IT Security and Breach Prevention


John-Paul Damico

Feb 5, 2013, 10:49:42 AM
to after-hours-c...@googlegroups.com
A client of ours has asked me to write up a short Do's and Don'ts for Network Security to help them stay within IT security best practices.

This is such a broad subject, I thought I'd open this up to the team.  If you were going to tell the owner of a company (non IT) what they should do to keep their network and systems secure, what would you tell them?


John-Paul Damico

Feb 5, 2013, 11:00:43 AM
to after-hours-c...@googlegroups.com
First, keep your anti-virus software up to date on all your systems. Use a malware scanner regularly. Enable and use a firewall, even if it's just the Windows one. Make, and enforce as corporate (and network) policy, that only IT downloads and installs software. Removable drives are to be checked over by IT on an isolated system before use, and at regular intervals while in use. Backups are vital and should be done frequently.

Cordially,

Kevin Cody

John-Paul Damico

Feb 5, 2013, 11:01:35 AM
to after-hours-c...@googlegroups.com
-Duke Forster

Short Version-

Do:
  Have a "network usage policy" signed by everyone using your network
  Have security enabled for your WiFi
  Change default passwords (you would be surprised how often they are not)
  If feasible, track the devices that you allow on your network
  Install/scan virus protection on computers before they access your network
  Use an intrusion detection system if possible, there are good free resources
  Use groups and the "need-to-know" process for file access, do not give access where it is not needed. Groups help with this in larger organizations
  Use VPN over SSL for external connections
  Use HTTPS when transferring personal or customer data

Don'ts:
  Don't use WEP security for WiFi
  Don't assume Apple products are secure
  Don't assume phones are secure
  Don't use Bluetooth, if possible
  Don't force too much security on your users, it may make you more secure but less productive. Example, forcing changed passwords too often without using old ones.

- Duke Forster

Hou Xiao

Feb 5, 2013, 11:33:05 AM
to after-hours-c...@googlegroups.com
Do whatever and make sure everybody has our number in hand. Why feel worried? Just trust our techs!

John-Paul Damico

Feb 5, 2013, 12:04:21 PM
to after-hours-c...@googlegroups.com
True words Hou!

Kevin Cody

Feb 5, 2013, 6:35:38 PM
to after-hours-c...@googlegroups.com
With laptops that are used outside the secured corporate network (outside sales reps, delivery people, etc.),
do not use Windows, if at all possible. Consider one of the Linux variants. It might make more work for your
IT staff, but the systems will be far less likely to be compromised. While encrypting a hard disk will make
the data more secure if the laptop is lost or stolen, be cautious as some hardware level encryption has been
known to fail in ways that make the drive unusable. Laptop users should be given a laptop advisory sheet they
have to sign, acknowledging being given the laptop, and the consequences they may encounter in losing or
damaging the laptop (e.g., having to pay for part or all of the replacement cost).

All corporate computers that are retired should at the least have the hard drives reformatted.

Personal laptops and tablets should be limited to a guest network if they are to be given network access at all.

When a user leaves the company, their account should be severely restricted in what it can "see" and do on the network,
if the account is not simply deleted.

Kevin Cody

Feb 5, 2013, 6:48:57 PM
to after-hours-c...@googlegroups.com
Android or Apple-type devices (smartphones, tablets, etc), if corporate property, should have anti-virus protection installed before issuance.
Again, a signed advisory sheet outlining the consequences of a lost, stolen or damaged device should be signed by the person
using it.

Todd Von Schulze

Feb 6, 2013, 7:52:49 AM
to after-hours-c...@googlegroups.com
I have always found Sans.org to be a great source for all things "security". Below I have provided a link to the 20 Critical Security Controls. There you can download a 90 page PDF detailing each, as well as a poster that gives a brief synopsis of each. And if you really want to go crazy with security, check out NIST 800-53. There you will find a 240 page document on how to implement these security standards. Happy reading!
 

Juergen Nittner

Feb 6, 2013, 12:12:45 PM
to after-hours-c...@googlegroups.com
I suggest an initial three point critical security implementation.
I. REVIEW
  • Security Audit
  • Address immediate critical issues (IT side: patches, upgrades, etc.)
  • Proper account schema.
II. Next, so as not to overwhelm the employees, a very modest security scheme should be implemented.
  • Safe practices.
  • Password guidelines.
  • Ongoing client OS Security Maintenance.
III. Finally, but most important! 99.9% of all effort should be put into COMPLIANCE, EDUCATION, COMPLIANCE, EDUCATION, COMPLIANCE, EDUCATION, did I forget anything, oh yeah, COMPLIANCE AND EDUCATION. Maybe a little spot employee auditing to gauge success of implementation should be done for good measure.

Juergen Nittner

Feb 7, 2013, 8:38:27 AM
to after-hours-c...@googlegroups.com
Oh and I just ran across a good pub on doing just that.
http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf

David Rhoades

Jun 3, 2015, 1:08:03 PM
to after-hours-c...@googlegroups.com
A few things:
On any wireless router make sure WPS is turned off. This has an automatic security hole that is known but not fixed or even being fixed.
Secondly, make sure they are using a professional grade firewall, not a Linksys. The handshake on the cheaper models sends a bit from the actual wireless key. The professional grade (SonicWall, Cisco, Sophos et al.) create a new code for each password and then discard it when the correct connection key is given. Makes for a more difficult crack.
Thirdly, make sure the guest wireless network is different and locked out of the business network.
Fourthly, lock down the MAC addresses allowed to attach to the network. This can prevent any one of a number of issues.
Fifthly, train everybody on proper security. Prevent phishing, as well as don't let them store their passwords in written form.
Finally, use proper content filtering.

Roger Hopkins

Jun 17, 2015, 3:55:16 PM
to after-hours-c...@googlegroups.com
Some small additions of mine, I'm sure I'll be adding more later...
  • If you use shared folders, keep them served from a server and not a user's workstation.
  • Users should have their own usernames and passwords for every resource they require. No sharing account credentials!
At one of my jobs there was a shared folder with an Excel spreadsheet used by over 10 different people. They all used the same username to access it, and it was living on one person's computer! What a nightmare! Moved it onto a server where everyone accessed it via their own domain username and password...

DigiDan

Jul 21, 2016, 6:41:48 PM
to After Hours Computer Repair
I would tighten down the ship and implement some hardened group policy, especially for those that BYOD!