I'm frequently called to implement advanced computer security infrastructures, things like PKI, network-access management, intrusion protection systems, honeypots, and intrusion detection systems. Although I'm glad to offer my assistance and experience in planning and deploying these types of systems, I'm often surprised about a given organization's disregard of the basics.
Many of the same companies hiring me to implement these advanced security systems allow all their end-users to log on as local administrators or with root. This is akin to building an impenetrable castle protected by huge walls and a moat, then always leaving the drawbridge down.
Not allowing end-users to log in as a local administrator or root will defeat 70 percent to 80 percent of today's most popular threats. Perhaps vendors, particularly Microsoft, could do a better job at making it easier to follow this advice, but it doesn't change the fact that this little nugget is among the most-repeated recommendations from any vendor. And companies around the world almost universally ignore it. Unsurprisingly, their users' computers get exploited and hacked, and the company often blames the vendor and the "weak" software.
Note: Microsoft's forthcoming Windows Vista client will have many improvements that assist administrators in making sure their users use the appropriate, least-privileged accounts.
I propose that one of the best cost/benefit security moves any company can make is to take a step back, review the current security configuration of its assets, and fix the basics before looking into more advanced solutions. Spending a week or two doing this can provide immediate returns, compared with waiting for a three-year payback on an unproven device or solution.
I have to admit that this idea isn't my own -- it's stolen from the military. For example, every few years the military suffers from a spate of "random" incidents such as, say, airplane or helicopter crashes, accidental weapons fire, or unpredictable cases of post-traumatic stress. When management (the generals, admirals, or commanders) note a spike in such events, they often order a stand-down, which requires the entire affected force to drop all non-essential duties for the entirety of the stand-down period.
Everyone must re-examine current SOPs (standard operating procedures) to see if they need to be modified or, more likely, how they aren't being universally applied. Either way, after the stand-down review period, the spate of random incidents always seems magically to decrease.
Here are some basic computer security checks you can do for your own stand-down review:
- Do a complete inventory of all managed assets.
- Inventory all installed software and remove unauthorized software.
- Review running server services and remove unnecessary software.
- Inventory security permissions and implement correct security permissions.
- Inventory user accounts and remove unused accounts.
- Review the number of highly privileged accounts and who needs them.
- Review router and firewall access control lists.
- Review password policy and enforce complex passwords.
- Review physical protection of assets.
- Review patch management success.
- Do a spread spectrum analysis on network traffic and review any unexpected protocols.
- Review anti-virus infrastructure success.
- Review e-mail security policy.
- Review small computer security policies for potential management efficiencies.
- Review security automation tool success.
- Review software programming secure coding practices.
- Review backup policies and audit success.
The key is that reviewing and implementing all the things we are always told to do will provide more bang-for-the-buck security than all the expensive, specialized security devices you can purchase.
If you want to have a highly secure environment, one that is less prone to attack than your competitors', take a step back and review the basics. Many readers will read this column and shrug off my advice, but if you don't routinely review the basics, a hacker will.