the antivirus vendors have images for them.
- Remove unneeded services on systems. Many servers auto install services such Web server, LDAP, SNMP, etc.. If you aren't going to use it, then turn it off, if you are going to use it, make sure example configurations and sample code are removed. One of the larger 'advancements' in Windows 2003 vs. 2000, that Windows2003 only installs what is needed and not everything (like Windows2000) and therefore not exposing a server to more possible attacks than necessary
- Patches: make sure your systems are regularly patched and up to date. Any time you install a new system, bring it to the most current patch level before connecting it to the net. Bad patching practice is why 2+ year old worms such as Code Red and Nimda are still running around in the 'wilds of the net' and can quickly infect newly installed but not yet patched systems.
- Backup data frequently and perform periodic test restores as part of a disaster recovery plan. If all else fails, being able to restore data that was destroyed may be your last line of defense. Blessed are the pessimists for they have current backups.
- Make sure all your systems are on the same time. This is very easy to do with NTP (Network Time Protocol) and makes troubleshooting and forensics a whole lot easier.
Konecny Consulting Inc. can assist you with all of these and other items such as; security policies, design, implementation, repair, maintenance, assessments, and audits.
Last updated 2009-05-13