Over the last few years I have had to deal with a lot of smaller businesses, and the general lack of security has been horrifying. Every single small business I have been to has, without exception, failed at some of the most basic things. In light of this I have started to cobble together an easy-to-read, high-level security review/questionnaire that even non-technical people can understand, with the hope of mitigating some of the easy things and putting them on the right path.
High-Level Security Checklist
Overview – Approach environments asking these questions:
- Confidentiality
  - Who has access to what information or resources?
- Integrity
  - Has any information been changed, and who changed it?
- Availability
  - Are your information and resources readily accessible when needed?
Backups
- How often are backups run?
- Do you have offsite storage for backups?
  - Keeping tapes in a car is not secure.
  - Keeping them in a home is not really secure.
  - Store them in a place that can be locked up and out of harm's way!
- Do you run test restores?
- In the event recovery is needed, how quickly can the off-site backups be obtained?
- If stored with an individual, can they easily be reached at any time?
- What type of backup medium is being used?
  - Tape
    - How often are tapes replaced?
    - The cost of proper upkeep can add up.
  - Cloud
    - What is the provider's privacy policy?
    - What is the provider's liability for lost data?
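A test restore only proves something if you can tell whether what came back matches what went out. The script below is an added example, not part of the original checklist: it records a SHA-256 manifest of the source tree at backup time, then compares a restored copy against that manifest and reports files that are missing, corrupted (truncated or altered) or unexpected. The directory layout and file contents are constructed in a temporary directory purely for the demonstration.

```python
"""Hash-manifest check for a test restore (added example, not from the checklist).

At backup time, record a SHA-256 digest for every file. After restoring to a
scratch directory, compare the restore against that manifest so "we have
backups" becomes "we proved the backups restore". Sample files are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large backups are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its digest and size."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return manifest


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest.

    Returns the files that are missing from the restore, the files whose
    contents differ from the backup, and extra files the backup never had.
    """
    report = {"missing": [], "corrupted": [], "extra": []}
    for rel, meta in manifest.items():
        target = restored_root / rel
        if not target.is_file():
            report["missing"].append(rel)
        elif sha256_file(target) != meta["sha256"]:
            report["corrupted"].append(rel)
    for p in restored_root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(restored_root).as_posix()
            if rel not in manifest:
                report["extra"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: one intact file, one truncated file, one missing file."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        dst = Path(tmp) / "restore"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_bytes(b"date,amount\n2024-01-02,100\n")
        (src / "payroll.xlsx").write_bytes(b"\x00" * 4096)
        (src / "notes.txt").write_text("call vendor re: tape rotation")
        manifest = build_manifest(src)

        # Simulate the restore: ledger intact, payroll truncated, notes missing,
        # plus a stray file left over from an earlier job.
        (dst / "finance").mkdir(parents=True)
        (dst / "finance" / "ledger.csv").write_bytes(
            (src / "finance" / "ledger.csv").read_bytes())
        (dst / "payroll.xlsx").write_bytes(b"\x00" * 2048)
        (dst / "stray.tmp").write_text("left over from an earlier job")
        return verify_restore(manifest, dst)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the manifest with the backup set but also somewhere the tapes are not (a printed copy or a separate share), otherwise a corrupted tape takes its own checksums with it.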
Patches and Software Updates
- Are Windows updates configured?
- Are you looking for Java updates?
  - Can Java be updated?
    - Some web applications can be an issue.
  - Is it using automatic updates?
    - Again, be careful if you have sensitive web applications.
- Are you looking for Adobe updates?
  - Adobe products are among the most notorious for having frequently patched security holes.
- Are you updating your web browsers?
- Other third-party applications
  - Third-party application updates are often the hardest type of patching to stay current on.
Least Privilege
- Do people run as admin on local computers?
  - Not making users local administrators and/or leaving UAC turned on can limit and mitigate the effect of malware.
- File sharing permissions
  - Are there unused file shares on servers and desktops?
- Do your administrators actively use domain administrator accounts or user accounts?
  - Using a domain admin account for general-purpose work is a huge risk and makes it easy to compromise an environment.
Passwords
- Use different passwords for different purposes.
  - People tend to use the same password for everything.
- Are passwords written down or stored in a secured format?
  - It is not uncommon to find passwords written on sticky notes in plain sight on or around a user's desk.
  - If stored, is it in a place other people can easily access?
    - Physically written down in a desk drawer?
    - In a text file on the computer?
  - Many applications store passwords insecurely.
    - Web browsers with saved passwords are notorious.
- Do users share passwords or use shared accounts?
  - This should be kept to an absolute minimum.
  - When looking at audit trails, how can you tell which user made a change?
- Complexity requirements
  - How long do passwords last before needing to be changed?
    - Too long between changes is bad.
    - If changing a password occurs too often, users tend to write them down and often store them insecurely.
  - How long are your passwords?
    - The absolute minimum should be 8.
    - Long passphrases are recommended.
    - Length is more important than traditional complexity.
  - Do you require specific character sets?
    - Less important than length.
    - Most password crackers substitute common letter-to-symbol replacements (1 to !, a to @, s to $) as they try different dictionary words.
  - Are your passwords based on dictionary words?
    - This can easily be tested with password auditing.
    - Dictionary words with numbers after them and/or character substitution are not effective.
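The points above about length, character sets and dictionary words can be turned into a small policy audit. The script below is an added example, not part of the original checklist: it enforces the 8-character minimum, undoes the common symbol substitutions a cracker would try and strips trailing digits before checking against a word list, and only looks at character classes when a password is too short to count as a passphrase. The word list and sample passwords are constructed stand-ins; a real audit would load a full dictionary.

```python
"""Password-policy audit (added example, not from the checklist).

Length beats character classes, and "dictionary word + digits + symbol
substitutions" is what crackers try first, so the audit reverses those
substitutions before the dictionary check. WORDLIST is a constructed
stand-in for a real dictionary.
"""
import re

# Substitutions crackers routinely reverse, mapped back to the letter.
SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t", "+": "t",
})

# Constructed word list; real audits use a full dictionary / leaked-password list.
WORDLIST = {"password", "welcome", "summer", "company", "letmein", "dragon"}

MIN_LENGTH = 8          # the checklist's absolute minimum
PASSPHRASE_LENGTH = 16  # at or above this, character classes are not checked

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]")


def normalize(pw: str) -> str:
    """Strip leading/trailing digits and symbols, then undo substitutions.

    "P@ssw0rd1" -> "P@ssw0rd" -> "password"; "Summer2024!" -> "summer".
    """
    core = re.sub(r"^[^a-zA-Z]+|[^a-zA-Z]+$", "", pw)
    return core.lower().translate(SUBSTITUTIONS)


def audit(pw: str) -> list:
    """Return policy findings for one password; an empty list means it passes."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    core = normalize(pw)
    if core in WORDLIST:
        findings.append(f"dictionary word '{core}' with digits/substitutions")
    if len(pw) < PASSPHRASE_LENGTH:
        classes = sum(bool(re.search(p, pw)) for p in CHARACTER_CLASSES)
        if classes < 3:
            findings.append("short password with fewer than 3 character classes")
    return findings


def audit_many(passwords: dict) -> dict:
    """Audit a mapping of account -> password and return only the failing ones."""
    return {acct: f for acct, pw in passwords.items() if (f := audit(pw))}


# Constructed sample accounts for the demonstration.
SAMPLE = {
    "jsmith": "P@ssw0rd1",
    "reception": "Summer2024!",
    "mjones": "correct horse battery staple",
    "backupsvc": "Dr4g0n",
    "finance": "Xk9#mQ2v",
}

if __name__ == "__main__":
    for acct, findings in audit_many(SAMPLE).items():
        print(acct, "->", "; ".join(findings))
```

Run this against exported hashes only via a proper cracking tool; the point here is the normalization step, which shows why "P@ssw0rd1" is effectively the same password as "password".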
Anti-Virus/Malware
- Important, but it's not a silver bullet.
- It is not about total prevention but rather about reducing your attack surface to manageable levels.
- Are you up to date on your subscriptions and definitions?
Firewalls
- Do you have appropriate rules for traffic / email / content filtering?
  - Are you blocking inbound traffic?
  - Are you blocking outbound traffic?
- Are you blocking inbound traffic from regions you don't do business in? (If you don't do business outside the US, block traffic from China.)
- Are you using a VPN solution for remote access?
Wireless
- Are you using WPA/WPA2 with AES?
  - WEP is NOT secure and very easily hacked.
  - TKIP encryption has known flaws and is not recommended.
- MAC address filtering doesn't help.
- SSID cloaking can give a false sense of security, can even be a risk in itself, and is not recommended.
Encryption
- Do you have data that requires using disk encryption?
  - PGP / TrueCrypt
- Do you need email encryption?
  - PGP / GnuPG
Data Removal
- How do you decommission old computers?
- Do you erase data before getting rid of a computer?
  - Just deleting from Windows is not enough; it leaves the original files intact in a way that they can be easily extracted.
  - Secure erase with third-party tools is recommended.
Disaster Recovery
- Do you have a disaster recovery plan?
  - Does it cover data loss?
  - Does it cover equipment loss?
    - Is there spare equipment available if needed?