Best practices an enterprise can follow to secure its information.
- Maintain an asset inventory of all the devices connected to the network.
- Use an automated tool to discover the devices connected to the network (scanning the addresses, analysing the traffic and reviewing the DHCP logs) and compare the results with the asset inventory.
- NAC using 802.1X
- Software inventory tool integrated with the hardware inventory – (SCCM)
- Maintain a list of applications and versions authorized to run (whitelisting). Allow only those applications to execute on the computers.
- Scan for unauthorized software and generate alerts.
- Use of non-persistent workstations.
- Use only vendor-supported versions of software
- Create images with hardened operating systems for workstations and servers.
- Automatic patching tools (WSUS + Solarwinds Patch Manager)
- Limit administrative privileges to the minimum
- Monitoring of configurations to detect unauthorized changes.
- Force configurations with management tools (AD Group Policy Objects or Puppet)
- Automated remote and local vulnerability scans of all systems
- Obtain continuous vulnerability information from specialized channels, not only from public and free information providers.
- Use antivirus, client firewalls, anti-spyware and host-based IPS, managed centrally so that events and logs are collected in one place.
- Disable autorun and perform an automatic scan when external devices are connected
- Antivirus scan for outbound and inbound emails.
- DNS query analysis to detect requests for known malicious domains.
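The asset-inventory comparison described above (discovered devices versus the approved inventory), as an added example that is not part of the original checklist. The inventory, the DHCP log lines and the owner fields are constructed; the log format follows the ISC dhcpd syslog style, and only DHCPACK lines are counted because they prove a lease was actually handed out.

```python
import re

# Constructed asset inventory: MAC address -> (hostname, owner)
INVENTORY = {
    "00:11:22:33:44:55": ("ws-finance-01", "finance"),
    "00:11:22:33:44:66": ("srv-dc-01", "it"),
    "00:11:22:33:44:77": ("printer-2f", "facilities"),
}

# Constructed DHCP server log lines (ISC dhcpd syslog format); the DHCPREQUEST line is ignored
DHCP_LOG = """\
Mar 10 08:01:12 dhcp dhcpd: DHCPACK on 10.0.5.21 to 00:11:22:33:44:55 (ws-finance-01) via eth0
Mar 10 08:02:45 dhcp dhcpd: DHCPACK on 10.0.5.40 to aa:bb:cc:dd:ee:ff (android-3f2c) via eth0
Mar 10 08:03:01 dhcp dhcpd: DHCPREQUEST for 10.0.5.21 from 00:11:22:33:44:55 (ws-finance-01) via eth0
Mar 10 08:04:19 dhcp dhcpd: DHCPACK on 10.0.5.77 to 00:11:22:33:44:66 (srv-dc-01) via eth0
Mar 10 08:05:33 dhcp dhcpd: DHCPACK on 10.0.5.90 to de:ad:be:ef:00:01 via eth0
"""

# The hostname in parentheses is optional: some clients (IoT, printers) never send one
ACK_RE = re.compile(r"DHCPACK on (?P<ip>\S+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))?")


def seen_devices(log_text):
    """Map MAC -> (ip, hostname) for every lease acknowledged in the log."""
    found = {}
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            found[m["mac"].lower()] = (m["ip"], m["host"] or "")
    return found


def reconcile(seen, inventory):
    """Return (unknown, missing): MACs on the wire that are not in the inventory,
    and inventoried MACs that never appeared on the network."""
    unknown = sorted(mac for mac in seen if mac not in inventory)
    missing = sorted(mac for mac in inventory if mac not in seen)
    return unknown, missing


if __name__ == "__main__":
    seen = seen_devices(DHCP_LOG)
    unknown, missing = reconcile(seen, INVENTORY)
    for mac in unknown:
        ip, host = seen[mac]
        print(f"ALERT unknown device {mac} at {ip} ({host or 'no hostname'})")
    for mac in missing:
        print(f"INFO  {INVENTORY[mac][0]} ({mac}) not seen on the network")
```

Unknown devices are the ones to escalate (candidate rogue or BYOD hosts); inventoried devices that never appear are worth a follow-up because they may be unplugged, retired or using a static address outside DHCP.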
Software development and deployment
- Use of Web Application Firewalls
- Validate all input and document all possible errors (size, data type, ranges and formats)
- Periodically scan applications with automatic remote scanners (before deployment and when applying changes)
- Do not display error messages to end users
- Separate production and non-production environments
- Developers should receive training in secure programming
- Session hijacking countermeasures:
- Always use SSL/TLS
- Set the Secure flag on cookies
- Provide a logout function
- Reauthenticate before critical actions
- Regenerate the session ID at intervals
- Auto-expire sessions after a period of inactivity
Wireless access control
- All devices connected to the wireless network should be identified
- Scan for rogue access points
- Use a WIDS to scan for access points, attacks and traffic passing from the wireless network to the wired network.
- Authorize devices to access only a specified wireless network.
- Minimum configuration: WPA2 + AES
- Separate traffic from the BYOD network
Backups
- Automatic weekly backups, or more frequent ones for sensitive systems
- Back up the operating system, applications and data
- Test backup restore regularly
- Backups should be protected (encryption, physical security)
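The session-hijacking countermeasures listed above (fresh ID on login, Secure cookie, logout, reauthentication before critical actions, periodic ID regeneration, idle expiry), as an added example that is not from the original checklist. The store is a stand-alone illustration, and the timeout values and the `session` cookie name are assumptions; a real application would keep the store in a shared backend and read the clock from the request.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60    # auto-expire after 15 minutes of inactivity (assumed value)
ROTATE_EVERY = 5 * 60     # regenerate the session id at this interval (assumed value)
REAUTH_WINDOW = 2 * 60    # critical actions need a login within the last 2 minutes (assumed)


class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock      # injectable clock so expiry can be tested deterministically
        self.sessions = {}      # id -> {"user", "last_seen", "rotated", "authed_at"}

    def login(self, user):
        """Issue a fresh id on authentication; never keep a pre-login id (session fixation)."""
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, unguessable
        now = self.clock()
        self.sessions[sid] = {"user": user, "last_seen": now, "rotated": now, "authed_at": now}
        return sid

    def touch(self, sid):
        """Validate the id sent with a request; return the (possibly rotated) id or None."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s["last_seen"] > IDLE_TIMEOUT:   # auto-expire inactive sessions
            del self.sessions[sid]
            return None
        s["last_seen"] = now
        if now - s["rotated"] > ROTATE_EVERY:     # periodic id regeneration: old id dies
            del self.sessions[sid]
            sid = secrets.token_urlsafe(32)
            s["rotated"] = now
            self.sessions[sid] = s
        return sid

    def needs_reauth(self, sid):
        """Critical actions require a recent authentication, not just a live session."""
        s = self.sessions.get(sid)
        return s is None or self.clock() - s["authed_at"] > REAUTH_WINDOW

    def logout(self, sid):
        self.sessions.pop(sid, None)   # explicit logout invalidates the session server-side


def cookie_header(sid):
    """Set-Cookie value: Secure (sent only over TLS), HttpOnly and SameSite attributes."""
    return f"session={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"
```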
Education and training
- Organize information security training for general staff
- Run an online awareness program and test the knowledge acquired
Network devices configuration
- Define a standard configuration for the network devices
- Periodically and automatically compare the device configuration with the defined standard configuration
- Any change to the standard configuration must be documented and recorded
- Use two factor authentication and encrypted communication protocols
- Install the latest available security update
- Use a management network to access the network devices
Ports, protocols and services
- Only the necessary ports, protocols and services should run on each server. Uninstall unnecessary components.
- Use of host-based firewalls
- Perform automated port scans periodically
- Keep services up to date
- Periodically re-evaluate the need for each publicly accessible server
- Run critical services on separate machines
- Use firewalls to identify traffic to unauthorized or unused ports and services
Administrative privileges
- Reduce system accounts to the minimum required
- Use administrative accounts only when and where required.
- Keep an inventory of administrative accounts with the appropriate validation
- Enforce strong, unique passwords and periodic changes, with no reuse for a long period. This also applies to service accounts
- Change the default passwords of network devices as soon as possible
- Users must work with non-admin accounts
- Systems should log when an admin account is created or privileges are granted to a user
- Systems should log unsuccessful attempts to use admin accounts
- Use two-factor authentication and/or certificates
Network security
- Use blacklists or whitelists to block traffic to known malicious internet addresses
- Use SPF records in DNS to prevent email spoofing
- Use network IDS and IPS
- Use a proxy for traffic going to the internet
- Remote access using VPNs with two-factor authentication
- Segment the networks used inside the company according to the requirements of each department, third party, etc.
- Implement NetFlow
- Configure firewalls to monitor long-lived sessions
- Deploy a tool at the perimeter to monitor for sensitive information using keywords
- Use a DMZ for publicly accessible systems. It should not contain sensitive information and should communicate with the private network through an intermediate proxy.
- Use internal DNS servers. If they cannot resolve a query, they should forward it to a DNS server in the DMZ, and the DMZ DNS should in turn query trusted internet DNS servers
- Separate the network into different trust segments to provide granular access
- Configure two NTP servers set to UTC
Logging and monitoring
- Check that all systems generate logs in a standard format, or use a normalization tool
- Check the storage space for the logs and the retention policy.
- Review the logs searching for anomalies
- Deploy a SIEM (Security Information and Event Management) and perform correlation and analysis
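The log review the checklist asks for (admin account creation, privilege grants and failed admin logins, correlated rather than read line by line), as an added example that is not from the original page. The log lines are constructed but follow the formats that useradd, usermod and sshd actually emit on Linux; the privileged group names, admin account names and the failure threshold are assumptions.

```python
import re
from collections import Counter

ADMIN_GROUPS = {"sudo", "wheel", "admin"}   # assumed privileged groups
ADMIN_USERS = {"root", "administrator"}     # assumed privileged accounts
FAIL_THRESHOLD = 3                          # alert at this many failures per (user, source)

# Constructed syslog-style lines in the formats useradd, usermod and sshd emit
AUTH_LOG = """\
Mar 10 09:00:01 srv01 useradd[2231]: new user: name=backupsvc, UID=1005, GID=1005, home=/home/backupsvc, shell=/bin/bash
Mar 10 09:00:07 srv01 usermod[2240]: add 'backupsvc' to group 'sudo'
Mar 10 09:10:12 srv01 sshd[3001]: Failed password for root from 203.0.113.9 port 51022 ssh2
Mar 10 09:10:15 srv01 sshd[3001]: Failed password for root from 203.0.113.9 port 51023 ssh2
Mar 10 09:10:19 srv01 sshd[3001]: Failed password for root from 203.0.113.9 port 51024 ssh2
Mar 10 09:11:02 srv01 sshd[3010]: Failed password for alice from 10.0.0.5 port 50111 ssh2
Mar 10 09:12:44 srv01 sshd[3020]: Accepted publickey for alice from 10.0.0.5 port 50112 ssh2
"""

NEW_USER = re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+)")
GROUP_ADD = re.compile(r"usermod\[\d+\]: add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def review(log_text):
    """Return a list of (alert_type, detail) tuples for the events worth escalating."""
    alerts = []
    failures = Counter()
    for line in log_text.splitlines():
        if m := NEW_USER.search(line):
            alerts.append(("account_created", m["user"]))
        elif (m := GROUP_ADD.search(line)) and m["group"] in ADMIN_GROUPS:
            alerts.append(("admin_privilege_granted", f"{m['user']} -> {m['group']}"))
        elif (m := FAILED.search(line)) and m["user"] in ADMIN_USERS:
            failures[(m["user"], m["src"])] += 1   # count, do not alert per line
    # Correlation step: repeated failures against one admin account from one source
    for (user, src), n in failures.items():
        if n >= FAIL_THRESHOLD:
            alerts.append(("admin_login_failures", f"{user} from {src} x{n}"))
    return alerts


if __name__ == "__main__":
    for kind, detail in review(AUTH_LOG):
        print(f"{kind:24} {detail}")
```

The single failed login for a normal user is deliberately not reported: the point of correlation is to surface the new account that was immediately made an administrator and the burst against root, not every noisy line.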
User Account Management
- All accounts should have an expiration date
- Generate reports of accounts that are locked, disabled, have expired passwords or have passwords set to never expire
- Create a leaver process that disables accounts immediately after employee termination
- Monitor account usage, detect dormant accounts and detect login attempts on disabled accounts
- Automatically log off inactive users
- Configuration of screen locks for unattended workstations
- Use of a strong password policy
- Lock accounts after a defined number of failed attempts
- Use of a centralized point of authentication
- Use of encrypted channels for the transmission of passwords
- Verify that all passwords are stored hashed or encrypted
- Encrypt the hard drives of all the computers using trusted algorithms
- Configure systems to disallow USB drives. If they are required, allow only authorized USB devices
- Perform internal and external penetration tests, including the usage of vulnerability scanners and social engineering
- Create a testing environment to run the tests that are not appropriate to perform on production systems.
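The account reports described under User Account Management above (locked, disabled, expired and never-expiring passwords, dormant accounts, accounts without an expiration date), as an added example that is not from the original page. The directory export is constructed and the password age, dormancy threshold and fixed "today" are assumptions; a real run would feed it from the directory service.

```python
from datetime import date, timedelta

DORMANT_DAYS = 90          # no logon for this long counts as dormant (assumed threshold)
PASSWORD_MAX_AGE = 90      # password older than this is expired (assumed policy)
TODAY = date(2024, 3, 10)  # fixed "today" so the example is deterministic

# Constructed directory export: one record per account
ACCOUNTS = [
    {"name": "alice", "enabled": True, "locked": False, "pwd_last_set": date(2024, 1, 20),
     "pwd_never_expires": False, "last_logon": date(2024, 3, 9), "expires": date(2024, 12, 31)},
    {"name": "bob", "enabled": True, "locked": True, "pwd_last_set": date(2023, 11, 1),
     "pwd_never_expires": False, "last_logon": date(2024, 3, 1), "expires": date(2024, 12, 31)},
    {"name": "svc_backup", "enabled": True, "locked": False, "pwd_last_set": date(2022, 5, 5),
     "pwd_never_expires": True, "last_logon": date(2023, 10, 1), "expires": None},
    {"name": "contractor1", "enabled": False, "locked": False, "pwd_last_set": date(2023, 6, 1),
     "pwd_never_expires": False, "last_logon": date(2023, 8, 15), "expires": date(2023, 9, 1)},
]


def report(accounts, today=TODAY):
    """Group account names by the hygiene issue they exhibit (one account may appear in several)."""
    out = {"locked": [], "disabled": [], "password_expired": [],
           "password_never_expires": [], "dormant": [], "no_expiration_date": []}
    for a in accounts:
        if a["locked"]:
            out["locked"].append(a["name"])
        if not a["enabled"]:
            out["disabled"].append(a["name"])
        if a["pwd_never_expires"]:                 # never-expiring passwords are a finding on their own
            out["password_never_expires"].append(a["name"])
        elif today - a["pwd_last_set"] > timedelta(days=PASSWORD_MAX_AGE):
            out["password_expired"].append(a["name"])
        # Dormancy only matters for enabled accounts; disabled ones are already contained
        if a["enabled"] and today - a["last_logon"] > timedelta(days=DORMANT_DAYS):
            out["dormant"].append(a["name"])
        if a["expires"] is None:
            out["no_expiration_date"].append(a["name"])
    return out


if __name__ == "__main__":
    for issue, names in report(ACCOUNTS).items():
        print(f"{issue:24} {', '.join(names) or '-'}")
```

In the constructed data the service account is the one to act on: it never logs on, its password never expires and it has no expiration date, which is exactly the combination a leaver process and account review are meant to catch.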
Information Security Management System
- Internal Audits
- Incident reporting
- Risk assessment
- Periodic meetings
- Security Policy
- Business Continuity Plan
- Clear desk
- Information classification and handling
- Media disposal
- Data protection