Monday, July 4, 2011

Top 5 things wrong with network security

Happy 4th of July!!!

To celebrate this Independence Day, I've decided to write an article to help you gain some independence in managing your network security. So, in an effort to tighten up commonly seen errors and blunders in networks today, I've devised this list of the top five things wrong with network security. A list like this can be built using a multitude of criteria and considerations. In this discussion we look at the items that aren't necessarily the worst kind of mistake, but the ones that are most likely to occur and have the largest negative impact on a company.

5. Domain Admin accounts for $1 / Pass-the-hash / not changing admin passwords. It seems like organizations are granting domain admin rights as part of the new user package these days. Ok, maybe it's not that bad, but how many people are truly needed to manage the domain? Are you still granting helpdesk staff domain admin rights just so they can join PCs to the domain? (Joining machines is a delegable right; it doesn't require Domain Admins.) When a software vendor comes in and says "my product needs to be installed with a domain admin account" with no reasoning, and sometimes without any understanding of why they need those rights, ask for the specific reason, or try it with a standard user account and see what happens. Certainly never give domain admin accounts out to vendors or consultants. If they are working remotely, you can type in the password when necessary and avoid being part of a "Con-Net" (a network similar to a bot-net, consisting of machines/domains that are owned by a consultant). Administrative and service accounts need to be dished out cautiously and maintained. Changing service account passwords can be a nuisance, but it is especially necessary when IT staff leave the company and should be done regularly for good measure. Also, don't use accounts on your web servers that have rights to other servers in the forest. Web server services and connections should have unique, dedicated, audited accounts with strong passwords (that should also be periodically changed). And for goodness' sake, don't use the same password for your local administrator that you use for the domain administrator account! The same goes for using one local administrator password on every workstation. This is what pass-the-hash is about: an attacker who gets local admin on a single box can dump the password hash from memory or the SAM and use the hash itself, without ever cracking it, to log on to every other machine that shares that password. One compromised PC becomes all of them.
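Here is an added example (my own, not part of the original post) of how to actually answer the questions in item 5 rather than guess: who is effectively a Domain Admin, which of those accounts are really service accounts, and whose password hasn't been changed since the last admin left. It assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined machine; the 90-day threshold and the list of privileged groups are assumptions you should tune to your own policy.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT).
# Assumptions: these four groups are your privileged set, and 90 days is your rotation policy.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$maxPasswordAge   = (Get-Date).AddDays(-90)

# 1. Everyone who is effectively a member of a privileged group, nested groups included.
#    Get-ADGroupMember -Recursive flattens the nesting; we keep only user objects.
$privileged = foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties PasswordLastSet, PasswordNeverExpires, ServicePrincipalName, LastLogonDate |
        Select-Object @{n='Group'; e={ $g }}, SamAccountName, Enabled, PasswordLastSet,
                      PasswordNeverExpires, LastLogonDate,
                      @{n='IsServiceAccount'; e={ $_.ServicePrincipalName.Count -gt 0 }}
}

'--- Effective privileged membership ---'
$privileged | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# 2. Privileged accounts whose password is stale or set to never expire: the
#    "vendor/service account nobody has rotated since the last admin left" case.
'--- Privileged accounts with stale or non-expiring passwords ---'
$privileged |
    Where-Object { $_.PasswordNeverExpires -or $_.PasswordLastSet -lt $maxPasswordAge } |
    Format-Table Group, SamAccountName, PasswordLastSet, PasswordNeverExpires, IsServiceAccount -AutoSize

# 3. Service accounts anywhere in the domain (anything with an SPN registered) with a stale
#    password, privileged or not. SPN accounts are also the ones exposed to Kerberoasting,
#    so a long-unchanged, weak password here is doubly bad.
'--- Service accounts (SPN set) with stale passwords ---'
Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties PasswordLastSet, ServicePrincipalName |
    Where-Object { $_.PasswordLastSet -lt $maxPasswordAge } |
    Select-Object SamAccountName, PasswordLastSet, @{n='SPNs'; e={ $_.ServicePrincipalName -join '; ' }} |
    Format-Table -AutoSize
```

Run it from a workstation with RSAT, not from a domain controller, and run it periodically: the membership list is the thing that quietly grows, and the stale-password list is what tells you which "temporary" vendor account from three years ago is still live.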

4. Applications. Both in-house and vendor-provided applications have the same problem: they usually aren't secure. Many application developers don't have a solid understanding of servers, networking and especially security. Especially for any application that will be available over the Internet, work with your developers to incorporate security from the beginning stages of development; security as an afterthought doesn't work well. Hire a team to perform an assessment of your application BEFORE it goes online. If there is a database behind the app, ensure it does NOT live on the same server as your HR database, and that the account the web server uses to talk to the database has only the permissions it needs: use read-only views where the app only reads, don't make it the schema owner, and never let it run as the database's sysadmin. That way a flaw in the web app (SQL injection being the usual one) is limited to that app's data rather than everything on the server.

3. Rogue access points. Many organizations still have not deployed a wireless infrastructure for staff use. As such, when Bob wants to play on his iPod Touch/iPad/iPhone (yeah, iPhone, since AT&T's service stinks!), it suddenly seems like a great idea to go to Best Buy, pick up a $49 Netgear wireless router and slap it on the network between his PC and the wall jack. This happens a lot more than you might think, and it can be difficult to prevent without spending a good amount of time and money on network access control at the switch. The problem is that now you have no control over the devices on the network. They are unpatched, have old anti-virus definitions if they have AV at all, and are going all over the Internet because their owners think they aren't being tracked. Many OS worms infiltrate and propagate through networks this way. A really cheap method of dealing with this is to give your helpdesk staff Wi-Fi detecting keychains. You know, the kind that beep and display the SSID of a wireless network when one is detected. This is an ongoing detective control that costs nobody additional time or major expense. If you're serious about protecting your network from unauthorized access, consider standing up a PKI and deploying an access control server like a Cisco ACS 1120, and require certificate-based authentication (802.1X with EAP-TLS) on the switch ports, with a guest VLAN for Internet access for anything that can't authenticate. A $49 router plugged into an 802.1X port lands in the guest VLAN instead of on your LAN, which keeps the users happy while protecting the network.
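As an added example (my own, not from the original post), here is the scripted version of the Wi-Fi detecting keychain: any Windows laptop with a wireless adapter can run netsh wlan show networks mode=bssid, and a few lines of PowerShell turn that into a sweep you can walk around the building with. It flags two things: an unknown SSID with a strong signal (probably inside your walls), and your own SSID being broadcast with weaker security than you deploy (either a misconfigured AP or an evil twin). The SSID list, the signal threshold and the sample netsh output are all assumptions I made up for the example.

```powershell
# Added example, not from the original post. Parses "netsh wlan show networks mode=bssid".
# Assumptions: the sanctioned SSIDs, required auth type, signal threshold and the sample text.

$KnownSsids       = @('CORP-WIFI', 'CORP-GUEST')   # sanctioned networks (assumption)
$RequiredAuth     = 'WPA2-Enterprise'              # what the corporate SSID must use (assumption)
$MinSignalPercent = 60                             # weaker than this is likely the building next door

function ConvertFrom-NetshNetworks {
    # Turn the netsh text into one object per BSSID (the MAC address of the radio).
    # netsh prints Authentication once per SSID block, then one or more BSSID blocks with Signal.
    param([string[]]$Lines)
    $aps  = New-Object System.Collections.Generic.List[object]
    $ssid = ''; $auth = ''
    foreach ($line in $Lines) {
        if ($line -match '^\s*SSID \d+\s*:\s*(.*)$') {
            $ssid = $Matches[1].Trim(); $auth = ''          # new SSID block (empty = hidden SSID)
        } elseif ($line -match '^\s*Authentication\s*:\s*(.+)$') {
            $auth = $Matches[1].Trim()
        } elseif ($line -match '^\s*BSSID \d+\s*:\s*([0-9a-fA-F:]{17})') {
            $aps.Add([pscustomobject]@{ SSID = $ssid; BSSID = $Matches[1]; Auth = $auth; Signal = 0 })
        } elseif ($line -match '^\s*Signal\s*:\s*(\d+)%' -and $aps.Count -gt 0) {
            $aps[$aps.Count - 1].Signal = [int]$Matches[1] # Signal belongs to the last BSSID seen
        }
    }
    return $aps
}

function Find-SuspectAccessPoints {
    param([object[]]$AccessPoints)
    foreach ($ap in $AccessPoints) {
        $reason = $null
        if ($ap.SSID -notin $KnownSsids -and $ap.Signal -ge $MinSignalPercent) {
            $reason = 'unknown SSID with a strong signal'
        } elseif ($ap.SSID -in $KnownSsids -and $ap.Auth -ne $RequiredAuth) {
            $reason = "known SSID using '$($ap.Auth)' instead of $RequiredAuth (evil twin or misconfig)"
        }
        if ($reason) { $ap | Select-Object SSID, BSSID, Auth, Signal, @{n='Reason'; e={ $reason }} }
    }
}

# Constructed sample output so the parser can be exercised without a radio.
$sample = @'
SSID 1 : CORP-WIFI
    Network type            : Infrastructure
    Authentication          : WPA2-Enterprise
    Encryption              : CCMP
    BSSID 1                 : 00:11:22:aa:bb:01
         Signal             : 84%
         Radio type         : 802.11n
         Channel            : 6

SSID 2 : NETGEAR
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 00:11:22:cc:dd:02
         Signal             : 91%
         Radio type         : 802.11n
         Channel            : 11

SSID 3 : CORP-WIFI
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : 00:11:22:ee:ff:03
         Signal             : 70%
         Radio type         : 802.11g
         Channel            : 1
'@ -split "`r?`n"

Find-SuspectAccessPoints (ConvertFrom-NetshNetworks $sample) | Format-Table -AutoSize

# Live sweep from the laptop itself (needs a Wi-Fi adapter; walk each floor and re-run):
# Find-SuspectAccessPoints (ConvertFrom-NetshNetworks (netsh wlan show networks mode=bssid)) | Format-Table -AutoSize
```

On the sample, NETGEAR at 91% and the open CORP-WIFI twin are reported; the real CORP-WIFI is not. The BSSID is what you hand to the helpdesk: the SSID can be anything, but the MAC of the radio is what you walk around looking for, and its OUI prefix usually tells you the vendor of the $49 box.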

2. Laptops at home. It's almost impossible for companies to do business anymore without having laptops at home. Unfortunately, while many of our telecommuters are somewhat tech savvy, they aren't security pros, which means they sometimes fall prey to simplifying the VPN process by leaving all usernames, passwords, instructions, etc. in the bag with the laptop. The risk of laptops being stolen is not only real but significant. According to ADT, laptops and home electronics are among the most stolen items from homes, second only to tools and cash. Two-factor authentication is helpful. You could use tokens, but those would only get left in the bag as well. My recommendation is to purchase laptops with fingerprint readers. These have become quite accurate and are harder for the average Joe to circumvent than a password on a sticky note. The best part is that they don't really add any inconvenience to our already overwhelmed users. Keep in mind, though, that the fingerprint reader protects the logon, not the data on the disk; a thief who pulls the drive reads everything. Encrypting laptop hard drives with BitLocker or something similar is what actually protects the data they contain. If you use BitLocker with the TPM alone, a stolen laptop still boots right up to the logon screen, so add a pre-boot PIN: then the disk key is never released without something the thief doesn't have.
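An added example (mine, not from the original post) of checking a laptop's encryption posture against the advice in item 2. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later) and an elevated prompt; the policy it encodes (every volume protected, OS drive uses TPM plus PIN, a recovery password exists so a forgotten PIN isn't lost data) is my assumption and should be matched to your own.

```powershell
# Added example, not from the original post. Requires the BitLocker module and an elevated prompt.
# Policy encoded here is an assumption: protection On, OS drive TPM+PIN, recovery password present.
function Test-LaptopEncryption {
    $findings = foreach ($v in Get-BitLockerVolume) {
        $types   = @($v.KeyProtector | ForEach-Object KeyProtectorType)
        $problem = $null
        if ($v.ProtectionStatus -ne 'On') {
            # Off also covers "encrypted but protectors suspended", which is just as exposed.
            $problem = "protection is $($v.ProtectionStatus) (volume status: $($v.VolumeStatus))"
        } elseif ($v.VolumeType -eq 'OperatingSystem' -and $types -contains 'Tpm' -and -not ($types -match 'TpmPin')) {
            # TPM-only releases the key to anyone who boots the machine; the PIN is the second factor.
            $problem = 'TPM-only protector on the OS drive, no pre-boot PIN'
        } elseif ($types -notcontains 'RecoveryPassword') {
            $problem = 'no recovery password protector (forgotten PIN or TPM swap means lost data)'
        }
        if ($problem) {
            [pscustomobject]@{ Drive = $v.MountPoint; Type = $v.VolumeType; Protectors = ($types -join ','); Problem = $problem }
        }
    }
    if ($findings) { $findings } else { 'All volumes protected; OS drive uses TPM+PIN and a recovery password exists.' }
}

Test-LaptopEncryption | Format-Table -AutoSize
```

Run this as part of the laptop build checklist and again from a logon script; the "protection Off" case is the one you'll find most often in practice, because someone suspended BitLocker for a BIOS update and never resumed it.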

1. Backups make the top of the list. There is nothing more important to your success than having a solid backup strategy. Not to be pessimistic, but we need to operate under the mindset that eventually we will all fail in protecting our networks from disaster of one kind or another. Large companies are often infiltrated by attackers, while smaller organizations are victims of fires, floods and miffed employees who have too many privileges on the network. Many companies simply don't have a backup strategy. Those that do often don't test the backups or, worse, aren't really sure how to go about restoring the data they contain. Do you know how to restore your Active Directory if needed? Restoring a single deleted OU (an authoritative restore) and rebuilding a domain controller from bare metal are different procedures; know both before you need them. Backups are a necessity, but they also introduce a security risk themselves. Are your backup tapes encrypted? If not, why not? Backups are one-stop shopping for someone trying to access your company data (a domain controller's system state backup contains every password hash in the domain) and can be highly sought after. In short, make sure you make backups that actually contain the data you will need when it comes time to restore. Make sure you know how to restore the data, and test that process. Finally, ensure the tapes are encrypted and protected, and that the encryption keys are stored somewhere other than on the tapes or on the server you are backing up.
