1) Enable Automatic Operating System and 3rd Party Updates.
Did you know that the top four most exploited applications are Java, Adobe Flash, Adobe Reader, and Microsoft Silverlight? Malware developers target the end user first and foremost. And where does the end user interact with the world? Via email and a web browser, of course. So it’s really no surprise that 3rd party applications are the number one most exploited aspect of a network. Operating system patches matter just as much: those updates often fix vulnerabilities that would otherwise give a would-be attacker full control of your system.
2) Enforce Password Complexity and Lockouts.
Oh no, not change! Please, anything but change. Yes, I am telling you to adopt some change into your life and to set new passwords every 30-60 days. The new standard actually says to change your password every 24 days, but let’s be real. Most of my end users won’t buy into that, and I’ll be performing account unlocks on a regular basis. So, let’s introduce this change gradually, and next year we can tighten the belt a little bit more.
The account lockout threshold determines how many times a user can type an incorrect password before the account is locked. The book says 3 invalid attempts, but in practice I recommend 5. It’s better than 0, more manageable than 3, and most brute-force attacks won’t guess a password in under 5 attempts.
Lastly, complexity is also required. Password complexity determines the minimum length of the password and how many special and numeric characters it must contain. This feature has to be enabled along with the others I have mentioned. I’ve seen too many instances of cell phone numbers and fax numbers being used for passwords that some hacker was able to guess and exploit. Make the passwords hard to guess and not something obvious or publicly available about yourself.
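The three controls above (lockout after 5 bad attempts, a 30-60 day password age, and a complexity rule that rejects phone- and fax-number passwords), as an added example that is not code from the original post. The 12-character minimum, the PBKDF2 hashing, and the epoch-seconds timestamps are my assumptions; the post names no minimum length.

```python
import hashlib
import hmac
import os
import re

LOCKOUT_THRESHOLD = 5                  # the post recommends 5 (the book says 3)
MAX_PASSWORD_AGE = 60 * 86400          # seconds; upper end of the post's 30-60 day window
MIN_LENGTH = 12                        # assumed; the post names no minimum length
CHARACTER_RULES = [(r"[A-Za-z]", "no letter"), (r"\d", "no digit"),
                   (r"[^A-Za-z0-9]", "no special character")]

def complexity_problems(password: str) -> list:
    """Return every complexity rule the password fails (empty list = acceptable)."""
    problems = [msg for pat, msg in CHARACTER_RULES if not re.search(pat, password)]
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # A phone or fax number is 7-11 digits once the usual separators are removed.
    stripped = re.sub(r"[\s().+-]", "", password)
    if stripped.isdigit() and 7 <= len(stripped) <= 11:
        problems.append("looks like a phone or fax number")
    return problems

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    """One account: salted password hash, failed-attempt counter, lockout flag."""
    def __init__(self, password: str, set_on: float):
        if complexity_problems(password):
            raise ValueError(complexity_problems(password))
        self.salt = os.urandom(16)
        self.digest = _hash(password, self.salt)
        self.set_on = set_on               # epoch seconds when the password was set
        self.failed = 0
        self.locked = False

    def login(self, attempt: str, now: float) -> str:
        """Return 'locked', 'bad password', 'expired' or 'ok'."""
        if self.locked:
            return "locked"
        if not hmac.compare_digest(_hash(attempt, self.salt), self.digest):
            self.failed += 1
            if self.failed >= LOCKOUT_THRESHOLD:
                self.locked = True         # stays locked until an admin unlocks it
                return "locked"
            return "bad password"
        self.failed = 0                    # a successful login resets the counter
        return "expired" if now - self.set_on > MAX_PASSWORD_AGE else "ok"
```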
3) Don’t Use Default Passwords.
Default passwords for routers, firewalls, and wireless access devices are well known and well documented (http://www.defaultpassword.com/). And that’s just one example. Many websites have this information documented, including the manufacturers. Leaving these credentials as they were when the device left the manufacturer opens you up to a potential compromise. A compromise of one of these Internet devices could allow an attacker to intercept and read all traffic moving in and out of your network.
4) Secure Wireless Devices.
Most companies offer wireless access for their employees and their guests. It’s very important to make sure that your corporate wireless is segmented from the guest wireless. After all, you don’t want your guests to have any access to your company files.
A wireless router can typically offer a separate VLAN for guest networks. A separate VLAN will make sure that your guests cannot see your employees and that your employees cannot see your guests.
Lastly, make sure that the wireless network is using encryption and that the password is not something simple and easy to guess. Passwords that contain a company’s phone number, fax number, or address are examples of what not to use.
5) Data Recovery.
Last, but certainly not least, is data recovery. I cannot stress how utterly important this one is. It's your safety net so that when all else fails, you're not looking at a total loss. In fact, do yourself a favor and check your backups before you leave the office today. Make sure they are working properly. And by that I mean don’t just check the backup log for success or fail. Go through the backup and actually restore a critical file from last week or last month. I can’t tell you how many times I have encountered a situation where a client thought they were getting a good backup, only to find out that the right files were not selected. So take some time today and actually restore a file. If you need any more motivation, check out my other blog post related to Ransomware.
I’ll step off my soap box for a minute so we can talk about proper data recovery. Let’s use an analogy that everyone can understand: don’t keep all your eggs in one basket. For example, don’t use tape backups that are stored at the office. I don’t care about your fireproof safe or the one tape you stick in your pocket and take home with you each night; don’t do it. Get yourself an off-site backup solution that uses encryption, has built-in redundancy (multiple sites) and can give you status reports daily.
Every off-site backup company that you look at should offer 256-bit AES encryption over SSL. That’s the same technology the United States military uses. They should also have built-in redundancy or multiple sites. Just like the egg analogy, you don’t want to choose a provider that keeps all your data in one spot, so make sure it’s replicated. Lastly, make sure that you get the status reports daily and that you test a restore weekly. You need to make sure the data is correct and recoverable. By doing a test restore weekly you’ll ensure both of those things are happening.
In summary, the items discussed in this post are part of an overall strategy for network security. Every business, regardless of its size, should be implementing these strategies as measures of prevention and security. There is a lot of risk associated with owning and operating a business, and a large part of that risk is associated with data breaches and data corruption or loss. These steps aim to address those concerns by reducing the risk of a cyber-attack and data loss. Thanks for reading and stay safe.
-Nathan Studebaker
Chief Hacking Officer
WatchPoint Data
www.watchpointdata.com