Most of the consulting projects I worked on were for small businesses that have about 5-30 employees so you would think that the network would be setup correctly, RIGHT.........wrong. That has not been the case as of late, I have ran into networks where the router is directly open to the public and they are using public ip addresses on the computers instead of using local private IP addresses, the server closet is not even locked or cooled causing some peripherals to crash continuously, all the employees are administrators (disaster when one leaves or gets terminated and has time to copy or even delete all important data) and the list goes on.
My main goal when looking at a new network is to determine that the network has been setup according to best practice settings. These next items are an except from a computerworld article that was posted 8 years ago but are still pertinent today:
1. Use encryption on your wireless access points (AP). Many site surveys have found half or more of all wireless networks are wide open, ripe for anyone to gather all the traffic and perhaps record your sensitive information by sitting in a nearby parked car. Some people mess around with locking down MAC addresses, but that gets unwieldy and a better solution would be to use WPA2 encryption. WPA2 is far better than other encryption methods that are more easily broken into.
2. If you have a wireless network, make sure to hide your SSID (service set identifier), or at least change its name to something common. All wireless routers should have obscure IDs when they announce themselves to the world. Rather than put in any real information that can make it clear who owns the router or that can divulge your location or business name, such as "Acme Systems, here on the 4th floor" or the product name like "Netgear," use something innocuous like "wireless" or "router1" that doesn't give away anything really critical. In my last apartment, I had neighbors who used their apartment numbers for their IDs, making it real easy to figure out who's router was where.
3. If your router (wired or wireless) has a Web management interface, disable access from the outside network. And change the admin default password now. Most routers have the ability to do both quite easily. You don't want anyone else coming in and changing your settings or reading your log files.
4. Make sure all of your PCs use antivirus software and if you're using Windows, add anti-spyware protection. This seems obvious, but it bears restating. And while you are at it, check to make sure that all of your antivirus subscriptions are current. Anything out of date isn't doing you any good. In my support travels, I've found that this is a very common lapse among my neighbors.
5. If you are running a Web server on your LAN, put it on a DMZ. If your router doesn't have a DMZ, get a new router. Better yet, move to a collocation facility where someone who knows what he is doing can manage it. Having your own local Web server sounds like a good idea, but is a real security sinkhole, and many cable networks have made it harder to host your own from your home network anyway. So why worry?
6. Speaking of Web servers on the Internet, if you have them, you should scan regularly for exploits. There are many sites that can do this, two of my favorites are SPIdynamics.com and Qualys.com. Also, make sure to keep track of your domain registry and change all of your access passwords regularly. If you update your Web content, don't use FTP or Microsoft's Web page creation tool, FrontPage; instead, find more-secure methods that don't send your access passwords in the clear. You can learn about other ways to protect your Web site at OWASP.org.
7. If your ISP offers such an option, use a VPN (virtual private network) for access back to your local LAN or your remote Web server. There are many to choose from, ranging from the free OpenVPN.net to inexpensive but capable ones from SonicWall and Fortinet, which are designed for small business owners.
8. Disable file/print sharing on everything other than your file server. You don't need it on each desktop, and that just causes more vulnerabilities. This is particularly important for laptop users: You don't want to be broadcasting your entire file system to everyone around you at the airport or hotel, which is something that I often see when I travel and check for open network shares.
9. Use whole disk encryption on all laptops that will ever leave home. You never know when someone will steal your data or break into your car or hotel room and lift the laptop. I like PGP Disk, but there are others that cost next to nothing and provide plenty of protection. If you are in the habit of carrying around USB thumb drives with your data, then use one of the more modern U3 drives that work with Windows and are at least password-protected to keep your data away from others. I currently use truecrypt or bitlocker on the laptops now.
10. Start doing regular off-site backups now. At least start with making copies of your key customer and business data, and then make sure you cover your personal files, such as family photos and the like. Now is the time to cook up something simple. Burn DVDs and take them home, or make use of one of the online storage vendors such as eVault and Amazon.com's S3. They cost less than $100 a year (Amazon's less than $10 a year) and can save your data in case of fire, theft or just carelessness. If you have two PCs in two different locations, sign up for Microsoft's Foldershare.com free service to synchronize your data.
This one the technology is kinda dated as dvd's cannot even hold the amount of data that is on most companies networks, but there are now companies like iBackup that will back your critical data up to the cloud
This one the technology is kinda dated as dvd's cannot even hold the amount of data that is on most companies networks, but there are now companies like iBackup that will back your critical data up to the cloud
No comments:
Post a Comment