That you need to secure your systems is obvious; how to do so that isn’t though. You’ve heard of port scanners and vulnerability scanners and you know antivirus software and patching are important, but it’s easy to get lost in the weeds when it comes time to formalize your approach.
In this article we are going to see how to secure your systems in nine easy steps. We’ll keep things high level so that you can apply the concepts to as many systems as possible, rather than drilling down to the specifics on product X. Applying these steps to your systems will help ensure your systems are as secure as possible, will reduce the risks as much as possible and will get the boss and the security guy off your back. Here’s how you begin:
1. Get a network security application
It doesn’t have to be a $100K purchase, nor will it necessarily be something you download from an open source website. What it will be is one that can run in your environment, is easy for you to start using, has support and updates included, and can help you to automate and perform many of the tasks that are in this list. A good network security application is a key part of any security program, and with so much to do and so little time, not an option.
2. Use a vulnerability scanner
Vulnerability scanners are tools that can scan systems over the network looking for security issues that you need to remediate. Vulnerability scanners include databases of known vulnerabilities for all kinds of systems and applications, and it is critical to keep that database up-to-date so your vulnerability scanner can look for the latest discovered issues. Use your vulnerability scanner to scan every new system before it is approved for production, before the firewall ports on the Internet are open, and whenever the configuration is changed. You should also use your vulnerability scanner to assess your entire network. Run it from the Internet against your DMZ to see everything an attacker outside would see. Run it internally against your entire network to be sure every system is up-to-date. Regular use is key to ensure nothing slips through the cracks.
3. Lock down defaults
Vulnerability scanners can also help you to identify default settings. These are the things that the vendor sets up out-of-the-box, and that often can be used by attackers to find a back door into your network or to access data on devices. Examples include default passwords, running services that you don’t need, open shares that contain sensitive information and protocols that don’t use encryption. Finding these defaults and either securing or disabling them reduces your exposure and takes away an easy in for any attacker to exploit.
It’s as simple as that. Patch. Patch everything. Patch operating systems on servers and workstations, third party applications, drivers, network devices, firmware and anything else you can. Keeping all of your systems 100% updated on patches closes the largest number of vulnerabilities of any action you can take. In support of this fact, your vulnerability scanner will identify many unpatched systems and list the patches they need. It may not find them all, but it will find the ones most attackers would find too. Seriously, if you do nothing else on this list, patch. If you have more systems than you have fingers, then you need patch management software to keep up with everything. Look for patch management software that includes vulnerability scanning so you can get a two for one solution.
5. Use good passwords
That means using strong, easy-to-remember but hard-to-guess passwords on every system, and training your users to do the same. It also means using different passwords on different systems, and changing those passwords regularly. It also means resetting any default passwords, and never sharing them. Each user should have his or her own access to any system, and no one should know another user’s password.
6. Practice least privilege
The concept of least privilege is pretty straightforward. Don’t give out any access to someone unless they need that access. Only give them the minimum access they need to do their job. Take away that access when it is no longer required.
One of the most difficult tasks for many sys admins is one of the most important. Documenting your systems, your network, your configurations, and your best practices is a critical part of maintaining your systems. Without documentation, how do you know what you have? How can you be sure you didn’t miss something? Never put off documentation until ‘later’. ‘Later’ will never come.
8. Establish baselines
Each system will have its own particular behaviours. How busy is it? How much RAM is it using? What services is it running? How quickly is it running out of disk space? Make sure that you establish baselines for every new system while you are still paying close attention to it and before you declare it production-ready, and add those into the documentation. When the server varies from its baseline, it’s a good indication that something might be wrong. Whether that is an errant app, an underestimated load, or an uninvited guest remains to be seen, but consider spikes in CPU and RAM, and rapidly diminishing disk space all to be your early warning system.
9. Set up alerts
If you have central monitoring, it is easy to stay on top of these baselines and also to automate reviews of logs. Smaller shops aren’t so well equipped. Setting up alerts on your systems for things like failed logons, spikes in CPU, low disk space, etc., not only helps you with the sys admin tasks of maintaining the systems, but can also call to your attention issues that might indicate a security incident is happening.
Getting these nine steps in place now, consistently and across all systems, will immensely help you in securing your systems. You would cover the majority of things that could be exploited by an attacker, and set yourself up to stay informed on what is happening with your systems.
Editor Note: This guest post was provided by Casper Manes on behalf of GFI Software Ltd. Learn more about the importance of network scanning by downloading the free eBook: A first aid kit for SysAdmins.
Disclaimer: All product and company names herein may be trademarks of their respective owners.