1. Use Linux. I disagree. This only helps if A) ALL desktops are switched to Linux and B) admins are familiar with hardening and maintaining Linux. If you're not doing A, you're just doubling the attack surface. You haven't eliminated problems with the Windows boxes, and now you've got care and feeding of Linux boxes to manage, too. If you're not doing B, admins will perform risky actions without knowing they're doing anything wrong.
2. Block users from installing software. Can I get an "AMEN!" from the audience? This is one of my pet peeves, #2 on the SANS 20 Critical Controls list, and something very few small companies implement effectively. Don't stop at removing local admin rights - use something like Bit9 for application whitelisting.
3. Update AV. Sure, updating is a good thing, but this definitely wouldn't be #3 on my list. AV is easily and routinely bypassed. You're better off assuming AV is not going to stop anything. Check out http://computer-forensics.sans.org/blog/2012/04/09/is-anti-virus-really-dead-a-real-world-simulation-created-for-forensic-data-yields-surprising-results. Luckily, most "AV" nowadays is actually a full-on endpoint protection suite bundled with things like a network traffic monitor, file integrity monitoring, malicious URL interception, etc. The actual "AV" is (imho) one of the least effective parts of the package.
4. Switch your browser. Bad suggestion. A GFI study earlier this year listed IE as the 8th most vulnerable application for 2012. Webkit was 4th, Firefox was 3rd, Safari 2nd, and Chrome was #1. So yeah, attacks are going after your browser no matter what you use (unless you're switching to Opera, I guess). A large number also attack Flash, Adobe Reader, Java or other plugins. You're likely to have those no matter which browser you choose. Also, IE has the advantage of controlling settings en masse through group policy. Better suggestion: reduce your attack surface by picking one approved browser for network users and uninstalling all others.
5. Disable add-ons. I agree wholeheartedly, but isn't this just a subset of suggestion #2?
6. Hardware firewall. I agree, but wouldn't abandon the client firewall. We should still use it, tightened as much as possible. Many endpoint security products come bundled with their own firewall to replace the Windows firewall. We should also deploy proxy firewalls on the perimeter (don't just inspect packets passing through - terminate outside connections at the firewall and rebuild packets to send to the client). And don't forget about egress filtering on both!
7. Strict password policy. I'm sorry, but 30-day resets are a dangerously bad idea. That's effectively telling your users "I want you to either write this down or put the month in the password." Better idea: Preach that password length matters more than anything else. Example: "StrictPwPolicy=HorribleIdea" isn't hard to remember, but at 27 characters is extremely resistant to brute force attacks. "But it has dictionary words in it!" So what? It is still better than any 8 character passwords your users are going to choose. Users may freak when you first tell them they need 24+ char phrases, but once you show how easy it is to remember a new phrase twice a year as opposed to a random 8 character string that changes every 30 days, they'll come to accept it. And a 24 character crappy password is still several orders of magnitude better than an 8 character crappy password.
8. "Everyone" folder access. I wouldn't do this even temporarily. Temporary access becomes long-term access because "we've got it working" and there are always other issues to fix. I wouldn't grant access individually, either. Auditing individual access becomes a nightmare on even a moderately sized network. Grant access to an appropriately named group, then add users to the group. All you have to do to audit access is verify only the appropriate groups are on the share, and then check who is in the groups. Also, use limited access (RO/RE/RW/MOD) as opposed to full control when possible. Example group: PayrollShareRO for those who need to see content of files in the Payroll share, but do not need to create or change them.
9. Use a NAC. Agreed. PacketFence is a good suggestion for first time NAC users.
10. Content filtering. Not sure what "content" is being discussed. Email? If so, keywords are horrible at both detection and false positive rates. Alternative suggestion: block all attachment types except those absolutely needed for business, disable direct-clicking of links in Outlook, and educate your users on current phishing techniques. Use filters based on multiple factors, including the reputation of the sending domain/server. For web filtering, I prefer using a service such as SurfControl to allow certain categories of sites and block everything that hasn't been categorized. Individual sites that fall into normally blocked categories can then be added to a whitelist on a one-off basis.
I kinda ended up picking this list apart, so it is only fair I offer up my own top 10 for critique:
1. User education. Users should know what is normal PC behavior, what is not, and who to contact when something odd happens. Java icon unexpectedly popped up on the taskbar while web surfing, sluggish PC, unexpected reboot, certificate error, new homepage, phishing emails, etc. They should also be trained to think twice before clicking on anything. Make your users into an intrusion detection system. Stroke their ego and let them know they play a vital part in protecting the network.
2. Application whitelisting. If it isn't necessary, the file doesn't run. Extremely effective in warding off infection. Even more so if you can prevent legit running processes from having malware injected into them, but I have yet to see an elegant solution to that.
3. Know thyself with network monitoring. Something like SpiceWorks (ad-supported free version available, but not open source) is great for taking inventory of what is on your network, both in terms of software and hardware. You can't protect what you don't know is there. Deploy something like SecurityOnion to see what traffic is already present on your network and detect anything new/unusual.
4. Get security to be a management priority at the START of projects. Otherwise, you run the risk of hearing things like "ok, we've licensed this product for the next five years and have already installed it on the network - it gets updates via FTP and is managed through an outdated embedded web server that doesn't support SSL and requires an old version of Java on the client PC. Now make it secure."
5. Have a secure configuration standard that is always followed when deploying a new machine. Know what software/services are supposed to be installed/running on each machine, and which aren't.
6. Centralized logging. If buying a commercial SIEM isn't an option, use something like Splunk (free for less than 1GB/day) or OSSIM. Good logs can be crucial in determining the scope of a security incident.
7. Check all web apps against the OWASP Top 10. It's shameful how many still fail at the basics.
8. Perform regular vulnerability scans. Use trials of various scanners (Nessus, NeXpose, etc.) until you find what fits your needs/budget.
9. Patch religiously. Not just MS auto-updates, either. Get a 3rd party patching solution and take care of all the software on your network. Of particular importance on clients are Flash, Acrobat, Reader, Java, QuickTime, and browsers. On servers, databases and web servers are the most common targets.
10. Run drills. You don't get to be great at playing linebacker in football just by describing what you would do on the field. Similarly, you need to get experience in realistic network threat scenarios - see what works and what doesn't. Tweak your defenses and test again.
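The length-versus-rotation argument in point 7 of the critique above can be put into numbers. The following is an added example, not code from the commenter or from TechRepublic: it estimates the work an attacker faces against the post's 27-character passphrase and against a constructed 8-character "complex" password, both as a blind brute force and (for the passphrase) under a pessimistic dictionary-attack model where the attacker knows the phrase is built from words. The wordlist size (100k entries), the guessing rate (10 billion per second) and the sample short password are assumptions chosen for illustration.

```python
import math
import string

# Constructed sample passwords for the comparison (not real credentials).
# PASSPHRASE is the 27-character example from the post; SHORT_PASSWORD is a
# constructed 8-character "complex" password of the kind a 30-day reset
# policy tends to produce.
PASSPHRASE = "StrictPwPolicy=HorribleIdea"
SHORT_PASSWORD = "P@ssw0rd"

# Assumed attacker parameters (assumptions, not measured figures):
# a 100k-entry wordlist for dictionary-style attacks and an offline
# guessing rate of 10 billion candidates per second.
ASSUMED_DICTIONARY_SIZE = 100_000
ASSUMED_GUESSES_PER_SECOND = 1e10


def alphabet_size(password: str) -> int:
    """Character set size an attacker must cover, derived from the classes
    that actually appear in the password (lower, upper, digit, symbol)."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += len(string.ascii_lowercase)   # 26
    if any(c in string.ascii_uppercase for c in password):
        size += len(string.ascii_uppercase)   # 26
    if any(c in string.digits for c in password):
        size += len(string.digits)            # 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)       # 32
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the keyspace a blind, character-by-character brute force
    must search: length * log2(alphabet size)."""
    return len(password) * math.log2(alphabet_size(password))


def dictionary_bits(word_count: int,
                    dictionary_size: int = ASSUMED_DICTIONARY_SIZE) -> float:
    """Pessimistic estimate for a passphrase made of dictionary words: the
    attacker is assumed to know the word count and separator, and guesses
    each word from the wordlist with two capitalisation choices per word."""
    return word_count * (math.log2(dictionary_size) + 1)


def seconds_to_exhaust(bits: float,
                       rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Time to try every candidate in a keyspace of 2**bits at the given rate."""
    return 2 ** bits / rate


def compare_policies() -> dict[str, float]:
    """Bits of work under the three attack models the post's argument turns on."""
    return {
        "short_complex_bruteforce": brute_force_bits(SHORT_PASSWORD),
        "passphrase_bruteforce": brute_force_bits(PASSPHRASE),
        # StrictPwPolicy=HorribleIdea is counted as 4 dictionary words
        # (Strict, Policy, Horrible, Idea); "Pw" is treated as already known
        # to the attacker, which keeps the estimate on the low (conservative) side.
        "passphrase_dictionary": dictionary_bits(4),
    }


if __name__ == "__main__":
    day = 24 * 3600
    for name, bits in compare_policies().items():
        print(f"{name:28s} {bits:6.1f} bits  "
              f"~{seconds_to_exhaust(bits) / day:.3g} days to exhaust")
```

Under these assumptions the 8-character password (about 52 bits) can be exhausted in roughly a week, well inside a 30-day reset window, while even the dictionary-aware model of the passphrase (about 70 bits) runs to thousands of years; the blind brute force of the passphrase (over 170 bits) is not a realistic attack at all. Swap in your own wordlist size and hash rate to see how the comparison moves.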
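Point 8 of the critique describes a two-step share audit: verify only the appropriate groups are on the share with limited (RO/RE/RW/MOD) rather than Full Control permissions, then check who is in those groups. The following is an added example of that audit, not code from the commenter or from TechRepublic. The share names, the `<Share>Share<Level>` group naming convention, the ACL entries and the group memberships are all constructed sample data; in a real environment they would come from the file server and the directory.

```python
from dataclasses import dataclass

# Permission levels the post recommends instead of Full Control.
LIMITED_LEVELS = {"RO", "RE", "RW", "MOD"}

# Principals that hand access to everybody; the post's point is never to put
# these on a share, even "temporarily".
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}

# Constructed sample data (not from any real environment). Approved groups
# follow the <Share>Share<Level> naming convention from the post.
APPROVED_GROUPS = {
    "Payroll": {"PayrollShareRO", "PayrollShareRW"},
    "Engineering": {"EngineeringShareRW", "EngineeringShareMOD"},
    "Finance": {"FinanceShareRO", "FinanceShareMOD"},
}

GROUP_MEMBERS = {
    "PayrollShareRO": {"alice", "bob"},
    "PayrollShareRW": {"carol"},
    "EngineeringShareRW": {"dave", "erin"},
    "EngineeringShareMOD": {"frank"},
    "FinanceShareRO": {"grace"},
    "FinanceShareMOD": {"heidi"},
}


@dataclass(frozen=True)
class Ace:
    """One access control entry on a share."""
    principal: str
    level: str        # "RO", "RE", "RW", "MOD" or "FULL"
    is_group: bool


SHARE_ACLS = {
    "Payroll": [
        Ace("PayrollShareRO", "RO", True),
        Ace("PayrollShareRW", "RW", True),
        Ace("Everyone", "RO", True),       # the "temporary" fix that stayed
        Ace("jsmith", "FULL", False),      # access granted to an individual
    ],
    "Engineering": [
        Ace("EngineeringShareRW", "RW", True),
        Ace("EngineeringShareMOD", "RW", True),  # name says MOD, ACE says RW
        Ace("PayrollShareRO", "RO", True),       # another share's group
    ],
    "Finance": [
        Ace("FinanceShareRO", "RO", True),
        Ace("FinanceShareMOD", "MOD", True),
    ],
}


def audit_share(share: str, aces: list[Ace]) -> list[str]:
    """Step one of the post's audit: confirm only the appropriate groups are
    on the share, with limited rather than Full Control permissions."""
    findings = []
    approved = APPROVED_GROUPS.get(share, set())
    for ace in aces:
        if ace.principal in BROAD_PRINCIPALS:
            findings.append(f"{share}: broad principal '{ace.principal}' has {ace.level}")
        elif not ace.is_group:
            findings.append(f"{share}: individual user '{ace.principal}' granted "
                            f"{ace.level}; move to a group")
        elif ace.principal not in approved:
            findings.append(f"{share}: group '{ace.principal}' is not approved "
                            f"for this share")
        elif not ace.principal.endswith(ace.level):
            findings.append(f"{share}: group '{ace.principal}' is named for one "
                            f"level but the ACE grants {ace.level}")
        if ace.level not in LIMITED_LEVELS:
            findings.append(f"{share}: '{ace.principal}' has {ace.level}; "
                            f"use a limited level instead")
    return findings


def membership_report(share: str) -> dict[str, set[str]]:
    """Step two: who is actually in each approved group for the share."""
    return {g: set(GROUP_MEMBERS.get(g, set()))
            for g in sorted(APPROVED_GROUPS.get(share, set()))}


def audit_all() -> dict[str, list[str]]:
    """Run the ACL check over every share in the sample data."""
    return {share: audit_share(share, aces) for share, aces in SHARE_ACLS.items()}


if __name__ == "__main__":
    for share, findings in audit_all().items():
        print(f"== {share}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
        for group, members in membership_report(share).items():
            print(f"  {group}: {', '.join(sorted(members)) or '(empty)'}")
```

Because every ACE is matched against a small approved-group list and a naming convention, the audit of a share reduces to a handful of mechanical checks, and the only human review left is reading the membership report; that is the scaling benefit the post is pointing at. The `Finance` share in the sample data is the clean case and produces no findings.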