Six Easy Pieces for Computer Security
By Mike Danseglio, Senior Group Program Manager, Security & Compliance Solution Accelerators, Microsoft Corporation
See other Security Tip of the Month columns
Computer security has substantially evolved over the last fifty years. The early computer systems of the 1940s and 1950s had no security at all, and for a variety of reasons that worked fine. But today’s computer systems exist in a different world. They’re designed from the ground up to implement various security controls to help protect against both malicious and inadvertent security issues.
Even over the last few years, the computer security landscape has changed. We’ve gone from the age of Firewalls Everywhere to the age of defense-in-depth and balancing security with usability and cost factors. Some would argue that security requirements have softened recently as law enforcement catches up with attackers, and systems are designed with better default security and built-in resilience.
These advancements in law enforcement and built-in security do make the computer world a safer place. But they’re no substitute for good security stewardship. Ultimately it’s up to the network administration and management staff to make the right security decisions and implement them properly. But because of the tremendous attention focused on security in recent years, many complex and esoteric security controls are now easy to understand and implement.
This article is about six easy things that every company should do to enhance computer security. When coming up with this list, my criteria were not the first things I’d do or the things that are critical. These tasks are more about getting the proverbial biggest bang for the security buck. I’ll describe each suggestion in some detail and provide links to more in-depth treatments, templates, tools, and so on.
Become a security expert or seek assistance from experts
When it comes to security expertise, you have two options:
Hire a security expert (”buy a fish”)
Educate yourself to become a security expert (“learn how to fish”)
Both of these have their benefits and drawbacks. While hiring a security expert can be expensive, it’s often a one-time expense. And the security system that a true expert can help design and implement can keep you safe for a long time. On the other hand, becoming a security expert yourself takes time away from other things you’re responsible for. It also takes a great deal of personal commitment to achieve goals such as getting your CISSP certification. But once you’ve gained that knowledge, you can apply it throughout your career.
My recommendation is that if you’re not already a security expert, you should hire one to analyze your infrastructure, conduct a risk analysis, and provide recommendations for implementing security controls. Most administrators and executives don’t know what assets they have, let alone what they’re worth or how to protect them. An independent security expert can provide this information very efficiently and without bias.
There are a number of criteria that go into hiring the right security expert. Some questions you should ask a security expert or firm before signing any agreement include:
Do you have experience with my type of systems? For example, if you use Microsoft software extensively, do you have Microsoft certifications in security?
Do you hold industry-standard security certifications such as the CISSP certification?
How many years have you worked in computer security? You want to hire someone who has extensive practical security experience.
In addition, like any contractor you should ask for a work history and verify that history. This will help ensure that you’re hiring someone who can do a great job and who you can trust with the secrets of your organization.
Understand your business
Protecting what you don’t understand is a difficult task. For example, you may be well-versed in security and get a job managing the IT assets of a law firm. To do your job, you need to know important information, including:
Which information assets are valuable to the company
Which documents are protected by attorney-client privilege
What government or industry regulations apply to your IT infrastructure
You should get to know the business well before implementing any security changes. There may be seemingly ineffectual or random security controls in place for specific reasons such as contractual, legal, or regulatory compliance. Or you might compromise security boundaries by consolidating servers or data warehouses. The only way you can truly understand the existing infrastructure and make good decisions about changes is to be very familiar with the “what” and the “why” of both IT and the business itself.
Catalog your assets
I’m certain that you don’t know all the assets in your company right now. It’s a common occurrence. Computers and devices get installed all the time, often without the permission or knowledge of the IT department. For example, it’s common for an employee to bring his or her personal laptop to work and connect it to the corporate network. Often that same person wants to use wireless networking on his or her laptop, and if the company doesn’t use wireless, the employee will install his or her own wireless router. Both of these events are security risks because they’re unmanaged, unauthorized entities on your network.
The easiest way to uncover potential risks like these is to create a comprehensive system catalog. This entails using a combination of physical and logical tools to identify everything connected to the corporate network. Much of the cataloging can be automated with scanning tools. Some, such as Microsoft System Center Configuration Manager (formerly SMS), are agent-based. That means that they require software installation on the target computers and that they cannot scan for some types of attached devices. Other tools are agentless -- that is, they do not require software on the target computers and generally can scan any attached device. While agent-based tools provide much richer information about the system’s configuration and often allow security management of those systems, agentless scanners are better for identifying what’s on the network.
Lock down the desktops
Users don’t intentionally break security, but it’s very easy for them to create security risks inadvertently and so they often do. They install games that their friends send them in an e-mail message, they visit unsafe Web sites, they change system configurations to make their work easier. These behaviors are common and often result in malware infection, data disclosure, or identity theft. Luckily these things are fairly easy to mitigate by locking down the desktop computer configuration.
This precaution is particularly well explored. There are many references and tools that will help you to lock down desktops. For example, Windows XP administrators can deploy the Windows XP Security Guide, while Windows Vista administrators can use the Windows Vista Security Guide. Both of these guides provide several levels of security, depending on your specific need, and can easily be automatically deployed throughout your network. There are similar guides available from the Center for Internet Security and the National Institute of Standards and Technology. No matter which guide you choose, use one as a starting point and your desktop lockdown should go quickly and efficiently.
Lock down the perimeter
Defense in depth is the key to effective security. This means having more than one layer of protection against common forms of attack. The most traditional form of network protection has been the creation of a perimeter and installing robust defenses at the perimeter to keep outside attackers away from internal computer systems.
Deploying firewalls and proxy servers is the usual method for this. If you don’t have a firewall between your network and the Internet, get one. Attackers are often (but not always) thwarted by firewalls. Many security experts today are arguing for the removal of firewalls, making the case that modern attackers can easily work around them. Sometimes this is true. But if you can easily and inexpensively deploy a firewall that protects your network from the majority of attacks, you should do it. It shouldn’t be your only defense, but it’s a good control to have in place.
There are many firewall vendors. Look for a product that fits your budget, installs easily, and maintains itself as much as possible. All-in-one solutions also exist that perform routing or spam-filtering functions as well. It may make sense to invest in one that meets as many needs as possible.
Establish contingency plans
What happens when a successful attack brings down your database servers? Or when your Internet Service Provider is attacked by a worm that disables Internet connectivity? Problems are inevitable, but the wrong time to decide on a plan is when the problems are happening.
Based on your risk assessment (see Seek assistance from experts above), you know what assets are critical to your business. Begin with those assets and create contingency plans (also called business continuity plans) for when those assets are unavailable for any reason. These plans are often expensive to implement so plan carefully to ensure that your budget works for as many plans as possible. Some aspects of contingency plans can be easy and inexpensive -- for example, running two applications on a single computer when one of the computers goes down to cover the down time (and also provide redundancy or fault tolerance). But no matter how simple or economical your plan is, you should ensure that it always maps back to mitigate a documented risk.