In-Depth

Take Control of Your Security

Here are five things you can do right now— this minute—that will increase security on your networks.

• By Roberta Bragg
• 01/01/2004

We know what we need to do to secure our information systems, but we just don’t do it. Oh, I know we don’t have all the answers. I know there’s always a way that someone can break into a system. But we do have most of the answers. We know how to prevent most attacks from being successful. But instead of systematically hardening the operating system; instead of physically securing systems; instead of instilling a culture of security that includes everyone—yes, I mean everyone—in the business of security; instead of doing these things, we run around patching systems and screaming about the latest vulnerability that evil Microsoft has blessed us with. Then, when we lose data and have to report to the citizens of California that their credit card data was stolen, we blame someone else.

Stop. Look. Listen!
Stop. Stop right now. You’re either blindly reacting, or you’re paralyzed into inaction. Stop reacting; stop sitting on the fence; start acting. Take control of information security. Note that I said information security—computers are one small part of that. You need a comprehensive plan that secures information wherever it resides—on the mainframe, on the Linux Web server, in the Active Directory, on a PDA, in or available through smart phones and in the hearts and minds of employees, contractors, partners and customers of your organization.

Here’s the simple idea to change your reactive model of information security to a more proactive one: “Hardened systems are secure systems.” By hardened, we mean locked down, secured and stripped of inessentials. By systems, we mean computers, networks and people. How do you do this? Write the policy. Engage management in the discussion. Dig out the reference works that tell you how to secure whatever it is you have to secure and get busy. If you have to, harden one computer at a time. Harden one concept at a time. Harden one user at a time.

Above all, mount your hardening, securing campaign in at least two directions: a) The big picture, and b) The intimate reality of your day-to-day work. Much of the cultural change needed won’t come swiftly or easily. It requires planning and commitment. It requires evangelists and disciples, leaders and doers, talkers and strong, silent types. Making security as easy and as pervasive as breathing won’t happen overnight. But you can effect significant changes in the security posture and actual security status of your networks right now by doing things under your control. Here are five things you can do right now—this minute—that will increase security on your networks.

1. Create a Stronger Password Policy
I know that this may be something that organization-wide, you can’t do alone. However, you can, and do, have the authority to change the logical password policy. This means the technical control of changes at the domain level may not be possible right away, but you can, depending on your authority, demand stronger passwords and password management by members of your own staff, by those with local accounts on servers and, if nothing else, by yourself.

There’s no reason you can’t impose policy-based restrictions on IT administrators or anyone who requires special access to servers. They include those who do backups or have admin privileges on a server in order to administer a database or other server application. Think of the damage that an attacker could do by obtaining these administrative passwords. At the very least, change yours, right now!

2. Lock Down Remote Administration
You may need to access a server remotely to administer it, but that doesn’t mean you should allow that access to others. Where possible, use IPSec or other protected communications. You can also use IPsec to block access to ports required by your remote administrative programs, and then allow administrative access to the ports by allowing access from designated administrative workstations. In many cases, only a few accounts need any access at all to a specific computer over the network; lock the rest out. Also, just because the sheer number of managed computers may require remote administration, it doesn’t mean all servers must be managed that way. Require that computers with sensitive roles or data be administered from the console only, and enforce that by preventing administrative accounts from accessing the computer across the network.

3. Lock Down Administrative Workstations
Designate certain workstations as administrative workstations and harden them. How much? Just as hard as you can. Start by putting them in a secured area, reinstalling the operating system and adding the latest service pack and security patches (do this off the network). Use IPSec or a personal firewall to control egress and ingress (what goes in and out) and use software restriction policies to prevent the use of non-approved software. Use the workstations for administration only; no playing Solitaire, no e-mail.

4. Physically Secure All Systems
Begin with your own. Ask yourself these questions: Do you use a cable lock for your laptop when moving around with them, even in your own building? When you travel, do you leave it unlocked in the hotel room? What data is on the hard drive? Remember that with most laptops, the hard drive can be removed even if the computer is cable locked. Data is what the attacker wants anyway.

What about your PDA? What’s on it that would be damaging if lost? If your computer is a desktop, who can physically access it? Can it be stolen? The hard drive removed? Don't make it easy for theives; why would an attacker bother crafting code to break into your systems when all he or she has to do is steal them? Why penetrate your network defenses when she can walk by and insert a CD-ROM with malignant code on it—or use her USB data-storing wristwatch to steal data?

Keep servers locked up. Remove CD-ROMS and floppies from computers in public areas. Provide traveling laptop users with cable locks. Make sure those with access to the data center don’t allow others in. Don’t prop open doors. Don’t allow tailgating—the process where someone follows an authorized person into the data center. Teach security guards to look for contraband. (Even those picture-taking phones should be considered unacceptable in many organizations.)

Take More Control Take Control of Your Network http://mcpmag.com/features/article.asp? editorialsid=390 Take Control of Your Users http://mcpmag.com/features/article.asp? editorialsid=392 Take Control of Your Vendors http://mcpmag.com/features/article.asp? editorialsid=393 Take Control of Your Career http://mcpmag.com/features/article.asp? editorialsid=394

5. Learn To Shut Your Mouth
It’s not rude to refuse to talk about issues that might compromise security. It’s a good practice. It’s one thing to share a security-hardening tip or to alert someone to a bad practice that can be corrected, and another thing to reveal your own systems’ security weaknesses by talking about them to others. I know you would never intentionally do this, but I see on a daily basis information that could be used to successfully attack other networks. You must become aware of what it is you’re telling people or publishing sensitive information to your Web servers where any one can find it by Googling on a few key words. Think of the security of your information systems as if you were protecting your family or your country. Don’t let your complaint, need to impress people with your knowledge or request for help made to a public list reveal more than it should.

Hardening networks isn’t a simple chore, nor is it one that can be done overnight. There are things you can do; I’ve given you some of them. There are many guides to securing systems. The key is to start right now. Remember: Hardened systems are secure systems.

This article is adapted from the upcoming book Hardening Windows Systems, by Roberta Bragg, part of a new information security series, the “Hardening Series” (Osborne McGraw-Hill).