Technology alone will not solve the IT security problem.
Technology is an important part, but only a part of a comprehensive information security solution. Equally important is the development of an information security policy for your company, an assessment of your current situation, and training for all users and process owners.
Securing the internal network is as important as securing the external network (ex-employees, contractors, temporary personnel, fired employees, Viruses …)
Also never think that Security incidents won’t happen in your organization, no matter how big or small you are, because it does and once it hits it hits hard.
It is a must that the technical implementation is actually drafted from a policy not just on the ground only.
Security is part of an organization internal process never to be outsourced, Technical capabilities can be found outside but the process should be owned by the organization only.
Below are some 20 steps to consider for securing your Information Technology, Microsoft Windows Business environment:
One man do it all should not exist in your organization, small or big since it is a serious threat.
One man show was a phenomenon and is becoming more since the economy recession and this may lead to the organizations depending on one single person to do the Security/IT administration job and the High potential risk of losing him and its consequence on the job and security aspect. (Retirement, Firing, Resignation or Sudden Death)
Lock down your workstations and Network
Don’t Allow End Users and Administrators to Log On as Administrator
Create an alternative account non administrator for administrators, to do the daily work and when admin privileges is needed use the RunAs Feature, the application will run in administrator account privileges.
Disable Booting from CD, USB and everything else but the Primary Hard Disk, and put a password on the Bios.
With that in place no change can be done, or any trials of booting from alternative.
Rename the Administrator and Other Highly Privileged accounts, first thing a virus tries is to get admin privileges using the administrator account and trying passwords and if it is renamed with a strong password then it is 100 % Safe
Defeat Password Crackers Enable password complexity in your environment no matter what.
And enabled password lockout (be careful Viruses e.g.: Conficker.C) Disable LM hashing. And enable NTLM version 2 and run (LC 4 to test Cracking SAM)
Strengthen Windows Services.
Disable un-necessary service e.g. telephony or schedules.
Define the log on as a services accounts as a GPO.
Change Standard ports for Example SQL Server.
Work on NTFS permission for users files and important executable
And be careful on the registry it is an important part of security which you must secure, Firstly if it is possible to stop remote registry access, and always deny non admin user to have write on it.
Run Firewall, antivirus, spyware on local Workstation and on networks for example internet/email gateway (in case the antivirus on the Workstation is outdated or disabled) have different brands make sure you antivirus can’t be disabled or killed.
Separate the external network from the internal, using DMZ; never Ever publish any service directly to internet from the internal network.
Patch, Patch and Patch
Nothing more important as patching as an organization you need a patch management solution, there is plenty in the market for Example Windows SUS which comes for free.
Others such as SMS, GFI, Shavlik.
Get a remote access solution, in case there is a need for it or in case a disaster hit and no accessibility to the premises.
Get and Have an effective backup/Restore solution, Test Backups Frequently, and don’t forget to integrate it to the policy.
Disable FTP access to the outside world.
Invest in your network:
Get network firewalls (from layer 1 to layers 7 today’s viruses are on all layers) for VPN/IPSec Tunnels and segregation of network (VLANS)
Get web and email filters but an intrusion prevention system.
And not forgetting someone dedicated to look at the logs otherwise all the investment is thrown away
Also encrypt tunnels or data if you have more than one branch, never send clear data and never presume it is safe.
Lock, Log and protect the IT Server Room/Data Centre (theft, Fire, breaking, leakage)
Clustering Alone is not enough using Data replication where adequate also. Since Clustering only protects application failure not data.
Do periodic external checks using Nesuss or any other product just to see if you are exposed to the outside world.
Be careful of SNMP Components to change the password never leave them to defaults since a virus/technical person can issue command to shut them down or unauthorized access to the components can happen, which may lead to undesirable events.
Have all your employees acknowledge formally the IT/Security Policies and procedures.
Wireless:
Be careful from wireless Networks if they are configured wrongly.
Always have them behind a firewall; always use high encryption and never use static password connect them to a Radius server or any other password mechanism for ultimate security.
About BCCManagement:
We’ve been in Business since 2006, we have participated in several related International Conferences and seminars held in many countries including Canada, United Kingdom, and the United States.
Also, we published numerous Business Continuity studies and articles in renowned magazines and international websites, noting that BCCManagement had been actively involved in the development of standards dealing with Business Continuity namely the Business Continuity Standard BS25999.
In 2009 BCCManagement has done a corporate partnership with Business Continuity Institute BCI to Bring It’s Client the state of the art Business Continuity practice.
Courtesy of Google Maps (As of May 4 2009)
WHO Pandemic Phases
Business Continuity, BCCManagement.com 