-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This was a checklist that Sonicwall developed and I saw on SnP. I thought it might be useful for the readers of the list and thus I posted it.

Cheers,
Leon

10 Security Guidelines

I. Secure telecommuters and remote workers:
Telecommuters and remote workers are often one of the weakest parts of a company's security system. As external attacks become increasingly sophisticated, a favorite tactic is to infiltrate the computer of a telecommuter or remote worker and follow them into the corporate LAN. It is critical that businesses implement firewall, VPN and anti-virus technologies among telecommuters and remote workers.

II. Assess the vulnerability of the network perimeter:
Despite heightened security awareness, many significant holes still exist in companies' security systems. A number of successful external attacks exploit known vulnerabilities. Vulnerability scanning services can help anticipate potential security problems and help a company address its weaknesses before a hacker exploits them. Vulnerability scanning should take place at a minimum of once per quarter.

III. Guard against internal security threats:
A common misperception is that the majority of attacks occur from outside the network. Internal attacks happen more often and tend to be significantly more costly and damaging than external hacks. Companies should implement security technologies such as enterprise-class firewalls for individual workstations that store sensitive data or servers that host mission-critical applications, to protect them from these internal attacks.

IV. Reduce time-to-deployment of patches:
Updates and patches to defend against viruses and hacks often exist in time to prevent a successful infection or hack attack, but are not deployed in a timely manner. New computer viruses are designed to spread quickly; therefore, leaving a computer on the local area network with outdated AV software exposes the entire network to infection, not just that PC. As a general rule, updates and patches should be deployed to all systems on the network within 4 hours from the time they are made available. Additionally, operating systems and applications should be regularly updated, and businesses should not rely on the default installation.

V. Decentralize and secure vital information:
Many companies are considering a decentralized, distributed model for storing business-critical information to prevent the complete loss of such information in the event of an emergency. This requires security technologies that can protect a distributed architecture and that can also be centrally managed.

VI. Create a company culture of sound security:
Network security is more than the IT manager's responsibility. For effective network security, all levels of the company must be involved. Additionally, effective security requires training and commitment. To create a company culture of sound security, a business can:
- Regularly train/update employees on current security practices
- Actively seek the help of employees to identify potential security risks
- Recognize individuals or departments that have a strong security track record

VII. Regularly back up vital information:
Important data such as sales records, personnel information, client records, etc. should be backed up daily, in offsite locations. Utilize a repository located offsite for either Internet-based or tape-based data backup. Look into alternative solutions for recovery, e.g. hotels with additional phone lines and quick access to the Internet. Test disaster recovery procedures to determine how long it will take for your business to be 50%, 75% and 90% functional.

VIII. Develop an internal "Security Audit":
In addition to assessments by third parties, each company should develop its own unique internal security diagnostic. This includes:
- Regular testing of all security hardware and software to ensure they are functioning properly and are properly configured
- Reviewing hardware and software to determine the date of the last firmware or software upgrade
- Reviewing the authorized users list to ensure former employees no longer have access to the network
- Interviewing key security personnel and random workers to determine whether policies are effective, incomplete, being followed correctly, understood, etc.

IX. Consider hardware solutions over server-based solutions:
Hardware solutions typically offer higher performance at a better price point and can support a diverse number of network configurations. Dedicated hardware solutions are not only higher performing and more cost-effective, but they also offer a higher level of security, as they are not susceptible to OS vulnerabilities.

X. Keep directory services up to date:
On average, large percentages of names and accompanying passwords in company directories are outdated and unused, and hence are prime targets for external hacks as well as 'internal' hacks from terminated employees. User accounts should not have weak passwords or no passwords.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA+AwUBPEXT29qAgf0xoaEuEQJF/QCYiQE7bGsrPaJxhn1LCcgsLsO7mwCfbsqi
6PPuQS6kOwGxaH+p3UA5jmk=
=gu4O
-----END PGP SIGNATURE-----
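[Editor's note, added example. The following script is not part of Leon's post or of Sonicwall's checklist; it illustrates the account review called for in item VIII ("former employees no longer have access") and item X ("outdated and unused" accounts, accounts with no password) on a Unix host. The /etc/shadow field layout it parses is the real one; the shadow lines, the last-login table, the list of terminated users and the fixed audit date are constructed sample data so the run is reproducible offline. A real run would read /etc/shadow as root and pull last-login times from lastlog or your directory.]

```python
"""Stale-account audit: flag accounts with no password, accounts still
enabled for terminated staff, and accounts with no recent login."""
from datetime import date, timedelta

# Constructed /etc/shadow-style sample. Field 2 is the password field:
# empty      -> no password at all
# "!" or "*" -> account locked / no usable password
# anything else is a hash (placeholders here, not real hashes).
SAMPLE_SHADOW = """\
root:$6$salt$placeholderroot:11500:0:99999:7:::
alice:$6$salt$placeholderalice:11800:0:99999:7:::
bob::11800:0:99999:7:::
carol:!:11000:0:99999:7:::
dave:$6$salt$placeholderdave:11000:0:99999:7:::
ftp:*:10000:0:99999:7:::
"""

# Constructed audit date (fixed so results do not drift with the clock).
TODAY = date(2002, 1, 16)

# Constructed last-login table; users absent here have never logged in.
SAMPLE_LAST_LOGIN = {
    "root": date(2002, 1, 15),
    "alice": date(2002, 1, 14),
    "bob": date(2002, 1, 10),
    "dave": date(2001, 8, 3),  # last seen over five months ago
}

# Constructed HR list of people who have left the company.
TERMINATED = {"carol", "dave"}


def parse_shadow(text):
    """Map username -> password field for every non-comment shadow line."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line, skip rather than guess
        accounts[fields[0]] = fields[1]
    return accounts


def password_state(password_field):
    """Classify a shadow password field as 'none', 'locked' or 'set'."""
    if password_field == "":
        return "none"
    if password_field.startswith(("!", "*")):
        return "locked"
    return "set"


def audit(shadow_text, last_login, terminated, today, max_idle_days=90):
    """Return the three finding lists a reviewer would act on."""
    accounts = parse_shadow(shadow_text)
    findings = {"no_password": [], "stale": [], "terminated_active": []}
    cutoff = today - timedelta(days=max_idle_days)
    for user, password_field in sorted(accounts.items()):
        state = password_state(password_field)
        if state == "none":
            findings["no_password"].append(user)
        if state == "locked":
            continue  # already disabled; nothing more to flag
        if user in terminated:
            findings["terminated_active"].append(user)
        seen = last_login.get(user)
        if seen is None or seen < cutoff:
            findings["stale"].append(user)
    return findings


if __name__ == "__main__":
    for category, users in audit(SAMPLE_SHADOW, SAMPLE_LAST_LOGIN,
                                 TERMINATED, TODAY).items():
        print(f"{category}: {', '.join(users) or '-'}")
```

On the sample data this reports bob (empty password field), dave (terminated but still enabled) and dave again as stale; carol and ftp are locked and so are left alone. Whether an empty password field actually permits a password-less login depends on the PAM configuration (nullok), so treat "no_password" as a finding to verify, not a guaranteed hole.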
