To get started with securing your network, you don’t need to begin with a multi-million dollar project with multiple penetration tests, massive network audits, widespread operating system upgrades, and the installation of eye-wateringly expensive security appliances. Those are all great things to do if you have the staff and budget, but just starting with some entry-level basics will provide a huge step forward in securing your network from today’s more common vulnerabilities. These ten practices are relatively easy and quick ways to create the foundation of a robust security program.
1. Patching
Keeping operating system patches up to date may seem like a no-brainer, but it still seems to fall by the wayside even in large organizations. I use the term “patching” very loosely here because I want to highlight the importance of updating all operating systems, not just Windows.
It’s important to set a regular Windows patch schedule and automate it using whatever tools you have available. Whether this is weekly or monthly, the key is that it’s regular and systematic.
Also remember all the other operating systems running on the network. This means keeping track of and updating the software running on network devices such as routers, switches, and firewalls, and also Linux-based operating systems commonly used for many servers and specialized end-user use cases.
2. Endpoint Virus Protection
Not long ago, endpoint virus protection was a bear to run because of how resource intensive it was on the local computer. This is not at all the case anymore, and with how frequently malware sneaks into networks via email and random web-browsing, endpoint protection is an absolutely necessary piece of any meaningful security program.
3. Policy of Least Privilege
Keep in mind that attack vectors aren’t all external to your network. It’s important to keep things secure internally as well. Assigning end-users only the privileges they need to perform their job function is a simple way to provide another layer of protection against malicious or even accidental deletion of files, copying or sending unauthorized data, or accessing prohibited resources.
4. Centralized Authentication
Using individual or shared passwords to access company resources is a recipe for a security breach. For example, rather than using a shared pre-shared key for company wireless, use 802.1X authentication and a centralized database of users such as Windows Active Directory in order to lock down connectivity and restrict what resources users can access. This can be applied to almost any resource including computers, file shares, and even building access.
5. Monitoring and Logging
Monitoring a network and keeping extensive logs can be very expensive simply because of the cost associated with the hardware and licensing needed to audit and store large amounts of data. However, this may be one area in which it would be a good idea to explore some software options. Most network devices have very few built-in tools for monitoring and logging, so even a basic software solution is still a huge step forward. This is very important for creating network baselines in order to determine anomalous behavior as well as traffic trends needed to right-size network designs. Additionally, having even very basic logs is priceless when investigating a security breach or performing service-desk root cause analysis.
6. End-user training
The only way to completely secure a network is to turn off all the computers and send them to the bottom of the ocean. Until management approves such a policy, end-users will be clicking on links they shouldn’t be clicking on and grabbing files from the file share just before their friendly exit interview. End-user training is a practice in changing culture and security awareness. This is a difficult task for sure, but it’s an inexpensive and non-technical way to strengthen the security posture of an organization. End-user training should include instructions on what red flags to look for in suspicious email and how to report suspicious activity. It should also include training to prevent password sharing and how to use email properly.
7. Perimeter Security
The perimeter of the network is where the local area network meets the public internet, but today that line is very blurred. A shift toward a remote workforce, the use of cloud services, and the movement away from private circuits means that the public internet is almost an extension of the LAN. Traditionally, perimeter firewalls were used to lock down the network edge and stop any malicious attack from the outside. Today, so much necessary business traffic ingresses and egresses the perimeter firewall that it’s important to keep firewall rules up to date and maintain a very keen awareness of what services run on the network. For example, a very simple modification for egress filtering is to restrict outbound traffic to any destination on port 25 (Simple Mail Transfer Protocol) to only the email server. This simple firewall change prevents an infected computer from generating outbound mail traffic and possibly marking the organization as a spam originator.
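The egress rule above and the log baselining from section 5 fit together: before you restrict tcp/25 to the mail server, run the rule over the firewall’s existing connection logs to see which hosts it would block (and which may already be infected). This is an added example, not code from the original article; the log format, the mail server address 10.0.0.25 and the sample log lines are all constructed assumptions.

```python
"""Find hosts that send outbound SMTP (tcp/25) other than the mail server.

Added example, not from the original article. The log line format and the
addresses below are assumptions; the log sample is constructed.
"""
import re
from collections import Counter

MAIL_SERVER = "10.0.0.25"  # assumed: the only host allowed to send on tcp/25

# Constructed firewall connection log (syslog-style, assumed field layout).
SAMPLE_LOG = """\
Mar 12 09:01:02 fw1 ACCEPT proto=tcp src=10.0.0.25 dst=203.0.113.10 dport=25
Mar 12 09:01:07 fw1 ACCEPT proto=tcp src=10.0.0.57 dst=198.51.100.7 dport=443
Mar 12 09:01:09 fw1 ACCEPT proto=tcp src=10.0.0.57 dst=203.0.113.40 dport=25
Mar 12 09:01:10 fw1 ACCEPT proto=tcp src=10.0.0.57 dst=203.0.113.41 dport=25
Mar 12 09:01:12 fw1 ACCEPT proto=tcp src=10.0.0.88 dst=192.0.2.9 dport=25
Mar 12 09:01:15 fw1 ACCEPT proto=udp src=10.0.0.88 dst=192.0.2.53 dport=53
"""

LINE_RE = re.compile(
    r"proto=(?P<proto>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Extract protocol, source, destination and destination port; None if no match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"proto": m["proto"], "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def egress_allowed(rec, mail_server=MAIL_SERVER):
    """Model of the article's rule: outbound tcp/25 is allowed only from the mail server."""
    if rec["proto"] == "tcp" and rec["dport"] == 25:
        return rec["src"] == mail_server
    return True


def find_smtp_violators(log_text, mail_server=MAIL_SERVER):
    """Return {source: count} for connections the rule would have blocked."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and not egress_allowed(rec, mail_server):
            hits[rec["src"]] += 1
    return dict(hits)


def port_baseline(log_text):
    """Per-source count of destination ports: a minimal baseline for spotting new behaviour."""
    base = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            base.setdefault(rec["src"], Counter())[rec["dport"]] += 1
    return base


if __name__ == "__main__":
    print(find_smtp_violators(SAMPLE_LOG))  # hosts other than 10.0.0.25 talking on tcp/25
```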
8. Enterprise IoT
The Internet of Things may certainly be a buzzword in some people’s minds, but many companies have been dealing with a multitude of small, insecure, IP-enabled devices for years. Manufacturing companies often use hand-held barcode scanners, medical facilities use IP-based tracking devices for medical equipment, and large office campuses use IP-based card access readers for doors. These devices aren’t always very secure, sometimes using port 80 (unencrypted HTTP) for data transmission. This can be a big hole in an organization’s network security posture. Some organizations have the money and staff to implement custom management systems for these devices, but an entry-level approach to get started could be to simply place all like devices in a VLAN that has very restricted access. Applying the policy of least privilege to a network’s IoT devices is a great first step toward securing the current influx of IP-enabled everything.
9. Personal Devices
End-users’ personal mobile devices, including smartphones and tablets, often outnumber corporate devices on many enterprise networks. It’s important to have a strategy to give folks a pleasant experience using their devices while keeping in mind that these are normally unmanaged and unknown network entities. To start, simply require by policy that all personal smartphones must use the guest wireless. This may ruffle some executive feathers, but really there’s almost no reason for a tiny smartphone to access company resources while on the LAN. Of course there are exceptions, but starting with this type of policy is at least a good company conversation starter to move toward a decent end-user experience without compromising network security.
10. Physical security
It may go without saying that a company’s servers, network devices, and other sensitive infrastructure equipment should be behind locked doors, but often this is not the case. Especially in smaller organizations where there may be a culture of trust, entire server rooms are unlocked and accessible to anyone walking by. Physical security can take the form of biometric scanners to enter secure data centers with cameras peering down from overhead, but a simple first step is to lock all the network closets and server room doors. If keys are unaccounted for, locks should be changed. Additionally, disabling network ports not assigned to a workstation, printer, or other verified network device is a good way to prevent guests from plugging their non-corporate devices into the corporate network.
You don’t need to mortgage the farm to start making great strides in your organization’s security posture. These relatively simple and entry-level tasks will prevent most of the attack vectors we see today. Start with the basics to lay the foundation for a strong network security posture.