You often hear that security is a journey and not a destination. That's true because when managing the security of your networked assets, you always have to try and stay one step ahead of your opponents - the criminals, malcontents and miscreants who want to steal, alter and destroy your data. You can't stay in one place for very long, because your opponents are always honing their methods and trying harder and using increasing creativity each day to breach your network and access the assets it contains. And in many cases the attacks aren't even related to a network breach, since the most painful and destructive attacks are carried out by insiders who are authorized to connect to your network.
The bad guys and the good guys will always be vying for the lead - and sometimes they will be ahead of you and sometimes you will be ahead of them. Perhaps it's more accurate to say that security is a race (similar to an arms race) where you and your adversary take turns outsmarting each other.
However, even though security is a journey that never ends, you need to be aware of and take advantage of checkpoints along the way. These are the things that you do to improve your organization's overall security posture, and things you do to assess your security posture at any single point in time. Then after making the assessment, you can make adjustments to change your security configuration and advance it ahead of where it was before.
With that in mind, I offer you this list of eight things you can do to improve your security today.
Optimize Physical Security
There's an old saying in the security business: if the bad guys can take physical control of the computer, then the game is over. Once they are in possession of the machine, they can use a number of tools to access information on disk and perhaps even in memory - and of course, they can also access any information moving to and from the "p0wnd" computer. Therefore, physical security must be a primary concern before you even start thinking about any other security methods you can deploy.
Physical security might include:
- Key, card or biometric access controls to the rooms where computers are located
- Video recording of the entrances and exits of the rooms where the computers are located
- Logging and reporting entries and exits into the rooms where the computers are located
- Posting guards or other observers at the entries and exits of the rooms where the computers are located
Physical security goes a long way toward preventing the most egregious of attacks against your systems. But it's only the first step. As we know all too well, if a computer is connected to a network, the bad guys don't have to have physical access to do great damage.
Use Host-Based Firewalls
Network firewalls seem to get most of the attention. There's a certain sexiness about network firewalls, and many observers seem to imbue them with almost magical powers of protection. However, if you look at the man behind the curtain, you'll find that most firewalls in deployment today provide little more security than what you see at American airports - that is, the network firewall is in large part about appearances and does less than it might seem to actually secure your network. One of the reasons for this is that the most severe attacks often come from inside of the network, so the network firewall's job of preventing external users from accessing intranet resources provides diminishing returns.
In contrast, a host-based firewall is able to protect the computing assets from all attackers, both insiders and outsiders. In addition, sophisticated host-based firewalls can be configured to allow inbound connections for only the specific services that computer provides for users. These host-based firewalls (such as the Windows Firewall with Advanced Security) can even require that users or machines authenticate at the network layer, so that if a user can't authenticate or isn't authorized, he will never get near the application layer - and it's at the application layer where most of the vulnerability exists and all of your data are located.
Partition Your Network into Security Zones
A front-end Web server is different from the database server to which it connects when it comes to security zoning. A file server hosting publicly available files is different from a SharePoint server that hosts your secret marketing plans for a hot new product your company is putting out next quarter. An outbound SMTP relay is different from a reverse web proxy server, because it's in a different security zone.
You should assign your computing assets to different security zones and then create physical or logical partitions between those zones. If you want to use physical partitions, you should make sure that resources assigned to different zones have firewalls or some other network access control devices separating them. If you want to use logical security zones, you can take advantage of IPsec and server and domain isolation to create virtual partitions between the security zones.
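The two ideas above (a host-based firewall that admits only the services a machine actually provides, and IPsec-based server isolation between zones) can be expressed as a single configuration on a Windows server. The following is an added example, not code from the article: it uses the NetSecurity cmdlets that ship with Windows 8 / Windows Server 2012 and later, assumes the host is domain-joined and provides SMB file sharing, and uses a hypothetical domain group `FileServer-Clients` to represent the zone of computers allowed to talk to it.

```powershell
# Added example (not from the article). Run elevated on the domain-joined
# file server; the group name "FileServer-Clients" is a placeholder.
Import-Module NetSecurity
Import-Module ActiveDirectory   # only needed to look up the group SID

# 1. Default deny inbound on every profile; log what gets dropped so that
#    unexpected traffic between zones shows up in the firewall log.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Server isolation: inbound traffic must be authenticated with IPsec
#    (computer Kerberos by default), so an unauthenticated peer never reaches
#    the application layer. Outbound only requests IPsec so the server can
#    still talk to hosts in lower zones that do not run it.
New-NetIPsecRule -DisplayName 'Server isolation: authenticate inbound' `
    -Profile Domain -InboundSecurity Require -OutboundSecurity Request

# 3. Allow only the one service this host provides, and only to authenticated
#    computers in the client group. The SDDL ACE carries the group's SID.
$clientSid = (Get-ADGroup -Identity 'FileServer-Clients').SID.Value
New-NetFirewallRule -DisplayName 'SMB in - authorized clients only' `
    -Direction Inbound -Protocol TCP -LocalPort 445 -Action Allow -Profile Domain `
    -Authentication Required -Encryption Required `
    -RemoteMachine "O:LSD:(A;;CC;;;$clientSid)"

# 4. Everything else (RDP, management ports, ...) has no allow rule and is
#    dropped by the default action. Review what is still open:
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Select-Object DisplayName, Profile |
    Sort-Object DisplayName
```

Deploy the matching connection security rule to the client computers (normally through Group Policy) before enabling step 2 on the server; a client with no IPsec rule cannot complete the negotiation and is locked out, which is the desired behaviour for machines outside the zone but a self-inflicted outage for the ones inside it.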
Creating security zones allows you to focus your security efforts, and your monitoring attention on the highest value assets. Lower value assets assigned to lower security zones are also protected, but the amount of time and money you spend on assets in the lower security zones is much less, because the cost of compromise is relatively lower than the cost of compromise of those in a higher security zone.
Enforce Least Privilege to All Resources
The principle of Least Privilege states that users and administrators should have access only to the resources and controls that they need to get their jobs done. Users should only be able to access web sites they need to visit in order to get their jobs done, they should only be able to use the applications they need to get their jobs done, and administrators should only be able to make configuration changes that are appropriate to their levels of authority, and none above that.
In these days of the "consumerization of IT", the entire principle of least privilege seems to have been turned on its head. While it might seem that way, the value and the validity of least privilege hasn't changed; for every level of privilege a user or an administrator has above what they need, there is an incremental increase in the risk of compromise. Just because people want to use an iPad to connect to corporate assets doesn't automatically mean that it's a good idea. We too often take the path of least resistance and give people what they want, rather than what they need.
That goes double for administrators, who too often have carte blanche to do what they want just because they are administrators. Determine how permissions are delegated to the administrators of services you provide to your users. The Exchange administrators, the database administrators, the SharePoint administrators, the CRM administrators, and all the other services administrators should have the levels of access to controls that are appropriate to their administrative roles, and no more. Modern applications enable you to delegate the appropriate permissions to different levels of administrators. Take advantage of that ability to delegate.
As for end-users, provide them access to the services and data they need to get their work done and prevent access to anything other than that. The same goes for applications. If the application isn't on the approved list, then use automated methods to prevent application installation for applications that aren't approved by IT.
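An added example (not the article's own code) of the two least-privilege checks just described: reviewing who actually holds administrative rights, and building an application allow-list so that software not approved by IT cannot run. It uses the ActiveDirectory and AppLocker modules; the approved software is assumed to live under `C:\Program Files`, and the policy is first applied in audit mode so the event log shows what would have been blocked.

```powershell
# Added example (not from the article). Run elevated on a domain-joined host
# with the ActiveDirectory and AppLocker modules installed.
Import-Module ActiveDirectory
Import-Module AppLocker

# --- Who is an administrator? Nested membership is where stale rights hide. ---
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object Name, objectClass, distinguishedName |
    Sort-Object Name
# Local Administrators on this host (Windows 10 / Server 2016 and later):
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, PrincipalSource, ObjectClass

# --- Application allow-list ----------------------------------------------------
$policyPath = Join-Path $env:TEMP 'approved-apps.xml'

# 1. Publisher rules for signed binaries, hash rules for unsigned ones, built
#    from the directory that holds the approved applications.
Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse |
    New-AppLockerPolicy -RuleType Publisher,Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $policyPath -Encoding UTF8

# 2. Audit first. Enforcing a policy that does not also allow %WINDIR% blocks
#    Windows itself, so merge the default rules before switching to 'Enabled'.
[xml]$policy = Get-Content -Path $policyPath
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'   # change to 'Enabled' after review
}
$policy.Save($policyPath)

# 3. Dry-run a file that should NOT be allowed (path is a placeholder).
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path 'C:\Users\alice\Downloads\unapproved-installer.exe'

# 4. Apply locally (use -Ldap to write it into a GPO for the whole OU).
Set-AppLockerPolicy -XmlPolicy $policyPath
```

While the policy is in audit mode, the AppLocker operational log (`Microsoft-Windows-AppLocker/EXE and DLL`) records every executable that would have been denied; review that list with the application owners before flipping the collections to `Enabled`.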
Use Whole Disk Encryption
Whole disk encryption through the use of BitLocker can go a long way toward protecting your critical information. It can even help you in the event of a physical compromise. For example, if someone steals a server from your server room, the offender could mount the drive on that server by booting into Linux and reading the file system from there, in what is called an "offline" attack. The good news is that offline attacks are preventable by using BitLocker to encrypt the disk.
But whole disk encryption is no longer limited only to internal hard drives. With Windows 7 and Windows Server 2008 R2, you can use it on USB keys, USB drives, and other types of removable media. Create policies mandating that removable media on which company data is stored must always be encrypted using BitLocker.
Removable media that is connected to smart phones used by users in your organization should also be encrypted. Policies should require use of smart phone operating systems or applications that support encryption of the microSD card if corporate data is going to be stored on them. The data stored on the phone's internal memory should also be encrypted. Users should use smart phones that can be remotely wiped in case of loss or theft.
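The following is an added example, not code from the article, showing how the BitLocker policy described above can be put into practice with the BitLocker module (Windows 8 / Windows Server 2012 and later): protect the operating system volume with the TPM and escrow a recovery password to Active Directory, encrypt a removable drive (assumed to be mounted at `E:`) with a passphrase, block writes to removable drives that are not BitLocker-protected, and report any volume that is still unprotected.

```powershell
# Added example (not from the article). Run elevated; assumes a TPM is present
# and a removable drive is mounted at E:.
Import-Module BitLocker

# 1. OS volume: key sealed by the TPM, plus a recovery password that is backed
#    up to AD DS so a forgotten PIN or a board swap does not mean lost data.
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod Aes256 -TpmProtector -SkipHardwareTest
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
$recovery = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $recovery.KeyProtectorId

# 2. Removable media (BitLocker To Go): passphrase-protected, used space only
#    so a large mostly-empty stick is ready quickly.
$passphrase = Read-Host -AsSecureString -Prompt 'Passphrase for removable drive E:'
Enable-BitLocker -MountPoint 'E:' -EncryptionMethod Aes256 `
    -PasswordProtector -Password $passphrase -UsedSpaceOnly

# 3. Policy backing for "company data on removable media must be encrypted":
#    the "Deny write access to removable drives not protected by BitLocker"
#    setting, written to its policy registry value.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name 'RDVDenyWriteAccess' -Value 1 -Type DWord

# 4. Compliance check: every known volume whose protection is not 'On'.
function Get-UnprotectedVolume {
    Get-BitLockerVolume | Where-Object {
        $_.VolumeType -ne 'Unknown' -and $_.ProtectionStatus -ne 'On'
    } | Select-Object MountPoint, VolumeType, VolumeStatus,
                      ProtectionStatus, EncryptionPercentage
}
Get-UnprotectedVolume
```

`Get-UnprotectedVolume` is the piece worth scheduling: a volume that was encrypted but later suspended (for example by a firmware update that called `Suspend-BitLocker` and never resumed) shows `ProtectionStatus` of `Off` while `VolumeStatus` still reads `FullyEncrypted`, and this check catches that case.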
Update, Update, Update!
You probably know this already, but one of the most effective measures you can take to increase your overall security posture is to keep your systems up to date with application and security updates. While many admins will complain that Microsoft products need to be updated too often because of security issues, the fact is that Microsoft is more security-minded than almost any other vendor because they are so assiduous about updating their software. If you use software (and that software can also represent firmware for hardware devices) from a vendor that rarely updates, don't fool yourself into thinking that the lack of updates has any relationship to the known or potential vulnerabilities in that software. It's more often than not a reflection of the level of attention the vendor gives to discovering and repairing security issues with their software.
Updating should be done as soon as possible, since once the updates are released, the hackers and attackers are aware of the flaws and will try to leverage them during the time between the release of the update and the time it takes to deploy the fix. This is the "zero day" period, the critical window of vulnerability. If you use automatic updates and immediately install the fixes when they become available, your window of vulnerability will be much smaller.
However, many firms need to test security updates because they have line of business applications that may not "get along" with every security update, and therefore they need to know in advance about any incompatibilities that may affect the operation of those applications. In that case, you can reduce your risk by deploying perimeter devices such as the Microsoft Threat Management Gateway (TMG) 2010, which is specially designed to block known Microsoft vulnerabilities and therefore will protect you from those during this critical vulnerability window.
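As an added example (not from the article), here is how the "install fixes as soon as they become available" stance translates into configuration on a Windows host, together with a check of what is still pending so that the length of the vulnerability window is visible rather than assumed. It writes the Automatic Updates policy values and queries the Windows Update Agent COM API; it assumes a stand-alone or WSUS-managed host and elevation.

```powershell
# Added example (not from the article). Run elevated.

# 1. Automatic Updates policy: enabled, download and install on a schedule,
#    every day at 03:00. (AUOptions 4 = auto download and schedule install.)
$au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
New-Item -Path $au -Force | Out-Null
Set-ItemProperty -Path $au -Name 'NoAutoUpdate'         -Value 0 -Type DWord
Set-ItemProperty -Path $au -Name 'AUOptions'            -Value 4 -Type DWord
Set-ItemProperty -Path $au -Name 'ScheduledInstallDay'  -Value 0 -Type DWord   # 0 = every day
Set-ItemProperty -Path $au -Name 'ScheduledInstallTime' -Value 3 -Type DWord   # 03:00

# 2. What is released but not yet installed here? Each row is a day-count of
#    exposure for that particular flaw.
function Get-PendingUpdate {
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title       = $u.Title
            Severity    = $u.MsrcSeverity
            KB          = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Released    = $u.LastDeploymentChangeTime
            DaysExposed = [int]((Get-Date) - $u.LastDeploymentChangeTime).TotalDays
        }
    }
}
Get-PendingUpdate | Sort-Object DaysExposed -Descending | Format-Table -AutoSize

# 3. When was anything last installed? A long gap here is a finding in itself.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn
```

For the firms that must test updates first, the same `Get-PendingUpdate` report run against the test ring and the production ring shows exactly how many days each ring lags the release, which is the number the TMG-style mitigation has to cover.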
Use Secure Authentication Mechanisms
It should go without saying that the day of the five letter password is over. Increasing sophistication in password cracking techniques makes short passwords quite simple to discover, and even longer passwords are falling victim to advanced cracking techniques. If you must use a user name and password as your only authentication mechanism, then at a minimum require that all passwords must be 15 or more characters and include upper case, lower case, numeric and non-alphanumeric characters. The use of complex passwords that have some type of meaning to the user (often referred to as "pass phrases") can make remembering passwords of over 21 characters quite easy. But in our increasingly mobile world, there's another problem. Although remembering long passphrases may be easy, entering them into a password text box on a smart phone or other device without a physical keyboard can get pretty challenging.
A better method is two-factor authentication, which requires that the user be in possession of some device (such as a card or token) and also know a password (sometimes referred to as a PIN in the 2FA space). When two-factor authentication is used, even if the password is compromised, that password is of little value unless the criminal also has physical possession of the device. For more secure deployments, additional factors can be added, such as voice recognition, face recognition, fingerprint, or retinal scan.
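An added example (not the article's own code) that applies the minimums stated above in an Active Directory domain: the default domain policy is raised to 15 characters with complexity on, a stricter fine-grained policy is attached to a hypothetical `Tier0-Admins` group, smart card logon is required for a sample administrator account (the two-factor case), and a small helper checks a candidate passphrase against the four character classes before a user is told it is acceptable. It assumes the ActiveDirectory module and Domain Admins rights.

```powershell
# Added example (not from the article). Group "Tier0-Admins" and user
# "alice.admin" are placeholders.
Import-Module ActiveDirectory

# 1. Domain-wide floor: 15+ characters, complexity on, lockout after 10 tries.
$domainDn = (Get-ADDomain).DistinguishedName
Set-ADDefaultDomainPasswordPolicy -Identity $domainDn `
    -MinPasswordLength 15 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# 2. Fine-grained policy for privileged accounts: longer passphrases, tighter
#    lockout, lower precedence number = wins over less specific policies.
New-ADFineGrainedPasswordPolicy -Name 'Tier0-Admins-PSO' -Precedence 10 `
    -MinPasswordLength 21 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Hours 1) `
    -LockoutObservationWindow (New-TimeSpan -Hours 1)
Add-ADFineGrainedPasswordPolicySubject -Identity 'Tier0-Admins-PSO' -Subjects 'Tier0-Admins'

# 3. Two-factor for an administrator: the account can only log on with a
#    smart card (something you have) plus its PIN (something you know).
Set-ADUser -Identity 'alice.admin' -SmartcardLogonRequired $true

# 4. Helper: does a proposed passphrase meet the article's rule?
function Test-Passphrase {
    param(
        [Parameter(Mandatory)][string]$Candidate,
        [int]$MinLength = 15
    )
    $classes = @(
        ($Candidate -cmatch '[A-Z]'),        # upper case
        ($Candidate -cmatch '[a-z]'),        # lower case
        ($Candidate -match  '\d'),           # digit
        ($Candidate -match  '[^A-Za-z0-9]')  # non-alphanumeric (space counts)
    )
    $classCount = @($classes | Where-Object { $_ }).Count
    [pscustomobject]@{
        Length     = $Candidate.Length
        LongEnough = $Candidate.Length -ge $MinLength
        Classes    = $classCount
        Passes     = ($Candidate.Length -ge $MinLength) -and ($classCount -eq 4)
    }
}
Test-Passphrase -Candidate 'correct horse battery staple'      # long, but 2 classes
Test-Passphrase -Candidate 'Correct-horse-battery-staple-42!'  # 4 classes, passes
```

Note that `Test-Passphrase` only confirms the character-class rule; it says nothing about whether the phrase appears in a breach corpus, which is a separate check worth adding at the point where passwords are set.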
Secure Against Data Leakage
As cloud computing has a greater and greater influence over our lives, network based security will begin to have less influence over your security design and purchases, because security will need to be pushed back closer and closer to the data. That's where data leakage protection comes in. You can put in great access controls over information so that only authorized users can access that information. But then what? What can the authorized user do with that information? Can that user pass it on to unauthorized users? Can that user print it and mail it to someone? Can the user make changes to it and pass it back to its repository with those changes when the information should have been read-only?
Think about how to secure this data against authorized users. If you're using Microsoft Office and SharePoint and Exchange, you can take advantage of Microsoft Rights Management Services (RMS) to create policies that control what users can do with information after they have legitimately accessed it.
In this article, we presented eight things you can do today to increase your overall security posture. While you might have been aware of all of them, or at least some of them, there's a good chance that you haven't deployed all of these security methods and approaches. Most of them are fairly easy to deploy - so if you haven't gotten around to checking out some of them (such as BitLocker and RMS), think about scheduling some time to learn more about these technologies. You'll be glad you did. -Deb.