10 ways to avoid IT security breaches

Completely eliminating security breaches may be an impossible task -- but that doesn't mean you shouldn't do everything possible to thwart attackers. Michael Kassner shares 10 easy-to-implement measures that will help protect your organization from security threats.

I recently attended a seminar on how to prevent security breaches. As the meeting progressed, I realized something: People have been infringing on others' security for a long time. Is it too bold to think that we can finally do something about it? Maybe if we use the direct approach -- but how about working with human nature?

More specifically, security has been and always will be about effort. If I want to steal a car, I'm certainly not going to walk past a car with the doors unlocked and engine running to the next one that's locked and has the alarm activated. I think we can agree that under most conditions, the car requiring more effort to compromise is assumed to be more secure.

With that premise in mind, I created a list of 10 practices that will significantly increase the effort required to breach the security of your network and computers.

Definition

Before we get started, let's define what we're talking about. The term security breach can conjure up all sorts of meanings, but I'd like to focus on how it relates to information technology. See what you think about this definition:

Security breach: A situation where an individual intentionally exceeds or misuses network, system, or data access in a manner that negatively affects the security of the organization's data, systems, or operations.

I like that definition because it implies that any breach of security has real-world implications, be it stolen personal financial information or business trade secrets getting into the wrong hands.


1: Change default passwords

It's surprising how many devices and applications are protected by default usernames and passwords. Attackers are also well aware of this phenomenon. Not convinced? Run a Web search for default passwords, and you will see why they need to be changed. Using a good password policy is the best way to go, but any character string other than the default offering is a huge step in the right direction.

2: Don't reuse passwords

On more than one occasion, I've run into situations where the same username/password combination was used over and over. I realize it's easier. But if I know this, I'm pretty sure the bad guys do as well. If they get their hands on a username/password combination, they're going to try it elsewhere. Don't make it that easy for them.

There are many helpful password vaults that require you to remember only the master password to gain access to the vault. After that, it's usually a matter of selecting the proper entry.

For instance, Figure A shows Password Safe, the password vault I use. It's open source and recommended by Bruce Schneier.

Figure A

3: Disable user accounts when an employee leaves

Security breaches are easier to pull off when the attacker has insider information. That makes it essential to disable all IT accounts of a user who has terminated employment. It doesn't matter whether the employee is leaving under amicable terms or not.

Determine baseline characteristics

In the past, when I've called my mentor with a problem I couldn't solve, his first words would always be, "What's changed?" After a few times, what he was trying to teach me finally sank in and I started paying attention to baseline characteristics. Baselining has two purposes:

  • To understand what it means to be operating normally
  • To simplify finding what's not operating normally

I may be stating the obvious with regards to baselining, but defining it may help everyone realize how big a role it plays in the next three topics.

4: Examine security logs

Good administrators know about baselining and try to review system logs on a daily basis. Since this article deals with security breaches, I'd like to place special emphasis on security logs, as they're the first line of defense.

For example, when reviewing a Windows server security log, the administrator comes across multiple 529 events (Logon Failure - Unknown user name or bad password). That should immediately raise an alert, with the administrator trying to determine whether a valid user has forgotten a password or an attacker is attempting to gain access.

Windows security logs are cryptic, to say the least, so having some kind of reference guide is beneficial. That's where Randy Franklin Smith helps out; he has a Web page that defines almost every Windows security log event. Randy also has a free reference chart that can be invaluable in explaining security log events.
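The review described above, as an added example that is not part of the original article: it walks a security log export, counts event 529 per account and source, and alerts only when a baseline for ordinary forgotten passwords is exceeded. The comma-separated export layout and the sample lines are constructed for this example, not a real Event Viewer format.

```python
"""Added example (not from the original article): review a Windows security
log export for clusters of event 529 (Logon Failure - Unknown user name or
bad password) and alert when an account or source exceeds the baseline.

Assumption: the export is comma-separated "time,event_id,user,source" lines
(a constructed layout for this example, not a real Event Viewer format).
"""
from collections import defaultdict

LOGON_FAILURE = 529  # event id cited in the article (528 is a successful logon)

# Constructed sample: a user mistyping a password twice, then one source
# failing against several account names late at night.
SAMPLE_LOG = """\
2009-03-02 08:01:10,528,jsmith,WS-12
2009-03-02 08:03:44,529,jsmith,WS-12
2009-03-02 08:04:02,529,jsmith,WS-12
2009-03-02 08:04:30,528,jsmith,WS-12
2009-03-02 23:10:01,529,administrator,10.0.0.77
2009-03-02 23:10:02,529,administrator,10.0.0.77
2009-03-02 23:10:02,529,admin,10.0.0.77
2009-03-02 23:10:03,529,root,10.0.0.77
2009-03-02 23:10:03,529,administrator,10.0.0.77
2009-03-02 23:10:04,529,backup,10.0.0.77
2009-03-02 23:10:05,529,administrator,10.0.0.77
"""


def parse_events(text):
    """Yield (timestamp, event_id, user, source) tuples from the export."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, source = line.split(",")
        yield ts, int(event_id), user, source


def failed_logons(text):
    """Count 529 events per (user, source) pair."""
    counts = defaultdict(int)
    for _ts, event_id, user, source in parse_events(text):
        if event_id == LOGON_FAILURE:
            counts[(user, source)] += 1
    return dict(counts)


def alerts(text, per_account_baseline=3, per_source_baseline=3):
    """Return findings that exceed the baseline.

    A few failures for one account from one source look like a forgotten
    password and stay below the bar; more than per_account_baseline, or one
    source failing against more than per_source_baseline distinct account
    names, is the pattern that deserves the administrator's attention.
    """
    counts = failed_logons(text)
    findings = []
    for (user, source), n in sorted(counts.items()):
        if n > per_account_baseline:
            findings.append(f"{n} failed logons for {user} from {source}")
    accounts_by_source = defaultdict(set)
    for user, source in counts:
        accounts_by_source[source].add(user)
    for source, users in sorted(accounts_by_source.items()):
        if len(users) > per_source_baseline:
            findings.append(f"{source} failed against {len(users)} different accounts")
    return findings
```

Calling `alerts(SAMPLE_LOG)` leaves jsmith's two typos alone and reports the 10.0.0.77 source twice: once for the administrator account and once for trying four different names.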

5: Do regular network scans

Comparing regular network scans to an operational baseline inventory is invaluable. It allows the administrator to know at a glance if and when any rogue equipment has been installed on the network.

One method of scanning the network is to use the built-in Microsoft command net view. Another option, and the one I prefer, is to use freeware programs like NetView. They're typically in a GUI format and tend to be more informative.

6: Monitor outbound network traffic

Malware is becoming sophisticated enough to avoid detection. One method of exposing it is monitoring outbound network traffic. Suspicions should be raised when the number of outbound connections or the amount of traffic deviates from normal baseline operation. To tell the truth, it may be the only indication that sensitive information is being stolen or that an email engine is actively spamming.

Most firewall applications can monitor outbound traffic. Advanced firewalls can even create scheduled reports similar to the one in Figure B.

Figure B
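Items 5 and 6 both come down to comparing today's observations with the baseline. The following is an added example, not code from the original article: it diffs a network scan against a baseline inventory to surface rogue and missing equipment, and flags hosts whose outbound connection count sits far outside their own normal range. The MAC-to-hostname maps and the daily connection counts are constructed sample data.

```python
"""Added example (not from the original article): compare a fresh network
scan and today's outbound-traffic counters against a recorded baseline,
as items 5 and 6 describe.

Assumptions: the baseline inventory is a MAC -> hostname mapping captured
when the network was known-good, the scan is the same mapping from today,
and per-host outbound connection counts were sampled over several normal
days. All values below are constructed for the example.
"""
from statistics import mean, pstdev

# Constructed baseline inventory (MAC -> hostname) taken on a quiet day.
BASELINE_INVENTORY = {
    "00:11:22:33:44:01": "fileserver",
    "00:11:22:33:44:02": "ws-accounting",
    "00:11:22:33:44:03": "ws-frontdesk",
    "00:11:22:33:44:04": "printer-2f",
}

# Constructed scan from today: the printer is offline and an unknown box appeared.
TODAY_SCAN = {
    "00:11:22:33:44:01": "fileserver",
    "00:11:22:33:44:02": "ws-accounting",
    "00:11:22:33:44:03": "ws-frontdesk",
    "de:ad:be:ef:00:01": "unknown",
}

# Constructed outbound connection counts per host, one sample per normal day.
BASELINE_OUTBOUND = {
    "fileserver": [40, 45, 38, 42, 44],
    "ws-accounting": [120, 115, 130, 110, 125],
    "ws-frontdesk": [90, 95, 88, 92, 100],
}

# Constructed counts for today: ws-frontdesk is talking far more than usual.
TODAY_OUTBOUND = {"fileserver": 43, "ws-accounting": 118, "ws-frontdesk": 640}


def compare_inventory(baseline, scan):
    """Return (rogue, missing): MACs seen now but not in the baseline, and vice versa."""
    rogue = {mac: name for mac, name in scan.items() if mac not in baseline}
    missing = {mac: name for mac, name in baseline.items() if mac not in scan}
    return rogue, missing


def outbound_anomalies(baseline, today, z_threshold=3.0):
    """Flag hosts whose outbound count is more than z_threshold standard
    deviations above their own baseline mean, plus hosts with no baseline."""
    flagged = {}
    for host, count in today.items():
        samples = baseline.get(host)
        if not samples:
            flagged[host] = "no baseline for this host"
            continue
        mu, sigma = mean(samples), pstdev(samples)
        # A flat baseline (sigma 0) would make any change infinite; treat it as 1.
        z = (count - mu) / (sigma or 1.0)
        if z > z_threshold:
            flagged[host] = f"{count} outbound connections vs baseline mean {mu:.0f} (z={z:.1f})"
    return flagged
```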

7: Patch and update regularly

Keeping operating system and application software up to date is the best way to foil breach attempts originating from outside the network's perimeter (Internet). It's that simple. If the operating system and applications aren't vulnerable, the exploit will not work.

Using a product like Microsoft Baseline Security Analyzer or one of the products from Secunia is the most effective way to ensure that computers under your care are indeed up to date and have all of the necessary patches.

Now the hard topics

Up until now, each improvement was in the realm of the IT department. That's about to change, as the last three topics require input from other departments in the organization. It's going to be tough, but it's worth the effort.

8: Implement a security plan

No matter what size the organization, having a security plan in place is invaluable for the following reasons:

  • Everyone is working off of the same playbook, which provides continuity.
  • When the organization is in panic mode, the security plan will provide solid solutions developed at a time when everyone was less anxious.

Security plans should be individually sculpted to fit the needs of each organization. To get an idea of what's required, I've linked to two guides, a rather generic one by Microsoft and an all-encompassing guide by NIST.

9: Raise user awareness about information security

Some of my clients are bullish on user training -- and others aren't. The difference is night and day, with the proof being evident in my billable hours. The Web is littered with papers that explain the benefits of user training, but they're typically geared toward increasing user efficiency in the work environment.

The user education I'm referring to is focused on creating well-informed users who can function on the Internet securely. Kathleen Coe of Symantec has written a paper titled Employee Awareness - The Missing Link, which does a good job of explaining what's required to set up a computer security training program.

10: Get upper management to buy in

I saved the hardest for last. Getting upper management buy-in for security policies and for purchasing the required technology is typically a tough sell. Another problem is when people in upper management give the go-ahead to implement security practices but feel the rules don't apply to them.

One thing I've found that usually changes upper management's position is to perform a security breach personally (get permission) or have a TPV do a security audit. It's been my experience that the results are a real wake-up call for everyone involved.

Final thoughts

Completely eliminating security breaches may indeed be an impossible task. But I get concerned when that conclusion drives the attitude of "Why even try, then?" The 10 methods above are simple to implement and will go a long way toward making it more difficult for a security breach to occur.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

47 comments

bobdavis321

Most IT departments have little to no security. They buy a 'firewall' and assume they are protected. The biggest weakness is a rogue computer inside of the firewall, so monitoring and even limiting outbound traffic is CRITICAL! Outbound traffic can be limited to ports used for internet, email, and IM only. So far most viruses use strange ports so they are easily blocked this way.

Blaszta

Thanks for the reference on security logs. I always puzzle when reading some of the logs.

santeewelding

You have the con, and I'm glad of it. In fact, you climb to the crow's nest and operate with a 360-degree view. Thanks yet again.

CG IT

There are even software packages that can produce reports. What I would like is a cross-router-platform software program that can compile outbound traffic reports that doesn't cost several thousand dollars in licensing. Been tinkering with one that can grab the router logs on any SMB or consumer router and display it in graphical terms. So far my tinkering hasn't come up with something that can be used on all models of consumer level routers [and SMB products].

Michael Kassner

I especially like the table of state laws. I will join that group. I'm a member of ISSA and they have several active groups on LinkedIn as well.

JCitizen

That looks like a good one! Maybe my next boss will make these a priority! I think he will! Thanks Michael! Hopefully I can just reduce the log events on my home machines, until then!

JCitizen

I'd say. Good starter for newbies, and a good checklist for low-IT-knowledge business supervisors. Good article! But they always are with Michael. These are the most critical, like - it's an emergency!

Michael Kassner

The funny thing is that those two items are relatively easy to do. I guess it's just overlooked.

Neon Samurai

The gateway firewall keeps things from getting into the network easily but I like each node inside to do its own work. My *nix servers all run snort, psad, rkhunter and solid firewall rules. The workstations should be no different, each doing all it can to protect itself. IT departments afraid to play "what if something gets in" are not nearly as rare as they should be. "We have a perimeter firewall, we're golden" is far too common.

JCitizen

Kiwi and others have code charts that explain the log features, and pretty soon you get a pretty good picture of what is an actual problem and what is just "background radiation".

Michael Kassner

If you are interested, Randy Franklin Smith has e-mail newsletters that will notify you of Web casts about security logs. I watch them all the time and they are very informative.

Neon Samurai

You could forward logs to a log server then analyse through that interface. It may not provide exactly what you're after though.

Michael Kassner

You will become wealthy. That would be something I'd consider extremely useful.

Michael Kassner

He makes the recorded Web casts available. I truly think he's the premier expert on MS event logs, especially the security ones. I've learned so much from him.

Michael Kassner

I've noticed that protection is moving more internal. Actually, security is circling the wagons around the data and letting everything else go wild. It's an interesting concept, but not quite ready for prime time.

JCitizen

and then half again as many have weak outbound protection to boot.

Michael Kassner

I had forgotten about that. Stuff for another article.

CG IT

I like Kiwi syslog but ... not all consumer level routers have the syslog capability. I've tried some code that will allow a LAN login and then query the log files the router has. Had intermittent success with Linksys and none so far with Netgear.

JCitizen

malware process guards for conflicts. Speaking of which - have you been getting reports on how IE 8 is ditching Comodo Defense+? I am having to reinstall all my clients' firewalls with it turned completely off, or they go into a boot loop! (XP) I hope that browser can make up the difference! Must be some powerful security added in the last two updates!

JCitizen

made them a believer in the state of their interior network. I emailed it to them and introduced it as a matter-of-fact state of business, with no criticism or complaint. I can now brag there is no extraneous background radiation! All their efforts of course; but lawsuits, and that recent FTC action, in the news, may have made them a believer! My report couldn't have had a bearing on that could it? ]:)

Michael Kassner

As I mentioned in the article, I've been able to promote that a security audit isn't as expensive as the upgrades I suggested and they fall for that. As they think they will have proof that things are OK. Nine times out of ten after the audit they spring for the upgrades as the testing backed up my claims.

Neon Samurai

It's expensive to get a good third party testing firm in for a visit but the report they hand back after is pretty powerful when talking to decision makers.

Michael Kassner

Stays that way. If dictionary or rainbow tables get that good, we are in trouble.

Neon Samurai

Windows Firewall provides some protection and does outbound as of SP3 so it'll be a matter of figuring out a good policy to inject into each of the workstations. For now, I just want to be able to drop a rogue box on the network and still not get anything from it easily. Now, I'll also have to look into a way to manage dynamic IP while mitigating ARP poisoning. Luckily, there doesn't seem to be a pre-generated table attack for Kerb5 PreAuth hashes so strong passwords still mitigate dictionary and brute force.

JCitizen

I'm always saying when I ever get the time, I was always going to follow up on some good links to open source solutions listed with some of the equipment at Tom's Hardware. Excellent place to start for silly ol' me anyway. Problem is; Windows always gets in the way and forces priorities elsewhere. I'll probably have to buy a used Barracuda gateway and play with it to catch up. That seems to be the direction Windows business is heading in larger shops now. Thank God nobody wants Cisco, I've hated those buggers since my CCNA school.

Neon Samurai

Reading logs is actually embarrassingly new to me. I started with ksystemlog which led quickly to grep (same filtering outcome, no X required, logs not limited to what's default). Right now I have only a few servers to monitor so my admin's Thunderbird pulls the logs safely through pop3s for daily scanning by hand. I'm unwilling to have them push into a central log server until I can be sure of rsyslog through tunneling. For reporting systems it's the usual suspects: snort, rkhunter, tiger, tripwire, chkrootkit, psad. For me, the next step will be more industrial log analysis and alert notices. The one program that has had an obvious sms or pager alert function is a little app that watches your network daemons and performs an action; restart the daemon and send the admin an email. Or, if the lines are uncommented, send to a pager using XYZ application. I've moved away from using it but I can go back and look; band-aid fix for an old Mandriva based server where my newer machines based on Debian don't present random Apache crashes. Gah.. there was also something I read past on Linux.com a while back that did log analysis resulting in pretty graphs. The PDF must be in my library so I'll see if I can track that down later.

Neon Samurai

The thread above lists consumer level hardware which may allow dd-WRT. If it won't push directly to an rsyslog then it does have the option to mount a samba share. Not ideal but gets logs onto a remote system. An sshfs into the router or out to a server could also be possible. Logs on the remote server make it simply a scripting task. As for alerts, I don't see why a log monitor couldn't be run against the logs when they hit the consolidating server. There is already a program to send the sms out to a pager number. OpenWRT should be able to do it if dd-WRT can't be used.

JCitizen

since I was into it; but my foggy mind recollects seeing some links posted by reviewers about analytic emails you could get from some of the FOSS service solutions featured there. This would be great if true. Beats getting charged $50 bucks a year(or so) to do the same thing.

Neon Samurai

I buy my routers off the compatibility list specifically because I've yet to find a vendor provided firmware that comes close:

  • DHCP-issued static IP
  • configuration backup
  • internal traffic rules, like my NAS not being allowed to talk to the public interface

Those are not the only features but those alone trump what usually ships on Linksys anyhow. If the consumer grade hardware is enough for your required task then ddWRT will fill it out with enterprise class functions.

Michael Kassner

I'm also Cisco trained, but if you don't use their equipment daily you lose touch. They need to get up to speed with the others when it comes to GUI.

JCitizen

Many of them may do better with some dd-WRT solutions I saw on Tom's Hardware - haven't had the time to look into it, however. I would like to buy a cheaper used Barracuda unit, and play with it for a while. Most serious businesses seem to swear by it. I know I didn't care for Cisco in my experience. I know they trained me, but their equipment really sucks for the money they charge!

Michael Kassner

When you get it to a point where you need beta testers, I'd gladly help if you were so inclined.

Michael Kassner

Is good that way. They are high on my list of firewalls for larger clients as they do cost a bit too much for most SMBs.

JCitizen

I see a lot of syslog readers for free on CNET; but for multi-systems that would be the bomb! I deal most with private clients and SMBs; the single users can go the free route, but surprisingly my SMB clients usually buy Kiwi after seeing a demo. I'm not a software peddler, I just get a kick out of giving extra service. I hate IT crime with a passion! I don't like keeping my router console open; and it wouldn't stay that way anyhow. I'm just paranoid and like to have it running on a monitor so I can take a quick look at traffic, with the other eye cocked toward the IDS intrusion light panel too! I must have a nose for trouble, because I always happen to be looking at the light panel when trouble starts and I can quickly follow up with syslog observation. This is for small time of course, big offices would need something like you're putting together; with alerts and filtering put in for clarity. Otherwise you'd be overwhelmed, as you already know. The folks at solarwinds are real helpful in this regard. I also get an email from CheckPoint once a month from my service with very good analysis, pie charts, IP addresses of top offenders, the works. Makes for a very good overall picture of the threatscape. (not FortiGuard)

JCitizen

I wasn't privy to everything on that contract. I always install syslog as an application and service on my and my clients' LAN. We had a pretty tight perimeter there, and we used Server 2003. I took my MCSE under W2K, but never used it again. We were rapidly deploying to XP and Server 2003 at the time to ease HIPAA restrictions. My immediate supervisor was pretty good at hacks like that, though. Wireshark and snort were very popular with the head office.

CG IT

The problem is customers don't see the benefits of spending $195.00 for it just to capture logs I can read on the router for free. Part of the problem is that you buy the thing for a single install. I'm working on a low cost NOC type program that grabs the logs for viewing on multiple disparate systems. And not spending a lot of hours to create.

Michael Kassner

I've been looking for an application that would work with Win servers and Kiwi looks good. Did you install the snare agent on Win2K3 servers perchance?

JCitizen

that doesn't work with Kiwi, for years. I'm pretty adamant about telling my clients they need to look for one that works. Kiwi has saved my butt many times; only recently it helped me find a possible security problem in Brother Corp.'s CDROM drivers. I think it had perimeter scanning crackware encoded in it; NOT the spooler service it was cloaking itself as. I had to pay a LOT of money and argue with my ISP and Brother for about two months before I got down to the bottom of it. Those outbound alerts are the best indication of undiscovered infection inside my perimeter. A good IDS that works on port 80 can't hurt a bit either.

Michael Kassner

That it would be a difficult task, just considering all the variables.
