I travel the world helping people make their computers and networks more secure. A question I get asked every week is, "What are the best steps I can take to protect my network?" I can understand the concern. Despite increasing amounts of the IT budget being thrown at the problem, nearly every computer security survey taken says malicious computer hacking has never been worse. It's more criminal in nature and more pervasive, and it's stealing more money and identities than ever before.
In general, we're doing a fairly good job of securing our servers, even though application coding security errors abound and continue to be the main weak server link. But Security Development Lifecycle (SDL) and code review tools are starting to permeate more programming departments. Other initiatives, such as the SANS Secure Programming Assessment program, are working to improve secure programming skills and methodologies.
Despite the advances in programming, we seem unable to convince some end-users to stop clicking on things they should not be clicking on. Client-side attacks continue to be a huge risk in most environments. Malicious hackers aren't as concerned with breaking into servers directly anymore; it's far easier to break into an end-user's workstation inside the firewall and security perimeter, then attack from within. Research the latest public hacking reports -- you'll find a large percentage of them include a reference to an infected insider.
The best bang-for-the-buck defenses for client-side attacks haven't changed in a decade. It doesn't matter what platform you have; whether it's Windows, Linux, BSD, Solaris, AS/400, or a mainframe, the same protection rules apply. If you want a more secure network, focus on these four tasks, in order of decreasing importance:
Prevent people from clicking on things they shouldn't click on: This one is easier said than done. It normally involves all the software and settings we associate with antimalware programs (that is, anti-virus, anti-spam, antispyware, and so on). It means blocking malicious e-mails and file attachments, as well as filtering out malicious Web links. End-user education will never prevent a small minority of users from being tricked into clicking something they shouldn't, so focus on making it absolutely impossible for them to click on the wrong thing.
Keep your computers and devices fully patched: Keep all your computers fully patched: applications, operating systems, and every computing device. Admins are doing a good job of keeping the OS patched. Heck, in the vast majority of cases, just accept the default vendor settings and your OS should patch itself. Many applications are taking the auto-patch approach, and that is a good thing. Still, I rarely find a company that has even one workstation fully patched and up to date. I'm not talking about a machine that is behind one or two weeks; most computers contain unpatched software many months old.
If we throw in network devices and appliances, the patching percentage is even worse. I've yet to penetration-test a facility that had fully patched routers and security devices. The very devices they depend on for protection are the ones that appear to be the least patched. This fact continues to befuddle me, but it's true in most environments. I assume that stand-alone appliances are unwittingly considered "hardened" by most people, so they don't put as much emphasis on patching them. But even more, device and appliance vendors are horribly neglectful in creating mechanisms to automate the process of pushing down critical OS and application patches to their own devices. They patch and update the application running on the device, but not the underlying OS.
Even when you have the best patching process in place and patch everything, there will be some percentage of patches that fail to install. Do you test for that? Is your missed patch reporting accurate?
Don't log on as root or admin all the time: It's easier to say this than to accomplish, but no one should be logged in with an elevated account all the time. Every OS has a method of providing alternate, less-privileged logins, each with its own advantages and disadvantages. However you accomplish this, every moment you actively compute at reduced level while not accomplishing administrative tasks is an improved moment in safety.
Use strong passwords: No user password should be shorter than 8 characters. It's even better if they are 9 or 10 characters long. Elevated accounts should have even lengthier passwords. Passwords should not be shared between internal and external sites, and they should be changed every 90 or so days. Account lockout should be turned on. I don't care what the account lockout settings are, but the mechanism should be enabled to prevent easy brute-force guessing.
Of course, there are many more security tasks to accomplish than these four, but if administrators were better at this quartet -- consistently better -- the risk of malicious exploit would drop significantly.