My job involves travelling the world, helping people make their computers and networks more secure. And, a question I get asked every week is: "What are the best steps I can take to protect my network?" I can understand the concern. Despite an increasing amount of the IT budget being thrown at the problem nearly every computer security survey says malicious computer-hacking has never been worse. It's more criminal in nature and more pervasive – and it's stealing more money and identities than ever before.
In general, we're doing a fairly good job of securing our servers, even though application-coding security errors abound and continue to be the main weak link when it comes to servers. But Security Development Lifecycle (SDL) and code-review tools are starting to permeate more programming departments. Other initiatives, such as the SANS Secure Programming Assessment program, are working to improve secure programming skills and methodologies.
Despite the advances in programming, we seem unable to convince some end-users to stop clicking on things they shouldn’t be clicking on. Client-side attacks continue to be a huge risk in most environments. Malicious hackers aren't as concerned with breaking into servers directly any more; it's far easier to break into an end-user's workstation inside the firewall and security perimeter, and then attack from within. If you research the latest public hacking reports — you'll find a large percentage of them include a reference to an infected insider.
The best bang-for-the-buck defences for client-side attacks haven't changed in a decade. It doesn't matter what platform you have; whether it's Windows, Linux, BSD, Solaris, AS/400, or a mainframe, the same protection rules apply. If you want a more secure network, focus on these four tasks, in order of decreasing importance:
1. Prevent people from clicking on things they shouldn't click on: This one is easier said than done. It normally involves all the software and settings we associate with anti-malware programs (that is, anti-virus, anti-spam, anti-spyware and so on). It means blocking malicious emails and file-attachments, as well as filtering out malicious web-links. End-user education will never prevent a small minority of users from being tricked into clicking on something they shouldn't, so focus on making it absolutely impossible for them to click on the wrong thing.
2. Keep your computers and devices fully patched: Keep all your computers fully patched: applications, operating systems and every computing device. Admins are doing a good job of keeping the OS patched. Heck, in the vast majority of cases, just accept the default vendor-settings and your OS should patch itself. Many applications are taking the auto-patch approach, and that is a good thing. Still, I rarely find a company that has even one workstation fully patched and up-to-date. I'm not talking about a machine that is behind one or two weeks; most computers contain unpatched software many months old.
If we throw in network devices and appliances, the patching percentage is even worse. I've yet to penetration-test a facility that had fully patched its routers and security devices. The very devices they depend on for protection are the ones that appear to be the least patched. This fact continues to befuddle me, but it's true in most environments.
I assume that stand-alone appliances are unwittingly considered "hardened" by most people, so they don't put as much emphasis on patching them. In addition to this problem, device and appliance vendors are horribly neglectful when it comes to creating mechanisms to automate the process of pushing-down critical OS and application patches to their own devices. They patch and update the application running on the device, but not the underlying OS.
Even when you have the best patching process in place and patch everything, there will be a percentage of patches that fail to install. Do you test for that? Is your missed patch reporting accurate?
3. Don't log-on as root or admin all the time: It's easier to say this than to accomplish it, but no one should be logged in with an elevated account all the time. Every OS has a method of providing alternate, less-privileged logins, each with its own advantages and disadvantages. However you accomplish this, every moment you actively compute at a reduced level while not accomplishing administrative tasks is an improved moment in safety.
4. Use strong passwords: No user password should be shorter than eight characters. It's even better if they are nine or 10 characters long. Elevated accounts should have even lengthier passwords. Passwords should not be shared between internal and external sites, and they should be changed every 90 or so days. Account lock-out should be turned on. It doesn’t matter what the account lock-out settings are, but the mechanism should be enabled to prevent easy brute-force guessing.
Of course, there are many more security tasks to accomplish than these four, but if administrators were better at this quartet — consistently better — the risks from malicious exploits would decrease significantly.