When it comes to the confidentiality,
integrity, and availability of your corporate network, it should go
without saying that security is a vital concern. Of course,
accepting this fact doesn’t mean you automatically know where to
begin. The task of securing a variety of platforms can be
overwhelming, particularly if you don’t have the time or resources
to do it thoroughly.

However, industry best practices for security
have evolved enough that there is plenty of free information
available out there to help you secure your network. Every network
security project should begin with performing a security benchmark
of the devices that run on your network.

You don’t need to be an expert on every O/S and
platform; you just need to know where to look for the right tools.
Let’s take a look at a couple of free tools that no administrator
should be without.

For several years, members of the National
Institute of Standards and Technology, the Defense Information
Systems Agency, the National Security Agency, the General Services
Administration, the SANS Institute, and the Center for Internet
Security have collaborated on a joint project to address security
concerns in networked information systems. These organizations combined
their substantial experience and technical capabilities to provide
users with an automated system and guidelines to verify and modify
the baseline of their network devices to meet an industry standard
benchmark of security, free of charge.

This project’s main offering is the Computer
Information Systems (CIS) scoring tool. Available from the Center for Internet Security,
the CIS scoring tool analyzes your system against a security
benchmark and available hot fixes for the specific platform you’re
checking.

Running the CIS scoring tool is a nondestructive
process, so you can run it against both new installations and
production systems. The resulting report walks you in depth through
the steps you need to take to harden your systems.

Currently, you can use the CIS scoring tool
against the following operating systems, devices, and applications:
Windows XP Professional, Windows Server 2003, Windows 2000
Professional, Windows 2000 Server, Windows 2000 (for both servers
and workstations), Windows NT, FreeBSD, Solaris, Linux, HP-UX,
Cisco IOS Router, Cisco PIX, Oracle Database, and Apache Web
Server.

To take advantage of this tool, read the
implementation guide, install the tool, and run the tool against
the platform you want to benchmark. Each platform has an
accompanying guide that describes in detail how the developers
created the scoring method as well as how to increase your platform
security to meet industry standards.

As an added bonus, several security configuration templates are
available, so you don’t have to chase down individual fixes. You
can apply these templates to your systems, and
they’ll modify the security configuration to meet current benchmark
standards.

One word of caution: Read the information about
the security configuration templates carefully. Some of them are
specifically for highly secure environments, and they might not be
appropriate for your organization’s operational systems.

It’s that simple: nothing to buy and no
in-depth knowledge necessary. Read a guide, run a tool, and fix
your security.

In addition to the CIS scoring tool and the
accompanying benchmark guides, the National Institute of
Standards and Technology maintains a publicly available
resource of more than 50 Security Technical Implementation Guides
(STIGs) and checklists. Covering a wide variety of platforms, these
resources provide a detailed step-by-step approach for implementing
and documenting security settings that are the accepted standards
of the U.S. government.

The security of your local network is a global
concern. Be a good Internet neighbor, and take a good look at these
guidelines.

Final thoughts

Approximately 28 seconds after you connect a
device to the Internet, a remote host scans it. Your only defense
is to apply a level of security against a known benchmark and
follow industry best practices.

There are no ruby red slippers to click when it
comes to network and systems security. However, taking advantage of
free security tools is a good place to start to secure your
corporate network.
