Data and network security in small businesses is largely a grey area for many owners and managers without specialized expertise. Basic concepts such as encrypting wireless connections and using passwords on devices and in programs have become common knowledge. Most businesses also understand that they should be backing up data. However, network security has many more levels of complexity than those few simple mandates. So, what steps can you take that are both simple and instantly effective?
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
Deploy an automated asset inventory tool that both scans designated IP address ranges and analyses traffic to identify devices and software. You can’t secure your network unless you know exactly what hardware and software is running on it.
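The core of controls 1 and 2 is a comparison: what the scan found versus what someone has approved. The script below is an added illustration, not a tool from the original article. It parses a constructed neighbour-table dump (the "ip neigh" style output a LAN scan produces; the addresses are made up) and checks every hardware address against a constructed authorized asset register, reporting devices nobody approved and registered devices that did not answer. Real deployments feed it from a scheduled scan and the asset spreadsheet instead of the inline samples.

```python
import re

# Constructed sample of what a neighbour-table dump ("ip neigh" style) from the
# office LAN might look like. Not captured from any real network.
SAMPLE_NEIGHBOURS = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.10 dev eth0 lladdr 00:11:22:33:44:10 STALE
192.168.1.11 dev eth0 lladdr 00:11:22:33:44:11 REACHABLE
192.168.1.57 dev eth0 lladdr AA:BB:CC:DD:EE:57 REACHABLE
192.168.1.99 dev eth0  FAILED
"""

# Constructed authorized asset register: MAC address -> (hostname, owner).
# In a real deployment this is the spreadsheet or CMDB export that whoever
# approves new hardware keeps up to date.
AUTHORIZED = {
    "00:11:22:33:44:01": ("office-router", "IT"),
    "00:11:22:33:44:10": ("fileserver", "IT"),
    "00:11:22:33:44:11": ("ws-alice", "Alice"),
    "00:11:22:33:44:12": ("ws-bob", "Bob"),
}

# Only entries that resolved to a hardware address carry "lladdr"; FAILED or
# INCOMPLETE lines are skipped because there is no device to account for yet.
NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dev\s+\S+\s+lladdr\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+\S+$",
    re.IGNORECASE,
)


def parse_neighbours(text):
    """Return a list of (ip, mac) pairs with MACs normalised to lower case."""
    found = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            found.append((m["ip"], m["mac"].lower()))
    return found


def audit(neighbours, authorized):
    """Compare what was seen on the wire against the register.

    known   : devices seen whose MAC is in the register
    unknown : devices seen that nobody has approved (investigate these)
    missing : registered devices that did not answer (offline, moved, or gone)
    """
    seen_macs = {mac for _, mac in neighbours}
    known = [(ip, mac, authorized[mac][0]) for ip, mac in neighbours if mac in authorized]
    unknown = [(ip, mac) for ip, mac in neighbours if mac not in authorized]
    missing = sorted(mac for mac in authorized if mac not in seen_macs)
    return {"known": known, "unknown": unknown, "missing": missing}


def report(text=SAMPLE_NEIGHBOURS, authorized=AUTHORIZED):
    """Run the audit over a neighbour dump, print the exceptions, return the result."""
    result = audit(parse_neighbours(text), authorized)
    for ip, mac in result["unknown"]:
        print(f"UNKNOWN device {mac} at {ip}: not in asset register")
    for mac in result["missing"]:
        host, owner = authorized[mac]
        print(f"MISSING device {host} ({mac}, owner {owner}) did not respond")
    return result


if __name__ == "__main__":
    report()
```

The "missing" list matters as much as the "unknown" one: a registered laptop that stops appearing may simply be off, but it may also have left the building, and the register is the only thing that will tell you which devices to ask about.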
3. Secure Configurations For Hardware and Software on Laptops, Workstations, and Servers
Remove games, hyperterminals and the “crapware” that comes bundled with many end-user machines, and unnecessary software on servers. If you need six applications on a machine, then there should be six, not twenty. Ideally, deploy standardized images, and document whenever a non-standardized image is used for any reason. We have three words: standardize, standardize, standardize!
4. Secure Configurations For Network Devices Such as Firewalls, Routers, and Switches
Implement ingress and egress filtering, allowing only those ports and services with a documented business need. Configurations should be documented and checked to ensure they are secure.
5. Boundary Defense
Deploy whitelists and blacklists and an IDS, and configure outbound controls. If you have no egress monitoring, you are leaving yourself vulnerable.
6. Maintenance, Monitoring, and Analysis of Security Audit Logs
Logs are created for a reason. Make sure they are monitored so you can see what is happening on your network and spot any anomalies or unusual behaviour.
Use Web application firewalls and application layer security to protect your applications from SQL injections, cross site scripting and other attacks.
8. Controlled Use of Administrative Privileges
Some IT staff need admin privileges, but not for reading email. Ensure they have different accounts and passwords for admin and non-admin activities. It’s also important to ensure that all devices have usernames and passwords changed from their defaults.
9. Controlled Access Based on Need to Know
Make sure you know which data needs protecting, where it is, and who needs access to it, and ensure controls are in place to restrict access to authorized users.
10. Continuous Vulnerability Assessment and Remediation
One way to do this is to use a vulnerability scanner like Nessus. It needs to be updated and run often, because a mild vulnerability one day can become a critical vulnerability the next.
11. Account Monitoring and Control
Disable any accounts that can’t be associated with current staff or contractors, and create a procedure for disabling accounts when users leave. It’s also useful to generate regular reports on accounts that are not used regularly and on attempts to access disabled accounts.
12. Malware Defenses
Ensuring anti-malware software is running on all systems is important, but make sure you have a system in place so that every system is updated regularly. Another quick win measure you can take is disabling autorun for removable storage devices.
13. Limitation and Control of Network Ports, Protocols, and Services
Make sure your routers can only be accessed internally, and that firewalls or filters drop all traffic except for services and ports that are explicitly allowed.
14. Wireless Device Control
Scan for rogue access points on your network regularly. Using centrally managed enterprise-class devices with an authorized configuration and security profile is also important. (more on this in part II)
15. Data Loss Prevention
Ensure that laptop hard drives are encrypted, and scan outbound traffic on your network for keywords. Make sure that all desktops are storing data on the servers rather than locally, and back up your server data EVERY day, preferably both onsite and offsite.
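The "scan outbound traffic for keywords" part of control 15 is simple to start with, and the script below is an added example of the check, not code from the original article or from any DLP product. It runs over constructed outbound message bodies (the text a mail gateway or web proxy would hand over; the names and numbers are made up) and flags two things: a watch-list of terms the business treats as sensitive, and runs of digits shaped like a payment card number, which are only reported when they also pass the Luhn check so that order and invoice numbers do not flood the alerts. Matched card numbers are masked in the finding so the alert itself does not copy the data it is meant to protect.

```python
import re

# Constructed watch-list of terms the business treats as sensitive; in practice a
# short list of labels, project code names and document types.
KEYWORDS = ["CONFIDENTIAL", "Project Falcon", "payroll"]

# 13 to 19 digits, optionally separated by spaces or dashes: the shape of a payment
# card number. The pattern alone over-matches, so candidates are checked below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits):
    """Luhn check-digit test; real card numbers pass it, most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep the first six and last four digits so the alert is actionable
    without reproducing the full number."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_payload(text, keywords=KEYWORDS):
    """Return a list of (kind, detail) findings for one outbound message body."""
    findings = []
    lowered = text.lower()
    for kw in keywords:
        if kw.lower() in lowered:
            findings.append(("keyword", kw))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card_number", mask(digits)))
    return findings


# Constructed outbound message bodies, keyed by a made-up message id.
SAMPLE_MESSAGES = {
    "budget-mail": "Hi, attached is the Project Falcon budget. CONFIDENTIAL, do not forward.",
    "support-chat": "Card on file is 4111 1111 1111 1111, exp 12/26, please update it.",
    "shipping-notice": "Your order 1234567890123 shipped today and arrives Tuesday.",
}


def scan_all(messages=SAMPLE_MESSAGES):
    """Scan every message; return {message_id: findings} for those with a hit."""
    hits = {}
    for msg_id, body in messages.items():
        findings = scan_payload(body)
        if findings:
            hits[msg_id] = findings
    return hits


if __name__ == "__main__":
    for msg_id, findings in scan_all().items():
        print(f"{msg_id}: {findings}")
```

Keyword matching is case-insensitive and deliberately crude; the value is in keeping the watch-list short and reviewing the hits, since a long list of generic words produces alerts nobody reads. The Luhn step is what keeps the card-number check usable: the 13-digit order number in the third sample matches the pattern but fails the check and is correctly ignored.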