It’s that time again. We’re one month into the New Year, when we look back at the goals and resolutions we set out to accomplish and were adamant we’d achieve.
Enterprises make resolutions, too – in the form of quarterly and annual plans. But whether you are an individual with a new year’s resolution to get into the gym or an enterprise seeking to improve security, achieving your goals can be difficult without knowing the individual steps needed to move forward.
I can’t tell you how to motivate yourself to go to the gym, but I can provide tips to help make 2011 the year that your company boosts enterprise security.
Here are 12 important tips to get you started:
Tip 1: Inspect Your Hardware
Track down any appliances such as routers and switches that are still using factory default passwords for the administrator account. Wherever you find factory defaults change these logins to require unique, cryptographically complex passwords that are not easily cracked or guessed.
Tip 2: Account for Job Role Changes
Review employee work role changes and turnover in the IT department and examine whether any systems that were accessed by former staff still have the same administrator passwords. If so, change these logins immediately.
Tip 3: Examine Your Web Applications
Check your organization’s websites for the use of embedded credentials in clear text, and for any static connection strings with credentials that may still be known to the site’s developers. Change these to unique and complex passwords so that previous access methods are no longer available.
Tip 4: Stop Sharing Passwords
Determine if IT staff are sharing passwords or publishing login credentials on a spreadsheet that is visible to too many people. It’s surprising how many individuals within IT still practice this downright dangerous behavior.
Tip 5: Stop Reusing Passwords
Catalog all highly privileged accounts used on critical systems and eliminate any common login credentials that don’t need to be reused.
Tip 6: Start Changing Passwords
Confirm that IT staff are changing administrator and root passwords on a regular basis and ensure that the current passwords are not generally known.
Tip 7: Lock Down Your Servers
On all of the lights-out management cards that provide console-level access to your datacenter servers, confirm that each password is different, not generally known, and not the vendor defaults.
Tip 8: Isolate Critical Devices
Move sensitive IP-controlled devices (such as lights-out management, switches, power control, and environmental devices) onto their own secure networks that are not accessible except by specific machines; consider using VPN technology to access these sensitive networks.
Tip 9: Adopt SIEM
Use Security Information and Event Management (SIEM)/logger technology to capture events and allow their correlation.
Tip 10: Keep Testing
Perform regular penetration testing (pen testing) of external and internal systems to confirm that critical systems are not subject to compromise, either by newly-discovered or well-worn threats. Consider contracting with outside vendors who are familiar with the latest threats for help with these tests. Many organizations use a combination of off-the-shelf pen testing software and outside contractors to achieve “belt and suspenders” coverage when it comes to vulnerability testing.
Note: Perform regular pen testing on systems and applications, whether internally-developed or vendor-supplied. Do not rely on appliance vendors’ assertions that their products are inherently more secure; black-box hardware that relies on “security by obscurity” can set up your organization for big failures when it comes to security and data availability.
Tip 11: Get It On Record
Consider installing session recording software onto sensitive systems to monitor local desktop and remote desktop activities.
Tip 12: Check Those Patches
To ensure your systems are up-to-date with the right patch levels, connect manually to the Microsoft online update server to see if security patches are still being applied.
Note: We have seen the legacy Microsoft Update application stop working without any notice. In one instance, we’ve seen critical servers that stopped automatically updating for more than eighteen months.