Secure Infrastructure:
- Employ Perimeter Security
- Do not allow any connection from the Internet to terminate on an internal machine; terminate it in a DMZ. The same applies to connections from partner networks.
- All Internet-exposed machines should have locked-down operating systems and applications. Remove unneeded components and set permissions so that each machine has only the minimum functionality required to do its job. Run a hardening script. Machines must be deployed with the latest patches. Consider a standardized secure build. Take an image of the machine before deploying it so it can be quickly rebuilt to a known-good state.
- Filter incoming mail. Drop attachment types not required to run your organization. Strip out scripting code. Use anti-virus software to scan remaining attachments.
- Do not deploy wireless networks unless the access points sit outside the perimeter firewall and wireless clients reach the internal network only over VPN.
- VPN client machines must be under the control of corporate IT. They should run personal firewalls, anti-virus software, and comply with IT policy for the activities and software allowed.
- Compartmentalize your network: servers on server networks, clients on client networks, administration done from administrative networks. Filter these networks based on the services required for each.
- Use anti-virus software and personal firewalls on each machine. Keep signatures up to date.
- Do not use protocols that send authentication in clear text, such as plain POP3 or IMAP. Use the SSL/TLS-protected versions (POP3S, IMAPS, or STARTTLS) instead. Don't use weakly encrypted authentication such as Windows LANMAN or NTLM.
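The mail-filtering item above (drop attachment types you do not need, strip scripting from what remains) can be shown as a small gateway filter. The code below is an added example, not part of the original checklist: it parses a MIME message, keeps only attachments whose extension is on an allow-list, removes script blocks and inline event handlers from HTML bodies, and records what it dropped. The allow-list, the header names, and the sample message are constructed for the example.

```python
"""Inbound mail filter (example code, not from the original checklist).

Keeps text bodies and allow-listed attachments, drops everything else,
and strips <script> blocks and on*= handlers from HTML bodies.
"""
import email
import os
import re
from email import policy
from email.message import EmailMessage

# Assumed policy: only these attachment types are needed to run the
# organization; anything else (.exe, .js, .vbs, .scr, ...) is dropped.
ALLOWED_EXTENSIONS = {".pdf", ".txt", ".csv", ".png", ".jpg"}

# Coarse first-pass sanitization. A production gateway should use a real
# HTML sanitizer or convert HTML to text; regexes are shown for clarity.
SCRIPT_RE = re.compile(r"<script\b.*?</script>", re.IGNORECASE | re.DOTALL)
EVENT_ATTR_RE = re.compile(
    r"\son\w+\s*=\s*(?:\"[^\"]*\"|'[^']*'|[^\s>]+)", re.IGNORECASE
)


def strip_scripts(html: str) -> str:
    """Remove <script>...</script> blocks and inline on*= event handlers."""
    return EVENT_ATTR_RE.sub("", SCRIPT_RE.sub("", html))


def filter_message(raw: bytes):
    """Return (cleaned EmailMessage, list of dropped attachment names)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    dropped = []
    cleaned = EmailMessage()
    for hdr in ("From", "To", "Subject", "Date", "Message-ID"):
        if msg[hdr] is not None:
            cleaned[hdr] = str(msg[hdr])

    body_plain, body_html, keep = None, None, []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # containers only; the leaves carry the content
        filename = part.get_filename()
        ctype = part.get_content_type()
        if filename is None and ctype == "text/plain":
            body_plain = part.get_content()
        elif filename is None and ctype == "text/html":
            body_html = strip_scripts(part.get_content())
        else:
            # Unnamed non-text parts have no allowed extension and are dropped.
            name = filename or "unnamed"
            ext = os.path.splitext(name)[1].lower()
            if ext in ALLOWED_EXTENSIONS:
                keep.append((name, ctype, part.get_payload(decode=True)))
            else:
                dropped.append(name)

    # Rebuild the message from scratch so nothing unexpected survives.
    cleaned.set_content(body_plain or "")
    if body_html is not None:
        cleaned.add_alternative(body_html, subtype="html")
    for name, ctype, data in keep:
        maintype, subtype = ctype.split("/", 1)
        cleaned.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    if dropped:
        cleaned["X-Filter-Dropped"] = ", ".join(dropped)  # assumed audit header
    return cleaned, dropped


def build_sample() -> bytes:
    """Constructed sample: HTML body with a script and an event handler,
    one allowed attachment and one disallowed double-extension attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.org"
    m["Subject"] = "Invoice"
    m.set_content("Please see the attached invoice.")
    m.add_alternative(
        '<p>Please see the attached invoice.</p><script>alert(1)</script>'
        '<img src=x onerror="alert(2)">',
        subtype="html",
    )
    m.add_attachment(b"%PDF-1.4 fake", maintype="application",
                     subtype="pdf", filename="invoice.pdf")
    m.add_attachment(b"MZ fake", maintype="application",
                     subtype="octet-stream", filename="invoice.pdf.exe")
    return m.as_bytes()


if __name__ == "__main__":
    cleaned_msg, dropped_names = filter_message(build_sample())
    print("dropped:", dropped_names)
    print(cleaned_msg.as_string())
```

The extension check is only a first gate: a declared name can lie about content, so the surviving attachments should still go to the anti-virus scanner the checklist calls for, and a stricter gateway would also verify file magic against the declared type.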
Secure Software:
- Consider security at the very beginning of the internal application development cycle: at the requirements or design phase rather than at the test phase or not at all. Have a security review of the application's design.
- Follow secure coding practices for your internal application development. Train application developers in secure coding and review the implementation for security problems.
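One concrete instance of what a secure-coding review looks for, as an added example and not code from the original checklist: the same login query written in an injectable form and in a parameterized form, run against an in-memory SQLite database. The table, the user record, and the bypass string are constructed for the example; the point is query construction, so the credential check is simplified to a stored hash comparison.

```python
"""Injectable versus parameterized query (example code, not from the checklist)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database with one user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-secret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password_hash: str) -> bool:
    # Attacker-controlled strings are spliced into the SQL text, so the
    # input can change the query's structure (classic SQL injection).
    q = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password_hash = '{password_hash}'"
    )
    return conn.execute(q).fetchone() is not None


def login_safe(conn, username: str, password_hash: str) -> bool:
    # Placeholders keep the query structure fixed; the driver passes the
    # values separately, so quotes in the input are just data.
    q = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(q, (username, password_hash)).fetchone() is not None


def demo() -> dict:
    """Run both versions with a correct credential and with a bypass string."""
    conn = make_db()
    bypass = "' OR '1'='1"  # turns the WHERE clause into ... OR '1'='1'
    return {
        "vuln_normal": login_vulnerable(conn, "alice", "hash-of-secret"),
        "vuln_bypass": login_vulnerable(conn, "alice", bypass),
        "safe_normal": login_safe(conn, "alice", "hash-of-secret"),
        "safe_bypass": login_safe(conn, "alice", bypass),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In a review, the tell is any SQL text built with string formatting or concatenation from request data; the fix is the placeholder form, applied everywhere rather than only on the paths a tester happened to exercise.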
Secure Operations:
- Track all user accounts and have procedures in place to remove them on termination. Don't forget remote access accounts such as VPN keys. Change passwords on administrative role accounts such as root accounts when people with access to them leave the company. Audit all accounts and passwords.
- Compartmentalize administrative functions so there is no “super admin” account that can control it all.
- Maintain Incident Readiness
- Turn on the audit and logging capability of your servers.
- Centralize logging from servers on a secure log host. Review these logs regularly.
- Have an incident response procedure that includes roles, responsibilities, call tree, and relationships with legal and security firms.
- Conduct incident response training for IT security staff so they can detect and diagnose incidents without destroying evidence.
- Educate all employees to instill user awareness on issues including strong passwords, malicious attachments, and the risks of using external non-approved services such as free email, chat services, and peer-to-peer systems.
- Institute a policy of patching critical machines within 24 hours and all other machines within 2 weeks. Create the resources to accomplish this. Subscribe to vendor security bulletin mailing lists.
- Securely destroy information no longer needed by your organization (wipe or physically destroy media, shred paper).
- Document your network and all the services running on it.
- Back up data on a regular basis and test that the backups restore.
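The "review these logs" item above only pays off if the review is systematic. As an added example (not code from the original checklist), the block below parses sshd authentication lines of the kind a central log host collects, counts failures per source address inside a sliding window, and raises an alert when the count reaches a threshold and again when a success follows a burst of failures from the same source. The log lines, threshold, window, and alert names are constructed for the example.

```python
"""Failed-login review over centralized sshd logs (example code, not from the checklist)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of syslog-style sshd lines as a central log host would hold them.
LOG = """\
Mar 10 02:14:01 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar 10 02:14:03 web1 sshd[2213]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar 10 02:14:05 web1 sshd[2215]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar 10 02:14:08 web1 sshd[2217]: Failed password for root from 203.0.113.7 port 51006 ssh2
Mar 10 02:14:10 web1 sshd[2219]: Failed password for root from 203.0.113.7 port 51008 ssh2
Mar 10 02:14:12 web1 sshd[2221]: Accepted password for root from 203.0.113.7 port 51010 ssh2
Mar 10 02:30:00 web1 sshd[2300]: Failed password for bob from 198.51.100.4 port 40000 ssh2
Mar 10 02:31:00 web1 sshd[2301]: Accepted password for bob from 198.51.100.4 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(line: str, year: int = 2024):
    """Parse one sshd auth line; syslog omits the year, so it is supplied."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # strptime treats a space in the format as "one or more", so the
    # double-space syslog uses for single-digit days ("Mar  9") still parses.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "ip": m["ip"]}


def detect(lines, threshold: int = 5, window: timedelta = timedelta(minutes=5)):
    """Return alerts as tuples. Lines are assumed to be in time order."""
    failures = defaultdict(list)   # (host, ip) -> timestamps of recent failures
    alerted = set()                # (host, ip) already reported as brute force
    alerts = []
    for event in filter(None, (parse(l) for l in lines)):
        key = (event["host"], event["ip"])
        recent = [t for t in failures[key] if event["ts"] - t <= window]
        if event["result"] == "Failed":
            recent.append(event["ts"])
            if len(recent) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append(("brute_force", event["ip"], event["host"], event["ts"]))
        elif len(recent) >= threshold:
            # A success right after a burst of failures is the case worth
            # escalating: the guessing may have worked.
            alerts.append(("success_after_brute_force", event["ip"],
                           event["host"], event["user"]))
        failures[key] = recent
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG.splitlines()):
        print(alert)
```

The single failure from 198.51.100.4 followed by a success is left alone, which is the normal typo-then-login pattern; the threshold and window are the knobs to tune against the organization's own baseline so the review surfaces the few lines that matter.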