Take Control of Your Security
Here are five things you can do right now— this minute—that will increase security on your networks.
We know what we need to do to secure our information systems, but we
just don’t do it. Oh, I know we don’t have all the answers. I know there’s
always a way that someone can break into a system. But we do have most
of the answers. We know how to prevent most attacks from being successful.
But instead of systematically hardening the operating system; instead
of physically securing systems; instead of instilling a culture of security
that includes everyone—yes, I mean everyone—in the business of security;
instead of doing these things, we run around patching systems and screaming
about the latest vulnerability that evil Microsoft has blessed us with.
Then, when we lose data and have to report to the citizens of California
that their credit card data was stolen, we blame someone else.
Stop. Look. Listen!
Stop. Stop right now. You’re either blindly reacting, or you’re paralyzed
into inaction. Stop reacting; stop sitting on the fence; start acting.
Take control of information security. Note that I said information security—computers
are one small part of that. You need a comprehensive plan that secures
information wherever it resides—on the mainframe, on the Linux Web server,
in the Active Directory, on a PDA, in or available through smart phones
and in the hearts and minds of employees, contractors, partners and customers
of your organization.
Here’s the simple idea to change your reactive model of information security to a more proactive one: “Hardened systems are secure systems.” By hardened, we mean locked down, secured and stripped of inessentials. By systems, we mean computers, networks and people. How do you do this? Write the policy. Engage management in the discussion. Dig out the reference works that tell you how to secure whatever it is you have to secure and get busy. If you have to, harden one computer at a time. Harden one concept at a time. Harden one user at a time.
Above all, mount your hardening, securing campaign in at least two directions:
a) The big picture, and b) The intimate reality of your day-to-day work.
Much of the cultural change needed won’t come swiftly or easily. It requires
planning and commitment. It requires evangelists and disciples, leaders
and doers, talkers and strong, silent types. Making security as easy and
as pervasive as breathing won’t happen overnight. But you can effect significant
changes in the security posture and actual security status of your networks
right now by doing things under your control. Here are five things you
can do right now—this minute—that will increase security on your networks.
1. Create a Stronger Password Policy
I know that this may be something that organization-wide, you can’t do
alone. However, you can, and do, have the authority to change the logical
password policy. This means the technical control of changes at the domain
level may not be possible right away, but you can, depending on your authority,
demand stronger passwords and password management by members of your own
staff, by those with local accounts on servers and, if nothing else, by
There’s no reason you can’t impose policy-based restrictions on IT administrators
or anyone who requires special access to servers. They include those who
do backups or have admin privileges on a server in order to administer
a database or other server application. Think of the damage that an attacker
could do by obtaining these administrative passwords. At the very least,
change yours, right now!
2. Lock Down Remote Administration
You may need to access a server remotely to administer it, but that doesn’t
mean you should allow that access to others. Where possible, use IPSec
or other protected communications. You can also use IPsec to block access
to ports required by your remote administrative programs, and then allow
administrative access to the ports by allowing access from designated
administrative workstations. In many cases, only a few accounts need any
access at all to a specific computer over the network; lock the rest out.
Also, just because the sheer number of managed computers may require remote
administration, it doesn’t mean all servers must be managed that way.
Require that computers with sensitive roles or data be administered from
the console only, and enforce that by preventing administrative accounts
from accessing the computer across the network.
3. Lock Down Administrative Workstations
Designate certain workstations as administrative workstations and harden
them. How much? Just as hard as you can. Start by putting them in a secured
area, reinstalling the operating system and adding the latest service
pack and security patches (do this off the network). Use IPSec or a personal
firewall to control egress and ingress (what goes in and out) and use
software restriction policies to prevent the use of non-approved software.
Use the workstations for administration only; no playing Solitaire, no
4. Physically Secure All Systems
Begin with your own. Ask yourself these questions: Do you use a cable
lock for your laptop when moving around with them, even in your own building?
When you travel, do you leave it unlocked in the hotel room? What data
is on the hard drive? Remember that with most laptops, the hard drive
can be removed even if the computer is cable locked. Data is what the
attacker wants anyway.
What about your PDA? What’s on it that would be damaging if lost? If your computer is a desktop, who can physically access it? Can it be stolen? The hard drive removed? Don't make it easy for theives; why would an attacker bother crafting code to break into your systems when all he or she has to do is steal them? Why penetrate your network defenses when she can walk by and insert a CD-ROM with malignant code on it—or use her USB data-storing wristwatch to steal data?
Keep servers locked up. Remove CD-ROMS and floppies from computers in
public areas. Provide traveling laptop users with cable locks. Make sure
those with access to the data center don’t allow others in. Don’t prop
open doors. Don’t allow tailgating—the process where someone follows an
authorized person into the data center. Teach security guards to look
for contraband. (Even those picture-taking phones should be considered
unacceptable in many organizations.)
5. Learn To Shut Your Mouth
It’s not rude to refuse to talk about issues that might compromise security.
It’s a good practice. It’s one thing to share a security-hardening tip
or to alert someone to a bad practice that can be corrected, and another
thing to reveal your own systems’ security weaknesses by talking about
them to others. I know you would never intentionally do this, but I see
on a daily basis information that could be used to successfully attack
other networks. You must become aware of what it is you’re telling people
or publishing sensitive information to your Web servers where any one
can find it by Googling on a few key words. Think of the security of your
information systems as if you were protecting your family or your country.
Don’t let your complaint, need to impress people with your knowledge or
request for help made to a public list reveal more than it should.
Hardening networks isn’t a simple chore, nor is it one that can be done
overnight. There are things you can do; I’ve given you some of them. There
are many guides to securing systems. The key is to start right now. Remember:
Hardened systems are secure systems.
This article is adapted from the upcoming book Hardening Windows Systems, by Roberta Bragg, part of a new information security series, the “Hardening Series” (Osborne McGraw-Hill).