IT for mere mortals - Securing the network
Security is a paradox. People demand it but refuse to acquire it. This is because as security goes up, convenience goes down, and vice versa. Safety vs. happiness: there is no right answer to it. You have to decide. You must help your boss decide.
This is crucial because it is the base of what I am about to share with you. When the very owner of the business (hence the network) you are protecting doesn't care about security, whatever you do will be wrong. It is not a theory, it is a natural law.
Do not proceed on any security initiative (well, unless it is as obvious as physical security) before you succeed in getting management's commitment.
Once you have the commitment, this short to-do list will help you create an above-average secure network.
Deploy the firewalls and antimalware software and keep them updated.
They are the first thing you do because they will be the last thing you rely on. I mean, with the virus and antivirus analogy, isn't it clear that the cure is always one step behind the disease? Zero-day attack is the official term for that unfortunate phenomenon. In the long run, anybody who relies solely on these solutions is as good as those who have no solutions. Nevertheless, they are a quick and effective solution for known threats. They cover the bases.
Kill all USB ports on all users' machines.
I kid you not. The USB stick is the reincarnation of the floppy disk, the backbone of the sneakernet. Remember those dark ages? You do not want to revisit that memory in today's more complex and more open network. After all, if you still allow people to exchange files with removable devices, why bother having a network?
Restrict file exchange through removable devices to a few people who have the responsibility to scan the devices and know what to do when they do not pass the scan.
Never allow any user to run as local admin (or root for the enlightened ones).
You can kill the USB drives but you cannot shut down the e-mail service. So allowing users to install their own programs poses the same risk as removable storage. Plus, in the worst-case scenario where the machine does get hit by a virus, the virus will operate with the user's rights, not the admin's.
Need to install an application? Call IT support and have that questionnaire that assesses why the application is a legitimate need filled out and signed. Yes, needless to say, you need to standardize the applications used for the business before you implement this policy.
And make sure you set a strong password for that local admin account.
Whitelist the internet connection.
If a blacklist acts like parents trying to fend off bad influences on their children, a whitelist is like a bouncer at a club who lets only legitimate guests into the party. So instead of banning bad links or sites, you ban everything (including search engines, news sources, EVERYTHING) except the legitimate links or sites. What kinds of business need users to have full access to the internet? How many of them? Is your business among those few? Precisely.
Customers, suppliers, governments and business partners: what is there left to consider?
If a user manages to give a compelling argument for full access, provide half a dozen standalone (that means totally not connected to the company's network) internet stations.
Need to download files? Use a USB stick and go to those few people addressed in the second point above.
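To make the bouncer idea concrete, here is an added example (my own code, not part of the original post) of the check a whitelisting web proxy performs on every outbound request. The allowlist entries, the URLs and the "proxy log" are constructed sample data; a leading dot on an entry means "this domain and all of its subdomains", anything else must match the host exactly. The check takes the host from the parsed URL authority, so a port, a path, a trailing dot or credentials in front of an @ never change which name is compared, and an IP literal is only allowed when it is listed verbatim.

```python
"""Allowlist check for outbound web requests (added example, not from the post).

The allowlist entries, URLs and the 'proxy log' below are constructed
sample data, not real business sites.
"""
from urllib.parse import urlsplit
import ipaddress

# Constructed allowlist: a leading dot means "this domain and every subdomain",
# anything else must match the host exactly.
ALLOWLIST = {
    "supplier.example",       # exact host only
    ".customer.example",      # customer.example and *.customer.example
    "portal.gov.example",
    "192.0.2.10",             # an IP literal is allowed only if listed verbatim
}


def _host_matches(host: str, entry: str) -> bool:
    entry = entry.lower()
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def is_allowed(url: str, allowlist=ALLOWLIST) -> bool:
    """Return True only if the URL's host is on the allowlist.

    The host is taken from the parsed authority, so a port, a path, or
    credentials placed before an '@' never change which name is compared.
    """
    try:
        parts = urlsplit(url)
    except ValueError:            # e.g. malformed IPv6 brackets
        return False
    if parts.scheme not in ("http", "https"):
        return False              # the proxy only speaks web protocols
    host = parts.hostname         # lowercased, no port, no userinfo
    if not host:
        return False
    host = host.rstrip(".")       # 'supplier.example.' is the same host
    try:
        ipaddress.ip_address(host)
        return host in allowlist  # IP literals never match a name entry
    except ValueError:
        pass
    return any(_host_matches(host, e) for e in allowlist)


# Constructed proxy log: one requested URL per line.
SAMPLE_LOG = """\
https://supplier.example/orders/123
https://SUPPLIER.EXAMPLE:8443/orders
https://www.supplier.example/
https://shop.customer.example/cart
http://customer.example/
https://supplier.example@evil.example/
ftp://supplier.example/pub
https://notsupplier.example/
https://10.0.0.5/admin
https://192.0.2.10/
"""


def decide(log_text: str, allowlist=ALLOWLIST) -> list:
    """Map each logged URL to the proxy's decision (ALLOW or BLOCK)."""
    return [(line, "ALLOW" if is_allowed(line, allowlist) else "BLOCK")
            for line in log_text.splitlines() if line.strip()]


if __name__ == "__main__":
    for url, verdict in decide(SAMPLE_LOG):
        print(f"{verdict:5} {url}")
```

Running the file prints a verdict per logged URL: only the five requests to listed hosts are allowed, and the request whose authority merely starts with an allowed name before the @ is blocked like any other unknown host. The entries stay short on purpose; the point of a whitelist is that the list is small enough for a human to read and defend.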
Last but not least, have a recovery plan ready and ensure it works.
Security is a myth.
An admin's job is not to fight hackers, neutralize malware or create the most secure network on the planet. The admin's sole purpose and responsibility is to keep the services the organization needs to do business running. This is very important to keep in mind, especially when under attack, and when you wonder why you went all the way through college just to sit and wait for a backup routine to finish. As dull as it is, this is how admins perform their magic of resurrecting a dead network.
From tape backup to a disaster recovery site: get and implement them when you can afford it.
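"Ensure it works" means actually restoring and checking the result, not just watching the backup job report success. The following added example (my own code, not from the post) shows the smallest useful version of that check: record a SHA-256 digest of every file at backup time, then compare a restore against that manifest and report what is missing or altered. The file names, contents and the simulated bad tape are constructed in a temporary directory so it runs offline.

```python
"""Backup manifest and restore verification (added example, not from the post).

Everything here runs against constructed sample files in a temporary
directory, so it can be tried without touching a real backup.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backups do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record the digest of every file under root, keyed by relative path.

    Write this at backup time and keep it apart from the backup media, so a
    silently corrupted or incomplete backup can be detected later."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restore against the manifest; report missing and changed files.

    Empty 'missing' and 'changed' lists are the only acceptable outcome of a
    restore test; anything else means the recovery plan does not work yet."""
    missing, changed = [], []
    for rel, digest in manifest.items():
        target = restored / rel
        if not target.is_file():
            missing.append(rel)
        elif sha256_file(target) != digest:
            changed.append(rel)
    return {"ok": not missing and not changed,
            "missing": missing, "changed": changed}


def _write(path: Path, data: bytes) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def demo_restore_test() -> dict:
    """Constructed scenario: back up three files, restore them, and find
    that one file is missing and one came back altered."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        _write(live / "db" / "orders.csv", b"id,total\n1,10.00\n2,25.50\n")
        _write(live / "docs" / "policy.txt", b"usb ports: disabled\n")
        _write(live / "notes" / "todo.txt", b"test the restore\n")
        manifest = build_manifest(live)

        # "Restore" = copy, then simulate a bad tape: one file lost, one damaged.
        restored = Path(tmp) / "restored"
        shutil.copytree(live, restored)
        (restored / "notes" / "todo.txt").unlink()
        _write(restored / "db" / "orders.csv", b"id,total\n1,10.00\n")

        return verify_restore(manifest, restored)


if __name__ == "__main__":
    result = demo_restore_test()
    print("restore ok" if result["ok"] else f"restore FAILED: {result}")
```

Run on a schedule against a restore into a scratch location, this turns "we have backups" into "we restored last Friday's backup and every file matched"; the manifest must live somewhere other than the backup media it describes, or the same failure that ruins the tape ruins the evidence.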