2012-07-15

Easy high level security tips and questions

Over the last few years I have had to deal with a lot of smaller businesses, and the general lack of security has been horrifying. Every single small business I have been to has, without exception, failed at some of the most basic things. In light of this I have started to cobble together an easy-to-read, high-level security review/questionnaire that even non-technical people can understand, in the hope of mitigating some of the easy things and putting them on the right path.

High-Level Security Checklist

Overview – Approach environments asking these questions
- Confidentiality
  - Who has access to what information or resources?
- Integrity
  - Has any information been changed, and who changed it?
- Availability
  - Are your information and resources readily accessible when needed?

Backups
- How often are backups run?
- Do you have offsite storage for backups?
  - Keeping tapes in a car is not secure
  - Keeping them in a home is not really secure
  - Store them in a place that can be locked up and is out of harm's way!
- Do you run test restores?
- In the event recovery is needed, how quickly can the off-site backups be obtained?
- If they are stored with an individual, can that person be reached easily at any time?
- What type of backup medium is being used?
  - Tape
    - How often are tapes replaced?
    - The cost of proper upkeep can add up
  - Cloud
    - What is the provider's privacy policy?
    - What is the provider's liability for lost data?

Patches and Software Updates
- Are Windows updates configured?
- Are you looking for Java updates?
  - Can Java be updated?
    - Some web applications can have compatibility issues
  - Is it using automatic updates?
    - Again, be careful if you have sensitive web applications.
- Are you looking for Adobe updates?
  - Adobe products are among the most notorious for having frequently patched security holes
- Are you updating your web browsers?
- Other third-party applications
  - Third-party application updates are often the hardest type of patching to stay current on

Least Privileges
- Do people run as admin on local computers?
  - Not making users local administrators and/or leaving UAC turned on can limit and mitigate the effects of malware
- File sharing permissions
  - Are there unused file shares on servers and desktops?
- Do your administrators actively use domain administrator accounts or ordinary user accounts?
  - Using a domain admin account for general-purpose work can be a huge risk and makes it easy to compromise an environment

Passwords
- Use different passwords for different purposes
  - People tend to use the same password for everything
- Are passwords written down or stored in a secure format?
  - It is not uncommon to find passwords written on sticky notes in plain sight on or around a user's desk
  - If stored, is it in a place other people can easily access?
    - Physically written down in a desk drawer?
    - In a text file on the computer?
  - Many applications store passwords insecurely
    - Web browsers with saved passwords are notorious
- Do users share passwords or use shared accounts?
  - This should be kept to an absolute minimum
  - When looking at audit trails, how can you tell which user made a change?
- Complexity requirements
  - How long do passwords last before needing to be changed?
    - Too long between changes is bad
    - If password changes occur too often, users tend to write them down and often store them insecurely
  - How long are your passwords?
    - The absolute minimum should be 8 characters
    - Long passphrases are recommended
    - Length is more important than traditional complexity
  - Do you require specific character sets?
    - Less important than length
    - Most password crackers try the common letter-to-symbol replacements (1 to !, a to @, s to $) on each dictionary word they test
  - Are your passwords based on dictionary words?
    - This can easily be tested with password auditing
    - Dictionary words with numbers appended and/or character substitution are not effective
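As an added illustration of the password-auditing point above (not part of the original checklist), here is a small Python audit that applies the checklist's rules: a minimum length of 8, and a check for dictionary words disguised by the common symbol substitutions and appended digits, contrasted with the traditional character-set rule. The wordlist and the sample passwords are constructed for the example.

```python
import itertools
import re

# Constructed mini wordlist; a real audit would load the large wordlists that
# password crackers ship with (assumption for this example).
DICTIONARY = {"password", "summer", "welcome", "company", "letmein", "dragon"}
MIN_LENGTH = 8  # the checklist's absolute minimum length

# Digits/symbols commonly substituted for letters, mapped back to the letters
# they stand in for (the checklist's 1, !, @ and $ plus a few equally common
# ones). "1" is ambiguous (i or l), so every plausible letter is tried.
SUBSTITUTIONS = {"1": "il", "!": "il", "|": "il", "@": "a", "4": "a", "$": "s",
                 "5": "s", "0": "o", "3": "e", "7": "t", "+": "t"}

def candidate_words(password):
    """Words the password could derive from via substitution plus added digits/symbols."""
    chars = list(password.lower())
    # Positions that may be substitutions, bounded so combinations stay small.
    positions = [i for i, c in enumerate(chars) if c in SUBSTITUTIONS][:10]
    # Try each plausible letter, or keep the symbol (so a trailing "1" is stripped, not read as "l").
    choices = [SUBSTITUTIONS[chars[i]] + chars[i] for i in positions]
    words = set()
    for combo in itertools.product(*choices):
        trial = chars[:]
        for i, c in zip(positions, combo):
            trial[i] = c
        # Drop leading/trailing non-letters: "Summer2012" -> "summer".
        words.add(re.sub(r"^[^a-z]+|[^a-z]+$", "", "".join(trial)))
    return words

def meets_charset_policy(password):
    """Traditional 'three of four character classes' rule, kept only to contrast with length."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]")
    return sum(re.search(p, password) is not None for p in classes) >= 3

def audit_password(password):
    """Findings for one password; an empty list means it passed the audit."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    hits = candidate_words(password) & DICTIONARY
    if hits:
        findings.append(f"derived from dictionary word '{sorted(hits)[0]}'")
    return findings

if __name__ == "__main__":
    # Constructed samples: the first passes a charset policy but is a substituted dictionary word.
    for pw in ("P@ssw0rd1!", "Summer2012", "$ummer!", "correct horse battery staple"):
        print(pw, meets_charset_policy(pw), audit_password(pw) or "ok")
```

Note that the long passphrase fails the character-set rule yet passes the audit, while the substituted dictionary words do the opposite, which is exactly the checklist's point about length versus complexity.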

Anti-Virus/Malware
- Important, but it's not a silver bullet
- It is not about total prevention but rather about reducing your attack surface to a manageable level
- Are you up to date on your subscriptions and definitions?

Firewalls
- Do you have appropriate rules for traffic / email / content filtering?
  - Are you blocking inbound traffic?
  - Are you blocking outbound traffic?
- Are you blocking inbound traffic from regions you don’t do business in? (If you don’t do business outside the US, block traffic from China.)
- Are you using a VPN solution for remote access?

Wireless
- Are you using WPA/WPA2 with AES?
  - WEP is NOT secure and is very easily hacked
  - TKIP encryption has known flaws and is not recommended
- MAC address filtering doesn’t help
- SSID cloaking can give a false sense of security, can even be a risk in itself, and is not recommended

Encryption
- Do you have data that requires disk encryption?
  - PGP / TrueCrypt
- Do you need email encryption?
  - PGP / GnuPG

Data Removal
- How do you decommission old computers?
- Do you erase data before getting rid of a computer?
  - Just deleting files in Windows is not enough; it leaves the original data on the disk in a way that can be easily recovered
  - Secure erase with third-party tools is recommended

Disaster Recovery
- Do you have a disaster recovery plan?
  - Does it cover data loss?
  - Does it cover equipment loss?
    - Is there spare equipment available if needed?