Security: Don’t forget the basics
While much of the focus—and much of the funding—goes to advanced security technologies, it pays to not overlook the fundamentals.
John Vacca
Adapted from “Computer and Information Security Handbook” (Elsevier Science & Technology books).
Many organizations spend a great deal of time and money addressing perimeter defenses. While those are indeed important, organizations can sometimes overlook some fundamental security processes and procedures. Just simple password-management tactics and configuration tricks can go a long way toward increasing your security posture.
Change default account passwords
Nearly all new network devices come preconfigured with a password/username combination. This combination is included with the setup materials and is documented in numerous locations. Very often, these devices are gateways to the Internet or other internal networks.
If you don’t change those default passwords upon configuration, it becomes a trivial matter for an attacker to get into these systems. Hackers can find password lists on the Internet, and vendors often include default passwords in their online manuals.
Use robust passwords
With the increased processing power in any PC or laptop and password-cracking software such as the Passware products and the AccessData Password Recovery Toolkit, cracking passwords is fairly simple and straightforward. For this reason, it’s extremely important to create robust passwords. Complex passwords are hard for users to remember, though, so the challenge is to create passwords they can remember without writing them down.
One solution is to use the first letter of each word in a phrase, such as “I like to eat imported cheese from Holland.” This becomes IlteicfH, which is an eight-character password using upper and lowercase letters. You can make this even more complex by substituting an exclamation point for the letter I and substituting the number 3 for the letter e, so the password becomes !lt3icfH. This is a fairly robust password that a user can easily remember.
Close unnecessary ports
A computer’s ports are logical communication access points over a network. Knowing what ports are open on your computers will help you understand the types of access points you have available. The well-known port numbers are 0 through 1023.
Some easily recognized ports and their uses are listed here:
- Port 21: FTP
- Port 23: Telnet
- Port 25: SMTP
- Port 53: DNS
- Port 80: HTTP
- Port 110: POP (Post Office Protocol)
- Port 119: NNTP (Network News Transfer Protocol)
Open ports that aren’t necessary can be an entrance into your systems, and ports that are open unexpectedly could be a sign of malicious software. Therefore, identifying open ports is an important security process. There are several tools that will help you identify open ports. The built-in command-line tool netstat will help you identify open ports and process IDs by using the following switches:
- -a: Displays all connections and listening ports
- -n: Displays addresses and port numbers in numerical form
- -o: Displays the owning process ID associated with each connection
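As an added example (not part of the original article), the following Python script parses `netstat -ano` output, extracts the listening ports with their owning process IDs, and reports any that are not on an allowlist. The sample output and the `EXPECTED` allowlist are constructed for illustration; on a real host you would feed in the actual command output and your own list of required ports.

```python
# Constructed sample of Windows `netstat -ano` output (not captured from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING       3344
  TCP    192.168.1.10:49712     203.0.113.5:443        ESTABLISHED     5120
  TCP    [::]:80                [::]:0                 LISTENING       4
  TCP    [::]:4444              [::]:0                 LISTENING       6008
  UDP    0.0.0.0:53             *:*                                    1460
  UDP    [::]:5353              *:*                                    1788
"""

# Assumed allowlist for this example: (protocol, port) pairs the host should expose.
EXPECTED = {("TCP", 80), ("TCP", 135), ("UDP", 53)}


def listening_endpoints(text):
    """Return a sorted list of unique (proto, port, pid) tuples for listening sockets."""
    found = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header, or blank line
        proto, local, pid = fields[0], fields[1], fields[-1]
        # TCP rows carry a State column; UDP rows have none and count as bound.
        if proto == "TCP" and fields[3] != "LISTENING":
            continue
        # rpartition handles both 0.0.0.0:80 and bracketed IPv6 such as [::]:80.
        port = local.rpartition(":")[2]
        if port.isdigit() and pid.isdigit():
            found.add((proto, int(port), int(pid)))  # set merges IPv4/IPv6 duplicates
    return sorted(found)


def unexpected(endpoints, expected):
    """Listening endpoints whose (proto, port) pair is not on the allowlist."""
    return [e for e in endpoints if (e[0], e[1]) not in expected]


if __name__ == "__main__":
    for proto, port, pid in unexpected(listening_endpoints(SAMPLE), EXPECTED):
        print(f"unexpected listener: {proto}/{port} owned by PID {pid}")
```

The reported PID can then be matched to a process name in Task Manager or TCPView to decide whether the listener is legitimate.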
Other helpful tools for port management include CurrPorts, a GUI tool that lets you export the results in delimited format, and TCPView, a tool provided by Microsoft.
Patch, patch, patch
Nearly all OSes have a mechanism for automatically checking for updates. You should make sure this notification system remains turned on. Although there’s some debate as to whether updates should be installed automatically, you should at least be notified of updates. You might not want to have them installed automatically, as patches and updates have been known to cause more problems than they solve. However, don’t wait too long before installing updates because this can unnecessarily expose your systems to attack. A simple tool that can help keep track of system updates is the Microsoft Baseline Security Analyzer, which also will examine other fundamental security configurations.
Don’t use administrator accounts for personal tasks
A common security vulnerability develops when you, as the systems administrator, conduct administrative or personal tasks while logged into your computers with administrator rights. Tasks such as checking e-mail, surfing the Internet, and testing questionable software can expose the computer to malicious software. This also means malicious software may be able to run with administrator privileges, which can create serious problems. To prevent malicious software from gaining control of your computers, you should log into your systems using a standard user account.
Restrict physical access
With such a focus on technology, it’s often easy to overlook the non-technical aspects of security. If an intruder can gain physical access to a server or other infrastructure asset, the intruder will own the organization. Critical systems should be kept in secure areas. A secure area is one that provides the ability to control access to only those who need access to the systems as part of their job.
A locked room is a good start. Only the server administrator should have a key, and you should store the spare key in a safe somewhere within the executive suites. The room should not have any windows that can open. The room shouldn’t even have any labels or signs identifying it as a server room or network operations center. You should most definitely not store the server equipment in a closet where other employees, custodians or contractors can gain access. Review the validity of your security mechanisms during a third-party vulnerability assessment.
Don’t forget paper
With the advent of digital technology, some people have forgotten how information was stolen in the past: on paper. Managing paper documents is fairly straightforward. Use locking file cabinets, and make sure they’re locked consistently. Extra copies of proprietary documents, document drafts, and expired internal communications are some of the materials that should be shredded. Create a policy to inform employees of what they should and shouldn’t do with printed documents.
This example of trade secret theft underscores the importance of protecting paper documents: A company surveillance camera caught Coca-Cola employee Joya Williams at her desk looking through files and “stuffing documents into bags,” according to FBI officials. Then in June, an undercover FBI agent met at the Atlanta airport with another culprit, handing him $30,000 in a yellow Girl Scout Cookie box in exchange for an Armani bag containing confidential Coca-Cola documents and a sample of a product the company had under development.
These fundamental steps toward securing your physical and digital environment are just the beginning. They should provide some insight into where to start building a secure organization.
John Vacca is an information technology consultant, professional writer, editor, reviewer and internationally known best-selling author based in Pomeroy, Ohio. He has authored more than 50 titles in the areas of advanced storage, computer security and aerospace technology. Vacca was also a configuration management specialist, computer specialist, and the computer security official (CSO) for NASA’s space station program (Freedom) and the International Space Station Program from 1988 until his retirement from NASA in 1995.